This chapter covers how to assess and improve your Microsoft 365 security posture using Secure Score, identity and device configuration baselines, threat analytics, and incident response readiness. For the MS-102 exam, approximately 15-20% of questions in the 'Security Threats' domain (Objective 3.1) focus on posture improvement, including interpreting Secure Score, implementing security baselines, and using Microsoft 365 Defender recommendations. Mastering these concepts is critical because they form the foundation for proactive threat mitigation and compliance in enterprise environments.
Imagine your house has a home security system with sensors on doors, windows, and motion detectors. A security auditor visits and gives you a score out of 100 based on how many sensors are active and properly configured. You can improve your score by enabling more sensors, setting stronger alarm codes, or adding cameras. However, some improvements might be too expensive or inconvenient—like installing a reinforced safe in every room. The auditor doesn't force you to make changes, but you can see exactly which actions raise your score and by how much. In Microsoft 365, Secure Score works identically: it audits your tenant's security posture based on recommended actions (like enabling multi-factor authentication or auditing logs), assigns points per action, and calculates a percentage score. Just as you can ignore the auditor's advice, you can choose not to implement certain actions. The score reflects your overall security level, and you can track improvement over time. Microsoft 365 Secure Score is the auditor, not the police—it measures and advises, but doesn't enforce compliance.
What is Security Posture and Why It Matters
Security posture refers to the overall cybersecurity strength of an organization, encompassing policies, controls, and configurations that defend against threats. In Microsoft 365, posture improvement is a continuous process of measuring current security state, identifying gaps, and implementing controls to reduce risk. The exam tests your ability to use tools like Microsoft Secure Score, identity secure score, and device configuration baselines to systematically harden a tenant.
Microsoft Secure Score: The Central Measurement Tool
Microsoft Secure Score is a representation of an organization's security posture, expressed as a percentage of total possible points. It is calculated based on the implementation of recommended security actions (called 'improvement actions') across Microsoft 365 services including Azure AD, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft 365 Apps.
How Secure Score is Calculated:
- Each improvement action has a maximum point value based on its impact on security (e.g., enabling MFA for all users is worth ~30 points, while auditing mailbox login activity might be ~5 points).
- Points are awarded proportionally based on coverage. For example, if an action requires enabling MFA for all users and only 80% of users have MFA, you get 80% of the points for that action.
- The score is calculated as: (Achieved Points / Total Possible Points) * 100. Total possible points exclude actions that are not applicable (e.g., if you don't use a particular service).
- The score is recalculated every 24 hours, but some actions take up to 48 hours to reflect a change.
Key Components:
- Improvement Actions: Specific, actionable recommendations such as 'Enable multi-factor authentication for all users' or 'Enable mailbox auditing for all users'. Each has a description, point value, implementation steps, and potential user impact.
- Score History: A graph showing score changes over the last 90 days, helping track progress.
- Comparison: You can compare your score against the average of similar organizations (by industry, size, or region).
- License Requirements: Some actions require specific licenses (e.g., E5 or add-ons). The tool shows which actions are available based on your licensing.
Exam Tip: The exam often tests that Secure Score is a measurement tool, not a compliance or enforcement tool. It does not automatically apply settings; it only recommends. Also, raw point totals differ from tenant to tenant, so the score is always normalized to a percentage of the points possible in your tenant, with 100% as the maximum.
Identity Secure Score and Device Secure Score
In addition to the overall Microsoft Secure Score, Microsoft 365 includes category-specific scores:
- Identity Secure Score: Focuses on Azure AD identity security, including MFA, conditional access policies, password policies, and privileged identity management.
- Device Secure Score: Part of Microsoft Defender for Endpoint, measures device configuration against security baselines (e.g., Windows 10 security baseline).
These scores are integrated into the overall Secure Score but can be viewed separately for granular analysis.
Security Baselines and Configuration
Security baselines are pre-defined sets of recommended security settings for Microsoft 365 services, Azure AD, and Windows devices. They are based on industry best practices and Microsoft's own security research. Key baselines include:
- Azure AD Security Baseline: Includes settings like requiring MFA for admins, enabling Identity Protection, and configuring password hash sync.
- Microsoft 365 Security Baseline: Covers settings for Exchange Online, SharePoint Online, Teams, and Office apps.
- Windows Security Baselines: For devices managed by Intune or Group Policy, covering BitLocker, firewall, antivirus, and user account control.
How to Apply Baselines: In the Microsoft 365 admin center or Microsoft 365 Defender portal, you can review and apply baseline settings. For devices, use Intune security baselines. The exam expects you to know that baselines are a starting point—they can be customized but should align with organizational needs.
Threat Analytics and Posture Improvement
Microsoft 365 Defender provides threat analytics that give actionable intelligence about active threats and vulnerabilities. This directly feeds into posture improvement by highlighting which improvement actions are most relevant to current threats. For example, if a new ransomware variant exploits a specific misconfiguration, threat analytics will flag that configuration and recommend the corresponding Secure Score improvement action.
Incident Response and Posture
Posture improvement also involves preparing for incidents. This includes:
- Attack Simulation Training: Microsoft's built-in tool to simulate phishing attacks and train users. Results can identify weak spots that need policy changes.
- Automated Investigation and Response (AIR): In Microsoft 365 Defender, automated playbooks can be configured to respond to incidents. Posture improvement includes ensuring these playbooks are enabled and properly scoped.
Integration with Microsoft 365 Defender
Secure Score is deeply integrated with Microsoft 365 Defender's dashboard. From the Defender portal, you can access Secure Score, view improvement actions, and drill into specific recommendations. The exam may present scenarios where you need to use Defender's unified view to assess posture across identities, endpoints, email, and apps.
Common Misconfigurations That Lower Score
Not enabling MFA for all users (especially non-admin users)
Not enabling audit logging in Exchange Online (mailbox audit is off by default for some tenants)
Not enabling Microsoft Defender for Office 365 Safe Attachments or Safe Links
Not enabling Microsoft Defender for Identity
Using legacy authentication protocols (e.g., IMAP, POP)
Not applying conditional access policies for risky sign-ins
Verification Commands
While most posture assessment is done via GUI, you can use PowerShell to retrieve Secure Score data:
# Connect to Microsoft Graph. SecurityEvents.Read.All covers the Secure Score cmdlets;
# IdentityRiskyUser.Read.All is needed for the risky-user query further down.
Connect-MgGraph -Scopes "SecurityEvents.Read.All","IdentityRiskyUser.Read.All"
# Get Secure Score (one snapshot per day, with currentScore, maxScore and per-control scores)
Get-MgSecuritySecureScore
# Get improvement actions (control profiles: title, maxScore, tier, user impact, implementation cost)
Get-MgSecuritySecureScoreControlProfile
For the Azure AD Identity Secure Score side, list the users that Identity Protection has flagged as risky:
# Get risky users (risk level, risk state, last updated)
Get-MgIdentityProtectionRiskyUser
Key Defaults and Timers
Secure Score updates every 24-48 hours.
Improvement action point values are static but may be adjusted by Microsoft.
License requirements: Some actions require Azure AD Premium P2, Microsoft 365 E5, or add-ons.
The maximum achievable score is 100%, but some actions may be excluded if not applicable.
Interaction with Related Technologies
Conditional Access: Enabling policies directly impacts Secure Score (e.g., requiring MFA for all users).
Microsoft Defender for Cloud Apps: App governance controls affect Secure Score.
Microsoft Intune: Device compliance policies and baselines contribute to device secure score.
Azure AD Identity Protection: Risk policies and user risk remediation affect identity secure score.
Assess Current Secure Score
Navigate to the Microsoft 365 Defender portal (https://security.microsoft.com) and select 'Secure Score' from the left navigation. The dashboard displays your overall score, score history, and top improvement actions. Note the current percentage and compare it to the industry average. Identify the top 5 improvement actions with the highest point impact. This step establishes a baseline for measuring progress.
Prioritize High-Impact Actions
Review the list of improvement actions sorted by point value. Focus on those that are 'unscored' or 'partially scored' and have high point values (e.g., enabling MFA for all users, enabling mailbox auditing). Consider the effort and user impact. For example, enabling MFA for all users may require user training and conditional access policies. Use the 'Impact' column to gauge user disruption. This step ensures you get the most security benefit per effort.
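Putting the calculation from 'How Secure Score is Calculated' and this prioritisation step into code, as an added example that is not part of the course page or any Microsoft sample: it joins a daily score snapshot with the control profiles (the shapes Get-MgSecuritySecureScore and Get-MgSecuritySecureScoreControlProfile return), leaves out controls the tenant does not use, computes the percentage and lists the actions with the most points still available. All control names, point values and coverage figures are constructed, and treating a control that is absent from controlScores as not applicable is an assumption of this example, not a documented Graph rule.

```powershell
# Added example (not from the course page or Microsoft). Object shapes follow the Graph
# secureScore / secureScoreControlProfile resources; all names and numbers are constructed.

# Constructed catalogue of control profiles. maxScore lives here, not on the daily score.
$Profiles = @(
    [pscustomobject]@{ Id='MfaForAllUsers';   Title='Enable MFA for all users';     MaxScore=30; UserImpact='High' }
    [pscustomobject]@{ Id='MailboxAuditing';  Title='Enable mailbox auditing';      MaxScore=10; UserImpact='Low' }
    [pscustomobject]@{ Id='BlockLegacyAuth';  Title='Block legacy authentication';  MaxScore=8;  UserImpact='Moderate' }
    [pscustomobject]@{ Id='SafeLinks';        Title='Enable Safe Links';            MaxScore=5;  UserImpact='Low' }
    [pscustomobject]@{ Id='SpoSharingLimits'; Title='Limit external sharing (SPO)'; MaxScore=4;  UserImpact='Moderate' }
)

# Constructed daily snapshot. SpoSharingLimits is absent because this tenant has no
# SharePoint Online; the example treats "absent from controlScores" as not applicable
# (assumption), so those 4 points never enter the denominator.
$Snapshot = [pscustomobject]@{
    CreatedDateTime = [datetime]'2024-05-02'
    ControlScores   = @(
        [pscustomobject]@{ ControlName='MfaForAllUsers';  Score=24 }   # 80% of users covered -> 80% of 30
        [pscustomobject]@{ ControlName='MailboxAuditing'; Score=0 }
        [pscustomobject]@{ ControlName='BlockLegacyAuth'; Score=8 }
        [pscustomobject]@{ ControlName='SafeLinks';       Score=0 }
    )
}

function Get-PostureGapReport {
    # Joins a snapshot with the profile catalogue and returns the percentage plus
    # the $Top controls with the largest number of points still available.
    param($Snapshot, $Profiles, [int]$Top = 5)
    $byId = @{}
    foreach ($p in $Profiles) { $byId[$p.Id] = $p }
    $rows = foreach ($c in $Snapshot.ControlScores) {
        $p = $byId[$c.ControlName]
        if (-not $p) { continue }                       # score with no matching profile: skip
        $score = [double]$c.Score
        $max   = [double]$p.MaxScore
        if ($score -ge $max) { $status = 'Completed' }
        elseif ($score -gt 0) { $status = 'Partial' }   # proportional coverage, e.g. 80% of users
        else { $status = 'Unscored' }
        [pscustomobject]@{
            Control = $p.Title; Status = $status; Score = $score; MaxScore = $max
            Gap = ($max - $score); UserImpact = $p.UserImpact
        }
    }
    $achieved = ($rows | Measure-Object Score    -Sum).Sum
    $possible = ($rows | Measure-Object MaxScore -Sum).Sum
    [pscustomobject]@{
        Percent    = [math]::Round(100 * $achieved / $possible, 1)   # (Achieved / Possible) * 100
        Achieved   = $achieved
        Possible   = $possible
        TopActions = $rows | Where-Object Gap -gt 0 | Sort-Object Gap -Descending | Select-Object -First $Top
    }
}

$report = Get-PostureGapReport -Snapshot $Snapshot -Profiles $Profiles
"Secure Score: $($report.Percent)% ($($report.Achieved) of $($report.Possible) points)"   # 60.4% (32 of 53)
$report.TopActions | Format-Table Control, Status, Score, MaxScore, Gap, UserImpact -AutoSize
```

With live data, replace the two constructed objects with the output of Get-MgSecuritySecureScore (pick the newest snapshot by CreatedDateTime) and Get-MgSecuritySecureScoreControlProfile, keeping the same property names.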
Implement Selected Actions
For each chosen improvement action, follow the detailed implementation steps provided in the Secure Score portal. For example, to enable MFA for all users, you might create a conditional access policy requiring MFA for all cloud apps. Use Azure AD admin center or Microsoft 365 admin center. After implementation, the Secure Score will update within 24-48 hours. Verify that the action status changes to 'Completed' or 'Scored'.
Monitor Score and Threat Analytics
After implementing changes, monitor the Secure Score graph for upward trends. Also, check Threat Analytics in Microsoft 365 Defender to see if any active threats are related to the actions you've implemented. For instance, if a new phishing campaign targets organizations without MFA, your score improvement directly reduces risk. Set up automated alerts for score drops using Microsoft 365 Defender alert policies.
Repeat and Refine
Security posture improvement is an ongoing process. Revisit Secure Score monthly to address new improvement actions that Microsoft adds (e.g., when new services are enabled). Adjust baselines and policies based on changes in your environment, such as new user onboarding or mergers. Use attack simulation training results to identify areas where user behavior needs policy reinforcement. Continuously iterate to maintain a high score.
Scenario 1: Financial Services Firm Achieving Compliance
A mid-size bank needed to meet regulatory requirements for MFA and audit logging. They used Secure Score to identify that they were missing 40 points due to not enabling mailbox auditing and not enforcing MFA for all users (only admins had MFA). The security team created a conditional access policy requiring MFA for all users, which initially caused helpdesk calls. They phased the rollout using pilot groups. They also enabled mailbox auditing via Exchange Online PowerShell (Set-OrganizationConfig -AuditDisabled $false). Within 48 hours, their Secure Score jumped from 62% to 84%. The bank now uses Secure Score quarterly to prepare for audits.
Scenario 2: Healthcare Organization with Legacy Protocols
A hospital discovered that their Secure Score was low (45%) due to legacy authentication (IMAP, POP) being enabled. Attackers were using password spray attacks against these protocols. Using Secure Score's improvement action 'Block legacy authentication', they created a conditional access policy to block all legacy auth. They also enabled Microsoft Defender for Office 365 Safe Links and Safe Attachments. The score rose to 78%, and the number of successful credential attacks dropped to zero. However, they had to ensure some legacy devices (e.g., older printers) were upgraded or replaced.
Scenario 3: Tech Startup with Rapid Growth
A fast-growing startup had no centralized security policies. Secure Score showed a score of 35%. They implemented baselines using Intune for devices and Azure AD for identities. They enabled self-service password reset (SSPR) and combined registration for SSPR and MFA. They also enabled Microsoft Defender for Cloud Apps to detect shadow IT. Over six months, their score improved to 88%, and they avoided a ransomware incident because of early detection via Defender. The key challenge was user adoption; they used attack simulation training to educate employees.
Common Pitfalls:
- Over-relying on Secure Score as a sole metric; it does not measure all aspects of security (e.g., physical security, third-party risk).
- Ignoring user impact; aggressive policies can lead to productivity loss and shadow IT.
- Not updating baselines after Microsoft releases new versions.
- Failing to exclude break-glass accounts from MFA policies, causing lockout.
What MS-102 Tests on This Topic (Objective 3.1)
The exam focuses on your ability to interpret Secure Score, identify improvement actions, and apply security baselines. Specific sub-objectives include:
- 'Describe the purpose and functionality of Microsoft Secure Score.'
- 'Identify improvement actions to increase the Secure Score.'
- 'Implement security baselines for Microsoft 365 services.'
- 'Use threat analytics to prioritize security improvements.'
- 'Plan and implement attack simulation training.'
Common Wrong Answers and Why Candidates Choose Them
1. 'Secure Score enforces security policies.' Candidates confuse measurement with enforcement. Secure Score only recommends and measures; it does not automatically apply settings.
2. 'Improvement actions are all mandatory for compliance.' Many think all actions must be implemented to be compliant. In reality, actions are optional and may not be applicable.
3. 'Secure Score is only for Microsoft 365 E5 tenants.' While some actions require E5, the core Secure Score is available for all Microsoft 365 subscriptions, though point totals vary.
4. 'You can achieve 100% Secure Score easily.' Candidates underestimate the effort. 100% is often unattainable due to licensing limitations or business constraints.
Specific Numbers and Terms on the Exam
- Secure Score range: 0% to 100%.
- Update frequency: every 24-48 hours.
- Point values: e.g., enabling MFA for all users is worth approximately 30 points.
- Key terms: 'Improvement action', 'Score history', 'Comparison benchmark'.
- Baselines: 'Azure AD security baseline', 'Windows security baseline', 'Microsoft 365 security baseline'.
Edge Cases and Exceptions
- If a tenant does not use a service (e.g., SharePoint Online), related improvement actions are excluded from total possible points.
- Some actions require additional licensing (e.g., Azure AD P2 for Identity Protection actions). The exam may present a scenario where a customer has E3 but wants to implement a P2-dependent action; the correct answer is that they cannot without upgrading.
- Break-glass accounts should be excluded from MFA policies to avoid lockout; the exam expects you to know this.
How to Eliminate Wrong Answers
- If an answer says 'Secure Score automatically applies settings,' eliminate it; Secure Score is advisory only.
- If an answer claims a specific action is mandatory for all tenants, eliminate it unless it's a regulatory requirement (but Secure Score itself doesn't enforce).
- If an answer suggests that Secure Score is only available in certain portals, remember it's in the Microsoft 365 Defender portal, not just the admin center.
Secure Score is a measurement tool, not an enforcement mechanism.
Improvement actions have point values that are proportional to security impact.
Secure Score updates every 24-48 hours after changes are made.
Some improvement actions require specific licenses (e.g., Azure AD P2, E5).
Security baselines (Azure AD, Windows, Microsoft 365) provide pre-configured recommended settings.
Threat analytics in Microsoft 365 Defender helps prioritize improvement actions based on active threats.
Attack simulation training improves user awareness and can influence Secure Score indirectly.
Break-glass accounts must be excluded from MFA policies to avoid lockout.
Secure Score comparison shows your score relative to similar organizations.
Achieving 100% is often impractical; focus on high-impact actions first.
These come up on the exam all the time. Here's how to tell them apart.
Microsoft Secure Score
Covers Microsoft 365 services (Exchange, SharePoint, Teams, etc.)
Provides a percentage score (0-100%)
Includes improvement actions with point values
Updates every 24-48 hours
Integrated into Microsoft 365 Defender portal
Azure Security Benchmark
Covers Azure infrastructure (VMs, storage, networking)
Provides compliance controls and regulatory mappings
Includes Azure Policy initiatives and built-in policies
Evaluated continuously via Azure Policy
Available in Azure Security Center / Defender for Cloud
Mistake
Secure Score automatically applies recommended settings.
Correct
Secure Score is a measurement and recommendation tool only. It does not automatically apply any settings. Administrators must manually implement improvement actions.
Mistake
All improvement actions are available in every Microsoft 365 subscription.
Correct
Some improvement actions require specific licenses such as Azure AD Premium P2, Microsoft 365 E5, or add-ons. The Secure Score interface shows only actions applicable to your licensed services.
Mistake
A 100% Secure Score means the tenant is fully secure and compliant.
Correct
Secure Score measures only the specific actions Microsoft recommends. It does not cover all security aspects (e.g., physical security, third-party risk, custom configurations). 100% may also be unattainable due to excluded actions.
Mistake
Secure Score updates in real-time after making a change.
Correct
Secure Score updates every 24-48 hours. Changes made today may not reflect in the score until the next day or even two days later.
Mistake
Secure Score is only accessible from the Microsoft 365 admin center.
Correct
Secure Score is primarily accessed via the Microsoft 365 Defender portal (security.microsoft.com), not the admin center. It may also be available via Microsoft Graph API.
Secure Score updates every 24 to 48 hours. Changes you make today may take up to two days to reflect in your score. This is because Microsoft aggregates data from multiple services and performs calculations asynchronously. For exam purposes, remember that it is not real-time.
While theoretically possible, achieving 100% is extremely rare and often impractical. Some improvement actions may be excluded due to licensing limitations, business requirements, or technical constraints. Additionally, Microsoft may add new actions over time. The exam may present a scenario where a tenant cannot achieve 100% because a specific action requires a license they don't have.
No. Secure Score only measures your current security posture and provides recommendations. It does not automatically apply any settings. You must manually implement improvement actions through the appropriate admin centers (Azure AD, Exchange, Intune, etc.). This is a common exam trap.
Secure Score focuses on Microsoft 365 services (Exchange, SharePoint, Teams, etc.) and provides a percentage score with improvement actions. Azure Security Benchmark (now part of Microsoft Defender for Cloud) focuses on Azure infrastructure (VMs, storage, networking) and provides compliance controls mapped to regulatory standards. They are complementary but cover different scopes.
When creating a conditional access policy that requires MFA, add a user exclusion group containing your break-glass accounts. Ensure these accounts have strong passwords and are monitored. The exam expects you to know that break-glass accounts should be excluded to prevent lockout during emergencies.
Check the Secure Score history to identify which improvement actions lost points. Common causes include users being added without MFA, a service being disabled, or a policy change. Use the 'Score history' graph to pinpoint the date of the drop and correlate with recent changes. Then, address the specific action.
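The score-drop check described above, as an added example that is not taken from the course page: it diffs two daily snapshots in the shape Get-MgSecuritySecureScore returns and reports every control that lost points, largest loss first, so the loss can be matched against that day's changes. The two snapshots and their control names are constructed; the live-data comment assumes the cmdlet's standard -Top parameter and the CreatedDateTime property on the returned objects.

```powershell
# Added example (not from the course page). Snapshot shape follows the Graph secureScore
# resource (createdDateTime + controlScores); the control names and points are constructed.

$Before = [pscustomobject]@{
    CreatedDateTime = [datetime]'2024-05-01'
    ControlScores   = @(
        [pscustomobject]@{ ControlName='MfaForAllUsers';  Score=24 }
        [pscustomobject]@{ ControlName='BlockLegacyAuth'; Score=8 }
        [pscustomobject]@{ ControlName='SafeLinks';       Score=5 }
    )
}
$After = [pscustomobject]@{
    CreatedDateTime = [datetime]'2024-05-02'
    ControlScores   = @(
        [pscustomobject]@{ ControlName='MfaForAllUsers';  Score=21 }   # new hires onboarded without MFA
        [pscustomobject]@{ ControlName='BlockLegacyAuth'; Score=8 }
        [pscustomobject]@{ ControlName='SafeLinks';       Score=0 }    # Safe Links policy switched off
    )
}

function Compare-SecureScoreSnapshot {
    # Returns one row per control whose score fell between the two snapshots.
    # A control present only in $After is compared against 0, so a newly added
    # action that starts unscored shows no loss (it never had points to lose).
    param($Before, $After)
    $prev = @{}
    foreach ($c in $Before.ControlScores) { $prev[$c.ControlName] = [double]$c.Score }
    $losses = foreach ($c in $After.ControlScores) {
        $old = if ($prev.ContainsKey($c.ControlName)) { $prev[$c.ControlName] } else { 0.0 }
        $new = [double]$c.Score
        if ($new -lt $old) {
            [pscustomobject]@{ Control = $c.ControlName; Before = $old; After = $new; Lost = ($old - $new) }
        }
    }
    $losses | Sort-Object Lost -Descending
}

# Live data (assumption: -Top and CreatedDateTime as exposed by the Graph SDK):
#   $days = Get-MgSecuritySecureScore -Top 2 | Sort-Object CreatedDateTime
#   Compare-SecureScoreSnapshot -Before $days[0] -After $days[1]
"Points lost between $($Before.CreatedDateTime.ToShortDateString()) and $($After.CreatedDateTime.ToShortDateString()):"
Compare-SecureScoreSnapshot -Before $Before -After $After | Format-Table -AutoSize   # SafeLinks 5, MfaForAllUsers 3
```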
Yes, you can use the Microsoft Graph PowerShell SDK to retrieve Secure Score and improvement actions. For example: Get-MgSecuritySecureScore. However, the exam primarily tests GUI-based navigation. Knowing PowerShell is a plus but not required for the core objective.