In Scoring the Stack, Milo Sheppard breaks down Secure Score, from the basics to advanced strategies, with real-world examples and demos. You’ll find tips, tools, and quick wins to boost your security posture.
In this episode, discover what Secure Score is, why it matters, and how it fits into Microsoft’s Zero Trust model. See a live look at the Secure Score portal and learn how it supports compliance and proactive security.
In this episode, we’re covering Microsoft Secure Score, what it is, why and when it’s used, and why it can be valuable for your business. My background is primarily in MSP environments, with a strong focus on Microsoft Modern Work, including Intune, Entra ID, and some Azure, particularly Azure Virtual Desktop. I’ve worked across roles from help desk through to solutions consultant and architect, and now work with Enforcer helping MSPs get real operational value from the Microsoft stack in practical, scalable ways.
Microsoft Secure Score is a way of measuring a Microsoft 365 tenant’s security posture using a percentage score from zero to one hundred. That score reflects how well the tenant is configured based on Microsoft’s security recommendations and highlights risks caused by misconfigurations such as missing controls or weak policy settings. As recommendations are implemented, Secure Score awards points and increases the overall percentage. The framework aligns with Zero Trust principles under Microsoft’s Secure Future Initiative, focusing on verifying identity, enforcing least privilege, and assuming breach as a baseline security mindset. The score itself is calculated based on completed actions versus the total available actions, with weighting applied so higher-impact controls contribute more to the overall result.
Secure Score groups recommendations into categories such as identity, devices, data, apps, and infrastructure, each contributing differently depending on risk and impact. It also benchmarks your tenant against others of a similar size within Microsoft’s ecosystem, allowing you to understand how your security posture compares to peers with similar user counts.
Secure Score matters because it provides a simple, non-technical metric that makes security progress easy to communicate to customers and stakeholders. Instead of walking non-technical audiences through concepts like conditional access or EDR, you can show improvement through a single score that increases over time. It highlights low-effort, high-impact improvements, such as MFA adoption, which alone can reduce account compromise risk by approximately ninety-nine percent. The recommendations also support alignment with common frameworks like ISO, CIS, and NIS by guiding tenants toward broadly accepted security best practices, even where direct one-to-one framework mapping does not exist.
Secure Score enables MSPs to demonstrate continuous value by tracking ongoing improvements, responding to new Microsoft security recommendations, and adapting to new products such as Copilot and AI-related controls. It is increasingly relevant in cyber insurance scenarios, where insurers may assess Secure Score as part of renewal underwriting, potentially affecting premium costs if minimum benchmarks are not met.
Score calculation prioritises impact, meaning controls like enforcing MFA score higher than lower-impact settings such as mailbox auditing. As actions are completed, Microsoft detects the configuration change and awards points automatically. Scores can also regress if settings are removed, policies drift, or new Microsoft recommendations are introduced that are not yet implemented. The maximum achievable score represents full completion of all applicable recommendations, although reaching one hundred percent may not always be realistic due to licensing constraints or legitimate business requirements.
Within the Secure Score portal, tenants can view overall score, progress over time, benchmarks against similar organisations, top recommendations ranked by impact, and detailed history showing gains and regressions. Each recommendation shows its status, impact score, licensing requirements, associated product, and last verification time. Selecting an individual recommendation provides a clear explanation of the risk, current implementation state, prerequisites, and step-by-step remediation guidance, with direct links to the relevant configuration areas.
Secure Score allows recommendations to be marked as planned, risk accepted, or mitigated via third-party controls where appropriate, though only Microsoft-based remediation contributes points. History and metrics views provide deeper insight into score trends, regressions, accepted risks, and comparison against peer organisations over time. This makes Secure Score a powerful operational and reporting tool rather than a one-off assessment.
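The weighting, status and regression behaviour described above can be made concrete with a small model. This is an added example, not Microsoft's published algorithm or any code from the episode: the recommendation names, point values and status labels are constructed, and the formula (weighted completed points over weighted available points) is an assumption that follows the description rather than Microsoft's exact implementation.

```python
from dataclasses import dataclass, replace
from enum import Enum

class Status(Enum):
    """Recommendation states shown in the Secure Score portal."""
    TO_ADDRESS = "toAddress"
    COMPLETED = "completed"      # Microsoft has verified the control is in place
    PLANNED = "planned"
    RISK_ACCEPTED = "riskAccepted"
    THIRD_PARTY = "thirdParty"   # mitigated by a non-Microsoft control

@dataclass(frozen=True)
class Recommendation:
    name: str
    category: str     # identity, devices, data, apps or infrastructure
    max_points: int   # impact weighting: higher-impact controls are worth more
    status: Status

# Constructed sample tenant; point values are illustrative, not Microsoft's.
TENANT = [
    Recommendation("Require MFA for administrative roles", "identity", 10, Status.COMPLETED),
    Recommendation("Require MFA for all users", "identity", 9, Status.PLANNED),
    Recommendation("Block legacy authentication", "identity", 8, Status.COMPLETED),
    Recommendation("Enable mailbox auditing", "data", 1, Status.COMPLETED),
    Recommendation("Onboard devices to Defender for Endpoint", "devices", 8, Status.THIRD_PARTY),
    Recommendation("Create a Safe Links policy", "apps", 3, Status.RISK_ACCEPTED),
    Recommendation("Require Intune compliance policies", "devices", 5, Status.TO_ADDRESS),
]

def secure_score(recs):
    """Percentage of available points earned. Only controls Microsoft has verified
    as completed count; planned, risk-accepted and third-party items earn nothing."""
    total = sum(r.max_points for r in recs)
    earned = sum(r.max_points for r in recs if r.status is Status.COMPLETED)
    return round(100 * earned / total, 1) if total else 0.0

def top_recommendations(recs, n):
    """Unfinished actions ranked by impact, as the portal's top list is."""
    open_items = [r for r in recs if r.status is not Status.COMPLETED]
    return [r.name for r in sorted(open_items, key=lambda r: -r.max_points)][:n]

def apply_drift(recs, name):
    """Configuration drift: a completed control reverts to unaddressed."""
    return [replace(r, status=Status.TO_ADDRESS) if r.name == name else r for r in recs]

def add_recommendation(recs, rec):
    """Microsoft publishes a new recommendation: the denominator grows, so the
    score regresses even though nothing in the tenant changed."""
    return recs + [rec]
```

With the sample tenant, `secure_score(TENANT)` gives 43.2; reverting "Block legacy authentication" drops it to 25.0, and adding a new 6-point unaddressed recommendation drops it to 38.0 with no change to the tenant itself.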
The key takeaway is that Secure Score is not just a number but a practical way to guide security improvement, demonstrate progress, support framework alignment, and communicate value to customers. Whether Secure Score is already part of your customer conversations or something you plan to introduce, it plays an increasingly important role in security maturity and cyber insurance discussions. The next episode will focus on how additional licensing can unlock further Secure Score improvements and how to manage scenarios where licensing introduces limitations.
In this session, Milo Sheppard breaks down how Microsoft 365 licensing directly impacts your ability to secure SMB tenants — and why the right upgrades can make or break your security posture.