What is a Microsoft Secure Score and how do you improve it?
A plain-English guide to the security rating built into Microsoft 365 — what it measures, which actions matter most, and how far to take it.
Microsoft Secure Score is a security posture rating built into the Microsoft 365 admin center (Microsoft Defender portal). It scores your tenant against a list of recommended security controls — things like enforcing multi-factor authentication, blocking legacy authentication, and limiting admin accounts — and gives you a single percentage and a points total.
The score is relative, not absolute. A higher score means you have turned on more of Microsoft’s recommended protections; it does not guarantee you are unbreachable. Think of it as a prioritized to-do list with a progress bar, not a compliance certificate.
Each recommended action is worth a set number of points. You earn the points by implementing the control (or by marking it as covered by a third-party tool or accepted as a risk). Actions are grouped into three areas:
- Identity — accounts, MFA, conditional access, admin hygiene
- Devices — endpoint protection, patching, device compliance (if you use Intune/Defender for Endpoint)
- Apps & Data — email protection, sharing controls, DLP
Microsoft also shows how your score compares to organizations of similar size and industry, which is useful context when you report to leadership.
Most small businesses can move their score substantially in an afternoon by doing the high-value, low-friction items first:
- Require MFA for all users (and especially every admin)
- Block legacy/basic authentication protocols
- Reduce the number of Global Administrators to two or three, and do admin work from a separate, dedicated admin account rather than a daily-use mailbox
- Turn on Safe Links and Safe Attachments in Defender for Office 365
- Enable a conditional access policy that blocks sign-ins from unexpected countries
Avoid chasing the last few percent for its own sake. Some actions require licenses you may not have, or introduce friction that is not worth the points for your environment.
It is tempting to implement every recommendation in one session to maximize the number. Don’t. Enabling conditional access and blocking legacy auth without a rollout plan can lock out shared mailboxes, scanners, and older line-of-business apps. Stage changes, use report-only mode first, and communicate with your team.
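As an added example (not code from the original article or from Microsoft), the script below shows how the high-value items above and the staged rollout advice fit together using the Microsoft Graph PowerShell SDK: it reads the current Secure Score, counts Global Administrator role members, creates a conditional access policy that blocks legacy authentication in report-only mode (excluding an emergency-access account), and then pulls the last week of sign-ins from non-modern clients so you can see which scanners, shared mailboxes or older apps would have been blocked before enforcing anything. The break-glass UPN and the 7-day window are assumptions you should change; the sign-in log query needs a Microsoft Entra ID P1 licence.

```powershell
# Added example, not from the original article. Requires the Microsoft Graph PowerShell SDK:
#   Install-Module Microsoft.Graph.Security, Microsoft.Graph.Identity.DirectoryManagement,
#                  Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users, Microsoft.Graph.Reports
# Assumptions: the account running this holds a role allowed to create conditional access
# policies, and the break-glass UPN below is a placeholder you must replace.

$BreakGlassUpn  = 'breakglass@contoso.example'   # placeholder: your emergency-access account
$ReviewDays     = 7                               # assumed review window for report-only results

Connect-MgGraph -Scopes 'SecurityEvents.Read.All',
                        'RoleManagement.Read.Directory',
                        'User.Read.All',
                        'Policy.ReadWrite.ConditionalAccess',
                        'Policy.Read.All',
                        'AuditLog.Read.All'

# 1. Current Secure Score (most recent daily snapshot) as points and a percentage.
$score = Get-MgSecuritySecureScore -Top 1
'Secure Score: {0} of {1} points ({2:P0})' -f $score.CurrentScore, $score.MaxScore,
    ($score.CurrentScore / $score.MaxScore)

# 2. How many Global Administrators the tenant has (the article suggests two or three).
$gaRole    = Get-MgDirectoryRole | Where-Object DisplayName -eq 'Global Administrator'
$gaMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id
'Global Administrators: {0}' -f $gaMembers.Count
$gaMembers | ForEach-Object { '  ' + $_.AdditionalProperties['userPrincipalName'] }

# 3. Block legacy authentication, but in report-only mode first so nothing is locked
#    out yet. Exchange ActiveSync and "other clients" are the client app types that
#    cover basic/legacy authentication; the break-glass account is excluded.
$breakGlass = Get-MgUser -UserId $BreakGlassUpn
$policy = @{
    DisplayName = 'Block legacy authentication (report-only)'
    State       = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after review
    Conditions  = @{
        Users          = @{ IncludeUsers = @('All'); ExcludeUsers = @($breakGlass.Id) }
        Applications   = @{ IncludeApplications = @('All') }
        ClientAppTypes = @('exchangeActiveSync', 'other')
    }
    GrantControls = @{ Operator = 'OR'; BuiltInControls = @('block') }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
'Created policy {0} in state {1}' -f $created.Id, $created.State

# 4. Who would the policy hit? List recent sign-ins from clients that are not modern
#    browser or desktop/mobile app sign-ins, grouped by user and client type.
#    These are the scanners, shared mailboxes and older apps to fix before enforcing.
$since = (Get-Date).AddDays(-$ReviewDays).ToUniversalTime().ToString('o')
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -notin @('Browser', 'Mobile Apps and Desktop clients') } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Run steps 1 and 2 on their own first if you only want a baseline; step 3 creates a real policy object (in report-only state), so review the output of step 4 over at least a full business cycle and fix or exclude the affected accounts before changing the policy state to enabled.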
Want us to raise your Secure Score for you?
We harden Microsoft 365 the right way — MFA, conditional access, and email protection — without locking your team out. Most clients see a major jump in week one.