Secure Score is the single most visible security metric in the Microsoft 365 admin experience — a number between 0 and a tenant-specific maximum, updated continuously as configuration changes. It's genuinely useful as a structured improvement roadmap, and genuinely misleading if treated as a certification or a complete measure of security posture. This guide covers how it actually works and how to use it well.
How Secure Score is calculated
Secure Score awards points for specific, individually scored improvement actions — configuration changes, policy enablements, and usage behaviors — each with a defined point value and a maximum achievable score. The total score is a percentage of points achieved against points available for your tenant's specific license mix and configuration, which is why two organizations of similar size can have very different maximum possible scores.
Secure Score maximum varies by tenant
Your maximum achievable score depends on which Microsoft 365 workloads and licenses are active in your tenant — an organization without Microsoft Defender for Office 365 licensed, for instance, won't see (or be scored against) improvement actions that require it. This is why Secure Score should never be compared directly between organizations without confirming they have comparable licensing.
What Secure Score actually measures — and what it doesn't
| Covers Well | Does Not Cover |
|---|---|
| Baseline configuration hygiene (MFA enabled, legacy auth blocked, etc.) | Whether configured policies are actually effective in practice (e.g., a Conditional Access policy with an overly broad exclusion) |
| Availability of security features relative to license | Non-Microsoft security tools and controls (a separate EDR product, a third-party email gateway) |
| Trackable improvement over time | Human/process factors — training quality, incident response readiness, documentation |
| Comparison against similar organizations (industry benchmark) | Actual breach risk or compliance certification status |
Using Secure Score as an improvement roadmap
The practical value of Secure Score isn't the number itself — it's the prioritized, point-scored list of specific actions behind it. Each improvement action includes an implementation guide, an estimated user impact, and a point value, which makes the list usable as an actual work queue rather than an abstract goal.
- Sort by point value and implementation effort, not just point value alone. A low-effort, high-point action (like enabling a tenant-wide setting) should usually be prioritized over a high-point action requiring a multi-week rollout, purely for momentum and quick wins.
- Read the "user impact" rating before implementing, since some improvement actions (stricter Conditional Access, blocking legacy auth) have real operational impact that should be planned and communicated, not just toggled on.
- Re-check score monthly, not just once. Microsoft periodically adds new improvement actions as new features ship — a score that was "complete" six months ago may have new, unaddressed actions available now.
- Don't chase 100%. Some improvement actions have a real usability trade-off your organization may reasonably decide isn't worth the point value — Secure Score is an input to a decision, not a mandate.
Common mistakes
- Treating Secure Score as a compliance certification. It is not equivalent to, and does not substitute for, HIPAA, SOC 2, or any other formal compliance attestation — see HIPAA Password Guidance for why compliance requires its own dedicated framework mapping.
- Comparing scores across organizations with different licensing without accounting for differing maximum achievable scores.
- Implementing every improvement action without reading the user-impact assessment, causing avoidable support disruption from changes rolled out without planning.
- Checking the score once and never returning to it, missing new improvement actions Microsoft adds over time.
FAQ
What's a "good" Secure Score? There's no universal target — it depends heavily on your specific licensing and configuration. A more useful framing is trend: is the score improving over time, and are the highest-value, lowest-effort actions being addressed first.
Does a high Secure Score mean we're not going to get breached? No. Secure Score measures configuration hygiene against Microsoft's own recommended actions — it does not account for human factors, third-party tooling, or sophisticated attack techniques covered in Authentication Attacks. It's one useful signal among several, not a guarantee.
Can Secure Score go down? Yes — if a previously implemented control is disabled or misconfigured, or if Microsoft reweights or retires an improvement action, the score reflects that change. This is part of why a monthly check-in is more useful than a one-time push to a target number.
Where do we see Secure Score in the admin center? Within the Microsoft 365 Defender portal's Secure Score page, which lists every improvement action, its point value, its implementation status, and links directly to the relevant admin configuration page.