MS-900 | Chapter 13 of 104 | Objective 3.1

Microsoft 365 Security Center

This chapter covers the Microsoft 365 Security Center, the unified portal at security.microsoft.com for managing security across Microsoft 365 workloads (Microsoft has since renamed it the Microsoft 365 Defender portal; the exam objectives still use the older name). For the MS-900 exam this is a core topic under objective 3.1 (Security and Compliance), and several questions typically touch on the portal's capabilities, Secure Score, and incident handling. You will learn the portal's architecture, its key components, and how to interpret its security metrics. The exam expects you to know what the Security Center is, its main features (Secure Score, incident management, threat analytics), and how the Microsoft 365 Defender services (Defender for Office 365, Endpoint, Identity, and Cloud Apps) and Azure AD Identity Protection feed into it.

25 min read
Intermediate
Updated May 31, 2026

Microsoft 365 Security Center as Airport Security

Imagine a major international airport. The airport has multiple layers of security: perimeter fences, ID checks at entrances, baggage screening, passenger screening, and random patrols. The Microsoft 365 Security Center is like the central security command center for the airport. It aggregates data from all these layers—video feeds, badge swipes, sensor alerts—into a unified dashboard. Security analysts (like the airport security team) can see a live map of all flights (users), gates (applications), and terminals (devices). The command center provides tools to investigate suspicious behavior, like a passenger loitering near a restricted area (anomalous sign-in), and to respond automatically, such as locking down a gate if a threat is detected (conditional access policy). Just as airport security uses threat intelligence about known terrorists (global threat feeds), the Security Center uses Microsoft's global threat intelligence to identify known malicious IPs, domains, and file hashes. The Security Center's Secure Score is like the airport's overall security rating—it shows how well the airport is protected and gives recommendations to improve, like adding more cameras or enforcing stricter ID checks. Without the command center, security would be siloed and reactive; with it, the airport can proactively defend against threats by correlating data from all sources and automating responses.

How It Actually Works

What is the Microsoft 365 Security Center?

The Microsoft 365 Security Center (security.microsoft.com) is a web-based portal that provides a centralized view of the security health of your Microsoft 365 tenant. Microsoft has since renamed it the Microsoft 365 Defender portal (today simply the Microsoft Defender portal), but the URL and the purpose are unchanged. It aggregates data from Exchange Online Protection (EOP), Microsoft Defender for Office 365 (MDO), Azure Active Directory (Azure AD, now Microsoft Entra ID) Identity Protection, Microsoft Defender for Identity (formerly Azure Advanced Threat Protection), Microsoft Defender for Endpoint, and Microsoft Cloud App Security (now Microsoft Defender for Cloud Apps). The portal is the primary interface for security administrators to monitor threats, investigate incidents, and improve the security posture.

Why it exists

Before the Security Center, administrators had to log into multiple separate portals (Exchange admin center, Azure AD, Security & Compliance Center, etc.) to get a complete picture. This was inefficient and led to missed correlations—for example, a phishing email detected by EOP might be linked to a compromised account detected by Azure AD Identity Protection, but without a unified view, the connection could be missed. The Security Center solves this by correlating alerts across services into incidents, providing a single pane of glass.

How it works internally

The Security Center sits on the shared Microsoft 365 Defender backend, which ingests telemetry from the Microsoft 365 security services: sign-in logs, audit logs, email traffic metadata, device signals, and Microsoft's threat intelligence feeds. Each service runs its own detections (rules and machine learning models) and raises alerts; the backend then correlates alerts from different services into incidents when they share entities (the same user, IP address, device, URL, or file hash) and occur close together in time. Incidents are displayed in the portal with a severity (Informational, Low, Medium, or High, inherited from the most severe alert in the group) and a timeline of the alerts they contain.

The portal itself is a web application that calls the backend over REST APIs; the same data is exposed to your own tooling through the Microsoft Graph security API (for example the /security/incidents and /security/secureScores endpoints). When you load the dashboard, it retrieves aggregated metrics such as Secure Score, active incidents, and user risk levels. Access is controlled with Azure AD (Microsoft Entra) roles: Global Administrator and Security Administrator can change settings, Security Operator can manage incidents and alerts, and Security Reader is read-only.

Key components

Secure Score: A numeric measure of your security posture. It is the number of points you have earned divided by the points available to your tenant, shown in the portal as a percentage (0-100%); the points available depend on which services you license, so two tenants with the same percentage can have different raw totals. Each improvement action is worth a fixed number of points (the values change over time; requiring MFA for administrative roles, for instance, is worth 10), and some actions award partial credit in proportion to the users or devices covered. The score is recalculated daily. The exam may ask you to identify actions that improve Secure Score, such as enabling MFA, enabling audit logging, or turning on Defender for Office 365 policies.

Incidents & Alerts: Incidents are groups of related alerts that represent a potential attack. For example, an incident might include alerts for a suspicious sign-in (Azure AD Identity Protection), a malware detection (Defender for Endpoint), and a phishing email (MDO). Alerts are individual security signals. The exam expects you to know that incidents are the primary way to investigate threats.
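As an added illustration of the grouping described above (example code written for this chapter, not Microsoft's implementation), the following Python models how alerts from several services are correlated into incidents: an alert joins an incident when it shares an entity with it and arrives close in time, incidents that one alert bridges are merged, and the incident takes the highest severity of its alerts. The alerts are constructed sample data, and the 48-hour window is an assumption for the demo; Microsoft does not publish a fixed correlation window.

```python
"""Added example (not from the page or from Microsoft): a small model of how
alerts from different Microsoft 365 services are correlated into incidents.

Alerts are grouped when they share an entity (user, IP, device, URL, file
hash) and fall close together in time; the incident's severity is the
highest severity among its alerts.  The alerts below are constructed
sample data, not real telemetry, and the 48-hour window is an assumption
for this demo only (Microsoft does not publish a fixed correlation window).
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}
WINDOW = timedelta(hours=48)  # assumption for the demo


@dataclass(frozen=True)
class Alert:
    id: str
    source: str          # service that raised the alert
    title: str
    severity: str        # informational | low | medium | high
    time: datetime
    entities: frozenset  # "kind:value" strings that can match across services


@dataclass
class Incident:
    alerts: list = field(default_factory=list)

    @property
    def severity(self):
        return max((a.severity for a in self.alerts), key=SEVERITY_RANK.__getitem__)

    @property
    def entities(self):
        return frozenset().union(*(a.entities for a in self.alerts))

    @property
    def latest(self):
        return max(a.time for a in self.alerts)

    @property
    def timeline(self):
        return sorted(self.alerts, key=lambda a: a.time)


def correlate(alerts, window=WINDOW):
    """Process alerts in time order. An alert joins every open incident that
    shares an entity with it and whose newest alert is within the window;
    if it bridges several, they are merged. Otherwise it opens a new incident."""
    incidents = []
    for alert in sorted(alerts, key=lambda a: a.time):
        matches = [inc for inc in incidents
                   if alert.entities & inc.entities and alert.time - inc.latest <= window]
        if not matches:
            incidents.append(Incident([alert]))
            continue
        target = matches[0]
        for other in matches[1:]:          # merge incidents the alert links together
            target.alerts.extend(other.alerts)
            incidents.remove(other)
        target.alerts.append(alert)
    return incidents


T0 = datetime(2026, 5, 30, 9, 0)
SAMPLE_ALERTS = [  # constructed; mirrors the phishing scenario later in the chapter
    Alert("A1", "Identity Protection", "Unfamiliar sign-in properties", "medium",
          T0, frozenset({"user:alice", "ip:203.0.113.7"})),
    Alert("A2", "Defender for Office 365", "Safe Links: click on malicious URL", "high",
          T0 + timedelta(minutes=20), frozenset({"user:alice", "url:login-portal.invalid"})),
    Alert("A3", "Defender for Endpoint", "Suspicious PowerShell command line", "high",
          T0 + timedelta(hours=2), frozenset({"user:alice", "device:LAPTOP-17"})),
    Alert("A4", "Defender for Cloud Apps", "Mass download by a single user", "low",
          T0 + timedelta(days=5), frozenset({"user:bob"})),
    Alert("A5", "Identity Protection", "Atypical travel", "medium",
          T0 + timedelta(hours=72), frozenset({"user:alice"})),   # same user, outside the window
]

if __name__ == "__main__":
    for n, inc in enumerate(correlate(SAMPLE_ALERTS), 1):
        ids = ", ".join(a.id for a in inc.timeline)
        print(f"Incident {n}: severity={inc.severity} alerts=[{ids}]")
```

Running it yields three incidents: A1, A2 and A3 collapse into one High incident on alice, A5 stays separate because it arrives 70 hours after the last alert in that chain, and A4 on bob never shares an entity with anything else. The real backend also re-examines incidents as new alerts arrive, which is why a "separate" incident can later be merged into an existing one.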

Threat Analytics: A section that provides threat intelligence reports from Microsoft’s security research team. These reports include details about active threat actors, techniques, and recommended mitigations. The exam may test your understanding that Threat Analytics is updated with new content as threats evolve.

Actions: The Security Center provides recommended actions to improve security, often linked to Secure Score improvement actions. These include configuring policies, enabling services, and adjusting settings.

Hunting: Advanced hunting allows security analysts to query raw telemetry using Kusto Query Language (KQL). This is more advanced and less likely to be tested on MS-900, but you should know it exists.

Configuration and verification

The Security Center is available to every tenant with an active Microsoft 365 or Office 365 subscription (E3, E5, Business Premium, and trials alike); no setup is required to open the portal. Individual features are license-gated: advanced hunting, for example, needs Defender for Office 365 Plan 2 or Defender for Endpoint, and the Defender for Identity and Defender for Cloud Apps pages stay empty until those services are licensed and connected. To verify the Secure Score, navigate to security.microsoft.com > Secure Score. To view incidents, go to Incidents & alerts > Incidents.

Interaction with related technologies

The Security Center is the top-level portal that integrates with:

- Microsoft 365 Defender: not a separate portal. The Microsoft 365 security center was renamed the Microsoft 365 Defender portal (now the Microsoft Defender portal) and still lives at security.microsoft.com. Defender for Office 365, Defender for Endpoint, Defender for Identity, and Defender for Cloud Apps all surface their alerts and settings inside it.
- Azure AD (Microsoft Entra) Identity Protection: Provides user and sign-in risk data. The Security Center shows a user's risk level on the user's entity page; the full Risky users report lives in the Entra admin center under Identity Protection.
- Microsoft Cloud App Security (now Defender for Cloud Apps): Provides app discovery and cloud app governance. Its alerts appear in the Security Center's incident queue.
- Microsoft Purview compliance portal (compliance.microsoft.com, now purview.microsoft.com): While the Security Center focuses on security, the compliance portal focuses on data compliance, eDiscovery, and DLP. The two portals are separate but share some data (e.g., the unified audit log).

Values and defaults

Secure Score defaults: There is no fixed starting value; the score depends on the tenant's configuration and licensed services. A freshly created tenant with default settings commonly lands in the 30-40% range.

Alert severity levels: Informational, Low, Medium, High. There is no Critical level in the Defender portal; an incident's severity is the highest severity among its alerts.

Incident correlation: Alerts are grouped into an incident when they share entities (user, device, IP address, URL, file hash) and occur close together in time. Microsoft does not publish a fixed correlation window, so do not memorize a number.

Secure Score update frequency: Every 24 hours.

Exam note

The MS-900 exam does not require deep technical configuration steps. Focus on the purpose of the Security Center, the meaning of Secure Score, the types of data it aggregates, and the difference between incidents and alerts. Be aware that Secure Score is NOT a real-time metric—it updates daily. Also, know that the Security Center is different from the Azure Security Center (now Microsoft Defender for Cloud), which focuses on Azure resources.

Walk-Through

1

Access the Security Center Portal

Navigate to https://security.microsoft.com and sign in with an account holding the Global Administrator or Security Administrator role (Security Reader is enough to look without changing anything). The portal loads the Home dashboard, which summarizes Secure Score, top incidents, and active alerts; the cards are customizable. Without a Microsoft 365 subscription there is no tenant to show and the portal will not let you in. The exam may ask which portal to use for security management; this is the correct answer.

2

Review Secure Score and Improvement Actions

Click on 'Secure Score' in the left navigation. The Secure Score page displays your current score as points earned out of points possible, with the equivalent percentage, a history chart, and a list of improvement actions. Each action shows its potential point increase and a status: To address, Planned, Risk accepted, Resolved through third party, Resolved through alternate mitigation, or Completed. Only Completed and the two 'Resolved through' statuses earn points; Risk accepted earns none and simply hides the action from the list. Click on an action to see configuration steps and current coverage. 'Ensure all users can complete multifactor authentication', for example, shows which users are not yet protected and awards partial points in proportion to coverage. The score is earned points divided by achievable points, not a count of completed actions.

3

Investigate an Incident

Navigate to 'Incidents & alerts' > 'Incidents'. The queue lists incidents with severity, name, affected assets, and status. Click on an incident to open its details. The incident page shows a timeline of alerts, the entities involved (users, IPs, devices, mailboxes), and an attack-story graph that links them. You can manage the incident by changing its status (Active, In progress, Resolved), assigning it to an analyst, and recording a classification (true positive, false positive, or informational) when you close it. The exam may test that incidents group related alerts.

4

Review Threat Analytics Reports

Click on 'Threat Analytics' in the left navigation. This section displays reports from Microsoft's security research team. Each report covers a threat actor, campaign, or vulnerability. Reports include a summary, recommended actions, and impacted products. The exam may ask where to find information about the latest threats—Threat Analytics is the correct answer.

5

Configure Security Policies

Under 'Policies & rules', you can configure policies for various services. For example, 'Anti-phishing' policy under 'Email & collaboration'. These policies are also configurable in their respective portals (e.g., Exchange admin center), but the Security Center provides a unified view. The exam does not require detailed policy configuration steps, but you should know that policies can be managed from the Security Center.
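Everything the walk-through does by clicking can also be done against the Microsoft Graph security API that backs the portal. The following Python is an added example written for this chapter (not Microsoft's code): it pulls the active incident queue, orders it the way an analyst works it, and assigns the top incident. The endpoint and field names are those documented for /security/incidents; the HTTP transport is injected so the demo runs offline against a constructed response, and token acquisition (SecurityIncident.ReadWrite.All) is left out. The incident payload and analyst UPN are constructed.

```python
"""Added example (not from the page or from Microsoft): triaging Defender
incidents through the Microsoft Graph security API instead of the portal.

Endpoint, field names and enum values follow the documented
/security/incidents resource (severity: informational | low | medium |
high; status: active | inProgress | resolved | redirected).  The HTTP
transport is injected so the demo runs offline; a real transport would
send the request with an OAuth bearer token.  Sample incidents and the
analyst UPN are constructed."""
import json
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com/v1.0"
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}


def list_incidents(transport, *, status="active", severity=None, top=50):
    """GET /security/incidents with an OData $filter built from the arguments."""
    clauses = [f"status eq '{status}'"]
    if severity:
        clauses.append(f"severity eq '{severity}'")
    query = urlencode({"$filter": " and ".join(clauses), "$top": top})
    page = transport("GET", f"{GRAPH}/security/incidents?{query}", None)
    return page["value"]


def triage_order(incidents):
    """Queue order an analyst works: highest severity first, oldest first within a severity."""
    return sorted(incidents, key=lambda i: (-SEVERITY_RANK[i["severity"]], i["createdDateTime"]))


def update_incident(transport, incident_id, **fields):
    """PATCH /security/incidents/{id}, restricted to the fields Graph documents as
    writable; severity, for instance, is computed from the alerts and cannot be set."""
    allowed = {"assignedTo", "status", "classification", "determination", "customTags"}
    bad = set(fields) - allowed
    if bad:
        raise ValueError(f"not updatable via Graph: {sorted(bad)}")
    return transport("PATCH", f"{GRAPH}/security/incidents/{incident_id}", fields)


def take_next(transport, analyst):
    """Pull the queue, pick the top incident, assign it and mark it in progress.
    Returns the updated incident, or None if the queue is empty."""
    queue = triage_order(list_incidents(transport))
    if not queue:
        return None
    first = queue[0]
    return update_incident(transport, first["id"], assignedTo=analyst, status="inProgress")


# --- constructed offline stand-in for graph.microsoft.com ---
SAMPLE_INCIDENTS = [  # constructed, shaped like the Graph incident resource
    {"id": "1001", "displayName": "Multi-stage incident involving Initial access & Credential access",
     "severity": "high", "status": "active", "createdDateTime": "2026-05-30T09:14:00Z", "assignedTo": None},
    {"id": "1002", "displayName": "Email reported by user as malware or phish",
     "severity": "low", "status": "active", "createdDateTime": "2026-05-29T17:02:00Z", "assignedTo": None},
    {"id": "1003", "displayName": "Atypical travel involving one user",
     "severity": "medium", "status": "active", "createdDateTime": "2026-05-30T11:40:00Z", "assignedTo": None},
    {"id": "1004", "displayName": "Suspicious PowerShell on one endpoint",
     "severity": "high", "status": "active", "createdDateTime": "2026-05-29T23:55:00Z", "assignedTo": None},
]


class FakeGraph:
    """Records every call; answers GET with the sample queue and applies PATCH bodies in place."""
    def __init__(self, incidents):
        self.incidents = {i["id"]: dict(i) for i in incidents}
        self.calls = []

    def __call__(self, method, url, body):
        self.calls.append((method, url, body))
        if method == "GET":
            return {"value": list(self.incidents.values())}
        incident_id = url.rsplit("/", 1)[1]
        self.incidents[incident_id].update(body)
        return self.incidents[incident_id]


if __name__ == "__main__":
    graph = FakeGraph(SAMPLE_INCIDENTS)
    picked = take_next(graph, "analyst@contoso.example")  # constructed UPN
    print(json.dumps(picked, indent=2))
```

Note the enum values: there is no "critical" severity to filter on, and closing an incident is a PATCH of status to "resolved" together with a classification and determination, exactly the fields the portal asks for when you resolve one by hand.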

What This Looks Like on the Job

Enterprise Scenario 1: Incident Response for a Phishing Attack

A large enterprise with 10,000 users receives a phishing email that slips past Exchange Online Protection. The email links to a credential-harvesting site. Several users click the link and enter their credentials. Azure AD Identity Protection flags the resulting sign-ins from an unfamiliar IP address and raises a medium-severity risk detection. Safe Links in Defender for Office 365 flags the URL as malicious at time of click and raises its own alert. The Security Center correlates these alerts into a single incident because they involve the same users. The security team opens the incident, sees the affected users, and responds: automated investigation and response (AIR) in Defender for Office 365 soft-deletes the message from every mailbox that received it, and a risk-based Conditional Access policy forces the compromised users to change their password at next sign-in. Secure Score itself does not move because of the incident; it measures configuration, not threat activity. What the investigation may reveal is a gap the score already reflects, such as an anti-phishing policy that was never tightened, and that improvement action will be waiting in the To address list.

Enterprise Scenario 2: Secure Score Improvement

A mid-size company wants to improve its security posture. The security administrator logs into the Security Center and sees a Secure Score of 45%. The improvement actions list shows (illustrative values; real point values change over time) that requiring MFA for all users would add 9 points, turning on audit logging 5 points, and enabling Defender for Office 365 policies 8 points. The administrator prioritizes by points gained per unit of effort. After implementing MFA and audit logging, the score rises to about 60% once the next daily recalculation runs. The company also uses the Threat Analytics section to read about a new ransomware campaign targeting its industry and applies the recommended mitigations.
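To make the arithmetic behind Secure Score (introduced under Key components, reviewed in walk-through step 2, and used in this scenario) concrete, here is an added Python example written for this chapter, not Microsoft's implementation. It applies the portal's documented status rules (Completed and the two 'Resolved through' statuses earn full points, To address earns partial credit in proportion to coverage, Planned and Risk accepted earn nothing) to a constructed set of actions with illustrative point values, and estimates the gain from finishing each open action.

```python
"""Added example (not from the page or from Microsoft): how Secure Score
points become the percentage the portal shows, and how to estimate the
gain from finishing an open action.

Status handling follows the portal's documented rules: Completed, Resolved
through third party and Resolved through alternate mitigation earn the
action's full points; To address actions earn partial credit in proportion
to coverage (the portal shows this as e.g. 4/9 points); Planned and Risk
accepted earn nothing, and Risk accepted only removes the action from the
list.  The actions and point values are constructed sample data, not
Microsoft's current catalog."""
from dataclasses import dataclass, replace

FULL_CREDIT = {"completed", "resolved through third party", "resolved through alternate mitigation"}
ZERO_CREDIT = {"planned", "risk accepted"}


@dataclass(frozen=True)
class ImprovementAction:
    name: str
    max_points: float
    status: str
    coverage: float = 0.0  # fraction of users/devices already covered (To address only)


def points_earned(action):
    status = action.status.lower()
    if status in FULL_CREDIT:
        return float(action.max_points)
    if status in ZERO_CREDIT:
        return 0.0
    if status == "to address":
        if not 0.0 <= action.coverage <= 1.0:
            raise ValueError(f"coverage out of range for {action.name}")
        return round(action.max_points * action.coverage, 2)
    raise ValueError(f"unknown status {action.status!r} for {action.name}")


def secure_score(actions):
    """Return (earned, possible, percent) the way the portal reports it."""
    earned = round(sum(points_earned(a) for a in actions), 2)
    possible = float(sum(a.max_points for a in actions))
    percent = round(100.0 * earned / possible, 2) if possible else 0.0
    return earned, possible, percent


def gain_if_completed(actions, name):
    """Points and percentage points the score would rise by once the named action is Completed."""
    updated = [replace(a, status="completed") if a.name == name else a for a in actions]
    before = secure_score(actions)
    after = secure_score(updated)
    return round(after[0] - before[0], 2), round(after[2] - before[2], 2)


def to_address_list(actions):
    """What the portal lists as open work: To address and Planned, largest remaining points first."""
    open_actions = [a for a in actions if a.status.lower() in {"to address", "planned"}]
    return sorted(open_actions, key=lambda a: a.max_points - points_earned(a), reverse=True)


SAMPLE_ACTIONS = [  # constructed; point values illustrative
    ImprovementAction("Require MFA for administrative roles", 10, "Completed"),
    ImprovementAction("Ensure all users can complete MFA", 9, "To address", coverage=0.6),
    ImprovementAction("Turn on Safe Links for email", 4, "Planned"),
    ImprovementAction("Block legacy authentication", 8, "Risk accepted"),
    ImprovementAction("Enable self-service password reset", 1, "Resolved through third party"),
]

if __name__ == "__main__":
    earned, possible, percent = secure_score(SAMPLE_ACTIONS)
    print(f"Secure Score: {earned}/{possible} points = {percent}%")
    for a in to_address_list(SAMPLE_ACTIONS):
        pts, pct = gain_if_completed(SAMPLE_ACTIONS, a.name)
        print(f"  {a.name}: +{pts} points (+{pct} percentage points)")
```

Two things the numbers make visible: a Planned action is worth nothing until it is actually done, and a Risk accepted action still costs its full points (here 8 of 32, a quarter of the achievable score) even though it no longer appears in the list.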

What goes wrong when misconfigured

If the Security Center is not used, or if alerts are ignored, incidents escalate. A single alert for a suspicious sign-in might be dismissed as a false positive, but combined with a subsequent malware detection on the same user's device it is a compromise in progress; without incident correlation the connection is missed. Leaving Secure Score improvement actions unimplemented likewise leaves the tenant exposed. Common misconfigurations include turning off the unified audit log (it is on by default in current tenants, and disabling it blinds several detections and every later investigation) and not assigning the Security Reader or Security Operator role to the staff who must watch the queue, so nobody sees the incidents.

How MS-900 Actually Tests This

MS-900 Exam Focus

This topic is covered under objective 3.1: 'Describe the capabilities of Microsoft 365 security center and secure score.' The exam expects you to:

Identify the Microsoft 365 Security Center as the unified portal for security management.

Understand that Secure Score is a measurement of security posture based on configuration.

Know that Secure Score updates every 24 hours (not real-time).

Differentiate between incidents (grouped alerts) and alerts (individual signals).

Recognize that Threat Analytics provides threat intelligence reports.

Common Wrong Answers

1.

'Secure Score is a real-time metric.' This is false. Secure Score updates daily. Candidates often assume it is real-time because the dashboard looks live.

2.

'The Security Center replaces the Azure Security Center.' This is incorrect. Azure Security Center (now Microsoft Defender for Cloud) focuses on Azure workloads, while the Microsoft 365 Security Center focuses on Microsoft 365 services. They are separate.

3.

'Secure Score measures how many threats have been blocked.' This is false. Secure Score measures configuration posture, not actual threat activity. A tenant with a high Secure Score can still be attacked.

4.

'The Security Center is only available with E5 licenses.' This is false. The Security Center is available with E3, E5, and Business Premium, though some features require higher licenses.

Numbers and Terms

Secure Score range: shown as points earned out of points possible, and as a percentage (0-100%).

Update frequency: Daily.

Severity levels: Informational, Low, Medium, High (no Critical).

Portal URL: security.microsoft.com.

Key roles: Security Administrator, Security Reader, Global Administrator.

Edge Cases

A brand-new tenant with no users and no configured services has few scored actions, so its Secure Score is not meaningful until services are in use.

Some improvement actions require specific licenses (e.g., Defender for Office 365 Plan 2 for threat hunting).

The Security Center covers cloud services and, through Defender for Endpoint and Defender for Identity, managed devices and on-premises Active Directory domain controllers; for on-premises servers and other infrastructure, use Microsoft Defender for Cloud (with Azure Arc).

How to Eliminate Wrong Answers

If a question asks about improving security posture, look for answers that involve configuration changes (e.g., enabling MFA, enabling audit logging) rather than operational actions (e.g., blocking an IP). If a question asks about a real-time security dashboard, it is likely referring to the Security Center, but be careful—the dashboard is not real-time for Secure Score. For incident management, the correct answer is the Security Center, not the Compliance Portal or Azure AD.

Key Takeaways

The Microsoft 365 Security Center is the unified portal at security.microsoft.com for managing security across Microsoft 365.

Secure Score is a numeric representation of your security posture, shown as points earned out of points possible and as a percentage (0-100%), updated daily.

Secure Score measures configuration, not actual threat activity.

Incidents group related alerts to help investigate attacks.

Threat Analytics provides threat intelligence reports from Microsoft's security research team.

The Security Center is available with E3, E5, and Business Premium licenses.

Key roles to access the Security Center include Security Administrator and Security Reader.

The Security Center is different from the Azure Security Center (Microsoft Defender for Cloud).

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Microsoft 365 Security Center

Focuses on Microsoft 365 services (Exchange, SharePoint, Teams, etc.)

Provides Secure Score for Microsoft 365 configuration

Integrates with Defender for Office 365, Defender for Identity, Cloud App Security

Portal URL: security.microsoft.com

Used for email, identity, endpoint, and cloud-app threats against Microsoft 365 users

Azure Security Center (Defender for Cloud)

Focuses on Azure resources (VMs, SQL, storage, etc.)

Provides its own, separate Secure Score for Azure (and Arc-connected) resources

Integrates with Azure Defender plans for workload protection

Portal URL: portal.azure.com (Microsoft Defender for Cloud blade, formerly the Azure Security Center blade)

Used for infrastructure-level threats

Security Center Incidents

Group of related alerts

Represent a full attack story

Have a severity based on the highest severity alert in the group

Can be managed (resolved, assigned)

Provide a timeline of events

Alerts

Individual security signal

Represent a single suspicious event

Have their own severity

Can be dismissed or investigated individually

Show a single event and its own alert story, not the cross-service timeline an incident provides

Watch Out for These

Mistake

Secure Score is updated in real-time as you make changes.

Correct

Secure Score updates only once every 24 hours. Changes you make today will be reflected in the score tomorrow.

Mistake

The Microsoft 365 Security Center is the same as the Azure Security Center.

Correct

They are different portals. The Microsoft 365 Security Center (security.microsoft.com) covers Microsoft 365 services. Azure Security Center (now Microsoft Defender for Cloud) covers Azure resources.

Mistake

Secure Score measures how many attacks were blocked.

Correct

Secure Score measures the configuration of security features, not the number of blocked attacks. It reflects your potential to prevent attacks, not actual threat activity.

Mistake

The Security Center requires an E5 license to access.

Correct

The Security Center is available with E3, E5, and Business Premium licenses. However, some features like threat hunting require E5 or add-on licenses.

Mistake

Incidents and alerts are the same thing.

Correct

Alerts are individual security signals. Incidents are groups of related alerts that indicate a potential attack. Incidents provide a consolidated view.


Frequently Asked Questions

What is the difference between Microsoft 365 Security Center and Microsoft 365 Defender?

They are the same portal. Microsoft renamed the Microsoft 365 security center to the Microsoft 365 Defender portal (now the Microsoft Defender portal); it still lives at security.microsoft.com. 'Microsoft 365 Defender' also names the XDR service behind that portal, which brings together Defender for Office 365, Defender for Endpoint, Defender for Identity, and Defender for Cloud Apps and correlates their alerts into incidents. For the exam, treat 'Microsoft 365 security center' and 'Microsoft 365 Defender portal' as one unified security portal, distinct from Microsoft Defender for Cloud (Azure workloads) and from the Purview compliance portal.

How often does Secure Score update?

Secure Score updates once every 24 hours. If you make configuration changes, you will see the updated score the next day. The exam may test this fact, so do not assume it is real-time.

Can I access the Security Center without a Microsoft 365 subscription?

No. You need an active Microsoft 365 or Office 365 subscription (a trial subscription counts) and an appropriate role, such as Global Administrator, Security Administrator, or Security Reader for read-only access. A personal Microsoft account or an Azure subscription on its own does not give you the portal.

What is the difference between an incident and an alert?

An alert is a single security signal, such as 'Suspicious sign-in detected'. An incident is a collection of related alerts that together indicate a potential attack. For example, an incident might include alerts for a phishing email, a compromised account, and malware installation. The exam expects you to know that incidents provide a consolidated view for investigation.

How do I improve my Secure Score?

Implement the improvement actions listed in the Secure Score page. Common actions include enabling multi-factor authentication (MFA), enabling audit logging, enabling Defender for Office 365 policies, and enabling self-service password reset (SSPR). Each action has a point value. The exam may ask which actions improve Secure Score.

Is the Security Center the same as the Compliance Center?

No. The Security Center (security.microsoft.com) focuses on security threats and posture. The Compliance Center (compliance.microsoft.com) focuses on data compliance, eDiscovery, and data loss prevention (DLP). They are separate portals but share some data like audit logs.

What licenses are required to use the Security Center?

The Security Center is available with Microsoft 365 E3, E5, and Business Premium. Some features, such as threat hunting and advanced analytics, require E5 or add-on licenses like Microsoft 365 E5 Security. The exam may test that basic access is available with E3.
