Microsoft Secure Score, Simplified

A lot of people make assumptions about Microsoft’s tools. And sometimes, those assumptions can create some big blind spots. 

For example, because Microsoft spends over $1 billion dollars on cybersecurity every year, many assume that they don’t need to worry about their business data within their Microsoft environment. But just like a state-of-the-art security system, Microsoft’s security only works when you use it correctly. And by and large, that’s not what’s happening. 

Microsoft Security Statistics You Shouldn’t Ignore

Here are just a few statistics that we thought you should see: 

• The Azure storage account has a misconfiguration rate of 60.75%
• Azure App Service has a misconfiguration rate of 55.53%
• Roughly 23% of cloud security incidents are caused by misconfigurations
• Over 50% of organizations don’t have sufficient restrictions placed on access permissions

It’s not looking good. But to be fair, Microsoft is a robust platform, and that tends to come with complexity. And because everyone uses their Microsoft tools differently, there’s no simple 3-step solution that works for everyone. 

A few years ago, we compiled a list of tips to secure Microsoft according to the Center for Internet Security (CIS). Some of the tips are fairly simple. But many are not. And you’d need some knowledge of how Microsoft works in order to apply security settings correctly.  

What Is Microsoft Secure Score?

Microsoft Secure Score is like a security report card for your Microsoft 365 environment. 

It evaluates your user behavior, device security, and configurations and assigns you a number that shows how well-protected your organization is. Higher scores mean a better security posture. It also suggests ways to improve your security.

It originally came out in 2019 but has been updated and expanded quite a bit since then.

How To View Your Microsoft Secure Score for Devices and Tools

Go to the Microsoft Secure Score overview page within your Microsoft Defender portal and look for the Your Secure Score tile. 

Your score will be shown as a percentage that’s based on the number of possible security points and the number of points you’ve achieved. Want to see a little more about how that number was generated? Click the button next to your score to see your secure score displayed as a more comprehensive graph. 

You can also add more data to your overall score. Here’s how Microsoft groups this info: 

Planned Score

Hard work pays off! Use this data to show you what your score would be if you were to take certain steps. 

Current License Score

Not every organization needs to be Fort Knox, but advanced Microsoft security does require more advanced tools. Use this score to see what could be achieved with your current Microsoft license. 

Achievable Score

This score includes what can be achieved with your current Microsoft licenses and your current risk acceptance.

What Apps Does Microsoft Evaluate in Its Secure Score? 

Microsoft is still in the process of adding more apps to its secure score tool. Currently, here are the tools that Microsoft Secure Score includes as part of your overall percentage: 

• App governance
• Microsoft Entra ID
• Citrix ShareFile
• Microsoft Defender for Endpoint
• Microsoft Defender for Identity
• Microsoft Defender for Office
• Docusign
• Exchange Online
• GitHub
• Microsoft Defender for Cloud Apps
• Microsoft Purview Information Protection
• Microsoft Teams
• Okta
• Salesforce
• ServiceNow
• SharePoint Online
• Zoom

Using Your Microsoft 365 Secure Score To Make Improvements

This tool makes it easier to see where you have vulnerabilities and where you can make simple improvements. 

Here’s how: 

• It compares your security startup to best practices to give you your initial score
• It offers you specific recommendations to boost your score that are prioritized according to risk
• Your numbers go up in real-time when you take the actions it recommends, so you can track your progress

Using Your Microsoft 365 Secure Score To Make Improvements

In a perfect world, everyone would get 100%! But, like we said earlier, not every organization has to be Fort Knox. 

If Microsoft Secure Scores were graded, here’s how we’d break it down: 

Microsoft Secure Scores 

75-100% — A

60-75% — B

50-60% — C

30-40% — D

<30% — F

Most organizations tend to get a score of around 50%. A score below 50% means that significant improvements are needed. 

Also, keep in mind that not every organization has the same security needs. If your organization is heavily regulated, you really should aim for 75% or higher. Anything above that number is great, but the closer you get to 100%, the likelier you’ll see costlier improvements that only get you another percentage point or two. 

Additional Tips, Including Free Microsoft Secure Score Consulting

Cybersecurity is constantly evolving, and so is user behavior. Your score will change over time! So, while this tool is extremely helpful, don’t take a “set it and forget it” approach. Instead, you might want to check your score each month. 

If you’re struggling to implement any of Microsoft’s recommendations or you simply don’t have the time, we’d recommend getting some outside help. Many IT providers offer affordable options to help organizations boost their security on a budget. At Marco, we offer free Microsoft assessments, where a member of our Microsoft team will look into your Microsoft environment and offer recommendations and a few additional perks. A lot of organizations use these to jumpstart some security improvements quickly, and we’re fine with that! 

Click the link below to learn more about what’s included!