Skip to main content
IT KORR
IT KORRKeeping Organizations Reliable & Resilient
Knowledge Center

Microsoft Secure Score Guide

How Secure Score is calculated, what it does and doesn't measure, and how to use it as a genuine improvement roadmap rather than a vanity number.

4 min read
Microsoft 365

Secure Score is the single most visible security metric in the Microsoft 365 admin experience — a number between 0 and a tenant-specific maximum, updated continuously as configuration changes. It's genuinely useful as a structured improvement roadmap, and genuinely misleading if treated as a certification or a complete measure of security posture. This guide covers how it actually works and how to use it well.

How Secure Score is calculated

Secure Score awards points for specific, individually scored improvement actions — configuration changes, policy enablements, and usage behaviors — each with a defined point value and a maximum achievable score. The total score is a percentage of points achieved against points available for your tenant's specific license mix and configuration, which is why two organizations of similar size can have very different maximum possible scores.

Secure Score maximum varies by tenant

Your maximum achievable score depends on which Microsoft 365 workloads and licenses are active in your tenant — an organization without Microsoft Defender for Office 365 licensed, for instance, won't see (or be scored against) improvement actions that require it. This is why Secure Score should never be compared directly between organizations without confirming they have comparable licensing.

What Secure Score actually measures — and what it doesn't

What Secure Score covers well vs. where it falls short
Covers WellDoes Not Cover
Baseline configuration hygiene (MFA enabled, legacy auth blocked, etc.)Whether configured policies are actually effective in practice (e.g., a Conditional Access policy with an overly broad exclusion)
Availability of security features relative to licenseNon-Microsoft security tools and controls (a separate EDR product, a third-party email gateway)
Trackable improvement over timeHuman/process factors — training quality, incident response readiness, documentation
Comparison against similar organizations (industry benchmark)Actual breach risk or compliance certification status
Review

Check current score and available actions

Prioritize

Sort by point value vs. implementation effort

Implement

Apply the change, reading user-impact notes first

Re-check

Confirm score updated; watch for new actions

Secure Score is a continuous cycle, not a one-time push to a target number — Microsoft periodically adds new improvement actions as features ship.

Using Secure Score as an improvement roadmap

The practical value of Secure Score isn't the number itself — it's the prioritized, point-scored list of specific actions behind it. Each improvement action includes an implementation guide, an estimated user impact, and a point value, which makes the list usable as an actual work queue rather than an abstract goal.

  1. Sort by point value and implementation effort, not just point value alone. A low-effort, high-point action (like enabling a tenant-wide setting) should usually be prioritized over a high-point action requiring a multi-week rollout, purely for momentum and quick wins.
  2. Read the "user impact" rating before implementing, since some improvement actions (stricter Conditional Access, blocking legacy auth) have real operational impact that should be planned and communicated, not just toggled on.
  3. Re-check score monthly, not just once. Microsoft periodically adds new improvement actions as new features ship — a score that was "complete" six months ago may have new, unaddressed actions available now.
  4. Don't chase 100%. Some improvement actions have a real usability trade-off your organization may reasonably decide isn't worth the point value — Secure Score is an input to a decision, not a mandate.

Common mistakes

  • Treating Secure Score as a compliance certification. It is not equivalent to, and does not substitute for, HIPAA, SOC 2, or any other formal compliance attestation — see HIPAA Password Guidance for why compliance requires its own dedicated framework mapping.
  • Comparing scores across organizations with different licensing without accounting for differing maximum achievable scores.
  • Implementing every improvement action without reading the user-impact assessment, causing avoidable support disruption from changes rolled out without planning.
  • Checking the score once and never returning to it, missing new improvement actions Microsoft adds over time.

FAQ

What's a "good" Secure Score? There's no universal target — it depends heavily on your specific licensing and configuration. A more useful framing is trend: is the score improving over time, and are the highest-value, lowest-effort actions being addressed first.

Does a high Secure Score mean we're not going to get breached? No. Secure Score measures configuration hygiene against Microsoft's own recommended actions — it does not account for human factors, third-party tooling, or sophisticated attack techniques covered in Authentication Attacks. It's one useful signal among several, not a guarantee.

Can Secure Score go down? Yes — if a previously implemented control is disabled or misconfigured, or if Microsoft reweights or retires an improvement action, the score reflects that change. This is part of why a monthly check-in is more useful than a one-time push to a target number.

Where do we see Secure Score in the admin center? Within the Microsoft 365 Defender portal's Secure Score page, which lists every improvement action, its point value, its implementation status, and links directly to the relevant admin configuration page.

Operational Support

Need help implementing these findings?

IT KORR can coordinate DNS configuration, email authentication setup, and Microsoft 365 governance alignment. We work with your current providers — no migration required.

No commitment required — we respond within one business day.

Build: add8299 | Built: Jul 9, 2026 9:26 PM EDT