This chapter covers Microsoft Secure Score, a key component of security operations in Microsoft 365 and Azure. It explains how Secure Score measures your security posture, provides actionable recommendations, and helps prioritize improvements. For the AZ-500 exam, Secure Score is tested under Objective 4.3 (Manage security posture), typically appearing in 5-10% of questions. You'll need to understand how scores are calculated, how to interpret improvement actions, and how to use the tool to track progress over time.
Think of Microsoft Secure Score like a comprehensive safety inspection for a car. Your car (tenant) has many systems: brakes (identity security), airbags (data protection), seatbelts (app governance), and headlights (network security). The inspection checklist (Secure Score) contains dozens of specific items, each worth a certain number of safety points. For example, installing anti-lock brakes might earn 5 points, while ensuring all seatbelts are functional earns 3 points. You don't have to do every item—some may be optional or not applicable—but the more you complete, the higher your overall safety score. The inspection also provides recommendations: if your brake pads are worn, it tells you exactly how to replace them and how many points you'll gain. As you fix items, your score increases. However, if you later disable a safety feature (e.g., remove anti-lock brakes), your score drops. The goal is not necessarily 100%—some items may be too costly or not needed—but a higher score means a safer car. Similarly, Secure Score measures your security posture and guides you to improve it, but you must balance security with business needs.
What is Microsoft Secure Score?
Microsoft Secure Score is a measurement of an organization's security posture across Microsoft 365 services, including Azure Active Directory (Azure AD), Microsoft Defender for Office 365, Microsoft Defender for Identity, and more. It is found in the Microsoft 365 Defender portal (security.microsoft.com) and the Azure Security Center (now Microsoft Defender for Cloud). Secure Score provides a numerical score (0 to 100, or a percentage for some views) based on how many security controls are implemented. The higher the score, the better your security posture.
How Secure Score Works Internally
Secure Score evaluates your tenant against a set of improvement actions—specific security configurations or activities that reduce risk. Each improvement action has a maximum point value based on its importance, likelihood of breach, potential impact, and the number of users/devices affected. Points are awarded proportionally: if an action applies to 100 users and you have configured it for 70, you get 70% of the points. The score is calculated as:
Secure Score = (Achieved Points / Total Possible Points) * 100
Total possible points exclude actions that are not applicable (e.g., actions for services you don't subscribe to). The score updates every 24 hours or when you manually refresh.
Key Components
Improvement actions: Specific tasks like enabling multi-factor authentication (MFA), turning on audit logging, or configuring conditional access policies. Each has a category (Identity, Data, Device, Apps, Infrastructure), a point value, and an implementation status (Not started, In progress, Completed, Alternative risk accepted).
Score history: A graph showing your score over time (up to 90 days).
Comparison: Your score vs. other organizations of similar size/industry (anonymized).
License requirements: Some actions require specific licenses (e.g., Microsoft 365 E5). Secure Score shows which actions are available based on your licenses.
Categories: Identity, Data, Device, Apps, Infrastructure.
How Scores Are Calculated
Each improvement action has a maximum score determined by:
- Impact on security posture: High impact actions get more points.
- Implementation difficulty: Easier actions may have fewer points but are quick wins.
- Coverage: Actions that protect more users/devices have higher potential points.
For example, enabling MFA for all users might be worth 10 points, while turning on auditing for SharePoint might be worth 2 points. If you have MFA enabled for 50% of users, you get 5 points. The total possible score is the sum of all maximum points for applicable actions.
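A worked model of the calculation described above, added here as an example (not Microsoft's code or the page's own): each action earns points in proportion to its coverage, while actions that are not applicable or carry the "Alternative risk accepted" status listed under Key Components drop out of the denominator. The class, function and action names are my own, and the tenant data is constructed.

```python
from dataclasses import dataclass, replace

# Statuses that remove an action from the total possible points (see Key Components).
EXCLUDED_STATUSES = {"Alternative risk accepted", "Not applicable"}

@dataclass(frozen=True)
class ImprovementAction:
    name: str
    category: str        # Identity, Data, Device, Apps or Infrastructure
    max_points: float
    status: str          # Not started, In progress, Completed, ...
    covered: int = 0     # users/devices the control is configured for
    total: int = 0       # users/devices the control applies to

    def achieved_points(self) -> float:
        """Points earned: proportional to coverage, zero if excluded or nothing covered."""
        if self.status in EXCLUDED_STATUSES or self.total == 0:
            return 0.0
        return self.max_points * min(self.covered, self.total) / self.total

    def possible_points(self) -> float:
        """Points counted in the denominator: zero once the action is excluded."""
        return 0.0 if self.status in EXCLUDED_STATUSES else self.max_points

def secure_score(actions: list) -> float:
    """Secure Score = achieved points / total possible points * 100, one decimal."""
    possible = sum(a.possible_points() for a in actions)
    if possible == 0:
        return 0.0
    return round(sum(a.achieved_points() for a in actions) / possible * 100, 1)

def accept_risk(actions: list, name: str) -> list:
    """Copy of the list with one action marked as risk accepted (denominator shrinks)."""
    return [replace(a, status="Alternative risk accepted") if a.name == name else a
            for a in actions]

def set_coverage(actions: list, name: str, covered: int) -> list:
    """Copy of the list with one action's coverage changed (e.g. MFA disabled for some users)."""
    return [replace(a, covered=covered) if a.name == name else a for a in actions]

# Constructed sample tenant: MFA on for half the users, SharePoint auditing done,
# legacy auth still allowed, and a device action for a service the tenant does not use.
SAMPLE_ACTIONS = [
    ImprovementAction("Require MFA for all users", "Identity", 10, "In progress", 50, 100),
    ImprovementAction("Turn on SharePoint auditing", "Data", 2, "Completed", 1, 1),
    ImprovementAction("Block legacy authentication", "Identity", 8, "Not started", 0, 100),
    ImprovementAction("Require compliant devices", "Device", 5, "Not applicable"),
]

if __name__ == "__main__":
    print(secure_score(SAMPLE_ACTIONS))                                                # 7/20 -> 35.0
    print(secure_score(accept_risk(SAMPLE_ACTIONS, "Block legacy authentication")))    # 7/12 -> 58.3
    print(secure_score(set_coverage(SAMPLE_ACTIONS, "Require MFA for all users", 0)))  # 2/20 -> 10.0
```

The three printed values show the exam cases in order: partial coverage counts proportionally, accepting risk raises the percentage by shrinking the denominator, and disabling a control lowers it.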
Configuration and Monitoring
You access Secure Score via:
Microsoft 365 Defender portal: https://security.microsoft.com/securescore
Microsoft Defender for Cloud: https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/SecureScore
You can filter by category, status, or license. For each improvement action, you see:
Description of the action
Steps to implement
Points achieved and maximum
Status
Related users/devices
There is no command-line tool to directly change Secure Score; you implement the underlying security controls via Azure AD, Intune, Defender, etc. However, you can query Secure Score via the Microsoft Graph API:
GET https://api.security.microsoft.com/api/securescores
Interaction with Related Technologies
Secure Score integrates with:
- Microsoft Defender for Cloud: Provides a unified view of security posture across Azure, on-premises, and other clouds. The Defender for Cloud Secure Score is similar but focused on cloud workloads.
- Azure AD Identity Protection: Actions related to identity security (like MFA, risky user policies) appear in Secure Score.
- Microsoft Defender for Office 365: Actions for email and collaboration security.
- Microsoft Intune: Device compliance and management actions.
- Microsoft Compliance Manager: Separate but complementary tool for regulatory compliance.
Default Values and Timers
Score refresh: Every 24 hours automatically, or manual refresh via the portal.
Improvement actions can take up to 48 hours to reflect after implementation.
Some actions have prerequisites (e.g., require a specific license or role).
Exam-Relevant Details
Secure Score is not a compliance tool; it measures security posture.
It is available in both Microsoft 365 Defender and Defender for Cloud (formerly Azure Security Center).
The score is a percentage of achieved points over total possible points.
Points decay if you disable a control.
You can accept risk for an action, which excludes it from the total possible points (but still shows as "Risk accepted").
The exam may ask about which actions are available based on license (e.g., some require Microsoft 365 E5).
Common Misconfigurations
Not reviewing improvement actions regularly.
Ignoring high-impact actions due to complexity.
Assuming 100% score is the goal (it's not; risk acceptance is valid).
Not understanding that Secure Score only measures configurations, not actual attacks.
Verification Commands (via Graph API)
# Install the Microsoft Graph PowerShell module
Install-Module -Name Microsoft.Graph
# Sign in with a scope that can read Secure Score data
Connect-MgGraph -Scopes "SecurityEvents.Read.All"
# Get Secure Score
Get-MgSecuritySecureScore
This returns the current score, maximum score, and other details. For improvement actions:
Get-MgSecuritySecureScoreControlProfile
These commands are useful for automation and reporting but are not directly tested on AZ-500.
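The two cmdlets above wrap the Microsoft Graph resources GET /v1.0/security/secureScores and GET /v1.0/security/secureScoreControlProfiles. The script below is an added example (not the page's or Microsoft's code) of the reporting the chapter mentions: it joins a score's per-control results to the control profiles and ranks the points still available, which is the "sort by points" prioritisation described later for the portal. The JSON is a constructed sample; it uses only the resource fields currentScore, maxScore, controlScores[].controlName/score and profile id, title, maxScore and deprecated, and the control names are made up.

```python
import json
from urllib.request import Request, urlopen

GRAPH = "https://graph.microsoft.com/v1.0/security"

def graph_get(path: str, token: str) -> dict:
    """Call Graph with a bearer token granted SecurityEvents.Read.All (not used offline)."""
    req = Request(f"{GRAPH}/{path}", headers={"Authorization": f"Bearer {token}"})
    with urlopen(req) as resp:
        return json.load(resp)

def score_percent(secure_score: dict) -> float:
    """Secure Score as the chapter defines it: currentScore / maxScore * 100."""
    return round(secure_score["currentScore"] / secure_score["maxScore"] * 100, 1)

def remaining_gaps(secure_score: dict, profiles: list) -> list:
    """Join controlScores to control profiles by control name and return
    (title, points still available) pairs, largest gap first.
    Deprecated profiles are skipped because they no longer count."""
    by_id = {p["id"]: p for p in profiles if not p.get("deprecated", False)}
    gaps = []
    for cs in secure_score["controlScores"]:
        profile = by_id.get(cs["controlName"])
        if profile is None:
            continue
        missing = profile["maxScore"] - cs["score"]
        if missing > 0:
            gaps.append((profile["title"], round(missing, 1)))
    return sorted(gaps, key=lambda g: g[1], reverse=True)

# Constructed sample responses: one secureScore object and the matching profiles.
SAMPLE_SCORE = {
    "currentScore": 7.0, "maxScore": 20.0,
    "controlScores": [
        {"controlName": "SampleMfaAllUsers", "controlCategory": "Identity", "score": 5.0},
        {"controlName": "SampleBlockLegacyAuth", "controlCategory": "Identity", "score": 0.0},
        {"controlName": "SampleSpoAuditing", "controlCategory": "Data", "score": 2.0},
        {"controlName": "SampleRetired", "controlCategory": "Apps", "score": 0.0},
    ],
}
SAMPLE_PROFILES = [
    {"id": "SampleMfaAllUsers", "title": "Require MFA for all users", "maxScore": 10.0},
    {"id": "SampleBlockLegacyAuth", "title": "Block legacy authentication", "maxScore": 8.0},
    {"id": "SampleSpoAuditing", "title": "Turn on SharePoint auditing", "maxScore": 2.0},
    {"id": "SampleRetired", "title": "Retired control", "maxScore": 3.0, "deprecated": True},
]

if __name__ == "__main__":
    # Live use: score = graph_get("secureScores?$top=1", token)["value"][0]
    print(f"Secure Score: {score_percent(SAMPLE_SCORE)}%")  # 35.0
    for title, pts in remaining_gaps(SAMPLE_SCORE, SAMPLE_PROFILES):
        print(f"{pts:5.1f} pts still available: {title}")
```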
Access Secure Score Portal
Navigate to the Microsoft 365 Defender portal (security.microsoft.com) and select Secure Score from the left navigation. Alternatively, use Defender for Cloud in Azure portal. Ensure you have the required permissions (Security Reader, Security Admin, or Global Reader). The portal displays your current score, score history, and top improvement actions.
Review Improvement Actions
Click on 'Improvement actions' to see a list of all available actions. Each action shows its category (Identity, Data, Device, Apps, Infrastructure), status, points achieved, maximum points, and implementation steps. Filter by status (e.g., 'Not started') to identify quick wins. Sort by points to prioritize high-impact actions.
Implement an Improvement Action
Select an action, e.g., 'Enable multi-factor authentication for all users'. Click 'Open' to go to the configuration page in Azure AD. Follow the steps to enable MFA via conditional access policies. After implementation, the action status updates to 'In progress' or 'Completed' within 48 hours. Your score will increase proportionally.
Accept Risk for an Action
If an action is not feasible, you can accept the risk. Click the three dots next to the action and select 'Accept risk'. Provide a justification. The action is then excluded from the total possible points, so your score does not decrease. However, it remains visible for audit purposes. This is important for the exam: risk acceptance does not lower your score but removes the action from the potential pool.
Monitor Score Over Time
Use the 'Score history' tab to view your score trend over the past 90 days. Compare your score to similar organizations (anonymized). Regularly review new improvement actions as Microsoft adds them. The exam may test that Secure Score updates every 24 hours and that manual refresh is possible. Also note that disabling a previously implemented control will decrease your score.
Enterprise Scenario 1: MFA Rollout
A large enterprise with 10,000 users wants to improve its security posture. The Secure Score shows a low score due to MFA not being enabled. The identity team creates a conditional access policy requiring MFA for all users. They implement it in stages: first for IT staff, then for executives, then for all users. After each stage, they check Secure Score to see the points increase. The score goes from 30 to 45 after full rollout. They also enable MFA for guest users, gaining additional points. The Secure Score helps justify the project to management by showing the quantifiable improvement.
Enterprise Scenario 2: Compliance vs. Security
A financial institution must comply with PCI DSS. They use Secure Score to identify gaps in data protection, such as unencrypted storage. They implement Azure Information Protection labels and enable auditing. However, some controls conflict with legacy applications. They use the 'Accept risk' feature for those specific actions, documenting the business reason. The Secure Score remains high because those actions are excluded. The compliance team also uses Compliance Manager for regulatory requirements, but Secure Score provides a broader security view.
Common Problems
Misinterpreting the score: A score of 70% does not mean 70% secure; it means 70% of recommended controls are implemented. Attackers may still exploit weaknesses not covered by Secure Score.
Over-reliance on Secure Score: Some organizations chase a high score without understanding the underlying risks. For example, enabling MFA is great, but if users can bypass it via trusted IPs, the score may still show points but the security is weaker.
Not updating after license changes: If a tenant adds E5 licenses, new improvement actions appear. The total possible points increase, so the score may drop temporarily. Teams must address these new actions to maintain the score.
Slow reflection: After implementing a control, the score may take up to 48 hours to update. This can cause confusion if teams expect immediate changes.
What AZ-500 Tests on Secure Score
Objective 4.3: Manage security posture. Specific focus: interpret Secure Score, recommend improvement actions, and understand score calculation. The exam expects you to know:
Secure Score is a percentage of achieved points over total possible points.
Improvement actions are specific configurations.
Risk acceptance removes an action from total possible points.
Score updates every 24 hours.
Secure Score is available in Microsoft 365 Defender and Defender for Cloud.
Common Wrong Answers
"Secure Score is a compliance score." Wrong – it measures security posture, not compliance. Compliance Manager is for regulatory compliance.
"Accepting risk reduces your score." Wrong – it excludes the action from total possible points, so your score does not decrease (it may even increase slightly because the denominator shrinks).
"Secure Score updates in real time." Wrong – it updates every 24 hours (or on manual refresh).
"You need Global Admin to view Secure Score." Wrong – Security Reader or Security Admin is sufficient.
Specific Numbers and Terms
Score range: 0 to 100 (or percentage).
Update interval: 24 hours.
Improvement action categories: Identity, Data, Device, Apps, Infrastructure.
Possible statuses: Not started, In progress, Completed, Alternative risk accepted.
The exam may present a scenario where an action is partially implemented and ask for the score contribution (proportional).
Edge Cases
If a license is removed, improvement actions may become unavailable, and total possible points decrease, potentially increasing the score.
If an action is marked as 'Not applicable' (e.g., because the service is not used), it is excluded from total possible points.
The exam might ask about the difference between Secure Score in Defender for Cloud vs. Microsoft 365 Defender. Defender for Cloud focuses on cloud workload protection (VMs, databases), while Microsoft 365 Defender covers identity, email, and collaboration.
How to Eliminate Wrong Answers
If an answer says 'Real-time' or 'Immediate', it's likely wrong because Secure Score updates every 24 hours.
If an answer says 'Compliance', it's probably wrong unless the question explicitly ties to regulatory standards.
If an answer says 'Global Admin required', check if a lesser role suffices (Security Admin).
If an answer involves 'deleting' an improvement action, remember you can only accept risk, not delete.
For calculation questions: Achieved Points / Total Possible Points * 100.
Secure Score is a percentage of achieved points over total possible points for applicable improvement actions.
Score updates every 24 hours; manual refresh is available.
Improvement actions are specific security configurations you can implement.
Accepting risk for an action removes it from total possible points, not decreasing your score.
Secure Score is available in both Microsoft 365 Defender and Defender for Cloud.
You need Security Reader or Security Admin to view Secure Score; Global Admin not required.
The goal is not 100% but a score that aligns with your risk tolerance.
These come up on the exam all the time. Here's how to tell them apart.
Microsoft Secure Score
Measures security posture based on improvement actions
Score is a percentage of achieved vs. total possible points
Focuses on security configurations (MFA, auditing, etc.)
Available in Microsoft 365 Defender and Defender for Cloud
Risk acceptance excludes actions from score calculation
Microsoft Compliance Manager
Measures compliance with regulatory standards (e.g., GDPR, HIPAA)
Score is based on actions mapped to specific controls and regulations
Focuses on compliance requirements and evidence collection
Available in Microsoft 365 compliance center
Actions can be marked as 'Alternative controls' or 'Not applicable'
Mistake
Secure Score is a real-time security monitoring tool.
Correct
Secure Score is a posture measurement tool that updates every 24 hours, not real-time. It reflects configurations, not ongoing attacks.
Mistake
Accepting risk for an improvement action decreases your Secure Score.
Correct
Accepting risk excludes the action from total possible points, so your score does not decrease. The denominator shrinks, potentially increasing the score percentage.
Mistake
A 100% Secure Score means your organization is perfectly secure.
Correct
A 100% score means you have implemented all applicable improvement actions, but this does not guarantee protection against all threats. Security is more than configuration; it includes user behavior, threat intelligence, and incident response.
Mistake
Secure Score is only available in Microsoft 365 Defender.
Correct
Secure Score is also available in Microsoft Defender for Cloud (formerly Azure Security Center) for cloud workloads. Both provide similar functionality but focus on different scopes.
Mistake
You need a Global Administrator role to view and manage Secure Score.
Correct
Security Reader can view scores and improvement actions; Security Admin can implement changes. Global Admin is not required.
Secure Score in Microsoft 365 Defender focuses on identity, data, devices, apps, and infrastructure related to Microsoft 365 services (e.g., Exchange, SharePoint, Teams). Defender for Cloud's Secure Score focuses on cloud workload protection: VMs, databases, storage accounts, and other Azure resources. Both use the same concept but cover different scopes. For AZ-500, know that both exist and that they are separate scores.
Accepting risk removes the action from the total possible points calculation. Your achieved points stay the same, but the denominator shrinks, so your score percentage may increase slightly. Your score does not decrease. This is a common exam point: risk acceptance is a legitimate way to handle actions you cannot implement.
Secure Score updates automatically every 24 hours. You can also manually refresh by clicking the refresh button in the portal. After implementing an improvement action, it may take up to 48 hours for the score to reflect the change. The exam tests that it is not real-time.
You need at least the Security Reader role to view Secure Score and improvement actions. Security Admin can also implement changes. Global Admin is not required. This is a common exam question—candidates often think Global Admin is needed.
Secure Score is primarily a security posture tool, not a compliance tool. For regulatory compliance, use Microsoft Compliance Manager, which maps controls to specific regulations. Secure Score can help improve security, which may indirectly support compliance, but it does not provide compliance evidence or reporting.
Your achieved points decrease by the proportional amount for that control, and your score goes down. For example, if you disable MFA for some users, the points for that improvement action decrease. The score updates within 24 hours.
New improvement actions are added periodically by Microsoft. Also, some actions may require licenses you don't have, but they are included in total possible points if applicable. Check for new actions or actions marked as 'Not started' that you may have missed.