Microsoft Secure Score: What It Means and How to Improve It
Microsoft Secure Score measures how well your Microsoft 365 tenant is configured for security — showing your score against Microsoft's recommended settings and providing an ordered list of improvement actions. This guide explains what the score means and which improvements matter most for UK SMEs.
Overview
Microsoft Secure Score measures your M365 security configuration as a percentage of recommended settings implemented. The industry average is approximately 50%; above 70% indicates a well-hardened environment. High-impact improvements — MFA via Conditional Access, legacy authentication blocking, Defender for Business — should be prioritised over low-impact items that improve the score number without meaningfully reducing risk.
What Is Microsoft Secure Score?
Microsoft Secure Score is a built-in measurement tool in the Microsoft 365 Defender portal (security.microsoft.com) that shows how well your Microsoft 365 environment is configured for security. It expresses your configuration as a numerical score and as a percentage of the maximum available points for your licence tier. The higher the score, the more recommended security actions you have completed.
Secure Score is free and available to every Microsoft 365 tenant. It covers identity security (Entra ID configuration), device security (Defender for Business and Intune), application security (Exchange Online, SharePoint, Teams), and data security (Microsoft Purview). The recommendations are drawn from Microsoft's own security guidance and are weighted by impact — more impactful actions are worth more points.
How Secure Score Is Calculated
Microsoft Secure Score works by checking your current M365 configuration against a set of recommended security actions. For each action, Microsoft checks whether it is configured correctly and awards points if it is. The score is the sum of points achieved divided by the maximum possible points, expressed as a percentage.
The maximum possible score varies by licence tier — a Business Premium tenant has more available points than a Business Basic tenant, because Business Premium includes additional security features (Conditional Access, Defender for Business, Intune) that can be configured. A Business Basic tenant that has implemented all available security actions may score 100% of its possible points, but the absolute score number will be lower than a Business Premium tenant that has implemented the same proportion of recommendations.
The score updates continuously as configurations change — enabling a new security policy immediately increases the score; removing a control immediately decreases it. This makes Secure Score a useful real-time monitoring tool for M365 security posture.
What a Good Score Looks Like
Microsoft's published data shows that the average Secure Score across all M365 tenants is approximately 50%. This means the typical Microsoft 365 organisation has implemented roughly half of the recommended security actions available to it. For most UK SMEs, a score above 50% indicates a better-than-average configuration; above 70% indicates a well-hardened environment.
However, the score number matters less than which specific recommendations are implemented. A tenant with a 60% score that has enabled MFA, blocked legacy authentication, and deployed Defender for Business is far more secure than a tenant with a 70% score that has implemented many low-impact recommendations but left MFA disabled. AMVIA focuses on implementing high-impact recommendations first, rather than optimising the score number.
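The calculation and the 60%-versus-70% comparison above, worked through as an added example (not AMVIA's or Microsoft's code). Field names follow the Microsoft Graph secureScore resource; the control names, point values and both tenants are constructed assumptions.

```python
# Field names follow the Microsoft Graph secureScore resource; every value
# and control name below is constructed sample data, not a real tenant.
HIGH_IMPACT = {"MFARegistrationV2": 9, "AdminMFAV2": 10, "BlockLegacyAuthentication": 8}
LOW_IMPACT = {f"LowImpact{i:02d}": 1 for i in range(73)}  # hypothetical 1-point items
PROFILE_MAX = {**HIGH_IMPACT, **LOW_IMPACT}               # 100 points available


def make_snapshot(implemented):
    """Build a secureScore-shaped dict from the set of implemented controls."""
    controls = [{"controlName": name, "score": float(pts if name in implemented else 0)}
                for name, pts in PROFILE_MAX.items()]
    return {"currentScore": sum(c["score"] for c in controls),
            "maxScore": float(sum(PROFILE_MAX.values())),
            "controlScores": controls}


def percentage(snapshot):
    """Points achieved divided by maximum possible points, as a percentage."""
    return round(100 * snapshot["currentScore"] / snapshot["maxScore"], 1)


def high_impact_gaps(snapshot):
    """High-impact controls that have not earned their full points."""
    earned = {c["controlName"]: c["score"] for c in snapshot["controlScores"]}
    return sorted(n for n, pts in HIGH_IMPACT.items() if earned.get(n, 0.0) < pts)


low = sorted(LOW_IMPACT)
# Tenant A: 70 low-impact items done, no MFA or legacy-auth controls.
tenant_a = make_snapshot(set(low[:70]))
# Tenant B: all three high-impact controls plus 33 low-impact items.
tenant_b = make_snapshot(set(HIGH_IMPACT) | set(low[:33]))

if __name__ == "__main__":
    for label, snap in (("A", tenant_a), ("B", tenant_b)):
        print(f"Tenant {label}: {percentage(snap)}%  gaps={high_impact_gaps(snap)}")
```

Tenant A reports the higher percentage while still listing every high-impact control as a gap, which is why the gap list is the figure to review first.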
High-Value Improvements for UK Businesses
The Secure Score improvement actions are categorised by impact and implementation effort. The highest security ROI improvements typically include:
- Enable MFA for all users via Conditional Access — highest impact, addresses 99%+ of account takeover attacks
- Block legacy authentication — eliminates the most common MFA bypass used in password spray attacks
- Require MFA for admin roles — protects the highest-value accounts in the tenant
- Enable Microsoft Defender for Business — provides endpoint protection and threat detection
- Configure Safe Attachments and Safe Links — protects against email-borne malware and phishing
- Configure anti-phishing policies with impersonation protection — protects against Business Email Compromise
- Enable audit logging — essential for incident investigation
- Restrict external sharing in SharePoint — prevents inadvertent data exposure
Improvements That Require Business Decisions
Some Secure Score recommendations have operational trade-offs that require business decisions rather than purely technical ones. Requiring device compliance before accessing M365 (which increases the score significantly) means that personal devices and unmanaged devices cannot access company data without being enrolled in Intune — a policy that needs to be communicated and managed, not just technically configured.
Similarly, restricting external sharing in SharePoint may affect how you collaborate with clients or partners. AMVIA reviews the impact of each high-value recommendation in the context of your specific business processes before implementing, ensuring that security improvements do not unnecessarily disrupt operations.
Using Secure Score for Ongoing Security Management
Secure Score is not a one-time exercise. Microsoft adds new recommendations as new security features are released and as the threat landscape evolves. A score that was good six months ago may have slipped relative to new recommendations. AMVIA includes quarterly Secure Score reviews in its managed M365 service — reviewing new recommendations, assessing their relevance for the client's environment, and implementing those that provide meaningful security improvement.
Secure Score also provides comparison data — showing how your score compares to other organisations of a similar size and industry. This peer comparison helps contextualise your position and can support board-level reporting on security posture.
How AMVIA Can Help
AMVIA provides a Secure Score review as part of its Microsoft 365 security service. For new clients, the review identifies the current score, maps the highest-impact improvement actions to the client's licence tier and environment, and produces a prioritised improvement plan. AMVIA then implements the improvements and monitors the score on an ongoing basis. Contact AMVIA on 0333 733 8050 to discuss a Secure Score review for your Microsoft 365 tenant.
Key Points
What UK businesses need to know about Microsoft Secure Score.
Score Reflects Configuration
Secure Score checks your actual M365 settings in real time — it increases immediately when you implement a recommendation and decreases if a control is removed.
Impact Matters More Than Score
MFA enforcement, legacy authentication blocking, and Defender for Business configuration are worth more in real security terms than optimising low-impact recommendations to chase a higher number.
Licence Tier Affects Maximum Score
Business Premium tenants have more available points than Business Basic — because Business Premium includes more security features that can be configured and scored.
Quarterly Review Keeps Score Current
Microsoft adds new recommendations over time. A score that was good six months ago may have slipped. Regular review ensures new recommendations are assessed and implemented.
Secure Score Improvement Checklist
- MFA enabled for all users via Conditional Access — highest-impact single improvement
- Legacy authentication blocked — eliminates the most common MFA bypass
- MFA required for all admin roles — protects highest-value accounts
- Defender for Business enabled and configured — not just installed
- Safe Attachments and Safe Links enabled with appropriate policies
- Anti-phishing policy configured with impersonation protection
- Audit logging enabled with appropriate retention
- Secure Score reviewed quarterly — new recommendations assessed and prioritised
Frequently Asked Questions
The industry average is approximately 50%. A score above 70% indicates a well-hardened configuration. However, the score number matters less than which specific recommendations are implemented — a tenant that has enabled MFA, blocked legacy authentication, and deployed Defender for Business is meaningfully secure regardless of whether its overall score percentage is 55% or 75%. AMVIA focuses on high-impact recommendations first.
Some recommendations do have operational impact if implemented without testing. Blocking legacy authentication — one of the highest-impact recommendations — can disrupt older email clients, printers, and applications that use basic authentication. AMVIA assesses the impact of each recommendation before implementation, testing in report-only or audit mode where available, and working through any dependencies before enforcing new controls.
Secure Score measures configuration against Microsoft's recommended settings — it does not measure everything that makes an organisation secure. A high score indicates that recommended M365 configurations are in place, which substantially reduces common attack surface. But security also depends on staff awareness, incident response capability, network security, and physical controls that fall outside M365 configuration.
Improve Your Microsoft Secure Score
AMVIA reviews your M365 Secure Score, identifies the highest-impact improvements for your licence tier, and implements them as part of a structured M365 security engagement.