
Microsoft Entra Identity Secure Score

This chapter covers Microsoft Entra Identity Secure Score, a crucial tool for assessing and improving your identity security posture in Azure AD (now Microsoft Entra ID). For the AZ-500 exam, this topic appears in approximately 5-10% of questions within the Identity and Access Management domain (objective 1.4). Understanding how the secure score works, how to interpret it, and how to use it to prioritize security improvements is essential for passing the exam and for real-world security engineering.

Updated May 31, 2026

Home Security Audit Score

Imagine you own a house with multiple doors, windows, an alarm system, and security cameras. A home security auditor walks through your property and checks each security feature: Are all doors locked? Are windows secured? Is the alarm system armed when you're away? Do you have cameras covering all entry points? Each feature is scored based on best practices (e.g., deadbolt locks score higher than simple latches). The auditor then calculates an overall 'Home Security Score' from 0 to 100%. The score reflects how well you follow recommended security measures, not how many break-ins you've had. If your score is low, the auditor provides a list of specific improvements—like upgrading to smart locks or installing motion sensor lights—and estimates how much each action will raise your score. Over time, as you implement changes, the score increases. The key insight: the score measures adherence to best practices, not actual incidents. Similarly, Microsoft Entra Identity Secure Score measures how well your tenant follows Microsoft's identity security recommendations, not whether you've had a breach. It provides a numerical score (0-100%) and a prioritized list of improvement actions with score impact, helping you systematically improve your identity security posture.

How It Actually Works

What is Microsoft Entra Identity Secure Score?

Microsoft Entra Identity Secure Score is a security analytics tool that measures your tenant's identity security posture against Microsoft's recommended best practices. It provides a numerical score from 0% to 100% and a prioritized list of improvement actions. The higher the score, the more aligned your identity configuration is with security best practices. The tool is part of Microsoft Entra admin center under 'Identity Secure Score' (formerly Azure AD Identity Secure Score).

Why It Exists

Organizations often struggle to understand their identity security posture. The secure score provides a single, quantifiable metric that reflects how well you have implemented identity security controls such as multifactor authentication (MFA), conditional access policies, privileged identity management (PIM), and audit logging. It helps security teams identify gaps, track progress over time, and benchmark against industry standards.

How It Works Internally

Microsoft continuously evaluates your tenant's configuration against a set of predefined security controls. Each control represents a specific best practice, such as 'Enable MFA for all users' or 'Use least privileged roles in PIM'. For each control, Microsoft checks whether the recommended configuration is implemented. If fully implemented, the control contributes its maximum score; if partially implemented, it contributes a fraction; if not implemented, it contributes zero. The overall score is the sum of achieved points divided by the total possible points, expressed as a percentage.

Score calculation: Score = (Achieved points / Total possible points) * 100%. Points are weighted based on risk reduction. For example, enabling MFA for all users might be worth 20 points, while enabling passwordless authentication might be worth 5 points.

Improvement actions: Each control is listed as an improvement action with its current status (Not started, In progress, Completed), the score impact (points you gain by implementing it), and the number of users or objects affected.

Score history: The tool tracks your score over time, allowing you to see trends and the effect of changes.

Data source: The score is based on configuration data from your tenant, not on actual security events. It does not reflect whether a breach has occurred.

Key Components, Values, Defaults, and Timers

Score range: 0% to 100%. A higher score is better, but no maximum is guaranteed; Microsoft updates the controls and weights periodically.

Score refresh: The score is updated approximately every 24 hours. However, some changes may take up to 48 hours to reflect.

Control categories: Controls are grouped into categories such as Identity, Privileged Identity, and Monitoring & Analytics. Each category has a sub-score.

Default settings: By default, the secure score is available for all tenants with Azure AD Premium P1 or P2 licenses. Some controls require specific licenses (e.g., P2 for PIM).

Score impact: Each improvement action shows the potential score increase. For example, 'Enable MFA for all users' might show +10 points.

Status indicators: Each control has a status: 'Completed' (green check), 'In progress' (yellow), or 'Not started' (red).

Configuration and Verification Commands

You can access the secure score via the Microsoft Entra admin center (https://entra.microsoft.com) under 'Identity Secure Score'. There is no dedicated Azure CLI command to retrieve the score, but you can query the underlying data through Microsoft Graph, either directly or with the Graph PowerShell SDK. The identity controls are returned as part of the Microsoft Secure Score records, where each control score carries a control category (the identity ones are tagged 'Identity'). Example Graph API call to retrieve the score records (most recent first):

GET https://graph.microsoft.com/v1.0/security/secureScores

To get the control profiles that back the improvement actions (title, category, maximum score, remediation guidance):

GET https://graph.microsoft.com/v1.0/security/secureScoreControlProfiles

You can also use the Microsoft Graph PowerShell SDK; both calls need the SecurityEvents.Read.All permission:

Connect-MgGraph -Scopes "SecurityEvents.Read.All"
Get-MgSecuritySecureScore -Top 1
Get-MgSecuritySecureScoreControlProfile
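The following script is an added example (not Microsoft's code and not part of the original chapter) that applies the score formula and the improvement-action rules described above to the two Graph responses. It assumes the Graph secureScore and secureScoreControlProfile field names; the control ids, category labels and point values are constructed sample data, not captured from a tenant.

```python
"""Rank Identity Secure Score improvement actions from Microsoft Graph data.

Added example, not Microsoft's code. Field names follow the Graph secureScore
(currentScore, maxScore, controlScores[].controlName/controlCategory/score) and
secureScoreControlProfile (id, title, controlCategory, maxScore) resources; the
control ids, category labels and numbers below are constructed sample data.
"""
from collections import defaultdict

# Constructed: one record as returned by GET /security/secureScores, trimmed to five controls.
SAMPLE_SECURE_SCORE = {
    "currentScore": 20.0,
    "maxScore": 35.0,
    "controlScores": [
        {"controlName": "EnableMfaAllUsers", "controlCategory": "Identity", "score": 5.0},
        {"controlName": "BlockLegacyAuth", "controlCategory": "Identity", "score": 8.0},
        {"controlName": "PimRequireApproval", "controlCategory": "Privileged Identity", "score": 0.0},
        {"controlName": "UseLeastPrivilegedRoles", "controlCategory": "Privileged Identity", "score": 0.0},
        {"controlName": "EnableUserRiskPolicy", "controlCategory": "Monitoring & Analytics", "score": 7.0},
    ],
}

# Constructed: the matching records from GET /security/secureScoreControlProfiles.
SAMPLE_PROFILES = [
    {"id": "EnableMfaAllUsers", "title": "Enable MFA for all users", "controlCategory": "Identity", "maxScore": 10.0},
    {"id": "BlockLegacyAuth", "title": "Block legacy authentication", "controlCategory": "Identity", "maxScore": 8.0},
    {"id": "PimRequireApproval", "title": "Require approval for role activation", "controlCategory": "Privileged Identity", "maxScore": 5.0},
    {"id": "UseLeastPrivilegedRoles", "title": "Use least privileged roles", "controlCategory": "Privileged Identity", "maxScore": 5.0},
    {"id": "EnableUserRiskPolicy", "title": "Enable user risk policy", "controlCategory": "Monitoring & Analytics", "maxScore": 7.0},
]

def score_percent(secure_score):
    """Overall score as the page defines it: achieved / possible * 100, one decimal."""
    return round(100.0 * secure_score["currentScore"] / secure_score["maxScore"], 1)

def achieved_points(secure_score):
    """controlName -> points earned. A control missing from controlScores has not been evaluated yet."""
    return {c["controlName"]: float(c["score"]) for c in secure_score["controlScores"]}

def category_scores(secure_score, profiles):
    """Per-category (achieved, possible) pairs, i.e. the dashboard's category sub-scores."""
    achieved = achieved_points(secure_score)
    totals = defaultdict(lambda: [0.0, 0.0])
    for p in profiles:
        totals[p["controlCategory"]][0] += achieved.get(p["id"], 0.0)  # unevaluated -> 0 points
        totals[p["controlCategory"]][1] += float(p["maxScore"])
    return {cat: (got, possible) for cat, (got, possible) in totals.items()}

def improvement_actions(secure_score, profiles):
    """Improvement-action view: status plus remaining score impact, biggest gains first.

    Status follows the page's rule: full points -> Completed, zero -> Not started,
    anything between -> In progress (partial implementation earns partial points).
    """
    achieved = achieved_points(secure_score)
    actions = []
    for p in profiles:
        got, possible = achieved.get(p["id"], 0.0), float(p["maxScore"])
        status = "Completed" if got >= possible else ("Not started" if got == 0 else "In progress")
        actions.append({"title": p["title"], "category": p["controlCategory"],
                        "status": status, "impact": round(possible - got, 2)})
    # Largest remaining impact first, so the list doubles as a prioritisation of security work.
    return sorted(actions, key=lambda a: (-a["impact"], a["title"]))
```

Feeding the live `GET /security/secureScores` and `GET /security/secureScoreControlProfiles` payloads into the same functions gives the same view the dashboard shows, which is convenient for the CSV-style reporting mentioned later in the walk-through.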

Interaction with Related Technologies

Conditional Access: Many improvement actions involve configuring conditional access policies, such as requiring MFA or blocking legacy authentication.

Privileged Identity Management (PIM): Controls related to privileged roles (e.g., requiring approval for role activation) are tied to PIM.

Identity Protection: Some controls are based on risk policies (e.g., user risk policy, sign-in risk policy).

Audit logs: Controls related to audit logging (e.g., ensuring audit logs are retained) are checked.

Exam-Relevant Details

The secure score is not a real-time indicator; it refreshes daily.

It measures configuration, not breaches.

Some controls may require Azure AD Premium P2 licenses.

The score can be used to prioritize security investments based on potential score improvement.

Microsoft periodically updates the control list and weights, so your score may change even without configuration changes.

Trap Patterns

Trap: Candidates think the secure score reflects actual security incidents. Reality: It only measures configuration adherence to best practices.

Trap: Candidates assume a score of 100% means perfect security. Reality: No configuration can guarantee security; the score is based on a finite set of controls.

Trap: Candidates think the score updates instantly. Reality: It refreshes every 24-48 hours.

Trap: Candidates overlook that some controls require specific licenses (e.g., P2 for PIM-related controls).

Walk-Through

1. Access Identity Secure Score

Navigate to the Microsoft Entra admin center (https://entra.microsoft.com). Sign in with an account that has Global Administrator or Security Administrator role. Under 'Identity', select 'Identity Secure Score'. The dashboard displays your overall score, category scores, and a list of improvement actions. The score is calculated based on your tenant's current configuration, which is evaluated against Microsoft's security best practices. The dashboard also shows your score trend over time, allowing you to track improvements.

2. Review Improvement Actions

The 'Improvement actions' tab lists all available controls. Each action shows the name, current status (Not started, In progress, Completed), the potential score impact (points you can gain), and the number of users or objects affected. For example, 'Enable MFA for all users' might show a score impact of +10 points and affect 500 users. You can filter by status, category, or search for specific actions. Click on an action to see details, including the recommended configuration steps and the exact settings required.

3. Implement a Control

Select an improvement action to implement. The detail page provides step-by-step guidance. For example, to enable MFA for all users, you might need to create a conditional access policy that requires MFA for all cloud apps. After making the configuration change in your tenant, the secure score will reflect the change after the next refresh cycle (up to 24-48 hours). You can verify the change by checking the status of the improvement action; it should change to 'In progress' or 'Completed' after the refresh.

4. Monitor Score Changes

After implementing changes, monitor the score over time. The dashboard shows a score history graph. You can see how your score changes day by day. This helps you understand the impact of your security improvements. Also, note that Microsoft may add new controls or adjust weights, which can cause score fluctuations. Regularly review the improvement actions list to see if new recommendations appear.

5. Export and Report

You can export the improvement actions list to a CSV file for reporting or auditing purposes. In the Identity Secure Score dashboard, click 'Export' to download the list. This is useful for demonstrating compliance or tracking progress in security projects. The export includes the action name, status, score impact, and affected users. You can also use Microsoft Graph API to programmatically retrieve the data.

What This Looks Like on the Job

Enterprise Scenario 1: Large Financial Institution Implementing MFA

A bank with 20,000 employees wants to enforce MFA for all users. The security team uses Identity Secure Score to identify the 'Enable MFA for all users' improvement action. They see that it has a high score impact (e.g., +25 points). They create a conditional access policy requiring MFA for all cloud apps, but exclude a small group of service accounts that cannot use MFA. After implementation, the secure score shows the action as 'In progress' because not all users are covered due to the exclusions. The team then works to replace the service accounts with managed identities or certificate-based authentication to fully comply. Over time, the score increases, and the team uses the score trend to report to management on security posture improvement. Misconfiguration: If they accidentally exclude all users, the score won't improve, and the action remains 'Not started'.
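As an added example (not part of the original chapter and not Microsoft's code), the check below resolves a Conditional Access policy's user scope against a constructed directory and derives the status and partial points the scenario describes, including the case where the exclusion swallows every user. The policy dicts mirror the Graph conditionalAccessPolicy shape; the users, groups and policy values are constructed sample data.

```python
"""Check how many users an MFA Conditional Access policy actually covers.

Added example, not Microsoft's code. The policy dicts mirror the Microsoft Graph
conditionalAccessPolicy shape (state, conditions.users.includeUsers/includeGroups/
excludeUsers/excludeGroups, conditions.applications.includeApplications,
grantControls.builtInControls); users, groups and policies are constructed samples.
"""

# Constructed tenant: eight member users, two of them service accounts.
USERS = {f"u{i}" for i in range(1, 9)}
GROUPS = {
    "svc-accounts": {"u7", "u8"},   # service accounts that cannot complete MFA
    "everyone": set(USERS),         # a dynamic 'all users' group
}

# Scenario 1 as intended: MFA for all cloud apps, only the service accounts excluded.
POLICY_EXCLUDE_SERVICE_ACCOUNTS = {
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeGroups": ["svc-accounts"]},
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {"builtInControls": ["mfa"]},
}

# The misconfiguration the scenario warns about: the exclusion swallows every user.
POLICY_EXCLUDES_EVERYONE = {
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeGroups": ["everyone"]},
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {"builtInControls": ["mfa"]},
}

# A report-only policy is evaluated but never enforces MFA.
POLICY_REPORT_ONLY = dict(POLICY_EXCLUDE_SERVICE_ACCOUNTS, state="enabledForReportingButNotEnforced")

def covered_users(policy, users, group_members):
    """Users the policy's user condition resolves to: include set minus exclude set."""
    cond = policy["conditions"]["users"]
    included = set(users) if "All" in cond.get("includeUsers", []) else set(cond.get("includeUsers", []))
    for gid in cond.get("includeGroups", []):
        included |= group_members.get(gid, set())
    excluded = set(cond.get("excludeUsers", []))
    for gid in cond.get("excludeGroups", []):
        excluded |= group_members.get(gid, set())
    return (included & set(users)) - excluded

def mfa_control_status(policy, users, group_members, max_points):
    """Status and points for 'Enable MFA for all users' under the page's rules.

    Points scale with the fraction of users covered; a disabled or report-only
    policy, one without the mfa grant, or one not targeting all apps earns nothing.
    """
    conds = policy["conditions"]
    enforced = (policy.get("state") == "enabled"
                and "mfa" in policy.get("grantControls", {}).get("builtInControls", [])
                and "All" in conds.get("applications", {}).get("includeApplications", []))
    covered = covered_users(policy, users, group_members) if enforced else set()
    fraction = len(covered) / len(users) if users else 0.0
    status = "Completed" if fraction >= 1 else ("Not started" if fraction == 0 else "In progress")
    return {"status": status, "covered": len(covered), "total": len(users),
            "points": round(max_points * fraction, 2)}
```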

Enterprise Scenario 2: Healthcare Provider Managing Privileged Roles

A hospital uses Azure AD Privileged Identity Management (PIM) to manage privileged roles. The secure score includes controls like 'Require approval for role activation' and 'Use least privileged roles'. The IT team reviews the improvement actions and sees that they have not configured approval for role activation. They enable approval workflows in PIM, which adds a score impact of +5 points. However, they also notice a control 'Do not use permanent privileged roles' which requires that all privileged assignments are eligible (not permanent). They convert all permanent assignments to eligible, which further increases the score. The team uses the score to justify the investment in PIM licenses. Common pitfall: They might ignore the 'Use least privileged roles' control because it requires restructuring assignments, which is complex; the exam nonetheless tests that this control exists and why it matters.

Scenario 3: Retail Company Monitoring and Analytics

A retail company wants to improve its monitoring and analytics posture. The secure score includes controls like 'Ensure audit logs are retained for at least 30 days' and 'Enable sign-in risk policy'. The security team uses the improvement actions list to configure diagnostic settings to send logs to a Log Analytics workspace with retention of 30+ days. They also enable Identity Protection sign-in risk policy to block risky sign-ins. After implementation, the score increases. However, they miss the control 'Ensure there are no unused identities' which checks for stale users. The exam often tests that unused identities can lower your score. The team later runs a user cleanup script to disable dormant accounts, further improving the score.

How AZ-500 Actually Tests This

What AZ-500 Tests on This Topic (Objective 1.4)

The AZ-500 exam specifically tests your understanding of:

The purpose and limitations of Identity Secure Score.

How to interpret the score and improvement actions.

The relationship between secure score and other identity security features (Conditional Access, PIM, Identity Protection).

The fact that the score refreshes every 24-48 hours (not real-time).

That some controls require Azure AD Premium P2 licenses.

That the score measures configuration, not actual incidents.

Common Wrong Answers and Why Candidates Choose Them

1. Wrong answer: 'The secure score indicates the number of security incidents in your tenant.' Why chosen: Candidates confuse 'security score' with 'security incidents' or 'risk score'. Reality: The secure score is a configuration posture metric, not an incident count.

2. Wrong answer: 'The score updates in real time.' Why chosen: Many Azure metrics are near real-time, but the secure score is not. Reality: It refreshes every 24-48 hours.

3. Wrong answer: 'A score of 100% means your tenant is completely secure.' Why chosen: 100% sounds perfect, but it only means you have implemented all current controls. Reality: New controls can be added, and security is never absolute.

4. Wrong answer: 'All improvement actions are available in any tenant.' Why chosen: Candidates assume all features are available by default. Reality: Some actions require specific licenses (e.g., P2 for PIM-related actions).

Specific Numbers, Values, and Terms That Appear on the Exam

Score range: 0% to 100%.

Refresh interval: 24-48 hours.

License requirement: Azure AD Premium P1 or P2 (some controls need P2).

Common improvement actions: 'Enable MFA for all users', 'Use least privileged roles', 'Require approval for role activation', 'Block legacy authentication', 'Enable user risk policy'.

Terms: 'Improvement actions', 'Score impact', 'Score history', 'Category scores'.

Edge Cases and Exceptions the Exam Loves to Test

New tenants: A new tenant with default settings may have a low score because many best practices are not configured. The exam might ask what the initial score would be (likely near 0%).

Licensing: If a tenant has only Azure AD Free, the secure score is not available. The exam might test that you need at least P1.

Partial implementation: If you enable MFA for 50% of users, the control shows 'In progress' and contributes partial points. The exam might ask about the score impact.

Control removal: Microsoft may retire or add controls. The exam might test that the score can change without configuration changes.

How to Eliminate Wrong Answers Using the Underlying Mechanism

If a question asks about real-time updates, remember the 24-48 hour refresh cycle.

If a question implies the score measures breaches, remember it measures configuration.

If a question suggests all controls are free, recall that P2 licenses are needed for some.

Use the mechanism: The score is a weighted sum of implemented controls. If a control is partially implemented, it contributes partial points. This helps eliminate answers that claim full points for partial implementation.

Key Takeaways

Identity Secure Score measures configuration adherence to best practices, not security incidents.

The score refreshes every 24-48 hours, not in real time.

A higher score indicates better alignment with Microsoft's identity security recommendations.

Some improvement actions require Azure AD Premium P2 licenses (e.g., PIM-related controls).

The score can be used to prioritize security investments based on potential score impact.

Partial implementation of a control yields partial points.

Microsoft periodically updates the control list and weights, which can change your score even without configuration changes.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Identity Secure Score

Focuses exclusively on identity security in Microsoft Entra ID.

Provides improvement actions specific to identity configuration (MFA, PIM, etc.).

Score range 0-100% based on identity controls.

Requires Azure AD Premium P1 or P2 license.

Accessed via Microsoft Entra admin center.

Microsoft Secure Score (for all workloads)

Covers multiple workloads: identity, apps, devices, data, infrastructure.

Includes identity-related controls plus controls for Microsoft 365, Azure, etc.

Overall score across all workloads, with sub-scores per workload.

Available in Microsoft 365 Defender portal with appropriate licenses.

Provides a broader view of security posture across the organization.

Watch Out for These

Mistake

The Identity Secure Score updates in real time when you make a configuration change.

Correct

The score refreshes every 24-48 hours. Changes made today may not be reflected until the next day or even two days later.

Mistake

A score of 100% means your identity security is perfect and cannot be improved.

Correct

A 100% score means you have implemented all currently recommended controls, but Microsoft periodically adds new controls, and security is an ongoing process. No configuration guarantees perfect security.

Mistake

The secure score measures the number of security incidents or breaches in your tenant.

Correct

The secure score is based solely on your configuration against best practices. It does not consider actual security events or incidents.

Mistake

All improvement actions are available for any Azure AD tenant regardless of license.

Correct

Some improvement actions require Azure AD Premium P2 licenses, such as those related to Privileged Identity Management (PIM) and Identity Protection risk policies.

Mistake

The secure score is a single number that applies to the entire tenant equally.

Correct

The score is a composite of category scores (e.g., Identity, Privileged Identity, Monitoring). You can drill down into each category to see specific weaknesses.


Frequently Asked Questions

How often does the Identity Secure Score update?

The Identity Secure Score updates approximately every 24 to 48 hours. Changes you make to your tenant configuration are not reflected in the score immediately. You need to wait for the next refresh cycle to see the updated score and improvement action statuses.

What is the difference between Identity Secure Score and Microsoft Secure Score?

Identity Secure Score is a subset of Microsoft Secure Score focused only on identity security within Microsoft Entra ID. Microsoft Secure Score covers multiple workloads including identity, apps, devices, data, and infrastructure. Identity Secure Score is found in the Microsoft Entra admin center, while Microsoft Secure Score is in the Microsoft 365 Defender portal.

Can I get a 100% Identity Secure Score?

Yes, it is possible to achieve a 100% score by implementing all currently available improvement actions. However, Microsoft may add new controls over time, which could lower your score if you don't implement them. A 100% score does not mean you are immune to security threats; it only indicates strong adherence to current best practices.

Do I need any special license to view or use Identity Secure Score?

Yes, you need at least Azure AD Premium P1 licenses to access Identity Secure Score. Some improvement actions, such as those related to Privileged Identity Management (PIM) and Identity Protection, require Azure AD Premium P2 licenses.

How can I export the list of improvement actions?

In the Identity Secure Score dashboard, you can click the 'Export' button to download the improvement actions list as a CSV file. You can also use Microsoft Graph API to programmatically retrieve the data: GET https://graph.microsoft.com/v1.0/security/secureScores returns the score and the per-control scores, and GET https://graph.microsoft.com/v1.0/security/secureScoreControlProfiles returns the control details behind each improvement action.

Does the Identity Secure Score consider whether a user has actually used MFA?

No, the score only checks whether MFA is configured as a requirement (e.g., through conditional access policy). It does not verify if users have registered for MFA or if they have actually used it. However, there are separate improvement actions for user registration status.

What happens to my score if I partially implement a control?

If you partially implement a control, it will contribute a fraction of the total possible points. For example, if a control is worth 10 points and you have implemented it for 50% of users, you might get 5 points. The control status will show as 'In progress' until fully implemented.
