This chapter covers Microsoft Secure Score, a key component of the Microsoft 365 Defender portal that quantifies your organization's security posture. For the SC-200 exam, understanding Secure Score controls and recommendations is crucial because it appears in multiple objective areas, including Cloud Security (Objective 3.2) and Threat Management. Approximately 10-15% of exam questions touch on Secure Score, its controls, and how to interpret recommendations. You will learn the mechanics of how Secure Score is calculated, how to navigate the controls, and how to prioritize actions to improve your score.
Imagine your organization's security posture as a financial credit score. Secure Score is like a credit bureau that aggregates data from various sources—your credit cards, loans, payment history—to calculate a single number between 300 and 850. In security, Secure Score aggregates data from Microsoft 365 Defender, Microsoft Defender for Cloud, and Microsoft Defender for Identity. Each security control is like a specific financial action: paying bills on time (enabling multifactor authentication), keeping credit utilization low (reducing exposed secrets), or having a long credit history (using extended detection and response). Just as a credit score improves when you take recommended actions, your Secure Score increases when you implement security controls. The score is calculated as a percentage of completed controls out of total possible points. However, unlike a credit score, Secure Score does not penalize you for missing controls—it only reflects the percentage of controls you have implemented. The score is also dynamic: when Microsoft adds new controls or changes point values, your score adjusts automatically. This analogy helps you understand that Secure Score is a relative, not absolute, measure of security health, and that focusing on high-impact controls (like enabling multi-factor authentication) yields the greatest score improvement.
What is Microsoft Secure Score?
Microsoft Secure Score is a measurement of an organization's security posture based on the configuration of Microsoft 365 services, Azure Active Directory, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps. It is represented as a percentage of total possible points, with higher percentages indicating better adherence to security best practices. The score is calculated from a set of 'improvement actions'—specific security configurations or features that can be enabled or implemented.
Secure Score is not a real-time measure; it updates within 24-48 hours after a change is made. The score is designed to help organizations prioritize security investments by showing which actions yield the highest point increase per effort.
How Secure Score Works Internally
Secure Score aggregates data from multiple Microsoft security products through the Microsoft Graph Security API. For each product, a set of 'controls' is defined. A control is a specific security configuration, such as 'Enable multifactor authentication for all users' or 'Turn on audit logging in Exchange Online'. Each control has a maximum point value, which is determined by the security impact and the number of users or resources affected.
The calculation occurs as follows:
For each control, the system checks whether the organization has implemented the configuration. If yes, the control is marked as 'completed' and the organization earns the full points for that control.
If partially implemented (e.g., MFA enabled for only 50% of users), the control earns partial points proportional to the coverage.
The total earned points are divided by the total possible points (sum of max points for all controls) to get the percentage.
The score is then displayed as a number from 0 to 100%.
Controls are categorized by product and by risk level (Critical, Important, Moderate, Low). The exam expects you to know that 'Critical' controls have the highest point values and should be prioritized.
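The calculation and prioritization described above, as an added PowerShell example (not from the original page or from Microsoft): it joins per-control earned points to each control's maximum, computes the percentage, ranks what remains, and shows why a newly added control lowers the percentage. The sample data is constructed, the control ids and the function names Get-SecureScoreGap and Get-SecureScorePercent are hypothetical, and it assumes controlName in the score data matches the control profile id.

```powershell
# Constructed sample data, not real tenant output. Property names follow the
# Graph v1.0 secureScoreControlProfile and controlScore resources; the control
# ids and the 10- and 25-point values are invented for illustration.
$controlProfiles = @(
    [pscustomobject]@{ id = 'SampleMfaAllUsers';  title = 'Enable multifactor authentication for all users'; maxScore = 60 }
    [pscustomobject]@{ id = 'SampleMailboxAudit'; title = 'Enable mailbox auditing'; maxScore = 5 }
    [pscustomobject]@{ id = 'SampleAuditLogging'; title = 'Turn on audit logging in Exchange Online'; maxScore = 10 }
)
$controlScores = @(
    [pscustomobject]@{ controlName = 'SampleMfaAllUsers';  score = 30 }  # MFA covers 50% of users
    [pscustomobject]@{ controlName = 'SampleMailboxAudit'; score = 5 }   # fully implemented
)                                                                        # audit logging: no entry yet

function Get-SecureScoreGap {
    # Joins earned points to each control's maximum and reports what is left.
    param(
        [Parameter(Mandatory)] [object[]] $Profiles,
        [object[]] $Scores = @()
    )
    $earnedByControl = @{}
    foreach ($s in $Scores) { $earnedByControl[$s.controlName] = [double]$s.score }

    foreach ($p in $Profiles) {
        $max    = [double]$p.maxScore
        $earned = 0.0
        if ($earnedByControl.ContainsKey($p.id)) { $earned = $earnedByControl[$p.id] }
        $status = 'Not started'
        if ($earned -ge $max) { $status = 'Completed' }
        elseif ($earned -gt 0) { $status = 'Partially completed' }
        [pscustomobject]@{
            Title = $p.title; Status = $status
            EarnedPoints = $earned; MaxPoints = $max; RemainingPoints = $max - $earned
        }
    }
}

function Get-SecureScorePercent {
    # Earned points divided by total possible points, as a percentage.
    param([Parameter(Mandatory)] [object[]] $Gap)
    $possible = ($Gap | Measure-Object -Property MaxPoints -Sum).Sum
    if (-not $possible) { return 0 }
    $earned = ($Gap | Measure-Object -Property EarnedPoints -Sum).Sum
    [math]::Round(100 * $earned / $possible, 1)
}

$gap = Get-SecureScoreGap -Profiles $controlProfiles -Scores $controlScores
'Score: {0}%' -f (Get-SecureScorePercent -Gap $gap)

# Highest remaining points first: the order to work through the backlog.
$gap | Where-Object RemainingPoints -gt 0 |
    Sort-Object RemainingPoints -Descending |
    Format-Table Title, Status, EarnedPoints, MaxPoints, RemainingPoints

# A newly published control raises the total possible points, so the
# percentage falls even though nothing in the tenant changed.
$controlProfiles += [pscustomobject]@{ id = 'SampleNewControl'; title = 'Constructed new control'; maxScore = 25 }
$gapAfter = Get-SecureScoreGap -Profiles $controlProfiles -Scores $controlScores
'Score after new control: {0}%' -f (Get-SecureScorePercent -Gap $gapAfter)
```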
Key Components, Values, and Defaults
Improvement Actions: Individual steps you can take to improve your score. Each action has a title, description, potential points, implementation status, and category.
Score History: A trend line showing your score over the past 30, 90, or 365 days.
Licensed vs Unlicensed Score: Secure Score shows both your current score based on your licensed users and what your score could be if you had all licenses (e.g., E5 vs E3). This helps justify license upgrades.
Point Values: Typical point values range from 1 to 60 per control. For example, 'Enable MFA for all users' might be worth 60 points, while 'Enable mailbox auditing' might be worth 5 points.
Default Score: A new tenant starts with a low score (around 10-20%) because many security features are not enabled by default.
Update Frequency: Score updates within 24-48 hours, but improvement actions may take up to 72 hours to reflect after implementation.
Configuration and Verification
To view Secure Score:
1. Navigate to the Microsoft 365 Defender portal (https://security.microsoft.com).
2. Under 'Home', select 'Secure Score'.
3. The dashboard shows your overall score, trending, and a list of improvement actions.
You can filter actions by product, status, and risk level. Export the list using PowerShell:
# Install the Graph security module (one time), then sign in with a read-only scope
Install-Module -Name Microsoft.Graph.Security
Connect-MgGraph -Scopes "SecurityEvents.Read.All"
# Export the improvement actions (control profiles) to CSV without the #TYPE header line
Get-MgSecuritySecureScoreControlProfile | Export-Csv -Path "secure_score.csv" -NoTypeInformation
To check current score via Graph API:
GET https://graph.microsoft.com/v1.0/security/secureScores
Interaction with Related Technologies
Secure Score integrates with:
- Microsoft 365 Defender: Shows improvement actions for Defender for Office 365, Defender for Endpoint, etc.
- Microsoft Defender for Cloud: Provides a separate Secure Score for Azure resources, but the Microsoft 365 Secure Score is the one tested on SC-200.
- Microsoft 365 Lighthouse: For Managed Service Providers (MSPs), Secure Score can be viewed across multiple tenants.
- Compliance Manager: Similar concept but focuses on regulatory compliance rather than security best practices.
The exam may ask you to differentiate between Secure Score and Compliance Manager. Secure Score is for security posture; Compliance Manager is for regulatory compliance (e.g., GDPR, ISO 27001).
Common Pitfalls
Assuming Secure Score is a real-time metric: It is not; updates can take up to 48 hours.
Confusing Secure Score with Azure Secure Score: Azure Secure Score is part of Microsoft Defender for Cloud and focuses on Azure resources. The SC-200 exam primarily tests Microsoft 365 Secure Score.
Thinking partial implementations yield no points: They yield partial points proportional to coverage.
Believing a high score means complete security: Secure Score only measures configuration; it does not account for active threats or user behavior.
Access Secure Score Dashboard
Navigate to the Microsoft 365 Defender portal (https://security.microsoft.com) and sign in with Global Admin or Security Admin credentials. From the left navigation pane, select 'Secure Score' under 'Home'. The dashboard displays your overall score as a percentage, a trend graph over the last 30 days, and a list of improvement actions. You can filter by product (e.g., Microsoft 365 Defender, Azure AD) and by status (Completed, Not started, In progress). The exam expects you to know that the Secure Score is located in the Microsoft 365 Defender portal, not in the Azure portal.
Review Improvement Actions
The improvement actions list is the core of Secure Score. Each action includes a title, description, potential points, current status, and category (Critical, Important, Moderate, Low). Click on any action to see details, including how to implement it, affected users or resources, and related documentation. The exam may present a scenario where you need to identify which improvement action would yield the highest point increase. Prioritize Critical and Important actions. Note that some actions require specific licenses (e.g., MFA requires Azure AD Premium).
Filter and Sort Actions
Use the filters to narrow down actions by product, risk level, or status. Sorting by 'Potential points' descending helps identify high-impact actions. The exam may ask you to find actions that are 'Not started' or 'Partially completed'. You can also export the list to CSV for offline analysis. Remember that filtering does not affect the score calculation; it only changes the display.
Implement an Improvement Action
Select an action to implement. The details pane provides step-by-step instructions, often with direct links to the configuration page. For example, to enable MFA, you might be directed to Azure AD > Users > Per-user MFA. After implementation, the action status will eventually change to 'Completed' (after up to 48 hours). The exam may test your understanding that some actions require administrative consent or licensing changes.
Monitor Score Changes
After implementing actions, monitor the score trend on the dashboard. The score updates within 24-48 hours, but the improvement action list may update sooner. Use the 'Score history' tab to view changes over 30, 90, or 365 days. The exam may ask about the update frequency or how to verify that an action has been completed.
Enterprise Scenario 1: MFA Rollout
A large enterprise with 10,000 users wants to improve its Secure Score from 30% to 60%. The highest-impact action is enabling MFA for all users, worth 60 points. The security team uses Secure Score to identify that MFA is only enabled for 20% of users (partial implementation). They create a phased rollout plan: first enable MFA for IT admins, then for executives, then for all users. After full rollout, the score updates to reflect the completed control. Common issues: users complain about friction, so the team implements conditional access policies to require MFA only from untrusted locations. Secure Score shows the control as 'Completed' only when all users are covered.
Enterprise Scenario 2: Mailbox Auditing
A mid-size company (500 users) notices a low Secure Score due to missing mailbox auditing. The improvement action 'Enable mailbox auditing' is worth 10 points. The admin navigates to Exchange Admin Center and enables auditing for all mailboxes. However, the score does not change immediately. After 24 hours, the score increases by 10 points. The team learns that mailbox auditing is enabled by default for new tenants but not for older ones. They also discover that auditing logs can be viewed in the Microsoft 365 Defender portal under 'Audit'.
Enterprise Scenario 3: License Upgrade Justification
A finance department questions the cost of upgrading from Microsoft 365 E3 to E5. The security team uses Secure Score to show that the current score is 40%, but if the organization had E5 licenses, the potential score would be 75%. This is because E5 includes advanced security features like Defender for Office 365 Plan 2 and Cloud App Security. The team presents a report showing specific improvement actions that are only available with E5, such as 'Enable Safe Attachments for SharePoint, OneDrive, and Teams'. This helps justify the upgrade cost. Misconfiguration: if the licenses are assigned but features are not enabled, the score does not improve.
What SC-200 Tests on Secure Score
The SC-200 exam covers Secure Score under Objective 3.2: 'Deploy and manage Microsoft 365 Defender workload capabilities'. Specifically, you need to:
Navigate and interpret Secure Score in the Microsoft 365 Defender portal.
Identify improvement actions and prioritize based on risk level and potential points.
Understand the relationship between Secure Score and other security features (e.g., MFA, conditional access).
Differentiate between Secure Score and Compliance Manager.
Know the update frequency (24-48 hours) and that partial implementations yield partial points.
Common Wrong Answers
'Secure Score is real-time' – Candidates often assume changes reflect immediately. The correct answer is that it updates within 24-48 hours.
'Secure Score is based on actual attacks detected' – Secure Score measures configuration, not threat activity. A high score does not mean no threats.
'All improvement actions are free' – Some actions require premium licenses (e.g., Azure AD P2 for Identity Protection). Candidates may overlook licensing requirements.
'Secure Score and Azure Secure Score are the same' – They are separate; Azure Secure Score is in Defender for Cloud. The exam focuses on Microsoft 365 Secure Score.
Exam Numbers and Values
Update interval: 24-48 hours (or 'within 48 hours').
Point ranges: Typically 1-60 points per action.
Risk levels: Critical, Important, Moderate, Low.
Score is a percentage (0-100%).
Default score for a new tenant: ~10-20%.
Edge Cases
Partial implementation: If MFA is enabled for 50% of users, you earn 50% of the points. The exam might ask what happens when only some users have MFA.
Licensed vs unlicensed score: The exam may show two scores and ask why they differ.
Actions that require admin consent: Some actions require Global Admin privileges; the exam may test that Security Admins cannot complete certain actions.
Eliminating Wrong Answers
When you see a question about Secure Score, eliminate answers that:
Mention real-time updates (only the dashboard refresh is real-time; the score itself is not).
Confuse Secure Score with Compliance Manager.
Suggest that Secure Score measures attack success.
Assume all actions are available without licensing.
Secure Score is located in the Microsoft 365 Defender portal, not in the Azure portal.
Score updates within 24-48 hours after configuration changes.
Partial implementations yield partial points proportional to coverage.
Critical and Important improvement actions have the highest point values and should be prioritized.
Secure Score is a configuration measurement, not a threat detection metric.
Some improvement actions require premium licenses (e.g., Azure AD P1/P2, E5).
Secure Score and Compliance Manager serve different purposes: security posture vs. regulatory compliance.
You can export improvement actions using PowerShell or Graph API.
The score is a percentage, not an absolute number (e.g., 72% not 72 points).
A new tenant typically starts with a Secure Score around 10-20%.
These come up on the exam all the time. Here's how to tell them apart.
Microsoft Secure Score
Focuses on security posture based on configuration best practices.
Uses improvement actions with point values (1-60) and risk levels (Critical, Important, etc.).
Score is a percentage of completed controls out of total possible points.
Located in Microsoft 365 Defender portal under 'Secure Score'.
Updates within 24-48 hours after changes.
Compliance Manager
Focuses on regulatory compliance (e.g., GDPR, ISO 27001, NIST).
Uses assessments with controls mapped to specific regulations, no point values.
Score is a percentage of compliance actions completed, but calculated differently.
Located in Microsoft 365 Compliance Center under 'Compliance Manager'.
Updates based on assessment completion, not automatically.
Mistake
Secure Score updates in real time after you make a change.
Correct
Secure Score updates within 24-48 hours. The dashboard may refresh immediately, but the score calculation lags. You must wait up to 48 hours to see the score change.
Mistake
A high Secure Score means your organization is completely secure.
Correct
Secure Score only measures configuration of certain security features. It does not account for user behavior, zero-day attacks, or misconfigurations not covered by the controls. It is a relative benchmark, not an absolute security guarantee.
Mistake
Secure Score and Azure Secure Score are the same metric.
Correct
They are separate. Microsoft 365 Secure Score (in the Microsoft 365 Defender portal) covers Microsoft 365 services. Azure Secure Score (in Microsoft Defender for Cloud) covers Azure resources. The SC-200 exam focuses on the former.
Mistake
All improvement actions are available without additional licensing.
Correct
Many actions require premium licenses such as Azure AD Premium P1/P2, Microsoft 365 E5, or Defender for Office 365 Plan 2. For example, 'Enable conditional access policies' requires Azure AD P1.
Mistake
If an improvement action shows as 'Completed', you have earned the full points immediately.
Correct
Even if the status shows 'Completed', the score may take up to 48 hours to reflect the points. Also, if the action is partially implemented, you only get partial points.
Secure Score updates within 24-48 hours after a configuration change. The dashboard may refresh immediately, but the score calculation itself is not real-time. If you implement an improvement action, wait up to 48 hours to see the score change. The exam may test this exact interval.
Secure Score measures security posture by evaluating the implementation of security best practices (e.g., enabling MFA, auditing). Compliance Manager measures compliance with regulatory standards (e.g., GDPR, HIPAA). Secure Score uses point values and risk levels; Compliance Manager uses assessments and regulatory controls. Both are in the Microsoft 365 compliance/security portals but serve different purposes.
Some improvement actions require premium licenses. For example, enabling conditional access requires Azure AD Premium P1. However, many actions like enabling mailbox auditing or configuring spam policies are available with standard licenses. Always check the 'Licensing' section in the improvement action details. The exam may present a scenario where a license upgrade is needed to achieve a higher score.
You earn partial points proportional to the coverage. For example, if a control is worth 20 points and you enable it for 50% of users, you earn 10 points. The status may show as 'Partially completed'. The exam may test this concept with a calculation.
If you are a Managed Service Provider (MSP), you can use Microsoft 365 Lighthouse to view Secure Score across multiple tenants. Alternatively, you can use the Graph API to aggregate scores. The exam may mention Lighthouse as a tool for multi-tenant management.
Common reasons: (1) Some controls are not applicable due to licensing, (2) Partial implementations yield fewer points, (3) New controls have been added by Microsoft, lowering your percentage, (4) Recent configuration changes have not yet been reflected (wait 48 hours). Check the 'Score history' to see trends.
No. Secure Score is a configuration benchmark, not a detection tool. It does not alert you to active threats. For incident detection, use Microsoft 365 Defender alerts and incidents. Secure Score helps you harden your environment proactively.