Microsoft Secure Score: Which Recommendations to Prioritize and Which to Ignore

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Microsoft Secure Score is one of the most misused security metrics in Microsoft 365 environments. The problem is the point allocation: some recommendations with 10 to 20 point values address critical attack vectors that should be addressed immediately; some recommendations with 3 to 5 point values are low-effort quick wins that genuinely improve security posture; and some recommendations with high point totals provide limited real security benefit while requiring significant operational disruption.
Chasing the highest-point recommendations first produces a score improvement without a corresponding security improvement. This guide provides a prioritization framework based on actual attack frequency and defensive impact, not point value.
Tier 1: Implement these immediately regardless of point value
These recommendations address the most commonly exploited attack vectors in Microsoft 365 environments. Implement them before anything else, regardless of their Secure Score point contribution.
Require MFA for all administrators (Entra ID): Account for the point value: varies, but this is the single highest-impact security control in the Microsoft ecosystem. Microsoft data shows 99.9 percent of compromised Microsoft accounts did not have MFA enabled. Implement MFA for every account with a privileged Entra ID role: Global Administrator, Privileged Role Administrator, Security Administrator, Exchange Administrator, SharePoint Administrator. Use Conditional Access policies, not per-user MFA (per-user MFA is legacy and harder to manage at scale). Require phishing-resistant MFA (FIDO2 hardware key or Microsoft Authenticator with number matching) for Global Administrators.
Enable Privileged Identity Management (PIM) for all privileged roles: PIM requires eligible users to activate their privileged role with justification and approval before it is assigned. This means a compromised Global Administrator account is not permanently in the Global Administrator role; the attacker must also complete the PIM activation workflow. Combined with MFA, PIM on privileged roles is the strongest identity control in the Entra ID toolkit.
Block legacy authentication protocols: Basic authentication (SMTP AUTH, IMAP, POP3, Exchange ActiveSync with basic credentials) does not support MFA and is the primary attack vector for password spray attacks. Block legacy authentication via Conditional Access policy: Clients Authentication Methods condition targeting Exchange ActiveSync and Other clients. Microsoft shows that 99 percent of password spray attacks use legacy authentication protocols.
Enable Entra ID Identity Protection: Identity Protection evaluates each sign-in for risk signals (leaked credentials, impossible travel, anonymous IP, malware-linked IP, Entra ID threat intelligence) and can block or require MFA step-up for risky sign-ins automatically. Enable user risk and sign-in risk policies. Set risky sign-in policy to require MFA (not block, which disrupts legitimate users). This automates a detection and response loop that would otherwise require analyst review of every sign-in risk alert.
Tier 2: High-value recommendations with moderate implementation effort
These recommendations provide meaningful security improvement with manageable implementation complexity. Target within 30 to 60 days of completing Tier 1.
Enable Microsoft Defender for Office 365 Safe Links and Safe Attachments: Safe Links rewrites URLs in emails and documents and evaluates the link at click time against Microsoft's threat intelligence. Safe Attachments detonates email attachments in a sandbox before delivery. Both address phishing and malware delivery, the leading initial access vector for business email compromise and ransomware. In Defender for Office 365 Plan 2, enable these policies for all users in the default global policy and supplement with strict policies for executive and finance users.
Configure Conditional Access to block authentication from high-risk locations or non-compliant devices: Conditional Access policies can require compliant devices (Intune-enrolled and meeting compliance policy) or hybrid Entra ID joined devices for access to corporate resources. This prevents credential theft attacks from being operationalized from unmanaged attacker-controlled devices. Start with requiring compliant devices for access to sensitive data stores (SharePoint sites containing confidential data, Exchange Online for executive mailboxes).
Enable audit logging in Exchange Online and SharePoint: Audit logs are required for incident investigation, insider threat detection, and compliance. Exchange Online audit logging should capture mailbox access, message sending (from delegated accounts), and admin actions. SharePoint audit logging should capture file access, download, sharing, and permission changes. Audit logs are not enabled by default at all required levels in some licensing tiers; verify coverage.
Enable Microsoft Defender for Endpoint on all Windows devices: Defender for Endpoint is included with Microsoft 365 E5 or available as an add-on. It provides endpoint detection and response (EDR), attack surface reduction rules, and network protection. If you have the license, enabling Defender for Endpoint and onboarding all Windows devices to it provides more security improvement than any 10 lower-tier Secure Score recommendations.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Tier 3: Point-heavy recommendations with limited real-world security impact
These recommendations frequently appear near the top of organizations' Secure Score action lists because of high point values, but their marginal security improvement for most organizations is low. Do them if you have capacity after completing Tiers 1 and 2, not before.
Turn on mailbox auditing for all users (if already covered by unified audit log): If you have unified audit log enabled (covered by Tier 2), per-mailbox auditing provides marginal additional detail for most organizations. The Secure Score recommendation is often already met by unified audit log policies. Check before implementing separately.
Set outbound spam filter policies: Outbound spam filtering catches compromised accounts sending spam, which protects your email domain reputation. Important to implement, but it addresses a consequence of account compromise rather than preventing account compromise. It should not be higher priority than MFA or legacy auth blocking.
Do not allow users to grant consent to unmanaged applications: Disabling user consent for non-Microsoft applications prevents OAuth token theft from phishing attacks that trick users into consenting to a malicious app. This is a genuinely valuable control, but it requires building an app governance workflow to approve legitimate third-party app integrations that users previously consented to individually. The implementation effort is higher than the Secure Score point value suggests, and the user experience impact is significant without careful planning.
Enable DMARC, DKIM, and SPF: All three email authentication standards are important for protecting your domain from spoofing. However, they are often already implemented as part of basic email configuration. If not implemented, do them. If they are partially implemented (SPF and DKIM but not DMARC with enforcement), completing DMARC to p=quarantine or p=reject is the meaningful action.
Using Secure Score as a program measurement tool rather than a target
The most valuable use of Secure Score is not chasing a specific number but tracking trend over time and comparing your score against your industry peer group. Secure Score provides both capabilities natively.
Trend tracking: Review Secure Score monthly. A declining score without a deliberate exception process indicates that security configurations are drifting toward less-secure states, which happens when admins make configuration changes without security review, when new Microsoft features are deployed with default-insecure settings, or when old policies are deprecated without replacement.
Peer comparison: The Secure Score dashboard shows your score relative to similar-sized organizations in the same industry sector (based on anonymized Microsoft data). A score significantly below peer median indicates you are missing controls that similar organizations have implemented, which is useful for board-level security program reporting.
Risk acceptance and exceptions: Not all Secure Score recommendations are appropriate for every organization. Legacy ERP systems may require specific authentication methods that conflict with Conditional Access policies. Block legacy authentication wholesale can break production applications that cannot be updated quickly. Use the 'Resolve through third party,' 'Alternate mitigation,' and 'Risk accepted' options in Secure Score to document exceptions rather than ignoring recommendations without record.
Secure Score is not a security audit outcome. A score of 100 percent does not mean the organization is secure. It means the organization has enabled the Microsoft controls that Secure Score measures. Critical controls outside the Microsoft ecosystem (network security, endpoint agents for non-Windows devices, backup integrity) are not reflected in the score.
The bottom line
Prioritize Microsoft Secure Score recommendations by attack frequency, not point value. MFA for all administrators, blocking legacy authentication, enabling Identity Protection, and activating PIM for privileged roles are the four highest-impact actions regardless of their point contribution. After completing these, work through Defender for Office 365 and Conditional Access device compliance before focusing on the numerically large but marginally impactful recommendations. Use the score as a trend and peer comparison tool, not as an absolute target.
Frequently asked questions
What is Microsoft Secure Score?
Microsoft Secure Score is a measurement of an organization's Microsoft 365 and Entra ID security posture expressed as a numeric score. It evaluates whether specific security controls are enabled across identity (Entra ID), devices (Intune and Defender for Endpoint), applications (Defender for Office 365), and data (Microsoft Purview) categories. Each recommended action has a point value; the total score represents how many of the available points have been achieved. Secure Score is available at security.microsoft.com and is included with Microsoft 365 Business Premium and above.
What is a good Microsoft Secure Score?
Microsoft reports the average Secure Score for organizations of similar size and industry via the peer comparison feature in the Secure Score dashboard. A score above the 75th percentile for your peer group indicates a mature Microsoft security posture. However, absolute score number is less important than: (1) whether the highest-impact controls (MFA for admins, legacy auth blocking, Identity Protection) are implemented regardless of their point value, and (2) whether the score trend is stable or improving over time. A score of 60 with all Tier 1 controls implemented outperforms a score of 80 that is high because of low-impact quick wins.
Does a high Microsoft Secure Score mean we are secure?
No. Secure Score measures whether specific Microsoft 365 and Entra ID controls are enabled. It does not measure: network security architecture, endpoint security for non-Windows devices, application security for custom applications, backup and recovery posture, third-party SaaS security configurations, or physical security. A Secure Score of 100 percent means all Microsoft-measured controls are enabled. An organization can have a high Secure Score and still be successfully breached through a phishing attack that targets a non-Microsoft service, a vulnerability in a third-party application, or a supply chain compromise.
How do I increase my Microsoft Secure Score quickly?
The fastest score increases come from enabling features that are already licensed but not configured. For most M365 Business Premium and E3 tenants: enable Microsoft Defender for Office 365 Safe Links and Safe Attachments if not already active (significant point gain, already licensed), enable Entra ID Identity Protection sign-in risk policy (large point contribution, already licensed in P2), and block legacy authentication via Conditional Access (large point contribution). Check your 'Recommended actions' list sorted by 'Points achieved/Points available' to identify the highest-ratio quick wins. Run through all actions labeled 'Not addressed' before reviewing 'Risk accepted' or 'Resolved through third party' items.
What Microsoft Secure Score recommendations should I prioritize for compliance?
For common compliance frameworks, the highest-mapping Secure Score recommendations are: for SOC 2 Type II (CC6.x controls), MFA for all users and administrators, audit logging for all services, and Conditional Access blocking high-risk sign-ins are the most direct mappings. For ISO 27001 (A.9 Access Control), PIM for privileged roles, legacy authentication blocking, and guest access restriction map directly. For HIPAA (Technical Safeguards), audit logging, MFA, and automatic session timeout controls are the primary mapping points. Run your Secure Score recommendations through the Compliance Manager in the Microsoft Purview portal to see compliance framework mappings for each control.
How does Microsoft Secure Score relate to Microsoft Defender for Cloud?
Microsoft Secure Score (in the Microsoft Defender portal at security.microsoft.com) measures Microsoft 365 and Entra ID security posture for the productivity and identity stack. Microsoft Defender for Cloud (at portal.azure.com) has its own separate Secure Score that measures Azure infrastructure security posture, covering Azure workloads, containers, databases, and hybrid resources. They are two separate scores in two separate portals. Organizations using both Azure infrastructure and Microsoft 365 need to monitor both scores and treat them as complementary rather than overlapping coverage.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
