SC-200 | Chapter 23 of 101 | Objective 3.2

Microsoft Secure Score Improvements

This chapter covers Microsoft Secure Score Improvements, a core component of Microsoft 365 Defender and a key topic for the SC-200 exam. Understanding how Secure Score is calculated, how to interpret improvement actions, and how to track progress is essential for security operations analysts. Expect approximately 5-10% of exam questions to touch on Secure Score, particularly its integration with other Microsoft 365 Defender tools and its role in measuring security posture.

25 min read
Intermediate
Updated May 31, 2026

Your Security Scorecard at Work

Imagine you are a facilities manager responsible for a large office building. Your boss asks for a daily 'security score' — a number from 0 to 100 that shows how well the building is protected. You have a checklist of 50 security controls: locks on doors, alarm systems, camera coverage, visitor logs, fire extinguisher inspections, etc. Each control has a maximum point value based on its importance. For example, a working alarm system is worth 10 points, while a fire extinguisher inspection is worth 2 points. Each day, you walk through the building and for each control, you assign a score: 100% if fully compliant, 50% if partially compliant (like a lock that works but is rarely used), and 0% if missing. Your overall score is the sum of (control weight × compliance percentage) divided by total possible points, multiplied by 100. But here's the catch: the checklist and point values are updated monthly by headquarters based on new threats. Last month, 'visitor badges' were worth 5 points; this month, they are worth 8 points because of a recent incident. Also, you can take actions to improve your score: installing a new lock adds points immediately, but some actions take a week to reflect because they require a follow-up inspection. Your goal is to reach a target score set by the board. This is exactly how Microsoft Secure Score works: a set of improvement actions (controls), each with a weight and a maximum score, that you implement to increase your overall score, with periodic updates to the control catalog and scoring logic.

How It Actually Works

What is Microsoft Secure Score?

Microsoft Secure Score is a measurement of an organization's security posture based on the configuration of Microsoft 365 services, Azure, and other connected workloads. It is a numerical score (0 to 100) that reflects how well you have implemented security recommendations, called 'improvement actions.' The higher the score, the better your security posture. Secure Score is available in the Microsoft 365 Defender portal (security.microsoft.com) and is used by security teams to prioritize and track security improvements.

How Secure Score is Calculated

The Secure Score is calculated using a weighted average of the scores for each improvement action. Each improvement action has a maximum score (e.g., 10 points) and a current score based on your compliance level. The formula is:

Secure Score = (Sum of (Max Score per Action × Compliance Percentage)) / (Sum of All Max Scores) × 100

Compliance percentage is determined by how many users or devices meet the action's requirement. For example, if an action requires multi-factor authentication (MFA) for all users and you have 80% of users enabled, the compliance percentage is 80%. If the action's max score is 10, you get 8 points. The total possible score is the sum of all max scores (which can change as new actions are added or deprecated).

Key Components of Secure Score

Improvement Actions: These are specific recommendations, such as 'Enable MFA for all users,' 'Turn on auditing for Exchange Online,' or 'Enable Defender for Cloud for all subscriptions.' Each action has a status (Completed, Planned, Risk Accepted, etc.) and a score impact.

Score Impact: The number of points you gain by fully implementing the action. For example, 'Enable MFA' might have a score impact of 9.82 points.

Category: Actions are grouped into categories like Identity, Device, Apps, Data, Infrastructure, etc.

License Requirement: Some actions require specific licenses (e.g., Azure AD Premium P2 for Identity Protection).

Implementation Status: You can mark actions as Planned, Risk Accepted, or Completed via third-party. Marking an action as completed via third-party records your decision but does not add points, because Microsoft cannot verify that the third-party tool meets the requirement.

How Secure Score Changes Over Time

Your Secure Score is recalculated continuously as you implement actions. However, the score may also change when Microsoft updates the scoring model. For example, if a new improvement action is added with a high max score, your overall score may decrease temporarily because you haven't implemented it yet. Similarly, if an action's max score is adjusted, your score can change without any action on your part.

Secure Score and Microsoft 365 Defender

Secure Score is integrated into Microsoft 365 Defender, allowing you to see your score on the dashboard and drill into improvement actions. It also provides recommendations based on your environment. The Secure Score page shows:

Overall Score: Your current score out of 100.

Score Trend: A graph showing how your score has changed over time (e.g., 30 days, 90 days).

Top Improvement Actions: Actions with the highest potential score impact.

Comparison: Your score compared to organizations of similar size or industry (if you opt in).

Improvement Actions Deep Dive

Each improvement action includes:

Action Name: e.g., 'Enable MFA for all users'

Score Impact: e.g., 9.82 points

Category: e.g., Identity

State: Completed, Planned, Risk Accepted, or Not Started

Licenses Required: e.g., Azure AD Premium P1 or P2

Implementation Steps: Detailed instructions on how to complete the action.

Points Achieved: Current points earned for this action.

Max Points: Maximum possible points.

Compliance: Percentage of users/devices compliant.

Managing Improvement Actions

You can manage actions by:

Marking as Planned: Indicates you intend to implement it.

Marking as Risk Accepted: If you choose not to implement it, you can accept the risk, and the action will not affect your score (but you must provide a justification).

Completing via Third-Party: If you use a non-Microsoft tool to fulfill the action, you can mark it as completed via third-party, but it still won't count toward your score because Microsoft cannot verify compliance.

Secure Score APIs

Secure Score data can be accessed via the Microsoft Graph API. This is useful for reporting and automation. The API endpoints include:

GET /security/secureScores - Retrieve overall scores.

GET /security/secureScoreControlProfiles - Retrieve improvement actions.

Example API call:

GET https://graph.microsoft.com/v1.0/security/secureScoreControlProfiles
Authorization: Bearer {token}
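The endpoint list above shows how to call the API but not what to do with the JSON it returns. The following Python is an added example, not the chapter's or Microsoft's code: fetch_secure_scores() and fetch_control_profiles() make the live Graph calls (they need a bearer token carrying the SecurityEvents.Read.All permission and are not exercised offline), while score_history() and outstanding_actions() run on a constructed sample response. The field names used (currentScore, maxScore, createdDateTime, controlScores with controlName and score; profile id, title and maxScore) follow the Graph secureScore and secureScoreControlProfile resources; the control ids, titles, dates and numbers are made up, and the use of the $top query option to limit the number of daily snapshots is an assumption.

```python
"""Retrieve Secure Score history from Microsoft Graph and turn it into a report.

Added example, not Microsoft code. The fetch_* functions perform the real
Graph calls and need a bearer token with SecurityEvents.Read.All; everything
else runs offline on a constructed sample. Field names follow the Graph
secureScore / secureScoreControlProfile resources; ids, titles and numbers
are made up for illustration.
"""
import json
import urllib.request

GRAPH_SECURE_SCORES = "https://graph.microsoft.com/v1.0/security/secureScores"
GRAPH_CONTROL_PROFILES = "https://graph.microsoft.com/v1.0/security/secureScoreControlProfiles"


def graph_get(url: str, token: str) -> list:
    """Live call (not run offline): one page of a Graph collection's 'value' array."""
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["value"]


def fetch_secure_scores(token: str, days: int = 90) -> list:
    # Snapshots are daily and history is kept for 90 days; $top (assumed) caps the count.
    return graph_get(f"{GRAPH_SECURE_SCORES}?$top={days}", token)


def fetch_control_profiles(token: str) -> list:
    return graph_get(GRAPH_CONTROL_PROFILES, token)


# Constructed sample: three daily snapshots (newest first, as Graph returns them)
# and the matching control profiles. On 2026-05-31 a new control appears in the
# catalog, so maxScore rises from 100 to 110 while currentScore stays put.
SAMPLE_SCORES = json.dumps({"value": [
    {"createdDateTime": "2026-05-31T00:00:00Z", "currentScore": 53.5, "maxScore": 110.0,
     "controlScores": [
         {"controlName": "AdminMFAV2", "controlCategory": "Identity", "score": 10.0},
         {"controlName": "MFARegistrationV2", "controlCategory": "Identity", "score": 3.5},
         {"controlName": "SelfServicePasswordReset", "controlCategory": "Identity", "score": 0.0}]},
    {"createdDateTime": "2026-05-30T00:00:00Z", "currentScore": 53.5, "maxScore": 100.0,
     "controlScores": [
         {"controlName": "AdminMFAV2", "controlCategory": "Identity", "score": 10.0},
         {"controlName": "MFARegistrationV2", "controlCategory": "Identity", "score": 3.5},
         {"controlName": "SelfServicePasswordReset", "controlCategory": "Identity", "score": 0.0}]},
    {"createdDateTime": "2026-05-29T00:00:00Z", "currentScore": 48.5, "maxScore": 100.0,
     "controlScores": [
         {"controlName": "AdminMFAV2", "controlCategory": "Identity", "score": 5.0},
         {"controlName": "MFARegistrationV2", "controlCategory": "Identity", "score": 3.5},
         {"controlName": "SelfServicePasswordReset", "controlCategory": "Identity", "score": 0.0}]},
]})
SAMPLE_PROFILES = json.dumps({"value": [
    {"id": "AdminMFAV2", "title": "Require MFA for administrative roles", "maxScore": 10.0},
    {"id": "MFARegistrationV2", "title": "Ensure all users can complete MFA", "maxScore": 9.0},
    {"id": "SelfServicePasswordReset", "title": "Enable self-service password reset", "maxScore": 1.0},
    {"id": "NewControl2026", "title": "Newly added control (constructed)", "maxScore": 10.0},
]})


def percentage(snapshot: dict) -> float:
    """The 0-100 figure the dashboard shows: current points over max points."""
    return round(snapshot["currentScore"] / snapshot["maxScore"] * 100, 2)


def score_history(raw_json: str) -> list:
    """Oldest-first rows of (date, percentage, delta, catalog_changed).

    catalog_changed flags days on which maxScore moved: a drop on such a day
    is Microsoft adding or reweighting actions, not a configuration regression.
    """
    snaps = sorted(json.loads(raw_json)["value"], key=lambda s: s["createdDateTime"])
    rows, prev = [], None
    for s in snaps:
        pct = percentage(s)
        delta = round(pct - percentage(prev), 2) if prev else 0.0
        changed = prev is not None and s["maxScore"] != prev["maxScore"]
        rows.append((s["createdDateTime"][:10], pct, delta, changed))
        prev = s
    return rows


def outstanding_actions(raw_scores: str, raw_profiles: str) -> list:
    """(title, remaining points) with the largest gains first: the latest snapshot's
    per-control scores joined to the catalog's maxScore, like 'sort by score impact'."""
    latest = max(json.loads(raw_scores)["value"], key=lambda s: s["createdDateTime"])
    achieved = {c["controlName"]: c["score"] for c in latest["controlScores"]}
    rows = []
    for p in json.loads(raw_profiles)["value"]:
        remaining = round(p["maxScore"] - achieved.get(p["id"], 0.0), 2)
        if remaining > 0:
            rows.append((p["title"], remaining))
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for date, pct, delta, changed in score_history(SAMPLE_SCORES):
        note = "  (max score changed: catalog update)" if changed else ""
        print(f"{date}  {pct:6.2f}  {delta:+6.2f}{note}")
    for title, remaining in outstanding_actions(SAMPLE_SCORES, SAMPLE_PROFILES):
        print(f"{remaining:5.2f}  {title}")
```

The history report is what a weekly management summary needs: the same rows can be written to CSV for Power BI or forwarded to a SIEM, and the catalog_changed flag lets the reader separate a drop caused by Microsoft adding a control from one caused by someone switching a setting off.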

Default Values and Timers

Recalculation: Score updates typically within 24 hours of implementing an action.

Historical Data: Score history is retained for up to 90 days.

Max Points: Varies per action; typically ranges from 1 to 30 points.

Number of Actions: There are hundreds of improvement actions, updated monthly.

Interaction with Related Technologies

Secure Score works closely with:

Microsoft 365 Defender: Provides the dashboard and recommendations.

Azure Security Center / Defender for Cloud: Secure Score for Azure is separate but similar; the SC-200 exam focuses on Microsoft 365 Secure Score.

Microsoft Graph Security API: Allows integration with SIEM/SOAR.

Compliance Manager: Secure Score is sometimes confused with Compliance Manager scores, but Compliance Manager focuses on regulatory compliance (e.g., GDPR, ISO 27001), while Secure Score focuses on security posture.

Exam Tips

Know that Secure Score is NOT a guarantee of security; it measures configuration only.

Be aware that third-party actions marked as completed do NOT affect your score.

Remember that score can decrease when new actions are added.

Understand the difference between Secure Score and Compliance Manager.

Know that you can use APIs to retrieve Secure Score data programmatically.

Walk-Through

1. Access the Secure Score Dashboard

Navigate to the Microsoft 365 Defender portal at security.microsoft.com. In the left navigation pane, select 'Secure Score' under the 'Assets' section. The dashboard displays your overall score, historical trend, and top improvement actions. You can filter by category (Identity, Device, Apps, etc.) and view actions that are 'Not started' or 'Planned'. The dashboard also shows your score compared to similar organizations if you have opted in.

2. Review Improvement Actions

On the Secure Score page, click 'View improvement actions' to see the full list. Each action shows its name, score impact, category, and status. Sort by 'Score impact' to prioritize actions that will give the biggest boost. Click on an action to see detailed information, including implementation steps, required licenses, and the current compliance percentage. For example, 'Enable MFA for all users' might show that 70% of users are compliant, and completing it adds 9.82 points.

3. Plan and Implement an Action

Select an action you want to implement. Review the implementation steps, which often include links to the relevant admin center. For example, to enable MFA, you might need to go to Azure AD > Security > MFA and configure policies. After implementing, the change is detected by Microsoft 365 Defender, and the action's status updates to 'Completed' within 24 hours. Your Secure Score recalculates automatically.

4. Mark Actions as Planned or Risk Accepted

If you cannot implement an action immediately, you can mark it as 'Planned' to track it. If you decide not to implement it, you can mark it as 'Risk accepted' and provide a justification. This removes the action from your score calculation. However, be aware that marking an action as risk accepted does not improve your score; it simply prevents it from lowering your score further if you are not compliant.

5. Monitor Score Trend and Report

Use the Secure Score dashboard to monitor your score over time. The trend graph shows changes over the last 30 or 90 days. You can export the data for reporting. For automated reporting, use the Microsoft Graph API to retrieve Secure Score data and integrate with SIEM tools. For example, you can create a Power BI dashboard that shows score trends and outstanding actions.

What This Looks Like on the Job

In a large enterprise with thousands of users, Secure Score is used by the security operations center (SOC) to prioritize security improvements. For example, a company might have a score of 60 and want to reach 80. The SOC team reviews improvement actions sorted by score impact. They see that enabling MFA for all users adds 10 points, turning on auditing for Exchange adds 5 points, and configuring Defender for Office 365 policies adds 8 points. They create a project plan to implement these actions over the next quarter. They use the 'Planned' status to track progress and generate weekly reports for management using the Secure Score API.

Another scenario: a small business with limited IT staff uses Secure Score to identify quick wins. They see that enabling Azure AD Password Protection (banning common passwords) has a high score impact and is easy to implement. They also notice that some actions require licenses they don't have (e.g., Azure AD Premium P2). They decide to accept the risk for those actions by marking them as 'Risk accepted' with a justification.

A common misconfiguration is marking third-party actions as completed. For instance, a company uses a third-party MFA solution and marks the 'Enable MFA' action as 'Completed via third-party.' However, this does not count toward their Secure Score because Microsoft cannot verify compliance. The company's score remains low, and they mistakenly think they have addressed the issue. To correctly reflect their posture, they should ensure that the third-party solution is integrated with Azure AD via a supported connector, or they should accept the risk.

Performance considerations: Secure Score updates can take up to 24 hours, so teams should not expect immediate changes. Also, the number of improvement actions can be overwhelming; filtering by category and score impact helps focus efforts. When misconfigured, such as ignoring high-impact actions, the score stagnates, and the organization may miss critical security improvements.

How SC-200 Actually Tests This

The SC-200 exam tests your understanding of Microsoft Secure Score under objective '3.2 Manage security posture' (which includes Secure Score and related tools). Key areas include:

1. How Secure Score is calculated: You need to know the formula (weighted average) and that it measures configuration, not actual security incidents.

2. Improvement actions: Understand the different statuses (Completed, Planned, Risk Accepted, Not started) and that third-party completed actions do not affect the score.

3. Score impact: Know that actions have different point values and that the total possible score can change when new actions are added.

4. Integration: Secure Score is part of Microsoft 365 Defender and can be accessed via the portal or API.

Common wrong answers:

Candidates often confuse Secure Score with Compliance Manager. Remember: Secure Score = security posture; Compliance Manager = regulatory compliance.

Another trap: thinking that marking an action as 'Risk accepted' improves your score. It does not; it only prevents the action from counting against you (i.e., it is excluded from the calculation).

Some think that completing an action via third-party gives you the points. In reality, only actions completed using Microsoft services count toward the score.

Some believe the score updates instantly. It can take up to 24 hours.

Specific numbers/values: The score is 0-100. Historical data retained for 90 days. Score impact values vary (e.g., 9.82 for MFA). The number of actions is in the hundreds.

Edge cases: If a new improvement action is added with a high max score, your overall score may decrease even if you haven't changed anything. Also, if you disable a previously implemented action, your score drops.

How to eliminate wrong answers: reason from the underlying mechanism. Secure Score is a weighted average. If an answer suggests that marking an action as 'Risk accepted' increases your score, eliminate it, because risk acceptance only excludes the action; it doesn't add points. If an answer claims third-party actions count, eliminate it, because Microsoft cannot verify compliance.

Key Takeaways

Secure Score is a weighted average of improvement action scores, ranging from 0 to 100.

Improvement actions have a max score and a compliance percentage; only Microsoft-verified actions count toward the score.

Third-party completed actions do not affect Secure Score.

Marking an action as 'Risk accepted' excludes it from the score calculation.

Score updates within 24 hours of implementing an action.

Historical score data is retained for 90 days.

New improvement actions can cause your score to decrease even if you haven't made changes.

Secure Score is part of Microsoft 365 Defender, not Compliance Manager.

Use the Microsoft Graph API to retrieve Secure Score data programmatically.

Filter improvement actions by score impact to prioritize high-value changes.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Microsoft Secure Score

Focuses on Microsoft 365 services (Exchange, SharePoint, Teams, etc.).

Score range 0-100, based on improvement actions for cloud apps.

Accessible via Microsoft 365 Defender portal.

Includes actions for identity, devices, apps, data.

Integrated with Microsoft 365 Defender dashboard.

Azure Security Center Secure Score (Defender for Cloud)

Focuses on Azure resources (VMs, SQL databases, storage, etc.).

Score range 0-100, based on security recommendations for Azure resources.

Accessible via Azure Security Center / Defender for Cloud.

Includes actions for compute, networking, storage, etc.

Integrated with Azure Security Center.

Watch Out for These

Mistake

Secure Score is a measure of how many security incidents you have had.

Correct

Secure Score measures your security configuration, not actual incidents. It is based on improvement actions you have implemented, not on breaches or attacks.

Mistake

Marking an improvement action as 'Risk accepted' improves your score.

Correct

Marking as 'Risk accepted' excludes the action from the calculation, so it neither adds nor subtracts points. It simply removes the action's potential negative impact if you are not compliant.

Mistake

Completing an improvement action using a third-party tool gives you the same score points as using Microsoft tools.

Correct

Only actions completed using Microsoft services or verified via supported integrations count toward your Secure Score. Third-party actions marked as completed do not affect the score.

Mistake

Your Secure Score updates immediately after implementing an action.

Correct

Score updates typically within 24 hours. There is no real-time update; the system needs time to detect and verify the change.

Mistake

Secure Score and Compliance Manager are the same thing.

Correct

Secure Score focuses on security posture (configurations), while Compliance Manager focuses on regulatory compliance (e.g., GDPR, HIPAA). They are separate tools in the Microsoft 365 Defender portal.


Frequently Asked Questions

How often is Secure Score updated?

Secure Score is recalculated continuously, but changes from implementing improvement actions typically reflect within 24 hours. The score may also update when Microsoft modifies the improvement action catalog (e.g., adding or deprecating actions). For the exam, remember that it is not real-time.

Can I improve my Secure Score by using third-party security tools?

No, only improvement actions completed using Microsoft services or verified through supported integrations count toward your Secure Score. If you mark an action as 'Completed via third-party,' it does not affect your score. You must either implement the action using Microsoft tools or accept the risk.

What is the difference between Secure Score and Compliance Manager?

Secure Score measures your security posture based on configuration of Microsoft 365 services (e.g., MFA, auditing). Compliance Manager measures your compliance with regulatory standards (e.g., GDPR, NIST). They are separate tools in the Microsoft 365 Defender portal, though both use improvement actions. The exam tests both, but ensure you know which is which.

Why did my Secure Score drop even though I didn't change anything?

Your score can drop if Microsoft adds new improvement actions with high max scores. Since the total possible score increases but you haven't implemented the new actions, your percentage decreases. Also, if an existing action's max score is increased, your compliance percentage may not keep up, causing a drop.

How can I track Secure Score changes over time?

The Secure Score dashboard shows a trend graph for the last 30 or 90 days. You can also use the Microsoft Graph API to retrieve historical score data. For long-term tracking, export the data to Power BI or a SIEM tool.

What happens if I mark an improvement action as 'Planned'?

Marking an action as 'Planned' does not change your score. It simply helps you track actions you intend to implement. The action remains in the calculation with its current compliance level. Only 'Completed' or 'Risk accepted' statuses affect the calculation (completed adds points, risk accepted excludes the action).

Can I use Secure Score to compare my organization to others?

Yes, if you opt in, the Secure Score dashboard shows a comparison of your score to organizations of similar size and industry. This is optional and anonymous. You can disable it in settings.

