Compliance

Microsoft Secure Score: What It Is, What's a Good Score, and What It Misses

Microsoft Secure Score tells you how much of Microsoft's recommended configuration you have switched on — not whether your tenant is actually secure. Here is what it measures, what a good score looks like, where to find it, and the gaps a CIS Benchmark assessment closes.

Published 23 June 2026

Almost every Microsoft 365 administrator has seen their Secure Score. It is the first number Microsoft puts in front of you when you ask "how secure are we?" — a single percentage, sitting in the Defender portal, that feels like a grade. The problem is that most people read it as a security score when it is really a configuration score. A tenant sitting at 72% can still have a Global Administrator with no MFA, and a tenant at 55% can be tighter than one at 80%.

This guide explains what Microsoft Secure Score actually measures, where to find it, how it is calculated, and — the question everyone asks — what counts as a good score. It also covers the gaps Secure Score cannot see, and how a CIS Microsoft 365 Foundations Benchmark assessment answers the question Secure Score only gestures at: is this tenant actually configured securely, control by control?

What Is Microsoft Secure Score?

Microsoft Secure Score is a measurement of your organisation's security posture, shown in the Microsoft Defender portal. It looks at a catalogue of recommended security configurations and features across identity, devices, and apps, awards points for the ones you have adopted, and expresses your total as a percentage of the points available to your tenant.

Each recommendation is called an improvement action. Every improvement action carries the number of points it is worth, the product or licence it applies to, the user impact of turning it on, and the steps to implement it. Enable multi-factor authentication for all users, turn on Safe Links, block legacy authentication — each is an improvement action with points attached.

The headline number is deliberately simple: one percentage, trending over time, with a breakdown by category. That simplicity is what makes it useful as a conversation-starter with management — and also what makes it easy to over-trust.

Where to Find Your Microsoft Secure Score

Sign in to the Microsoft Defender portal at security.microsoft.com and open Secure score from the left-hand navigation (in the current portal it sits under Exposure management). You will see your current percentage, your points history, a list of improvement actions ranked by the points on offer, and a comparison against organisations of similar size and industry.

To view Secure Score you need a role with read access to the security data — Security Reader or Global Reader is enough to look without being able to change anything. Acting on the recommendations themselves generally requires the relevant admin role for the product in question (Exchange, Entra, Intune, and so on).

How Microsoft Secure Score Is Calculated

Your score is, at its simplest, your achieved points ÷ the total points applicable to your licences × 100. A few mechanics are worth understanding, because they explain a lot of the confusion around the number:

  • It is relative to your licensing. The denominator is not a fixed maximum — it is the points available for the improvement actions that apply to your product set. A tenant on Business Premium and a tenant on E5 are scored against different totals.
  • Partial credit exists. Many actions are scored proportionally. Enabling MFA for 80% of your users earns roughly 80% of that action's points, not nothing and not everything.
  • Actions are ranked by points, not by risk. The list is sorted by how many points you can gain, which is correlated with — but not the same as — how much real risk each change removes.
  • It is a moving target. Microsoft regularly adds new improvement actions, which expands the denominator. (More on why that matters below.)

What Counts as a "Good" Microsoft Secure Score?

This is the most-searched question about Secure Score, and the honest answer is: there is no universal pass mark. Because the score is relative to your licences and the actions that apply to you, "75%" means something different for every tenant.

That said, here is a realistic frame:

  • Most organisations land somewhere in the 40–60% range before any deliberate hardening, simply because the default tenant leaves a lot of recommended controls switched off.
  • A well-hardened tenant on a mature licence often sits in the 70s or low 80s — and rarely needs to chase higher, because the remaining points come from actions that may not fit the organisation (deploying a product you do not own, or a control that conflicts with a legitimate workflow).
  • Chasing 100% is the wrong goal. Some improvement actions will never apply to you, and accepting a few of them as "risk accepted" is a valid, documented decision — not a failure.

The two numbers that actually matter are your trend (is the score climbing as you harden, or quietly sliding?) and your peer comparison (are you above or below similar organisations?). A single snapshot percentage, with no context, tells you very little.

Why Your Secure Score Drops When You Haven't Changed Anything

A common and unsettling experience: you log in, and your Secure Score has fallen — but nobody touched the tenant. This is almost always because Microsoft added new improvement actions. When new recommendations enter the catalogue, the total available points grow, so your existing achieved points now represent a smaller slice of a bigger pie. Your configuration did not get worse; the yardstick got longer.

This is a feature, not a bug — it keeps the score aligned with an evolving threat landscape — but it is also a reminder that the percentage is a relative, shifting measure, not an absolute statement of how secure you are.
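The arithmetic behind the three mechanics above (partial credit, a licence-relative denominator, and the drop that follows a catalogue expansion) is easier to see in code than in prose. The following is an added illustration written for this article, not Microsoft's scoring logic or any ConfigCobra code; the improvement actions, point values, licence mappings and completion fractions are constructed, and real values come from the Defender portal.

```python
"""Model of the Secure Score percentage: partial credit, a licence-relative
denominator, and the drop that follows a catalogue expansion.

Added illustration, not Microsoft's scoring code or ConfigCobra's. Every
action, point value and licence mapping below is constructed.
"""
from dataclasses import dataclass


@dataclass
class ImprovementAction:
    name: str
    max_points: float
    licences: frozenset      # licences this action applies to
    completion: float = 0.0  # fraction achieved, 0.0..1.0 (partial credit)


def catalogue():
    """Constructed catalogue. 'Require MFA' is 80% rolled out, so it earns
    80% of its points; the Defender for Identity action is E5-only."""
    both = frozenset({"Business Premium", "E5"})
    return [
        ImprovementAction("Require MFA for all users", 10, both, 0.8),
        ImprovementAction("Block legacy authentication", 8, both, 1.0),
        ImprovementAction("Turn on Safe Links", 5, both, 1.0),
        ImprovementAction("Deploy Defender for Identity sensors", 10,
                          frozenset({"E5"}), 0.0),
    ]


def applicable(actions, licence):
    """Only actions that apply to the tenant's licence enter the denominator."""
    return [a for a in actions if licence in a.licences]


def secure_score(actions, licence):
    """achieved points / points applicable to this licence * 100,
    rounded to one decimal place."""
    acts = applicable(actions, licence)
    available = sum(a.max_points for a in acts)
    if available == 0:
        return 0.0
    achieved = sum(a.max_points * a.completion for a in acts)
    return round(achieved / available * 100, 1)


def score_after_catalogue_growth(actions, licence, new_action):
    """Microsoft adds an action nobody has implemented yet: achieved points
    stay the same, available points grow, so the percentage falls."""
    before = secure_score(actions, licence)
    after = secure_score(actions + [new_action], licence)
    return before, after


if __name__ == "__main__":
    acts = catalogue()
    for lic in ("Business Premium", "E5"):
        # Same configuration, different denominators per licence.
        print(f"{lic}: {secure_score(acts, lic)}%")
    new = ImprovementAction("Require phishing-resistant MFA for admins", 7,
                            frozenset({"Business Premium", "E5"}))
    print(score_after_catalogue_growth(acts, "Business Premium", new))
```

With this constructed catalogue the same configuration scores 91.3% on Business Premium and 63.6% on E5, because the E5 denominator includes an unimplemented E5-only action; adding one new seven-point action to the catalogue drops the Business Premium tenant to 70.0% with nothing changed in the tenant itself.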

What Microsoft Secure Score Doesn't Tell You

Here is where the "configuration score, not a security score" distinction earns its keep. Secure Score is genuinely useful, but it has structural blind spots:

  • It scores Microsoft's recommendations, not an independent standard. Secure Score is Microsoft grading you against Microsoft's own catalogue of features. It is not measured against a consensus security baseline, and it is weighted by Microsoft's priorities rather than an external auditor's.
  • A single number hides which specific controls fail. Two tenants at 70% can have completely different risk profiles. The percentage cannot tell you whether the missing 30% is a handful of low-impact settings or a wide-open admin account.
  • "Enabled" is not the same as "correctly scoped." This is the most dangerous gap. Secure Score often credits you for having a feature switched on — but a Conditional Access policy that requires MFA while quietly excluding three Global Administrators can still look healthy from the score's point of view. Exclusions like these accumulate silently, and a posture number rarely surfaces them.
  • It does not see attacks that walk through correctly-licensed features. Techniques such as device-code phishing succeed against tenants that look fine on paper, because they abuse legitimate authentication flows rather than missing settings.
  • It is not audit evidence. You cannot hand an auditor a "72% Secure Score" as proof that a specific control is in place. Auditors want control-by-control results with the actual configuration value and a timestamp — which is a different artefact entirely.

None of this makes Secure Score worthless. It makes it a starting point — a directional dashboard, not a verdict.

Microsoft Secure Score vs. a CIS Benchmark Assessment

The cleanest way to understand Secure Score's place is to put it next to a formal assessment standard.

Microsoft Secure Score

  • Microsoft scoring your tenant against Microsoft's recommended configurations.
  • Output: a single percentage, trended over time, grouped by identity, devices, and apps.
  • Strengths: free, built in, fast to read, good for tracking direction and briefing management.
  • Limits: relative and shifting, hides per-control detail, credits "enabled" over "correctly scoped", and is not audit-ready.

CIS Microsoft 365 Foundations Benchmark assessment

  • Your tenant measured against the CIS Microsoft 365 Foundations Benchmark v5.0.0 — an independent, consensus-developed standard.
  • Output: a pass / fail / partial result for each of 129 controls across 9 sections — the Microsoft 365 admin center, Microsoft Entra, Microsoft Defender, Microsoft Purview, Microsoft Intune, Exchange Online, SharePoint & OneDrive, Microsoft Teams, and Microsoft Fabric / Power BI — with severity tagged per control.
  • Strengths: control-by-control detail, severity to prioritise, the actual configuration value evaluated, and audit-ready evidence.
  • Limits: it is a structured assessment rather than a live dashboard number — which is exactly why it pairs well with Secure Score.

They are complementary. Use Secure Score for a quick, directional read and to keep momentum visible to leadership. Use a CIS Benchmark assessment when you need to know — and prove — which specific controls pass and fail. For the bigger picture of what an assessment covers end to end, see our Microsoft 365 security assessment guide; for the step-by-step procedure, the Microsoft 365 security audit guide.

How to Turn Your Secure Score Into a Real Assessment

If Secure Score is your starting point, here is how to get from a number to a posture you can actually trust:

  1. Read the improvement actions, not just the percentage. Open the list, sort by points, and treat it as a to-do list of Microsoft's recommendations — but read each one for fit, not just for the points on offer.
  2. Validate scoping, not just status. For every "enabled" control, confirm it is scoped correctly — no admins excluded from MFA, no policy applied to a pilot group and never rolled out to everyone.
  3. Measure against a real standard. Run your tenant against the CIS Microsoft 365 Foundations Benchmark so you get pass / fail per control with severity, not a single blended number.
  4. Produce evidence. Capture the actual configuration values and a timestamp, so you have something an auditor or a client will accept.
  5. Monitor for drift. A score or an assessment is a photograph; what you need is a live feed that tells you the moment a control regresses.
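Step 2 above, and the "enabled is not the same as correctly scoped" blind spot described earlier, come down to one check: for each enforced Conditional Access policy that requires MFA, who is excluded, and are any of them privileged? The following is an added example written for this article, not ConfigCobra's assessment code. The policies, users and groups are constructed; their field names follow the shape of Microsoft Graph's conditionalAccessPolicy resource (conditions.users.includeUsers / excludeUsers / excludeGroups, grantControls.builtInControls, state), but every id and display name is invented, and includeGroups / includeRoles targeting is deliberately not modelled.

```python
"""Scope check for MFA Conditional Access policies: does an 'enabled' policy
actually apply to every privileged account, or are admins excluded?

Added example, not ConfigCobra's code. Field names mirror Graph's
conditionalAccessPolicy shape; all ids, names and memberships are constructed.
"""

# Constructed: privileged accounts mapped to the directory role they hold.
PRIVILEGED_USERS = {
    "u-alice": "Global Administrator",
    "u-carol": "Security Administrator",
    "u-dave": "Global Administrator",
}

# Constructed: group membership, needed to expand excludeGroups.
GROUP_MEMBERS = {"g-break-glass": ["u-dave"]}

# Constructed policies in a Graph-like shape.
POLICIES = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {"users": {
            "includeUsers": ["All"],
            "excludeUsers": ["u-alice", "u-bob"],  # alice is a Global Administrator
            "excludeGroups": ["g-break-glass"],   # contains another Global Administrator
        }},
        "grantControls": {"builtInControls": ["mfa"]},
    },
    {
        "displayName": "Block legacy authentication",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"],
                                 "excludeUsers": [], "excludeGroups": []}},
        "grantControls": {"builtInControls": ["block"]},
    },
    {
        "displayName": "Require MFA for admins",
        # Report-only: looks configured in the portal, enforces nothing.
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"users": {"includeUsers": ["u-alice", "u-carol", "u-dave"],
                                 "excludeUsers": [], "excludeGroups": []}},
        "grantControls": {"builtInControls": ["mfa"]},
    },
]


def requires_mfa(policy):
    return "mfa" in policy.get("grantControls", {}).get("builtInControls", [])


def is_enforced(policy):
    # Only "enabled" enforces; report-only and disabled policies do not.
    return policy.get("state") == "enabled"


def excluded_users(policy, group_members):
    """Direct exclusions plus every member of an excluded group."""
    users = policy["conditions"]["users"]
    excluded = set(users.get("excludeUsers", []))
    for gid in users.get("excludeGroups", []):
        excluded.update(group_members.get(gid, []))
    return excluded


def policy_applies_to(policy, user_id, group_members):
    include = policy["conditions"]["users"].get("includeUsers", [])
    targeted = "All" in include or user_id in include
    return targeted and user_id not in excluded_users(policy, group_members)


def exclusion_findings(policies, privileged_users, group_members):
    """Per MFA policy: the privileged accounts it excludes, or a note that
    it is not enforced at all."""
    findings = []
    for p in policies:
        if not requires_mfa(p):
            continue
        if not is_enforced(p):
            findings.append((p["displayName"], "not enforced", []))
            continue
        hit = sorted(excluded_users(p, group_members) & set(privileged_users))
        if hit:
            findings.append((p["displayName"], "privileged accounts excluded", hit))
    return findings


def admins_without_enforced_mfa(policies, privileged_users, group_members):
    """Privileged accounts to which no enforced MFA policy applies."""
    return sorted(
        u for u in privileged_users
        if not any(is_enforced(p) and requires_mfa(p)
                   and policy_applies_to(p, u, group_members) for p in policies)
    )


if __name__ == "__main__":
    for name, problem, users in exclusion_findings(POLICIES, PRIVILEGED_USERS, GROUP_MEMBERS):
        print(f"{name}: {problem} {users}")
    print("admins with no enforced MFA policy:",
          admins_without_enforced_mfa(POLICIES, PRIVILEGED_USERS, GROUP_MEMBERS))
```

On the constructed data the "Require MFA for all users" policy is enabled and would earn Secure Score credit, yet two Global Administrators fall outside it (one excluded directly, one through an excluded group), and the admin-specific policy is report-only and enforces nothing. Against a live tenant the same functions can be fed the JSON returned by Graph's `identity/conditionalAccess/policies` endpoint under a read-only `Policy.Read.All` permission, with group membership expanded from the directory.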

Run a Real Assessment with ConfigCobra

ConfigCobra picks up exactly where Secure Score stops. It connects to your tenant using read-only Microsoft Graph permissions — no agents, no scripts running in your environment, no admin password shared — and runs the full CIS Microsoft 365 Foundations Benchmark v5.0.0 assessment, all 129 controls across 9 sections, in 20–25 minutes.

For every finding you get a pass / fail / partial status, the actual configuration value that was evaluated, the affected scope, severity tagged from the benchmark, and a copy-paste remediation script (PowerShell or admin-portal steps) — plus a CIS-certified PDF report with a timestamped tenant snapshot for your audit file. After the first assessment, continuous monitoring runs on the cadence you choose and alerts you the moment a control regresses, so the gap Secure Score would never have shown you is caught when it appears.

It is built for more than one tenant, too — assess subsidiaries or client tenants from a single workspace, and invite a read-only auditor seat for clients or external auditors. And for teams using AI assistants, the ConfigCobra MCP server lets you query your live posture data in plain language — "which of my admin accounts are excluded from Conditional Access?" — answered from your actual scan data rather than a static dashboard.

You can run a free assessment that checks 15 of the 129 controls against your own tenant right now, or book a demo to see the full 129-control assessment — and exactly which findings your Secure Score is hiding.

Frequently Asked Questions

What is a good Microsoft Secure Score?

There is no universal pass mark, because the score is relative to your licences and the improvement actions that apply to you. Most tenants start in the 40–60% range; a well-hardened tenant often sits in the 70s or low 80s. The numbers that matter most are your trend over time and your comparison against similar organisations — not a single snapshot percentage.

Where do I find my Microsoft Secure Score?

In the Microsoft Defender portal at security.microsoft.com, open Secure score from the left-hand navigation (under Exposure management in the current portal). A Security Reader or Global Reader role is enough to view it.

Why did my Microsoft Secure Score go down on its own?

Almost always because Microsoft added new improvement actions to the catalogue. That increases the total available points, so your existing points now represent a smaller percentage — even though your configuration did not change.

Is Microsoft Secure Score the same as a security assessment?

No. Secure Score measures how much of Microsoft's recommended configuration you have enabled, as a single weighted percentage. A security assessment — such as one against the CIS Microsoft 365 Foundations Benchmark — evaluates your tenant control by control against an independent standard, with pass/fail results, severity, and audit-ready evidence. See the Microsoft 365 security assessment guide.

Does a high Secure Score mean I'm CIS compliant?

Not necessarily. The two overlap, but Secure Score can credit a feature as "enabled" while it is incorrectly scoped — for example, an MFA policy that excludes several admins. A CIS Benchmark assessment checks each control specifically, so it catches gaps a high Secure Score can mask.
