What Is Secure Score? Security Definition
On This Page
Quick Definition
Secure Score is a number that tells you how well you are protecting your Microsoft 365 data. It looks at your security settings and gives you a score out of 100. A higher score means you have more security measures in place. You can use it to see what you can improve and track your progress over time.
Commonly Confused With
Compliance Manager is a tool that measures your organization's compliance with regulatory standards like GDPR or HIPAA. Secure Score measures your security configuration against Microsoft's best practices. While both are in the Microsoft 365 Defender portal, Compliance Manager tracks assessments and actions for legal and regulatory requirements, whereas Secure Score focuses on security posture without regulatory context.
You use Compliance Manager to check if you meet GDPR requirements. You use Secure Score to check if you have MFA enabled.
Secure Score for Identity is a subset of the overall Secure Score that specifically measures identity-related security controls. It focuses on risks like compromised credentials, lateral movement, and domain dominance. The main Secure Score covers all Microsoft 365 workloads including email, SharePoint, and devices. They are related but address different scopes.
Your overall Secure Score might be 70, but your Secure Score for Identity might be 55, indicating that identity controls need more attention.
Azure Secure Score is part of Microsoft Defender for Cloud and measures the security posture of your Azure resources like virtual machines, databases, and storage accounts. Microsoft 365 Secure Score is for Microsoft 365 services. They are separate tools for different cloud environments. An organization using both Azure and Microsoft 365 will have two different scores.
You manage your Azure virtual machines using Azure Secure Score in Defender for Cloud. You manage your Exchange Online security using Microsoft 365 Secure Score in the Microsoft 365 Defender portal.
Intune compliance policies enforce device-level requirements like requiring a PIN or encryption. Secure Score checks if those policies are configured and assigned. Secure Score is the overall score, while compliance policies are specific actions that can improve the score. They are not the same thing; compliance policies are one type of improvement action contributing to the score.
Creating an Intune policy that requires a device PIN will raise your Secure Score because it checks that action as completed. But the policy itself is not the score; it is a component of it.
Must Know for Exams
Secure Score appears in three key Microsoft certification exams: MS-102 (Microsoft 365 Administrator), MS-900 (Microsoft 365 Fundamentals), and SC-900 (Microsoft Security, Compliance, and Identity Fundamentals). In each exam, the depth of coverage differs, but the core concept is tested.
For MS-102, Secure Score is a primary objective. This exam is for administrators who manage Microsoft 365 tenants. Candidates must know how to access Secure Score, interpret the score, and use improvement actions to enhance security posture. You may see scenario-based questions where you need to determine which improvement action to prioritize. Microsoft expects you to know the difference between Secure Score and Secure Score for Identity. Also, understand that Secure Score is found in the Microsoft 365 Defender portal, not in the Azure portal or the Microsoft 365 admin center. MS-102 questions often ask you to configure monitoring and reporting related to Secure Score. You might need to know how to export score data via PowerShell or Graph API. The exam also covers how to set up alerts when the score drops below a certain threshold.
For MS-900, Secure Score appears as a lighter supporting topic. This exam is for business decision makers and beginners. The questions are conceptual. You need to know what Secure Score measures, that it is a percentage out of 100, and that a higher score indicates a stronger security posture. You should also know that Secure Score provides recommendations for improvement. The exam does not require deep technical knowledge like PowerShell export or API integration. Instead, focus on the business value: Secure Score helps organizations track security improvements over time and compare against industry peers.
For SC-900, Secure Score is also a primary topic. This exam is all about security, compliance, and identity concepts. You must understand how Secure Score is calculated, what improvement actions are, and how to use the tool to prioritize security efforts. SC-900 goes deeper than MS-900. You might be asked to identify which security controls affect the score or to differentiate between Secure Score and Compliance Manager. Compliance Manager measures compliance with regulatory standards, while Secure Score measures security configuration. Confusing the two is a common trap. SC-900 exam questions often present a scenario where you need to choose the best action to raise the score. You may also need to know that enabling MFA has a high point value compared to other actions.
Across all three exams, the core idea is consistent: Secure Score helps you manage and improve your security posture. The key differences lie in the depth of technical detail required. MS-102 expects hands-on administration knowledge. SC-900 expects conceptual understanding with some technical context. MS-900 expects only high-level business understanding. When studying, focus on the functions of Secure Score, its location in the portal, the types of improvement actions, and the difference between Secure Score and similar tools like Compliance Manager.
Simple Meaning
Imagine you are the manager of a large apartment building. Your job is to make sure every apartment is safe. You check things like whether the front door locks automatically, if there are smoke detectors in every unit, and if the security cameras are working. You make a checklist of all the safety features you want to have. Then you walk through the building and see how many of those features are actually in place. You give your building a safety score out of 100. The closer you get to 100, the safer your building is.
Secure Score works the same way but for your company’s Microsoft 365 online services like email, Teams, and file storage. Microsoft gives you a checklist of security actions you can take. These actions include things like turning on multi-factor authentication, keeping software updated, and stopping old login methods. Secure Score measures how many of those actions your company has completed. It gives you a score out of 100. A score of 100 means you have done everything Microsoft recommends to be secure.
Your Secure Score goes up when you take recommended security actions. It goes down if you turn off a security feature or if Microsoft adds new recommendations. The goal is to always improve your score, but experts say 100% is very hard to reach because new recommendations keep coming. Instead, you should focus on the most important actions that protect your highest-risk data first. Secure Score helps you see exactly where you are weak so you can fix the biggest problems first.
Secure Score also lets you compare your score to other companies of similar size. This helps you know if you are doing better or worse than average. It is like knowing that your building’s safety score is higher than most other buildings in your city. That gives you confidence that your building is well protected.
Full Technical Definition
Secure Score is a security analytics service within the Microsoft 365 Defender portal. It quantifies an organization’s security posture based on system configuration, user behavior, and security feature adoption. The score is calculated using data collected from various Microsoft 365 workloads including Exchange Online, SharePoint Online, Microsoft Teams, Azure Active Directory (now Entra ID), and Microsoft Intune. Each security action, which Microsoft calls an improvement action, is assigned a point value. The total possible points change over time as Microsoft updates its security recommendations based on the threat landscape.
Secure Score works by evaluating the configuration of your Microsoft 365 tenant. It checks whether specific security controls are enabled or disabled. For example, one improvement action might be “Enable multi-factor authentication for all users.” If you have MFA enabled for all users, you earn the points for that action. If you have it enabled for only some users, you earn partial points. The score is presented as a percentage of total possible points. The service also tracks your score over time so you can see trends.
There are two main views: the basic Secure Score and the Secure Score for Identity. The basic Secure Score covers all Microsoft 365 security configuration. Secure Score for Identity is part of Microsoft Defender for Identity and focuses on identity-related risk factors. Both scores appear in the Microsoft 365 Defender portal under the “Secure Score” section. Improvement actions are categorized by priority: Critical, High, Medium, and Low. Each action includes a status indicator showing whether it is completed, partially completed, or not started.
Secure Score does not measure the absolute security of your environment. It measures how well you have implemented Microsoft’s recommended security configurations. A high score does not guarantee you are safe from all threats, but it strongly correlates with a lower risk of compromise. Microsoft uses telemetry from millions of tenants to validate that higher Secure Scores result in fewer security incidents. The scoring model is continuously refined. Actions that were once considered optional may become required as threats evolve.
Secure Score also supports third-party integrations through Microsoft Graph API. Organizations can export their Secure Score data for custom reporting. IT professionals can use PowerShell to retrieve score details and track improvement actions programmatically. This allows large enterprises to automate security posture reporting across multiple tenants. The tool is available to any Microsoft 365 customer with a subscription that includes Exchange Online, SharePoint Online, or Microsoft Teams. Premium features like Secure Score for Identity require additional licenses such as Microsoft 365 E5 or Microsoft Defender for Identity licenses.
Real-Life Example
Think of Secure Score like the safety rating you see on a new car. When you buy a car, independent organizations like the National Highway Traffic Safety Administration crash-test it and give it a star rating from one to five. Five stars means the car has excellent safety features like airbags, anti-lock brakes, and electronic stability control. The rating helps you compare different cars and pick the safest one. But even a five-star car can be dangerous if you drive recklessly or don’t wear your seatbelt. The rating only tells you about the built-in safety features, not how you drive.
Secure Score is exactly like that car safety rating but for your Microsoft 365 environment. Microsoft crash-tests your security settings and gives you a score out of 100. Just like a car’s rating considers multiple safety features, Secure Score checks many security controls. It checks if you have multi-factor authentication (like airbags), if you block legacy authentication (like anti-lock brakes), and if you have audit logging enabled (like a seatbelt reminder). The higher your score, the more built-in safety features your organization has turned on.
But here is the important part: a high Secure Score does not mean you are immune to every attack. It only means you have the recommended security features enabled. If your users click on phishing links despite those features, you can still get hacked. Secure Score is a measurement of your security configuration, not your security behavior. It is like a car having five stars but the driver speeding and texting. The car is designed to be safe, but the driver’s actions still create risk.
That said, Secure Score is incredibly useful. It gives you a starting point and a clear list of actions you can take to get safer. If you have a low score, you know you need to enable basic protections like MFA. If you have a high score, you can focus on more advanced controls like conditional access policies. Microsoft even provides a “Comparison” view so you can see how your score stacks up against others in your industry. It is like seeing the average safety rating for cars in your category and knowing if your car is above or below average.
Why This Term Matters
Secure Score matters because it gives IT teams a single, measurable number to track their security progress. Without Secure Score, it is hard to know if you are doing enough or where you should focus next. Security is complex, with hundreds of possible configurations across email, identity, devices, and apps. Secure Score cuts through that complexity by prioritizing the actions that have the biggest impact. It tells you exactly what to fix first.
For example, if you have a score of 40, Secure Score will show you that enabling multi-factor authentication for all users would add 10 points. That is a clear, actionable step. You can then track whether your score goes up after you enable MFA. This makes security improvements tangible. You can show your boss or your board that your security posture is improving over time. You can set goals like “reach a Secure Score of 80 by the end of the quarter.”
Secure Score also helps you justify security spending. If a new security tool costs money but Secure Score shows it would add 15 points, you can use that data to make the business case. It provides a common language between IT, security teams, and management. Everyone can understand “we need to increase our score from 60 to 75.”
Secure Score helps with compliance. Many regulatory frameworks like NIST or ISO 27001 require organizations to have certain security controls in place. Secure Score’s improvement actions often align with those controls. By following Secure Score recommendations, you naturally move toward compliance. Microsoft also uses Secure Score data to inform customers about new threats. If a new attack vector emerges, Microsoft may add a new improvement action. That immediately tells you what to do to protect against that threat.
Finally, Secure Score reduces the chance of a costly data breach. Microsoft has published research showing that organizations with higher Secure Scores experience fewer security incidents. While no tool can guarantee 100% safety, Secure Score is a proven way to reduce risk. For IT professionals, it is an essential part of their daily security management routine.
How It Appears in Exam Questions
Secure Score questions appear in several patterns across certification exams. The most common pattern is the scenario-based question. Here is an example: “Your organization has a Microsoft 365 tenant. The security team reports that the Secure Score is currently 45. You need to raise the score to at least 70 within the next month. Which action should you take first?” The correct answer is usually to enable multi-factor authentication for all users because that improvement action carries the highest point value. Wrong answers might include implementing a Conditional Access policy that applies only to admins or enabling mailbox auditing. These are good actions but do not raise the score as much or as quickly.
Another pattern is configuration questions. For example: “You need to view the improvement actions that will provide the highest point increase. Where should you look?” The answer is the Secure Score page in the Microsoft 365 Defender portal. A distractor might be the Microsoft 365 admin center or the Azure Active Directory blade. You need to know the exact location. Similarly, questions may ask how to export Secure Score data. The correct method is using the Microsoft Graph API or the Get-MpScores PowerShell cmdlet. They might ask which license is required for Secure Score for Identity. The answer is Microsoft 365 E5 or a standalone Microsoft Defender for Identity license.
Troubleshooting questions also appear. Example: “A user reports that the Secure Score has dropped by 5 points overnight. What could be the cause?” The correct answer could be that a security feature was disabled, a new improvement action was added by Microsoft, or a user group was removed from a policy. You need to know that the score is dynamic and changes with configuration changes and new recommendations. Wrong answers might blame user behavior or hardware issues, which do not directly affect the score.
There are also comparison questions. “Your organization’s Secure Score is 80. The average for organizations of your size is 75. What does this indicate?” The correct interpretation is that your security posture is above average, but you should still look for high-impact improvement actions. A distractor might claim that a score of 80 means you are completely secure, which is false. Another pattern: “You have a Secure Score of 85. A new improvement action is added that is worth 10 points. Your score now drops to 77. Why?” Because the total possible points increased, so your percentage decreased even though your configuration did not change.
Finally, questions may test your understanding of what Secure Score does NOT measure. For example: “Does Secure Score measure the number of phishing attacks your organization has received?” The answer is no. Secure Score measures configuration, not threat detection or incident volume. They might ask: “Can Secure Score guarantee your organization will not be breached?” The correct answer is no. It is a measure of your security posture, not an absolute defense. Being aware of these limitations is critical for exam success.
Practise Secure Score Questions
Test your understanding with exam-style practice questions.
Example Scenario
Contoso, Ltd. is a mid-sized company with 500 employees. They use Microsoft 365 Business Premium. The IT team recently attended a security workshop and learned about Secure Score. They log into the Microsoft 365 Defender portal and find their current Secure Score is 32 out of 100. They are alarmed because they thought they were reasonably secure. The score shows many improvement actions marked as “not started.” The highest priority action is “Enable multi-factor authentication for all users,” worth 15 points. Currently, MFA is only enabled for the IT team.
Maria, the IT manager, decides to start there. She works with her team to roll out MFA to all 500 users. They use Conditional Access policies to require MFA for all cloud apps. After two weeks, all users are registered for MFA and the policy is enforced. Maria checks Secure Score again. The score has increased to 47. The team feels a sense of accomplishment because they can directly see the impact of their work.
Next, Secure Score shows the action “Disable legacy authentication protocols” worth 10 points. Maria discovers that several applications still use Basic Authentication for email. She works with the developers to migrate those apps to Modern Authentication. After disabling legacy protocols, the score rises to 57. The team continues this process each month. They enable mailbox auditing, turn on audit log search, and configure data loss prevention policies. Over six months, their Secure Score climbs to 82.
However, the team learns that the score can also drop. One day, the score goes down from 82 to 79. Maria investigates and finds that Microsoft added a new improvement action related to Microsoft Teams meeting security. The new action is worth 3 points, but because they have not completed it, the total possible points increased, and their percentage went down. The team configures the new settings, and the score goes back up to 82. They now understand that Secure Score is a dynamic tool that requires ongoing attention. They set up weekly reviews and create a dashboard to track their progress.
Common Mistakes
Thinking a Secure Score of 100 means you are completely safe from all cyberattacks.
Secure Score only measures how well you have implemented Microsoft's security recommendations. It does not measure user behavior, threat detection, or third-party risks. A score of 100 indicates excellent configuration but does not guarantee that users will not click on a phishing link or that your network perimeter is secure.
Treat Secure Score as a measure of your security configuration posture, not a guarantee of absolute safety. Always layer Secure Score improvements with user training, endpoint protection, and incident response planning.
Confusing Secure Score with Compliance Manager.
Secure Score measures security configuration. Compliance Manager measures adherence to regulatory standards like GDPR, HIPAA, or ISO 27001. They are different tools in the Microsoft 365 Defender portal. A high Secure Score does not automatically mean you are compliant with a specific regulation.
Remember that Secure Score is about security health, Compliance Manager is about regulatory compliance. Use both tools for a complete picture, but understand their distinct purposes.
Assuming Secure Score updates instantly when you change a setting.
Secure Score data is not real-time. It can take up to 48 hours for configuration changes to reflect in your score. If you enable MFA and check the score immediately, it will not show the change yet. This can cause confusion and false conclusions.
Wait 24 to 48 hours after making a configuration change before expecting the Secure Score to update. Use the improvement action status to track completion, but check the score after the delay period.
Ignoring lower-point improvement actions because they seem less valuable.
Lower-point actions often address foundational security controls. For example, blocking legacy authentication may be worth only 5 points, but it closes a major attack vector. Attackers frequently exploit legacy protocols. Ignoring these actions leaves your environment vulnerable even if your overall score is high.
Prioritize actions based on risk and threat impact, not just point value. Use Secure Score as guidance, but always consider the security benefit of each action. A low-point action that blocks a common attack is worth doing even if it barely moves the score.
Exam Trap — Don't Get Fooled
{"trap":"A question asks: \"You need to improve your Secure Score. Which action would have the greatest immediate impact?\" A common wrong answer is \"Implement a data loss prevention policy.
\" In reality, enabling multi-factor authentication for all users typically gives the highest point increase.","why_learners_choose_it":"Data loss prevention sounds like a major security feature. Learners often think that the more complex the action, the more points it will earn.
They also may not realize that MFA is weighted heavily because it directly reduces the risk of account compromise.","how_to_avoid_it":"Learn that Microsoft weights improvement actions based on the risk they address. MFA is a critical control against identity theft, so it carries high point value.
DLP is important but often comes with lower points. When in doubt, think about security fundamentals: authentication, access control, and legacy protocol blocking usually have the highest impact on the score."
Step-by-Step Breakdown
Access the Secure Score dashboard
Log into the Microsoft 365 Defender portal (security.microsoft.com). In the left navigation, under 'Reports' or 'Security', select 'Secure Score'. This opens the main dashboard that shows your current score, historical trends, and a list of improvement actions. This is the starting point for all Secure Score activities.
Review your current score and historical trend
The dashboard shows your score as a percentage. Below it, a chart displays how your score has changed over the past 30, 90, or 365 days. This trend helps you understand if your security posture is improving or declining. A downward trend indicates that either configuration changes or new recommendations are lowering your score. This step helps you set a baseline.
Examine the improvement actions list
Scroll down to see all improvement actions. Each action has a status (completed, partially completed, not started), a point value, and a priority level (Critical, High, Medium, Low). The actions are sorted by point value by default, but you can filter by category like 'Identity', 'Device', 'Data', or 'Apps'. This step helps you identify which areas need attention.
Select an improvement action to view details
Click on an improvement action to open its detail pane. This shows a description of the action, the steps to implement it, the point value, and the current status. It also shows any dependencies (e.g., you must have a certain license) and an estimated effort level. This helps you plan your implementation work.
Implement the improvement action
Follow the instructions in the detail pane to make the configuration change. For example, if the action is 'Enable multi-factor authentication', you would go to Azure Active Directory > Security > Conditional Access and create a policy requiring MFA. After making the change, the status will update to 'Completed' or 'Partially completed' depending on whether it applies to all users.
Monitor the score update
Secure Score does not update instantly. Wait 24 to 48 hours. Then revisit the dashboard to confirm that your score has increased. If the score did not change, check if the action was marked as completed. Sometimes the action is fully completed but the score does not reflect it immediately due to the update delay. This step verifies your work had the intended impact.
Set up recurring reviews and alerts
Use the Secure Score dashboard to set a recurring schedule for reviewing your score, such as weekly or monthly. You can also configure alerts in Microsoft 365 to notify you when the score drops below a certain threshold or when new improvement actions are added. This ensures ongoing attention to your security posture.
Practical Mini-Lesson
Secure Score is more than just a number; it is a practical tool for daily security management. As an IT professional, you should integrate Secure Score into your regular workflow. Start by configuring Secure Score as a default tab in your Microsoft 365 Defender portal. Assign someone on your team to be the Secure Score owner. This person monitors the score, reviews new improvement actions, and coordinates implementation with other teams.
One of the most valuable features is the ability to compare your score against organizations of similar size and industry. This benchmarking helps you set realistic targets. If the average for your industry is 70 and you are at 55, you know you have significant room for improvement. You can use this data to justify budget requests for security tools or additional training.
When implementing improvement actions, do not try to do everything at once. That can overwhelm your users and disrupt operations. Instead, use the priority categories. Start with Critical and High actions. For example, if 'Disable legacy authentication' is listed as Critical, prioritize that over a Medium action like 'Enable mailbox audit logging'. Legacy authentication is a known attack vector that attackers exploit daily. Closing it immediately reduces your risk substantially.
Be aware of what can go wrong. Sometimes an improvement action might break an existing application. For instance, disabling legacy authentication can cause older email clients that use Basic Authentication to stop working. Before implementing, check with your application owners to ensure they have migrated to Modern Authentication. Have a rollback plan in case an application breaks. Secure Score is about improving security, but not at the cost of business continuity.
Another practical point: Secure Score does not cover every aspect of security. For example, it does not measure your incident response readiness or your user security awareness training. A high Secure Score is good, but it should be part of a broader security program. Use Secure Score alongside other tools like Microsoft Defender for Office 365, Microsoft Defender for Endpoint, and your own risk assessments.
Finally, use automation where possible. The Microsoft Graph API allows you to pull Secure Score data into your own dashboards. You can use PowerShell to get the list of improvement actions and their status. This is especially useful for managed service providers who need to track scores for multiple tenants. Automating the retrieval of Secure Score data helps you scale your security monitoring without adding manual work.
Memory Tip
Think of Secure Score as your security report card: MFA gets you the most extra credit, and the score updates two days after you turn in your homework.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
MS-102MS-102 →MS-900MS-900 →SC-900SC-900 →220-1102CompTIA A+ Core 2 →CS0-003CompTIA CySA+ →MD-102MD-102 →CDLGoogle CDL →ISC2 CCISC2 CC →Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
An AAAA record is a DNS record that maps a domain name to an IPv6 address, allowing devices to find each other over the internet using the newer IP addressing system.
Frequently Asked Questions
How often does Secure Score update?
Secure Score updates typically every 24 to 48 hours. If you make a configuration change, you will not see the impact on your score immediately. You need to wait for the next update cycle.
Can I get a Secure Score of 100?
Technically yes, but it is very difficult because Microsoft regularly adds new improvement actions as the threat landscape evolves. As soon as you reach 100, a new action might appear, causing your score to drop. It is better to focus on continuous improvement rather than a perfect score.
Is Secure Score available in all Microsoft 365 plans?
Secure Score is available in most subscription plans that include Exchange Online, SharePoint Online, or Microsoft Teams. However, advanced features like Secure Score for Identity require Microsoft 365 E5 or a standalone Microsoft Defender for Identity license.
Does Secure Score measure third-party security tools?
No, Secure Score only measures security configurations within Microsoft 365. It does not evaluate third-party antivirus, firewalls, or other non-Microsoft tools. However, you can use the Microsoft Graph API to incorporate third-party data into your own reporting.
What is the difference between Secure Score and the Microsoft 365 compliance score?
Secure Score measures security configuration. The compliance score (part of Compliance Manager) measures adherence to specific regulatory standards. They are separate tools with different purposes, though they both live in the Microsoft 365 Defender portal.
Can I compare my Secure Score with other organizations?
Yes, the Secure Score dashboard includes a comparison feature that shows your score relative to other organizations of similar size and industry. This helps you understand if your security posture is above or below average.
Summary
Secure Score is a core tool in Microsoft 365 that quantifies your organization’s security posture based on the security features you have enabled. It provides a clear, measurable number that makes security improvements tangible and trackable. For IT administrators, it is an essential part of daily operations because it prioritizes actions that reduce real-world risk. For exam candidates, understanding Secure Score is critical because it appears in Microsoft 365 security-related certifications at different depth levels.
The key takeaways are: Secure Score ranges from 0 to 100, with a higher score indicating better security configuration. It updates every 24 to 48 hours. The most impactful improvement actions are often related to identity protection, such as enabling multi-factor authentication and disabling legacy authentication. Secure Score is not a measure of absolute security; it is a measure of configuration. You must combine it with user training, threat detection, and incident response for full protection.
For exam success, remember that Secure Score lives in the Microsoft 365 Defender portal, not the Azure portal or admin center. It is different from Compliance Manager and from Azure Secure Score. When prioritizing improvement actions, think of risk impact rather than just point value. Practice interpreting scenario questions where you must choose the action that will raise the score the most. With this knowledge, you will be well prepared for MS-102, MS-900, and SC-900 exam questions related to Secure Score.