Microsoft Secure Score: What It Means and How to Improve It

Overview

Microsoft Secure Score measures your M365 security configuration as a percentage of recommended settings implemented. The industry average is approximately 50%; above 70% indicates a well-hardened environment. High-impact improvements — MFA via Conditional Access, legacy authentication blocking, Defender for Business — should be prioritised over low-impact items that improve the score number without meaningfully reducing risk.

Microsoft Secure Score is a numerical measurement of your organisation's Microsoft 365 security posture. It works by assessing your tenant configuration against a set of recommended security actions and assigning points for each action completed. A higher score indicates a stronger security configuration — and a lower score indicates specific, addressable gaps that attackers could exploit.

What Is Microsoft Secure Score?

Microsoft Secure Score is available to all Microsoft 365 organisations via the Microsoft Defender portal (security.microsoft.com). It continuously evaluates your tenant configuration across identity, devices, applications, and data, comparing your settings against Microsoft's recommended security practices.

The score is expressed as a fraction — for example, 245 of a possible 410 points — and as a percentage. The total possible score varies by tenant because it depends on which Microsoft 365 products and licences you have active. A Business Premium tenant will have access to more security actions — and therefore a higher possible maximum score — than a Business Standard tenant.

Secure Score is not a guarantee of security. A score of 80% does not mean your organisation cannot be breached. It means your configuration aligns well with Microsoft's recommended practices. However, specific high-impact actions — particularly those related to MFA and admin account protection — have an outsized effect on real-world attack resistance, and these should be prioritised regardless of the score they contribute.

How Microsoft Secure Score Is Calculated

Secure Score awards points for completing recommended security actions. Each action has a defined point value based on its assessed security impact. Actions fall into three categories:

Identity actions (typically highest value): Enabling MFA for all users, requiring MFA for administrators, blocking legacy authentication, enabling Entra ID Protection risk policies, reducing Global Administrator role assignments.

Device actions: Enrolling devices in Microsoft Intune, enforcing device compliance policies, enabling BitLocker encryption, ensuring Defender for Business is active on all endpoints, keeping operating systems patched.

Application and data actions: Enabling Data Loss Prevention policies, configuring Safe Links and Safe Attachments in Defender for Office 365, restricting external sharing in SharePoint and OneDrive, enabling audit logging.

Each action in the Secure Score portal includes a description of what it does, its point value, the implementation effort required, and a direct link to the relevant configuration page. Some actions can be marked as "planned" (you intend to implement them), "risk accepted" (you have decided not to implement them), or "resolved through third party" (a third-party tool covers the risk).
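The scoring model described above, as an added illustration written for this article rather than Microsoft's own calculation: a handful of constructed actions with point values, states and effort ratings, rolled up into a score and an impact-per-effort roadmap. The point values are illustrative, and the treatment of the "risk accepted", "resolved through third party" and "planned" states is an assumption stated in the comments.

```python
# Added example written for this article (not Microsoft's calculation): a small
# model of how recommended actions and their states roll up into a score.
# Assumed treatment of states: "third_party" earns full points, "risk_accepted"
# drops the action from both earned and possible points, "planned" earns nothing.
from dataclasses import dataclass

EFFORT_WEIGHT = {"low": 1, "moderate": 2, "high": 3}

@dataclass
class Action:
    name: str
    category: str        # identity | device | app_data
    max_points: float
    effort: str          # low | moderate | high
    completed: bool = False
    state: str = "to_address"   # to_address | planned | risk_accepted | third_party

def score(actions):
    """Return (earned, possible, percent) for the tenant's available actions."""
    earned = possible = 0.0
    for a in actions:
        if a.state == "risk_accepted":
            continue
        possible += a.max_points
        if a.completed or a.state == "third_party":
            earned += a.max_points
    percent = round(100 * earned / possible, 1) if possible else 0.0
    return earned, possible, percent

def roadmap(actions):
    """Outstanding actions ordered by points gained per unit of effort."""
    todo = [a for a in actions if not a.completed and a.state in ("to_address", "planned")]
    return [a.name for a in sorted(todo, key=lambda a: -a.max_points / EFFORT_WEIGHT[a.effort])]

# Constructed sample tenant; point values are illustrative, not Microsoft's.
SAMPLE = [
    Action("Require MFA for all users", "identity", 10, "moderate"),
    Action("Block legacy authentication", "identity", 8, "low", completed=True),
    Action("Limit Global Administrators to 2-4", "identity", 1, "low", completed=True),
    Action("Enrol devices in Intune", "device", 7, "high", state="planned"),
    Action("Defender for Business in active mode", "device", 6, "moderate", completed=True),
    Action("Safe Links in protection mode", "app_data", 3, "low", state="third_party"),
    Action("Restrict SharePoint external sharing", "app_data", 2, "moderate", state="risk_accepted"),
]

if __name__ == "__main__":
    print(score(SAMPLE))    # (18.0, 35.0, 51.4)
    print(roadmap(SAMPLE))  # ['Require MFA for all users', 'Enrol devices in Intune']
```

Note that the risk-accepted action lowers the possible total rather than the percentage, which is why the portal no longer shows it counting against you.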

What Is a Good Microsoft Secure Score?

There is no universally "good" score because the maximum possible score varies by licence and tenant configuration. As a benchmark:

  • Below 30% indicates significant security gaps and should be treated as urgent
  • 30–50% is typical for organisations that have not actively reviewed their security configuration
  • 50–70% represents a reasonable baseline — key controls are in place but opportunities remain
  • Above 70% indicates a strong, actively managed security posture
  • Above 80% is achievable with full Business Premium capability and reflects a mature security configuration

Microsoft's data suggests the average Secure Score across its customer base is around 35–40%. Most UK SME tenants AMVIA audits come in between 25% and 50% on initial assessment, with MFA enforcement and device management being the most common gaps.

The Highest-Impact Secure Score Actions for UK SMEs

Not all Secure Score actions are equally valuable. The following actions have the highest security impact and should be prioritised.

Require MFA for All Users (Very High Impact)

Enforcing MFA via Conditional Access is consistently the highest-impact security action available. Microsoft's own research finds that MFA blocks 99.99% of automated credential attacks. This single action can contribute 10–20 points to your Secure Score depending on your tenant size.

Block Legacy Authentication Protocols (High Impact)

Legacy authentication protocols (basic auth on SMTP, POP3, IMAP) cannot support MFA. Attackers specifically target these protocols to bypass MFA on tenants where it has been configured but not fully enforced. Blocking legacy authentication closes this bypass and typically contributes 10–15 points.
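The two controls just described (MFA for all users, legacy authentication blocked) can be checked against an exported list of Conditional Access policies. The following is an added example written for this article, not AMVIA's tooling or a Microsoft API; it assumes the policies are in the shape of the Microsoft Graph conditionalAccessPolicy resource, and the sample policies are constructed. It also catches the common failure mode of a policy left in report-only mode, which logs but enforces nothing.

```python
# Added example for this article (not AMVIA's or Microsoft's code): audit an
# exported list of Conditional Access policies, in the shape returned by the
# Microsoft Graph conditionalAccessPolicy resource, for the two controls above.

LEGACY_CLIENTS = {"exchangeActiveSync", "other"}   # Graph names for legacy auth clients

def _enforced(p):
    # Report-only ("enabledForReportingButNotEnforced") logs but never blocks.
    return p.get("state") == "enabled"

def _scoped_to_everything(p):
    c = p.get("conditions", {})
    return ("All" in c.get("users", {}).get("includeUsers", [])
            and "All" in c.get("applications", {}).get("includeApplications", []))

def requires_mfa_for_all(policies):
    """True if an enforced policy grants all users on all apps only with MFA."""
    return any(_enforced(p) and _scoped_to_everything(p)
               and "mfa" in (p.get("grantControls") or {}).get("builtInControls", [])
               for p in policies)

def blocks_legacy_auth(policies):
    """True if an enforced policy blocks both legacy client app types for everyone."""
    return any(_enforced(p) and _scoped_to_everything(p)
               and LEGACY_CLIENTS <= set(p["conditions"].get("clientAppTypes", []))
               and (p.get("grantControls") or {}).get("builtInControls") == ["block"]
               for p in policies)

def audit(policies):
    return {"mfa_all_users": requires_mfa_for_all(policies),
            "legacy_auth_blocked": blocks_legacy_auth(policies)}

# Constructed sample export: the MFA policy is still in report-only mode.
SAMPLE_POLICIES = [
    {"displayName": "MFA for all users",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

if __name__ == "__main__":
    print(audit(SAMPLE_POLICIES))   # {'mfa_all_users': False, 'legacy_auth_blocked': True}
```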

Reduce Global Administrator Accounts (High Impact)

Having more than four Global Administrator accounts is flagged by Secure Score as a risk. Each admin account is a potential attack target — a compromised Global Admin grants unrestricted tenant access. Reducing to between two and four dedicated admin accounts and using Privileged Identity Management (PIM) for just-in-time access contributes points and meaningfully reduces risk.

Enrol Devices in Microsoft Intune (High Impact)

Enrolling Windows and mobile devices in Microsoft Intune and enforcing compliance policies provides a significant Secure Score improvement. Devices with verified encryption, patching, and antivirus status contribute to device-related scoring actions.

Enable Microsoft Defender for Business (High Impact)

Ensuring Microsoft Defender for Business is deployed and actively monitoring all endpoints contributes multiple points across endpoint-related actions. Defender for Business must be in active mode — not passive — for these actions to score.

Configure Safe Links and Safe Attachments (Medium Impact)

Defender for Office 365 (Plan 1) — included in Business Premium — provides Safe Links (real-time URL scanning) and Safe Attachments (sandboxing of email attachments). Enabling these policies in protection mode, rather than audit mode, contributes points and provides meaningful phishing protection.

Common Secure Score Actions That Should Be Declined

Some Secure Score actions are appropriate for enterprise environments but create unnecessary friction or risk for SMEs. The actions below are worth weighing carefully, and in some cases declining or accepting the risk on:

Designate more than one Global Administrator: Secure Score recommends at least two Global Admins. However, it may also flag having too many. The recommendation is two to four — not one, and not ten.

Enable Unified Audit Log: This should always be enabled — accept no risk here.

Some SharePoint external sharing restrictions: Blanket restrictions on external sharing may break legitimate business workflows. Scope restrictions carefully rather than applying the most restrictive setting because Secure Score rewards it.

The Secure Score "risk accepted" option allows you to formally record that you have reviewed an action and made an informed decision not to implement it, without it dragging your score down indefinitely.

How AMVIA Improves Your Microsoft Secure Score

AMVIA's Microsoft 365 security audit begins with a full Secure Score review — identifying your current score, the actions available in your tenant, and a prioritised implementation roadmap based on security impact, business risk, and implementation effort.

Our managed Microsoft 365 service then implements and maintains your security configuration on an ongoing basis, tracking Secure Score changes month over month and implementing new recommended actions as Microsoft releases them.

Typical outcomes for AMVIA clients within the first 90 days:

  • Secure Score improvement from an average of 32% to above 65%
  • MFA enforcement across all user accounts
  • Legacy authentication blocked
  • Device compliance policies active via Intune
  • Defender for Business deployed across all endpoints
  • Safe Links and Safe Attachments in protection mode

These improvements directly reduce the risk of credential compromise, ransomware, phishing, and data loss — not just increase a number.

Key Points

What UK businesses need to know about Microsoft Secure Score.

Score Reflects Configuration

Secure Score checks your actual M365 settings in real time — it increases immediately when you implement a recommendation and decreases if a control is removed.

Impact Matters More Than Score

MFA enforcement, legacy authentication blocking, and Defender for Business configuration are worth more in real security terms than optimising low-impact recommendations to chase a higher number.

Licence Tier Affects Maximum Score

Business Premium tenants have more available points than Business Basic — because Business Premium includes more security features that can be configured and scored.

Quarterly Review Keeps Score Current

Microsoft adds new recommendations over time. A score that was good six months ago may have slipped. Regular review ensures new recommendations are assessed and implemented.

Secure Score Improvement Checklist

MFA enabled for all users via Conditional Access — highest-impact single improvement

Legacy authentication blocked — eliminates the most common MFA bypass

MFA required for all admin roles — protects highest-value accounts

Defender for Business enabled and configured — not just installed

Safe Attachments and Safe Links enabled with appropriate policies

Anti-phishing policy configured with impersonation protection

Audit logging enabled with appropriate retention

Secure Score reviewed quarterly — new recommendations assessed and prioritised

Improve Your Microsoft Secure Score

AMVIA reviews your M365 Secure Score, identifies the highest-impact improvements for your licence tier, and implements them as part of a structured M365 security engagement.