Microsoft Secure Score, visible in the Microsoft 365 Defender portal, calculates a numerical score based on the security-relevant settings and configurations in your tenancy. A higher score generally indicates more recommended configurations are active. It is a useful tool — but the score is not the goal.
What Secure Score Measures
Secure Score assesses a defined set of recommended actions across identity, device, apps, and infrastructure. Each action has a point value weighted by its assessed security impact. Completing the action adds those points to your score. The actions include things like enabling MFA, blocking legacy authentication, configuring alert policies, and enabling audit logging.
What Secure Score Does Not Measure
Secure Score does not assess the quality of configurations — only their presence. A Conditional Access policy that technically exists but has significant exclusions and gaps will still register as complete. Secure Score also does not cover backup quality, incident response capability, staff awareness, or the physical security layer. A high Secure Score and a weak overall security posture are not mutually exclusive.
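The following is an added example, not part of the original article or any Microsoft tooling: one way to review the quality of Conditional Access policies rather than their presence, run over policy objects in the shape Microsoft Graph returns for conditionalAccessPolicy. The sample policies and IDs are constructed, and `reviewed_exclusions` is a hypothetical parameter standing for exclusions you have already approved, such as break-glass accounts.

```python
# Added example: review Conditional Access policy quality, not just presence.
# Input mirrors Microsoft Graph conditionalAccessPolicy JSON; all values are constructed.
SAMPLE_POLICIES = [
    {"displayName": "MFA for all users",
     "state": "enabled",
     "conditions": {
         "users": {"includeUsers": ["All"], "excludeUsers": ["breakglass-id"],
                   "excludeGroups": ["group-id-1", "group-id-2"], "excludeRoles": []},
         "applications": {"includeApplications": ["All"],
                          "excludeApplications": ["app-id-1"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "MFA for admins",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {
         "users": {"includeRoles": ["role-id-1"], "excludeUsers": ["breakglass-id"]},
         "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}},
    {"displayName": "MFA for guests",
     "state": "enabled",
     "conditions": {
         "users": {"includeUsers": ["GuestsOrExternalUsers"], "excludeUsers": ["breakglass-id"]},
         "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

def audit_policy(policy, reviewed_exclusions=frozenset()):
    """Return a list of gaps for one policy; an empty list means none were found."""
    findings = []
    state = policy.get("state")
    if state != "enabled":  # disabled or report-only policies enforce nothing
        findings.append(f"state is {state!r}: policy is not enforced")
    conditions = policy.get("conditions") or {}
    users = conditions.get("users") or {}
    for key in ("excludeUsers", "excludeGroups", "excludeRoles"):
        unreviewed = [i for i in users.get(key) or [] if i not in reviewed_exclusions]
        if unreviewed:
            findings.append(f"{key}: {len(unreviewed)} unreviewed exclusion(s)")
    excluded_apps = (conditions.get("applications") or {}).get("excludeApplications") or []
    if excluded_apps:
        findings.append(f"excludeApplications: {len(excluded_apps)} app(s) exempt")
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if "mfa" in controls and len(controls) > 1 and grant.get("operator") == "OR":
        findings.append("operator OR: another control can satisfy the policy without MFA")
    return findings

def audit(policies, reviewed_exclusions=frozenset()):
    """Map each policy name to its findings."""
    return {p["displayName"]: audit_policy(p, reviewed_exclusions) for p in policies}

if __name__ == "__main__":
    for name, gaps in audit(SAMPLE_POLICIES, {"breakglass-id"}).items():
        print(name, "->", gaps or "no gaps found")
```

All three sample policies exist, yet only the third comes back clean once the break-glass exclusion is marked as reviewed.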
Using It Productively
Use Secure Score as a checklist, not a metric. Work through the recommended actions in order of impact score, evaluate whether each action is appropriate for your environment, and implement those that are. The compare feature — benchmarking your score against similar organisations — provides useful context for prioritisation.
Our Secure Score is 40%. Is that bad?
Secure Score comparisons require context. A score of 40% in an environment where all high-impact actions are completed but optional or low-value actions are not is a stronger posture than an 80% score achieved by implementing low-impact actions while leaving high-impact gaps unaddressed. Focus on the specific actions, not the aggregate number.



