How Microsoft Secure Score works

System: STS eCampus - Learn. Secure. Thrive
Course: Microsoft Secure Score Awareness
Book: How Microsoft Secure Score works
Printed by: Invitado
Date: 6/12/2025, 07:10

1. Welcome

You're given points for the following actions:

  • Configuring recommended security features
  • Doing security-related tasks
  • Addressing the recommended action with a third-party application or software, or an alternate mitigation

Some recommended actions only give points when fully completed. Others give partial points if the organization completes them for some of its devices or users. If you can't or don't want to enact one of the recommended actions, you can choose to accept the risk, or the remaining risk, instead.

If you have a license for one of the supported Microsoft products, then the Secure Score dashboard displays recommendations for those products. The dashboard displays the full set of possible recommendations for a product, regardless of license edition, subscription, or plan. This way, you can understand security best practices and improve your score. Your absolute security posture, represented by Secure Score, stays the same no matter what licenses your organization owns for a specific product. Keep in mind that you should balance security with usability, and not every recommendation can work for your environment.

Secure Score updates an organization's score in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.


2. Scoring recommended actions

Each recommended action is worth 10 points or less, and most are scored in a binary fashion. If you implement the recommended action, such as creating a new policy or turning on a specific setting, you get 100% of the points. For other recommended actions, Secure Score calculates points as a percentage of the total configuration.

For example, an action assigns 10 points if you protect all your users with multifactor authentication. Let's say your organization has 100 users. If 50 of the 100 users have MFA enabled, you get a partial score of five points (50 protected / 100 total × 10 maximum points = 5 points).
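The following Python model is an added illustration for this page; it is not Microsoft's code and does not call the Secure Score service. It generalizes the arithmetic above into the three cases the page describes: binary actions that pay out 100% when done, proportional actions scored as covered / total × maximum points, and the statuses from section 1 that award points without the native control (third-party or alternative mitigation) or forgo them (accepted risk). Point values are the ones the page quotes; the weights of the two risk-policy actions and the treatment of an accepted risk in the possible total are assumptions marked in the comments.

```python
"""Toy model of how Secure Score adds up recommended actions.

Added illustration for this page; not Microsoft's code and not an export of
the real scoring engine. Point values are those the page quotes; the status
labels follow the page's wording; the two risk-policy weights and the effect
of "Risk accepted" on the possible total are assumptions (see comments).
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Statuses a recommended action can carry, worded as on the page.
TO_ADDRESS = "To address"
COMPLETED = "Completed"
ALT_MITIGATION = "Resolved through alternative mitigation"  # third-party tools score the same way
RISK_ACCEPTED = "Risk accepted"


@dataclass
class RecommendedAction:
    name: str
    max_points: int                 # each action is worth 10 points or less
    status: str = TO_ADDRESS
    covered: Optional[int] = None   # proportional actions only: objects already configured
    total: Optional[int] = None     # proportional actions only: objects in scope

    def __post_init__(self) -> None:
        if not 0 <= self.max_points <= 10:
            raise ValueError("a recommended action is worth 10 points or less")
        if (self.covered is None) != (self.total is None):
            raise ValueError("covered and total must be given together")
        if self.total is not None and not 0 <= self.covered <= self.total:
            raise ValueError("covered must lie between 0 and total")

    def achieved(self) -> float:
        """Points this action currently contributes."""
        if self.status in (COMPLETED, ALT_MITIGATION):
            return float(self.max_points)          # full points, however it was addressed
        if self.status == RISK_ACCEPTED:
            return 0.0                             # accepting the risk earns nothing
        if self.total:                             # proportional: covered / total x max
            return self.max_points * self.covered / self.total
        return 0.0                                 # binary action not yet done


def secure_score(actions: Iterable[RecommendedAction]) -> Tuple[float, int, float]:
    """Return (points achieved, points possible, percentage).

    ASSUMPTION: a risk-accepted action still counts toward the possible points;
    the page only says that it earns none.
    """
    actions = list(actions)
    achieved = sum(a.achieved() for a in actions)
    possible = sum(a.max_points for a in actions)
    percent = 100.0 * achieved / possible if possible else 0.0
    return achieved, possible, percent


def worked_example() -> float:
    """The page's arithmetic: 50 of 100 users protected by a 10-point MFA action."""
    mfa = RecommendedAction("Protect all users with multifactor authentication", 10,
                            covered=50, total=100)
    return mfa.achieved()                          # 50 / 100 x 10 = 5.0


SECURITY_DEFAULTS_ACTIONS = {
    "Ensure all users can complete multifactor authentication for secure access",
    "Require MFA for administrative roles",
    "Enable policy to block legacy authentication",
}


def sample_tenant() -> List[RecommendedAction]:
    """Constructed tenant: the three security-defaults actions plus two risk policies."""
    return [
        RecommendedAction("Ensure all users can complete multifactor authentication for secure access", 9),
        RecommendedAction("Require MFA for administrative roles", 10),
        RecommendedAction("Enable policy to block legacy authentication", 7),
        # Hypothetical weights: the page names these actions but not their points.
        RecommendedAction("Turn on sign-in risk policy", 7),
        RecommendedAction("Turn on user risk policy", 7),
    ]


def enable_security_defaults(actions: List[RecommendedAction]) -> List[RecommendedAction]:
    """Turning on security defaults completes the three actions the page lists (9 + 10 + 7)."""
    for a in actions:
        if a.name in SECURITY_DEFAULTS_ACTIONS:
            a.status = COMPLETED
    return actions


def set_status(actions: List[RecommendedAction], names: Iterable[str], status: str) -> List[RecommendedAction]:
    """Change status by name, e.g. mark the risk policies as resolved through alternative mitigation."""
    wanted = set(names)
    for a in actions:
        if a.name in wanted:
            a.status = status
    return actions


if __name__ == "__main__":
    tenant = enable_security_defaults(sample_tenant())
    print("worked example:", worked_example())
    print("after security defaults:", secure_score(tenant))
    set_status(tenant, ["Turn on sign-in risk policy", "Turn on user risk policy"], ALT_MITIGATION)
    print("after marking risk policies:", secure_score(tenant))
```

Running it shows the two effects worth knowing as an administrator: partial coverage of a proportional action earns a proportional share, and a status change alone (alternative mitigation) moves the score as much as deploying the native control does, so those statuses deserve the same review as the controls themselves.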


3. Products included in Secure Score

Secure Score currently includes recommendations for the following products:

  • Microsoft 365 (including Exchange Online)
  • Microsoft Entra ID (formerly Azure Active Directory (Azure AD))
  • Microsoft Defender for Endpoint
  • Microsoft Defender for Identity
  • Microsoft Defender for Cloud Apps
  • Microsoft Teams

The recommendations don't cover all the attack surfaces associated with each product, but they provide a good baseline. You can also mark the recommended actions as covered by a third party or alternate mitigation.


4. Security defaults

Microsoft Secure Score includes recommended actions that correspond to security defaults in Microsoft Entra ID. Security defaults are preconfigured settings that protect against common identity attacks, so they give an organization an easy starting point.

If you turn on security defaults, Secure Score awards full points for the following recommended actions:

  • Ensure all users can complete multifactor authentication for secure access (9 points)
  • Require MFA for administrative roles (10 points)
  • Enable policy to block legacy authentication (7 points)

Important

Security defaults include security features that provide similar security to the "sign-in risk policy" and "user risk policy" recommended actions. Instead of setting up these policies on top of the security defaults, Microsoft recommends updating their statuses to "Resolved through alternative mitigation."