
Understanding Microsoft Secure Score: A Comprehensive Guide

Discover how Microsoft Secure Score can help you review and improve your organisation's security posture.


Microsoft Secure Score is a measurement tool that displays an easy-to-understand number to help you understand and enhance your security posture within Microsoft 365. The higher the score, the better. It provides an excellent 'at a glance' summary of the effectiveness of your Microsoft 365 security measures.



Why is Secure Score important?

Understanding your Secure Score is crucial for maintaining a robust security framework.

It acts as a benchmark, helping you identify areas where your security could be improved and providing specific recommendations on how to do so.

Being aware of your Secure Score allows you to prioritise security tasks more effectively, ensuring that your resources are directed towards the most impactful actions. This can make a significant difference in protecting your organisation from potential threats.

How is Secure Score calculated?

The score is calculated by evaluating your configurations, behaviours, and other security-related activities against a set of best practices defined by Microsoft.

The metrics evaluated are broken down into 4 core groups:

  • Identity - which looks at Microsoft accounts & roles
  • Device - which is primarily concerned with Microsoft Defender
  • Apps - which is focussed on email and cloud apps, including Office 365
  • Data - evaluates protections using Microsoft's Information Protection

Each action taken to improve security across these categories increases your score, giving you a clear and actionable way to bolster your defences.

Note that this is not a one-time activity and it needs to be reviewed on a regular basis.

What is a good Microsoft Secure Score?

We believe that aiming for a Secure Score of at least 80% represents a realistic and achievable goal for most businesses. Reaching this threshold means that you have implemented a robust set of security measures that significantly reduce your vulnerability to cyber threats.

While achieving a perfect score is often not feasible for many organisations, hitting the 80% mark puts you in a strong position. It demonstrates a commitment to security that not only protects your data but also builds trust with clients and stakeholders.

How to view your Secure Score

To view the Microsoft Secure Score, you need to have the Security Reader role in Microsoft Entra ID (formerly Azure AD) or equivalent permissions. If you don't have access, you might need to speak to your IT administrator or Managed IT Service Provider.

You can access it through the Microsoft 365 Security Centre by visiting security.microsoft.com/securescore.

Your Secure Score dashboard will display your current score along with a concise summary of the items that need attention and are impacting your score.

Microsoft Secure Score dashboard

The graph underneath your Secure Score shows how your score has changed over time. A drop means either that something has been changed which reduced your security, or that best practice has altered: Microsoft adds new controls on a regular basis, so your Secure Score may decrease without regular review and action.

The 'Actions to review' section to the right shows, at a glance, how many actions are outstanding in each status:

  • Regressed - these are actions that were previously completed but have since been undone. This might have been through troubleshooting steps, but the restoration of the control was overlooked after finding a solution.
  • To address - this lists all the issues identified by Secure Score as needing attention but that haven't yet been processed.
  • Planned - if you mark an action as planned it will be removed from the 'To address' category and moved here.
  • Risk accepted - shows all the actions you have opted not to implement, often because the specific licence requirements make them impractical to pursue. These recommended actions are then excluded from your calculated Secure Score.
  • Recently added - this lists any new actions that Microsoft have added to the platform that have yet to be addressed.
  • Recently updated - here you'll see any actions that have been modified to reflect new insights, technologies, or best practices that require attention.
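As an added illustration of the calculation and the statuses described above (not part of the original article), the following Python models two Secure Score snapshots in the shape of the Microsoft Graph secureScore resource (controlScores entries with controlCategory, controlName and score), computes the percentage against the 80% target with accepted risks excluded, and flags 'Regressed' and 'Recently added' controls. The fields max and acceptedRisk, the control names and the dates are constructed assumptions; fetching live data from Graph is out of scope.

```python
"""Summarise Microsoft Secure Score snapshots shaped like the Graph secureScore
resource. Sample data is constructed; 'max' and 'acceptedRisk' are assumed fields."""
from collections import defaultdict

TARGET_PERCENT = 80.0  # minimum the article recommends aiming for


def control(category, name, score, maximum, accepted_risk=False):
    return {"controlCategory": category, "controlName": name,
            "score": score, "max": maximum, "acceptedRisk": accepted_risk}


SNAPSHOTS = [  # two constructed monthly snapshots, oldest first
    {"createdDateTime": "2024-05-01", "controlScores": [
        control("Identity", "RequireMfaForAdminRoles", 10, 10),
        control("Identity", "BlockLegacyAuthProtocols", 8, 8),
        control("Device", "EnableDefenderSafeAttachments", 0, 5, True),  # licence not held
        control("Apps", "EnableAntiPhishingPolicy", 0, 4),
        control("Data", "EnableDlpPolicy", 3, 3)]},
    {"createdDateTime": "2024-06-01", "controlScores": [
        control("Identity", "RequireMfaForAdminRoles", 10, 10),
        control("Identity", "BlockLegacyAuthProtocols", 0, 8),  # undone while troubleshooting
        control("Device", "EnableDefenderSafeAttachments", 0, 5, True),
        control("Apps", "EnableAntiPhishingPolicy", 4, 4),
        control("Data", "EnableDlpPolicy", 3, 3),
        control("Apps", "RestrictThirdPartyAppConsent", 0, 6)]},  # newly added by Microsoft
]


def summarise(snapshot):
    """Overall percentage plus per-category [score, max]. Accepted-risk controls are
    left out of the maximum, as the article describes, so a category made up only
    of accepted risks disappears from the breakdown."""
    by_cat = defaultdict(lambda: [0, 0])
    for c in snapshot["controlScores"]:
        if not c["acceptedRisk"]:
            by_cat[c["controlCategory"]][0] += c["score"]
            by_cat[c["controlCategory"]][1] += c["max"]
    score = sum(s for s, _ in by_cat.values())
    maximum = sum(m for _, m in by_cat.values())
    percent = 100.0 * score / maximum if maximum else None  # avoid dividing by zero
    return {"percent": percent, "by_category": dict(by_cat),
            "meets_target": percent is not None and percent >= TARGET_PERCENT}


def changes(previous, current):
    """Controls whose score fell ('Regressed') and controls absent from the earlier
    snapshot ('Recently added'): both are the kind of change worth an alert."""
    old = {c["controlName"]: c["score"] for c in previous["controlScores"]}
    regressed = [c["controlName"] for c in current["controlScores"]
                 if c["controlName"] in old and c["score"] < old[c["controlName"]]]
    added = [c["controlName"] for c in current["controlScores"] if c["controlName"] not in old]
    return {"regressed": regressed, "recently_added": added}
```

Running `summarise` on each snapshot and `changes` on the pair shows the June score falling below target because one completed control was undone and a new control was added with zero points, even though the accepted-risk Device control never counted against the tenant.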


How to improve your Secure Score

To improve your Secure Score, you need to understand the actions that are available to you. That is where the Recommended Actions tab comes in.

It provides detailed recommendations across your entire Microsoft 365 environment.

Microsoft Secure Score complete

Not all actions carry the same weight. Actions that have a bigger impact on your security have a greater number of points attached to them. This can help you identify quick wins and high-priority tasks that will yield the most significant improvements.

If a recommendation is unclear, implementing it could cause disruption that affects your users. If you're uncertain, it's advisable to consult your IT Support partner, as they should ideally be handling this for you as part of a managed service.

Licence requirements and exemptions

It's important to note that some Secure Score metrics can only be achieved with specific licences. We recommend Microsoft 365 Business Premium or Microsoft 365 E5, depending on your organisation's size, as these have the most comprehensive security features as standard.

Many actions also expect you to be using Microsoft's own suite of products like Defender as your endpoint protection. If you use a third-party security product your Secure Score will not take account of this.

If your organisation does not have these licences or products, these metrics can skew your score and make it seem lower than it actually is.

Fortunately, Microsoft allows you to ignore these unattainable metrics. This ensures that your score accurately reflects the security measures you can realistically implement, providing a more accurate and actionable assessment of your security posture. 

How to set up alert policies

You can set up alerting for Microsoft Secure Score to stay informed about changes in your organisation's security posture. Here are the steps to configure alerts:

  1. Access your Secure Score: visit the Microsoft 365 Security Centre at security.microsoft.com/securescore.
  2. Set up alerts:
    • Go to the Settings section.
    • Select Alert policies.
    • Create a new alert policy by specifying the conditions under which you want to be alerted (e.g., changes in Secure Score, specific security recommendations).
  3. Configure notification settings: define how you want to receive alerts (e.g., email notifications) and who should receive them.

By setting up these alerts, you can proactively monitor and respond to changes in your Secure Score, helping to maintain and improve your organisation's security posture.

Best practice for maximising your Secure Score

Here are our essential tips for maximising your score:

  1. Make sure you have access to Microsoft's Security Centre
  2. Ensure you have Microsoft 365 Business Premium or higher
  3. Review your Secure Score regularly (at least once per month)
  4. Follow Microsoft's suggested list of prioritised actions
  5. Regularly communicate the changes and best practice to your staff
  6. Regularly review accepted risks to ensure they are still appropriate
  7. Ensure you have alerts set up to notify you of changes

If you're not comfortable managing your own security, engage with a managed IT support partner like IT Foundations who can set up and monitor your Microsoft 365 in line with best practice, leaving you to focus on what you do best.

Next steps...?

If you'd like to learn more about Secure Score and how we can help you manage and protect your Microsoft 365 environment, get in touch today. Our team of Edinburgh-based experts can help companies all across Scotland stay safe and secure.
