200+
Recommended actions across identity, device, app, and data categories
100%
MFA coverage for admin accounts: the single highest-impact action
93%
Of Microsoft 365 account compromises prevented by MFA per Microsoft data
Score
Is a directional metric; point value does not equal security impact

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Microsoft Secure Score is one of the most misused security metrics in Microsoft 365 environments. The problem is the point allocation: some recommendations with 10 to 20 point values address critical attack vectors that should be addressed immediately; some recommendations with 3 to 5 point values are low-effort quick wins that genuinely improve security posture; and some recommendations with high point totals provide limited real security benefit while requiring significant operational disruption.

Chasing the highest-point recommendations first produces a score improvement without a corresponding security improvement. This guide provides a prioritization framework based on actual attack frequency and defensive impact, not point value.

Tier 1: Implement these immediately regardless of point value

These recommendations address the most commonly exploited attack vectors in Microsoft 365 environments. Implement them before anything else, regardless of their Secure Score point contribution.

Require MFA for all administrators (Entra ID): Account for the point value: varies, but this is the single highest-impact security control in the Microsoft ecosystem. Microsoft data shows 99.9 percent of compromised Microsoft accounts did not have MFA enabled. Implement MFA for every account with a privileged Entra ID role: Global Administrator, Privileged Role Administrator, Security Administrator, Exchange Administrator, SharePoint Administrator. Use Conditional Access policies, not per-user MFA (per-user MFA is legacy and harder to manage at scale). Require phishing-resistant MFA (FIDO2 hardware key or Microsoft Authenticator with number matching) for Global Administrators.

Enable Privileged Identity Management (PIM) for all privileged roles: PIM requires eligible users to activate their privileged role with justification and approval before it is assigned. This means a compromised Global Administrator account is not permanently in the Global Administrator role; the attacker must also complete the PIM activation workflow. Combined with MFA, PIM on privileged roles is the strongest identity control in the Entra ID toolkit.

Block legacy authentication protocols: Basic authentication (SMTP AUTH, IMAP, POP3, Exchange ActiveSync with basic credentials) does not support MFA and is the primary attack vector for password spray attacks. Block legacy authentication via Conditional Access policy: Clients Authentication Methods condition targeting Exchange ActiveSync and Other clients. Microsoft shows that 99 percent of password spray attacks use legacy authentication protocols.

Enable Entra ID Identity Protection: Identity Protection evaluates each sign-in for risk signals (leaked credentials, impossible travel, anonymous IP, malware-linked IP, Entra ID threat intelligence) and can block or require MFA step-up for risky sign-ins automatically. Enable user risk and sign-in risk policies. Set risky sign-in policy to require MFA (not block, which disrupts legitimate users). This automates a detection and response loop that would otherwise require analyst review of every sign-in risk alert.

Tier 2: High-value recommendations with moderate implementation effort

These recommendations provide meaningful security improvement with manageable implementation complexity. Target within 30 to 60 days of completing Tier 1.

Enable Microsoft Defender for Office 365 Safe Links and Safe Attachments: Safe Links rewrites URLs in emails and documents and evaluates the link at click time against Microsoft's threat intelligence. Safe Attachments detonates email attachments in a sandbox before delivery. Both address phishing and malware delivery, the leading initial access vector for business email compromise and ransomware. In Defender for Office 365 Plan 2, enable these policies for all users in the default global policy and supplement with strict policies for executive and finance users.

Configure Conditional Access to block authentication from high-risk locations or non-compliant devices: Conditional Access policies can require compliant devices (Intune-enrolled and meeting compliance policy) or hybrid Entra ID joined devices for access to corporate resources. This prevents credential theft attacks from being operationalized from unmanaged attacker-controlled devices. Start with requiring compliant devices for access to sensitive data stores (SharePoint sites containing confidential data, Exchange Online for executive mailboxes).

Enable audit logging in Exchange Online and SharePoint: Audit logs are required for incident investigation, insider threat detection, and compliance. Exchange Online audit logging should capture mailbox access, message sending (from delegated accounts), and admin actions. SharePoint audit logging should capture file access, download, sharing, and permission changes. Audit logs are not enabled by default at all required levels in some licensing tiers; verify coverage.

Enable Microsoft Defender for Endpoint on all Windows devices: Defender for Endpoint is included with Microsoft 365 E5 or available as an add-on. It provides endpoint detection and response (EDR), attack surface reduction rules, and network protection. If you have the license, enabling Defender for Endpoint and onboarding all Windows devices to it provides more security improvement than any 10 lower-tier Secure Score recommendations.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Tier 3: Point-heavy recommendations with limited real-world security impact

These recommendations frequently appear near the top of organizations' Secure Score action lists because of high point values, but their marginal security improvement for most organizations is low. Do them if you have capacity after completing Tiers 1 and 2, not before.

Turn on mailbox auditing for all users (if already covered by unified audit log): If you have unified audit log enabled (covered by Tier 2), per-mailbox auditing provides marginal additional detail for most organizations. The Secure Score recommendation is often already met by unified audit log policies. Check before implementing separately.

Set outbound spam filter policies: Outbound spam filtering catches compromised accounts sending spam, which protects your email domain reputation. Important to implement, but it addresses a consequence of account compromise rather than preventing account compromise. It should not be higher priority than MFA or legacy auth blocking.

Do not allow users to grant consent to unmanaged applications: Disabling user consent for non-Microsoft applications prevents OAuth token theft from phishing attacks that trick users into consenting to a malicious app. This is a genuinely valuable control, but it requires building an app governance workflow to approve legitimate third-party app integrations that users previously consented to individually. The implementation effort is higher than the Secure Score point value suggests, and the user experience impact is significant without careful planning.

Enable DMARC, DKIM, and SPF: All three email authentication standards are important for protecting your domain from spoofing. However, they are often already implemented as part of basic email configuration. If not implemented, do them. If they are partially implemented (SPF and DKIM but not DMARC with enforcement), completing DMARC to p=quarantine or p=reject is the meaningful action.

Using Secure Score as a program measurement tool rather than a target

The most valuable use of Secure Score is not chasing a specific number but tracking trend over time and comparing your score against your industry peer group. Secure Score provides both capabilities natively.

Trend tracking: Review Secure Score monthly. A declining score without a deliberate exception process indicates that security configurations are drifting toward less-secure states, which happens when admins make configuration changes without security review, when new Microsoft features are deployed with default-insecure settings, or when old policies are deprecated without replacement.

Peer comparison: The Secure Score dashboard shows your score relative to similar-sized organizations in the same industry sector (based on anonymized Microsoft data). A score significantly below peer median indicates you are missing controls that similar organizations have implemented, which is useful for board-level security program reporting.

Risk acceptance and exceptions: Not all Secure Score recommendations are appropriate for every organization. Legacy ERP systems may require specific authentication methods that conflict with Conditional Access policies. Block legacy authentication wholesale can break production applications that cannot be updated quickly. Use the 'Resolve through third party,' 'Alternate mitigation,' and 'Risk accepted' options in Secure Score to document exceptions rather than ignoring recommendations without record.

Secure Score is not a security audit outcome. A score of 100 percent does not mean the organization is secure. It means the organization has enabled the Microsoft controls that Secure Score measures. Critical controls outside the Microsoft ecosystem (network security, endpoint agents for non-Windows devices, backup integrity) are not reflected in the score.

The bottom line

Prioritize Microsoft Secure Score recommendations by attack frequency, not point value. MFA for all administrators, blocking legacy authentication, enabling Identity Protection, and activating PIM for privileged roles are the four highest-impact actions regardless of their point contribution. After completing these, work through Defender for Office 365 and Conditional Access device compliance before focusing on the numerically large but marginally impactful recommendations. Use the score as a trend and peer comparison tool, not as an absolute target.

Frequently asked questions

What is Microsoft Secure Score?

Microsoft Secure Score is a measurement of an organization's Microsoft 365 and Entra ID security posture expressed as a numeric score. It evaluates whether specific security controls are enabled across identity (Entra ID), devices (Intune and Defender for Endpoint), applications (Defender for Office 365), and data (Microsoft Purview) categories. Each recommended action has a point value; the total score represents how many of the available points have been achieved. Secure Score is available at security.microsoft.com and is included with Microsoft 365 Business Premium and above.

What is a good Microsoft Secure Score?

Microsoft reports the average Secure Score for organizations of similar size and industry via the peer comparison feature in the Secure Score dashboard. A score above the 75th percentile for your peer group indicates a mature Microsoft security posture. However, absolute score number is less important than: (1) whether the highest-impact controls (MFA for admins, legacy auth blocking, Identity Protection) are implemented regardless of their point value, and (2) whether the score trend is stable or improving over time. A score of 60 with all Tier 1 controls implemented outperforms a score of 80 that is high because of low-impact quick wins.

Does a high Microsoft Secure Score mean we are secure?

No. Secure Score measures whether specific Microsoft 365 and Entra ID controls are enabled. It does not measure: network security architecture, endpoint security for non-Windows devices, application security for custom applications, backup and recovery posture, third-party SaaS security configurations, or physical security. A Secure Score of 100 percent means all Microsoft-measured controls are enabled. An organization can have a high Secure Score and still be successfully breached through a phishing attack that targets a non-Microsoft service, a vulnerability in a third-party application, or a supply chain compromise.

How do I increase my Microsoft Secure Score quickly?

The fastest score increases come from enabling features that are already licensed but not configured. For most M365 Business Premium and E3 tenants: enable Microsoft Defender for Office 365 Safe Links and Safe Attachments if not already active (significant point gain, already licensed), enable Entra ID Identity Protection sign-in risk policy (large point contribution, already licensed in P2), and block legacy authentication via Conditional Access (large point contribution). Check your 'Recommended actions' list sorted by 'Points achieved/Points available' to identify the highest-ratio quick wins. Run through all actions labeled 'Not addressed' before reviewing 'Risk accepted' or 'Resolved through third party' items.

What Microsoft Secure Score recommendations should I prioritize for compliance?

For common compliance frameworks, the highest-mapping Secure Score recommendations are: for SOC 2 Type II (CC6.x controls), MFA for all users and administrators, audit logging for all services, and Conditional Access blocking high-risk sign-ins are the most direct mappings. For ISO 27001 (A.9 Access Control), PIM for privileged roles, legacy authentication blocking, and guest access restriction map directly. For HIPAA (Technical Safeguards), audit logging, MFA, and automatic session timeout controls are the primary mapping points. Run your Secure Score recommendations through the Compliance Manager in the Microsoft Purview portal to see compliance framework mappings for each control.

How does Microsoft Secure Score relate to Microsoft Defender for Cloud?

Microsoft Secure Score (in the Microsoft Defender portal at security.microsoft.com) measures Microsoft 365 and Entra ID security posture for the productivity and identity stack. Microsoft Defender for Cloud (at portal.azure.com) has its own separate Secure Score that measures Azure infrastructure security posture, covering Azure workloads, containers, databases, and hybrid resources. They are two separate scores in two separate portals. Organizations using both Azure infrastructure and Microsoft 365 need to monitor both scores and treat them as complementary rather than overlapping coverage.

Sources & references

  1. Microsoft Secure Score Documentation
  2. CIS Microsoft 365 Foundations Benchmark
  3. Microsoft Entra ID Security Operations Guide

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.