REDD’s take on Microsoft Secure Score and what it really means
Microsoft Secure Score is a measurement of an organisation’s security posture, with a higher number indicating more improvement actions taken. It can be found at https://security.microsoft.com/securescore in the Microsoft 365 Defender portal.
Following the Secure Score recommendations can protect your organisation from threats. From a centralised dashboard in the Microsoft 365 Defender portal, organisations can monitor and work on the security of their Microsoft 365 identities, apps, and devices.
What does it mean?
- Anything below a Secure Score of 30% means you are vulnerable.
- Anything below a Secure Score of 40% indicates that best practices have not been fully applied.
- Around 60% is the Secure Score you should expect for a tenant configured to best practices and with all security features enabled.
- Around 80% is the Secure Score you should be aiming for, while being mindful of the fact that there will be additional required configurations and increased licensing cost to get to this level.
- A Secure Score of 100% should be the ultimate goal over time, but perhaps a better approach is to keep looking for ways to improve your score beyond 80%. Getting there requires many fiddly, time-consuming settings throughout your environment and will have significant user and client impact, but each step you complete beyond 80% makes your environment more secure, and that fact should also be reflected in your Microsoft Secure Score.
Secure Score helps organisations:
- Report on the current state of the organisation’s security posture.
- Improve their security posture by providing discoverability, visibility, guidance, and control.
- Compare with benchmarks and establish key performance indicators (KPIs).
How does it work?
You’re given points for the following actions:
- Configuring recommended security features
- Doing security-related tasks
- Addressing the improvement action with a third-party application or software, or an alternate mitigation
Some improvement actions only give points when fully completed. Some give partial points if they’re completed for some devices or users. If you can’t or don’t want to enact one of the improvement actions, you can choose to accept the risk or remaining risk.
If you have a license for one of the supported Microsoft products, then you’ll see recommendations for those products. We show you the full set of possible improvements for a product, regardless of license edition, subscription, or plan. This way, you can understand security best practices and improve your score. Your absolute security posture, represented by Secure Score, stays the same no matter what licenses your organisation owns for a specific product. Keep in mind that security should be balanced with usability, and not every recommendation can work for your environment.
Your score is updated in real time to reflect the information presented in the visualisations and improvement action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.
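As an added example (not REDD's or Microsoft's code), the Python below bands a tenant's score against the thresholds in this article and ranks the points still available, skipping controls whose latest state update marks them as accepted risk or as mitigated by a third-party product. Field names follow the Microsoft Graph secureScore and secureScoreControlProfile resources (GET /security/secureScores and /security/secureScoreControlProfiles); the records inside it are constructed samples with illustrative control names, not data from a real tenant.

```python
# Thresholds from the article: <30% vulnerable, <40% best practices not fully
# applied, ~60% best-practice baseline, ~80% target, 100% the ultimate goal.
BANDS = [(30, "vulnerable"), (40, "best practices not fully applied"),
         (60, "below the best-practice baseline"),
         (80, "best-practice baseline reached; aim for 80%")]

def band(percent: float) -> str:
    for limit, label in BANDS:
        if percent < limit:
            return label
    return "target reached; keep improving toward 100%"

def score_percent(secure_score: dict) -> float:
    # Percentage as shown on the dashboard: points achieved over points available.
    return round(100 * secure_score["currentScore"] / secure_score["maxScore"], 1)

# A control whose latest state update is one of these is handled outside the
# score: accepted risk ("Ignored") or an alternate/third-party mitigation.
HANDLED_STATES = {"Ignored", "ThirdParty"}

def remaining_points(secure_score: dict, profiles: dict) -> list:
    # (controlName, points still available), largest gap first.
    gaps = []
    for cs in secure_score["controlScores"]:
        profile = profiles[cs["controlName"]]
        updates = profile.get("controlStateUpdates", [])
        state = updates[-1]["state"] if updates else "Default"
        if state in HANDLED_STATES:
            continue
        missing = profile["maxScore"] - cs["score"]
        if missing > 0:
            gaps.append((cs["controlName"], missing))
    return sorted(gaps, key=lambda g: g[1], reverse=True)

# Constructed sample (control names illustrative): one secureScore record and
# its control profiles, keyed by control name.
SAMPLE_SCORE = {
    "createdDateTime": "2024-01-15T00:00:00Z", "currentScore": 205.0, "maxScore": 500.0,
    "controlScores": [
        {"controlName": "AdminMFAV2", "score": 10.0},              # fully implemented
        {"controlName": "MFARegistrationV2", "score": 15.0},       # partial points
        {"controlName": "BlockLegacyAuthentication", "score": 0.0},
        {"controlName": "mdo_safeattachments", "score": 0.0},      # mitigated by a third party
    ],
}
SAMPLE_PROFILES = {
    "AdminMFAV2": {"maxScore": 10.0, "controlStateUpdates": []},
    "MFARegistrationV2": {"maxScore": 30.0, "controlStateUpdates": []},
    "BlockLegacyAuthentication": {"maxScore": 8.0, "controlStateUpdates": []},
    "mdo_safeattachments": {"maxScore": 15.0, "controlStateUpdates": [{"state": "ThirdParty"}]},
}
```

Calling `band(score_percent(SAMPLE_SCORE))` on the sample gives 41.0% and "below the best-practice baseline", and `remaining_points(SAMPLE_SCORE, SAMPLE_PROFILES)` lists the partially completed MFA registration control first, with the third-party-mitigated control left out.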