This chapter covers Microsoft Secure Score, a core component of the Microsoft 365 security posture management. Secure Score is a measurement of an organization's security posture based on configured settings, user behaviors, and other security-related actions. For the MS-102 exam, Secure Score appears in Domain 3.1 (Security Threats) and typically accounts for 5-10% of questions. You must understand how scores are calculated, how to interpret the metrics, and how to use the product recommendations to improve security. This chapter provides the depth needed to answer both conceptual and scenario-based exam questions.
Imagine you are a facilities manager responsible for a large office building. Your goal is to ensure the building is as secure as possible against break-ins, fires, and other threats. However, you cannot implement every possible security measure at once due to budget and operational constraints. To help prioritize, you receive a monthly "Building Security Scorecard" from an independent auditor. The scorecard lists every possible security improvement—like installing motion sensors, reinforcing doors, adding security cameras, and training staff on emergency procedures. Each improvement has a point value based on its impact and cost. Your current score is calculated by summing the points for improvements you have already implemented. The scorecard also shows the maximum possible score and highlights the improvements that would give you the biggest point increase. You can then focus on the most impactful, cost-effective upgrades first. Over time, as you implement more improvements, your score rises, reflecting a more secure building. The scorecard itself does not enforce any security; it simply measures and guides your efforts. Microsoft Secure Score works exactly like this: it measures your tenant's security posture against Microsoft's recommended actions, assigns points for each action you complete, and helps you prioritize the most impactful improvements to reduce risk.
What is Microsoft Secure Score?
Microsoft Secure Score is a security analytics tool within the Microsoft 365 Defender portal (security.microsoft.com) that provides a numerical representation of an organization's security posture. It is not a static number; it changes as you implement or remove security controls. The score ranges from 0 to a maximum that varies per tenant based on available licenses and supported products. The goal is to help organizations identify and prioritize security improvements.
Secure Score is built on four core principles:
Measurable: Every recommended action has a quantifiable point value.
Prioritized: Actions are ranked by potential score improvement and ease of implementation.
Actionable: Each recommendation includes step-by-step guidance.
Transparent: All calculations and data sources are documented.
How Secure Score is Calculated
Secure Score aggregates data from multiple Microsoft 365 security services, including:
Microsoft Entra ID (formerly Azure AD)
Microsoft Defender for Office 365
Microsoft Defender for Endpoint
Microsoft Defender for Identity
Microsoft Defender for Cloud Apps
Microsoft Intune (mobile device management)
Microsoft 365 Apps (Office)
Each service contributes a set of improvement actions. Each improvement action has a maximum point value, typically between 5 and 30 points. The total achievable score is the sum of all maximum points for actions applicable to your tenant (based on licenses and enabled services).
Your current score is the sum of points for actions that are fully implemented. Partial implementation may yield partial points (e.g., enabling MFA for 50% of users gives 50% of the action's points).
Formula: \[ \text{Secure Score} = \frac{\sum \text{(Points earned for each action)}}{\sum \text{(Maximum points for all applicable actions)}} \times \text{Maximum possible score} \]
The maximum possible score is not fixed; it depends on your licensed products. For example, if you do not have Microsoft Defender for Identity licenses, actions related to that product are excluded from the denominator.
Key Components in the Secure Score Dashboard
The Secure Score dashboard (security.microsoft.com/securescore) includes:
Overall score: A percentage and numerical value (e.g., 72.5% or 245 out of 340).
Score breakdown by category: Identity, Device, Apps, Data, Infrastructure, and (optionally) Privileged Access Workstations.
Comparison to baseline: Your score compared to organizations with similar license profiles.
Trend: A graph showing score changes over the last 90 days.
Top improvement actions: Actions that would give the largest score increase.
License coverage: Which services are contributing data.
Improvement Actions
Improvement actions are the specific recommendations. Each action includes:
Title: e.g., "Require MFA for all users"
Category: e.g., Identity
Point value: e.g., 10 points (may be split into sub-points for partial implementation)
Status: Completed, Planned, Risk Accepted, or Not Applicable
Implementation steps: Link to configuration guides
License requirement: e.g., Requires Microsoft Entra ID P1 or P2
Score History and Trends
Secure Score retains data for 90 days. You can view daily snapshots and see how specific actions affected the score. The trend line helps you see if your security posture is improving or declining.
What Secure Score Does NOT Measure
Actual breaches or incidents: It measures configuration, not whether an attack has occurred.
User behavior beyond policy: For example, it measures if MFA is enforced, but not if users comply with training.
Third-party security tools: Only Microsoft services are included.
Network-level controls: Firewalls, IPS, etc., are not reflected.
How to Access Secure Score
Go to security.microsoft.com
Under Reports > Secure Score
Alternatively, use the Microsoft 365 Defender portal's Threat analytics > Secure Score
PowerShell and API Access
You can retrieve Secure Score data programmatically using the Microsoft Graph API or the Get-MgSecuritySecureScore cmdlet from the Microsoft Graph PowerShell SDK.
Example PowerShell command (the secure score object exposes CurrentScore and MaxScore, not a single Score property):
Connect-MgGraph -Scopes SecurityEvents.Read.All
Get-MgSecuritySecureScore | Select-Object Id, CurrentScore, MaxScore, CreatedDateTime
API endpoint:
GET https://graph.microsoft.com/v1.0/security/secureScores
Integration with Other Microsoft 365 Tools
Microsoft 365 Defender: Secure Score is a core component of the Defender portal.
Microsoft 365 Lighthouse: For managed service providers (MSPs), Secure Score data from multiple tenants can be viewed in a unified dashboard.
Microsoft Compliance Manager: Although Compliance Manager focuses on regulatory compliance, it also uses improvement actions and shares some data with Secure Score.
Microsoft Entra Identity Protection: Identity-related improvement actions often align with Identity Protection risk policies.
How Secure Score Differs from Compliance Manager
Secure Score is about security posture (configurations that reduce risk of compromise). Compliance Manager is about meeting regulatory standards (e.g., GDPR, ISO 27001). Some actions overlap (e.g., enabling MFA), but they have different scoring systems and goals.
Default Values and Timers
Score refresh: The score updates every 24 hours, but changes may take up to 48 hours to reflect.
Historical data retention: 90 days.
Maximum score: Varies per tenant; typically between 200 and 500 points for a full E5 tenant.
Common Misconfigurations Affecting Score
Not enabling MFA for all users (especially admins).
Not enabling audit logging.
Not using Microsoft Defender for Office 365 Safe Attachments/Safe Links.
Not enabling conditional access policies.
Not applying security baselines in Intune.
Exam-Relevant Details
Secure Score is found in the Microsoft 365 Defender portal, not the Azure portal (though Azure Secure Score exists separately for Azure resources).
The score is a percentage of completed actions relative to total possible actions, multiplied by max possible score.
Actions can be categorized as Identity, Device, Apps, Data, Infrastructure.
You can accept risk for an action, which removes its points from the denominator and numerator.
The score does not guarantee security; it only measures configuration.
Exam questions often test the difference between Secure Score and Compliance Manager.
Access Secure Score Dashboard
Navigate to security.microsoft.com and sign in with appropriate permissions (Security Reader, Security Administrator, or Global Administrator). Under Reports, click Secure Score. The dashboard loads the overall score, category breakdown, and top improvement actions. The page displays a graph of score trends over the last 90 days. This is the starting point for all Secure Score interactions. The exam may test that Secure Score is accessed via the Microsoft 365 Defender portal, not the Azure portal or Microsoft 365 admin center.
Review Improvement Actions
Scroll down to see the list of improvement actions. Each action shows its title, point value, status (e.g., Completed, Planned, Risk Accepted), and category. Click on any action to see details including implementation steps, affected users/devices, and license requirements. The exam expects you to know that actions are grouped by category (Identity, Device, Apps, Data, Infrastructure) and that each action has a maximum point value that may be split for partial implementation.
Analyze Score Breakdown by Category
The dashboard displays a breakdown of your score by category (Identity, Device, Apps, Data, Infrastructure). You can see which categories are strongest and weakest. This helps prioritize where to focus efforts. For example, if Identity score is low, you should prioritize identity-related improvement actions like enabling MFA or conditional access. The exam may ask you to interpret a scenario where one category is underperforming and recommend appropriate actions.
Compare Your Score to Baseline
Secure Score provides a comparison to organizations with similar license profiles. This baseline helps you understand if your security posture is above or below average. The comparison is based on aggregated anonymous data. The exam may test that this comparison is available, but not the specific baseline numbers (which vary).
Implement an Improvement Action
Select an improvement action and follow the implementation steps provided. For example, to enable MFA, you might configure a conditional access policy in Microsoft Entra ID. After implementation, the change may take up to 48 hours to reflect in Secure Score. The exam expects you to know that changes are not immediate and that the score updates daily. Also, note that some actions require specific licenses (e.g., Microsoft Entra ID P1 for conditional access).
Monitor Score Trends and History
Use the trend graph to track score changes over time. You can view daily snapshots for the past 90 days. This helps you see the impact of implemented actions and identify declines (e.g., if a user disabled MFA). The exam may ask about the retention period (90 days) and that data is not available beyond that.
Enterprise Scenario 1: Large Multinational Corporation with Hybrid Identity
A global company with 50,000 users and a mix of on-premises and cloud identities uses Secure Score to track its security posture. Initially, their score was 45% (low). By focusing on the top improvement actions, they enabled MFA for all users, configured conditional access policies, and deployed Microsoft Defender for Endpoint. Over six months, their score rose to 78%. However, they faced challenges: some legacy applications did not support modern authentication, so they had to use app passwords or exclude those apps from MFA policies, which reduced the score for that action. They also had to manage risk acceptance for actions that were not feasible (e.g., requiring hardware tokens for all users). Secure Score helped them prioritize and justify budget for security investments. The IT team used the API to pull scores into their internal dashboard.
Enterprise Scenario 2: SMB with Limited IT Staff
A small business with 200 users and no dedicated security team uses Secure Score as a checklist. They have Microsoft 365 Business Premium licenses. Their initial score was 30%. The top recommendation was to enable MFA. They implemented MFA for all users, which boosted the score to 50%. Next, they enabled Safe Links and Safe Attachments in Defender for Office 365, pushing the score to 65%. They used the "Planned" status to track actions they intended to do later. The simplicity of Secure Score allowed non-technical staff to understand and act on recommendations. However, they mistakenly thought a high score meant they were fully secure, which is a common misconception.
Common Misconfigurations and Pitfalls
Ignoring partial points: Some administrators assume an action must be fully completed to earn any points. In reality, partial implementation (e.g., enabling MFA for 70% of users) earns proportional points. The exam may test this.
Risk acceptance without documentation: When you mark an action as "Risk Accepted," the points are removed from both numerator and denominator. However, you should document why the risk was accepted for audit purposes. The exam may ask about the effect of risk acceptance on the score.
Not checking license requirements: Some actions require higher-tier licenses (e.g., Microsoft Entra ID P2 for Identity Protection). Attempting to implement without the license will fail, and the action may not even appear in the list. The exam may test that actions are filtered by license.
Overlooking score history: The 90-day retention means you cannot compare beyond that. Organizations that want long-term trend analysis must export data regularly.
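A worked model of the calculation described under "How Secure Score is Calculated" and of the partial-points and risk-acceptance pitfalls just listed, added here as an illustration and not code from this page or from Microsoft. The action titles, point values and license names are constructed samples; the model shows that risk-accepting an action raises the percentage without adding any earned points.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass
class ImprovementAction:
    """One improvement action as the dashboard lists it (constructed fields)."""
    title: str
    category: str                           # Identity, Device, Apps, Data, Infrastructure
    max_points: float
    implemented: float                      # fraction 0.0..1.0 already rolled out
    status: str = "Active"                  # or "Risk Accepted"
    requires_license: Optional[str] = None  # None means any license qualifies


# Constructed sample tenant: licenses held and a small action catalogue.
# Titles, point values and license names are illustrative only.
TENANT_LICENSES = {"Entra ID P1", "Defender for Office 365"}
SAMPLE_ACTIONS = [
    ImprovementAction("Require MFA for all users", "Identity", 10, 0.5),
    ImprovementAction("Enable Safe Links", "Apps", 10, 1.0, requires_license="Defender for Office 365"),
    ImprovementAction("Enable conditional access policies", "Identity", 10, 0.0, requires_license="Entra ID P1"),
    ImprovementAction("Turn on unified audit logging", "Data", 5, 1.0),
    ImprovementAction("Require hardware tokens for all users", "Identity", 20, 0.0, status="Risk Accepted"),
    ImprovementAction("Enable Identity Protection policies", "Identity", 30, 0.0, requires_license="Entra ID P2"),
]


def applicable(actions, licenses):
    """The denominator: licensed actions that are not risk-accepted.
    An unlicensed action never appears in the list; a risk-accepted one is
    removed from both numerator and denominator."""
    return [a for a in actions
            if a.status != "Risk Accepted"
            and (a.requires_license is None or a.requires_license in licenses)]


def compute_score(actions, licenses):
    """Secure Score = earned / max over applicable actions; partial rollout earns partial credit."""
    scoped = applicable(actions, licenses)
    max_points = sum(a.max_points for a in scoped)
    earned = sum(a.max_points * a.implemented for a in scoped)
    percent = 100.0 * earned / max_points if max_points else 0.0
    return {"earned": earned, "max": max_points, "percent": round(percent, 1)}


def category_breakdown(actions, licenses):
    """Per-category percentage, the view used to decide where to focus first."""
    totals = {}
    for a in applicable(actions, licenses):
        earned, mx = totals.get(a.category, (0.0, 0.0))
        totals[a.category] = (earned + a.max_points * a.implemented, mx + a.max_points)
    return {c: round(100.0 * e / m, 1) for c, (e, m) in totals.items()}


def risk_accept(actions, title):
    """Copy of the catalogue with one action marked Risk Accepted."""
    return [replace(a, status="Risk Accepted") if a.title == title else a for a in actions]


if __name__ == "__main__":
    before = compute_score(SAMPLE_ACTIONS, TENANT_LICENSES)
    after = compute_score(risk_accept(SAMPLE_ACTIONS, "Enable conditional access policies"), TENANT_LICENSES)
    print("before:", before, category_breakdown(SAMPLE_ACTIONS, TENANT_LICENSES))
    print("after risk acceptance:", after)  # percentage rises, earned points do not
```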
Performance and Scale Considerations
Secure Score is a SaaS feature and scales automatically. No on-premises infrastructure is needed. For tenants with hundreds of thousands of users, the score calculation may take longer but still updates within 24-48 hours. The API can handle high-volume queries but should be used with pagination for large datasets.
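An added example, not the page's or Microsoft's code, of the export-and-archive approach that the 90-day retention note and the pagination note above call for: it follows @odata.nextLink across constructed pages of the secureScores collection, merges daily snapshots into a local archive without duplicates, and computes day-over-day changes. The fetch_page function is a hypothetical stand-in for an authenticated HTTP GET, and the response field names (id, createdDateTime, currentScore, maxScore) are assumed to match the Graph resource.

```python
import json

SECURE_SCORES_URL = "https://graph.microsoft.com/v1.0/security/secureScores"

# Constructed stand-in for two server-side pages of the secureScores collection.
# Scores and dates are illustrative only.
PAGES = {
    SECURE_SCORES_URL: {
        "value": [
            {"id": "t1_2024-05-02", "createdDateTime": "2024-05-02T02:00:00Z", "currentScore": 245.0, "maxScore": 340.0},
            {"id": "t1_2024-05-01", "createdDateTime": "2024-05-01T02:00:00Z", "currentScore": 240.0, "maxScore": 340.0},
        ],
        "@odata.nextLink": SECURE_SCORES_URL + "?$skiptoken=page2",
    },
    SECURE_SCORES_URL + "?$skiptoken=page2": {
        "value": [
            {"id": "t1_2024-04-30", "createdDateTime": "2024-04-30T02:00:00Z", "currentScore": 240.0, "maxScore": 340.0},
        ],
    },
}


def fetch_page(url):
    """Hypothetical placeholder for an authenticated GET; serves the constructed pages."""
    return PAGES[url]


def fetch_all_snapshots(start_url=SECURE_SCORES_URL, fetch=fetch_page):
    """Follow @odata.nextLink until the collection is exhausted (Graph paging)."""
    snapshots, url = [], start_url
    while url:
        page = fetch(url)
        snapshots.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return snapshots


def merge_archive(archive, snapshots):
    """Upsert snapshots keyed by id so a repeated export never duplicates a day.
    The local archive is what outlives the service's 90-day retention."""
    merged = {s["id"]: s for s in archive}
    for s in snapshots:
        merged[s["id"]] = s
    return sorted(merged.values(), key=lambda s: s["createdDateTime"])


def score_changes(archive):
    """Day-over-day change in raw points plus the percentage, for trend review."""
    changes = []
    for prev, cur in zip(archive, archive[1:]):
        changes.append({
            "date": cur["createdDateTime"][:10],
            "delta_points": cur["currentScore"] - prev["currentScore"],
            "percent": round(100.0 * cur["currentScore"] / cur["maxScore"], 1),
        })
    return changes


def save_archive(path, archive):
    """Write the archive as JSON; run this on a schedule to keep history past 90 days."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(archive, fh, indent=2)
```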
Exactly What MS-102 Tests on Secure Score
Objective Code: 3.1 – Analyze security threats and recommend remediation actions using Microsoft Secure Score.
The exam expects you to:
Understand the purpose of Secure Score (measure security posture, prioritize actions).
Know where to access Secure Score (Microsoft 365 Defender portal).
Interpret the score breakdown by category (Identity, Device, Apps, Data, Infrastructure).
Explain how points are calculated (sum of points earned / sum of max points for applicable actions).
Describe the effect of risk acceptance (removes points from both numerator and denominator).
Differentiate Secure Score from Compliance Manager.
Identify the refresh interval (24 hours, up to 48 for changes to appear).
Know the historical data retention period (90 days).
Recognize that Secure Score does not measure actual breaches or user behavior.
Common Wrong Answers and Why Candidates Choose Them
1. Wrong: Secure Score is found in the Azure portal (Azure Security Center). - Why: Azure Security Center also has a Secure Score for Azure resources. Candidates confuse the two. The correct location for Microsoft 365 Secure Score is the Microsoft 365 Defender portal.
2. Wrong: Secure Score measures the number of security incidents. - Why: The name implies a "score" of security, but it measures configuration, not incidents. Candidates may think a high score means no breaches.
3. Wrong: Implementing an action immediately updates the score. - Why: The score refreshes daily, not in real time. Candidates assume instant feedback.
4. Wrong: Risk acceptance increases the score. - Why: Risk acceptance removes the action from scoring altogether, so the denominator shrinks, potentially increasing the percentage but not the raw score. Candidates may think it adds points.
5. Wrong: Secure Score includes on-premises security measures. - Why: Only Microsoft 365 cloud services are included. On-premises firewalls or antivirus are not measured.
Specific Numbers and Terms That Appear Verbatim on the Exam
Refresh interval: "every 24 hours" or "up to 48 hours for changes to reflect"
Retention: "90 days"
Categories: Identity, Device, Apps, Data, Infrastructure
Maximum score: varies, but typical E5 tenant max is around 400-500 points (not a fixed number)
Point values: each action typically 5-30 points
Risk Accepted: removes action from scoring
Comparison baseline: organizations with similar license profiles
Edge Cases and Exceptions the Exam Loves to Test
Partial implementation: If an action requires enabling MFA for all users, and only 50% of users have MFA, the action earns 50% of its points. The exam may present a scenario where a candidate assumes zero points for partial compliance.
License dependency: Some actions appear only if the tenant has the required license. For example, actions related to Microsoft Defender for Identity require that license. The exam may ask why an action is missing.
Multiple categories: An action may affect multiple categories. For example, enabling MFA is an Identity action but may also impact Apps if it applies to all cloud apps.
Score drop: If a user disables a security feature, the score drops. The exam may ask what caused a score decline.
How to Eliminate Wrong Answers Using the Underlying Mechanism
If an answer says Secure Score is in Azure portal, eliminate it.
If an answer says it measures actual attacks, eliminate it.
If an answer says immediate update, eliminate it.
If an answer says risk acceptance adds points, eliminate it.
If an answer includes on-premises controls, eliminate it.
Focus on the mechanism: Secure Score is a configuration measurement tool, not a threat detection tool.
Secure Score is accessed via security.microsoft.com (Microsoft 365 Defender portal).
Score = (points earned / max points for applicable actions) * max possible score.
Points are earned for each improvement action; partial implementation yields partial points.
Risk acceptance removes the action from scoring (both numerator and denominator).
Score refreshes every 24 hours; changes may take up to 48 hours to appear.
Historical data is retained for 90 days.
Categories: Identity, Device, Apps, Data, Infrastructure.
Secure Score does not measure actual breaches or user behavior.
Comparison baseline is against organizations with similar license profiles.
Some actions require specific licenses (e.g., Microsoft Entra ID P1/P2).
These come up on the exam all the time. Here's how to tell them apart.
Microsoft Secure Score
Focuses on security posture (configurations that reduce risk of compromise).
Scoring based on improvement actions with point values (e.g., 10 points for enabling MFA).
Categories: Identity, Device, Apps, Data, Infrastructure.
Located in Microsoft 365 Defender portal (security.microsoft.com).
Does not map to specific regulatory standards.
Microsoft Compliance Manager
Focuses on regulatory compliance (e.g., GDPR, ISO 27001, NIST).
Scoring based on controls and assessments, not point-based improvement actions.
Organized by regulatory templates and customer-defined assessments.
Located in Microsoft 365 Compliance center (compliance.microsoft.com).
Provides detailed mapping to specific regulations and audit evidence.
Mistake
Secure Score measures how many security incidents have been detected.
Correct
Secure Score measures only the configuration of security controls (e.g., whether MFA is enabled), not actual breaches or incidents. A high score does not mean no attacks have occurred.
Mistake
Changes to security settings instantly update the Secure Score.
Correct
The score refreshes every 24 hours, and changes may take up to 48 hours to appear. There is no real-time update.
Mistake
Marking an action as 'Risk Accepted' increases your score.
Correct
Risk acceptance removes the action from both the numerator and denominator of the score calculation. This may increase the percentage but does not add points; the raw score may stay the same or decrease if other actions change.
Mistake
Secure Score includes all security controls, including on-premises firewalls.
Correct
Secure Score only measures controls within Microsoft 365 and Microsoft Entra ID. On-premises infrastructure, third-party tools, and network devices are not included.
Mistake
The maximum possible Secure Score is 100% for all tenants.
Correct
The maximum score varies based on licensed products and services. A tenant with only Exchange Online will have a lower maximum than a tenant with E5 licenses.
Microsoft Secure Score is located in the Microsoft 365 Defender portal at security.microsoft.com. Under Reports, click Secure Score. It is not in the Azure portal (Azure Security Center has a separate Secure Score for Azure resources). The exam tests this location explicitly.
Secure Score updates every 24 hours, but changes to your security configurations may take up to 48 hours to be reflected. This is because the data is aggregated from multiple services and calculated overnight. Do not expect real-time updates.
Secure Score measures security posture (configurations that reduce risk of compromise) using improvement actions with point values. Compliance Manager measures compliance with regulatory standards (e.g., GDPR, ISO 27001) using controls and assessments. They are separate tools in different portals (Defender vs. Compliance).
No. Marking an action as 'Risk Accepted' removes that action from the scoring calculation entirely (both numerator and denominator). This may increase your percentage if the denominator shrinks, but it does not add points. In fact, you lose the opportunity to earn those points.
No. Secure Score only measures security controls within Microsoft 365 and Microsoft Entra ID. On-premises infrastructure, third-party firewalls, and network devices are not included. The exam may present a distractor that includes on-premises controls.
You earn proportional points. For example, if an action requires enabling MFA for all 100 users and you enable it for 50 users, you earn 50% of the action's maximum points. The exam tests this partial credit concept.
Historical data is retained for 90 days. You can view daily snapshots and trends within that period. Data older than 90 days is not available. The exam may ask about this retention period.