Microsoft 365 Security

Microsoft Secure Score: What It Means and How to Improve It

Microsoft Secure Score is a numerical measurement of your organisation's Microsoft 365 security posture. It works by assessing your tenant configuration against a set of recommended security actions and assigning points for each action completed. A h...

Overview

Microsoft Secure Score measures your M365 security configuration as a percentage of recommended settings implemented. The industry average is approximately 50%; above 70% indicates a well-hardened environment. High-impact improvements — MFA via Conditional Access, legacy authentication blocking, Defender for Business — should be prioritised over low-impact items that improve the score number without meaningfully reducing risk.

Learn about M365 security

You can see the live score in the Microsoft Defender portal, but the number is only useful once someone reads it the way an attacker would. That is the work this page explains — and it sits inside AMVIA's wider Microsoft 365 security service for UK SMEs, anchored to our Microsoft 365 security pillar.

What is Microsoft Secure Score?

Microsoft Secure Score measures your Microsoft 365 configuration against a set of recommended security actions, awarding points for each one you complete. It is shown as a fraction — for example, 245 of a possible 410 points — and as a percentage. A higher score signals a stronger configuration; a lower score points to specific, addressable gaps.

The score is available to every Microsoft 365 organisation through the Microsoft Defender portal (security.microsoft.com). It continuously assesses identity, devices, applications and data against Microsoft's recommended security practices. The total possible score varies by tenant, because it depends on which products and licences you have active — a Business Premium tenant has more available actions, and a higher ceiling, than a Business Standard one.

Secure Score is not a guarantee. A score of 80% does not mean you cannot be breached; it means your settings align well with Microsoft's guidance. A handful of identity and admin-protection actions carry far more real-world weight than their point value suggests, and those should be done first regardless of the number they move.

How is Microsoft Secure Score calculated?

Secure Score awards points for completing recommended actions, each with a point value set by its assessed security impact. Actions fall into three groups — identity, device, and application/data — and each one lists what it does, the effort to implement it, and a direct link to the right configuration page.

  • Identity actions (usually the highest value): enforce MFA for all users, require MFA for admins, block legacy authentication, enable Entra ID Protection risk policies, and cut the number of Global Administrators.
  • Device actions: enrol devices in Microsoft Intune, enforce compliance policies, enable BitLocker, keep Defender for Business active, and stay patched.
  • Application and data actions: enable Data Loss Prevention, configure Safe Links and Safe Attachments, restrict external sharing, and turn on audit logging.

Each action can be marked "planned", "risk accepted", or "resolved through third party" — so the score reflects deliberate decisions, not just unfinished work.

What is a good Microsoft Secure Score?

There is no universal "good" score, because the maximum varies by licence and tenant. As a working benchmark for UK SMEs, below 30% signals significant gaps that need urgent attention, 30–50% is typical of a tenant nobody has actively hardened, 50–70% is a reasonable baseline, and above 70% reflects an actively managed posture.

Score bandWhat it usually meansPriority
Below 30%Major controls missingUrgent
30–50%Default / unreviewed tenantHigh
50–70%Key controls in place, gaps remainMedium
Above 70%Actively managed postureMaintain
Above 80%Mature config, full Premium capabilityMaintain

Microsoft's data suggests the average score across its customer base is around 35–40% (2025 Microsoft data). Most UK SME tenants AMVIA audits come in between 25% and 50% on initial assessment in 2026, with MFA enforcement and device management the most common gaps. Fixing those two areas — through MFA setup in Microsoft 365 and Intune enrolment — moves the score more than any other change.

Which Secure Score actions have the highest impact for UK SMEs?

Not all actions are equal. A small set of identity and endpoint controls carries most of the real-world risk reduction, so prioritise these before chasing low-value points. The National Cyber Security Centre rates multi-factor authentication as one of the single most effective defences a business can deploy.

  • Require MFA for all users (very high impact). Enforcing MFA through Conditional Access is consistently the highest-impact action available. Microsoft's own research shows MFA blocks over 99.9% of automated credential attacks. This can add 10–20 points depending on tenant size.
  • Block legacy authentication (high impact). Basic auth on SMTP, POP3 and IMAP cannot support MFA, and attackers target it to slip past MFA you think is enforced. Blocking it typically adds 10–15 points.
  • Reduce Global Administrator accounts (high impact). Each admin account is a target; a compromised Global Admin owns the tenant. Keep two to four dedicated admin accounts and use Privileged Identity Management for just-in-time access.
  • Enrol devices in Microsoft Intune (high impact). Devices with verified encryption, patching and antivirus status feed multiple device-scoring actions.
  • Enable Microsoft Defender for Business (high impact). Defender must run in active mode — not passive — across all endpoints for these actions to score.
  • Configure Safe Links and Safe Attachments (medium impact). Defender for Office 365 (Plan 1), included in Business Premium, scans URLs in real time and sandboxes attachments. Enable these in protection mode, not audit mode.

Which Secure Score actions can SMEs safely decline?

Some actions suit large enterprises but add friction or risk for a 10–500 staff business. Secure Score's "risk accepted" option lets you formally record a reviewed decision not to implement an action, so it stops dragging your score down indefinitely without hiding the choice.

  • Excess Global Administrators: the right number is two to four — not one, and not ten. Use Conditional Access and PIM rather than spreading admin rights.
  • Unified Audit Log: always enable this — accept no risk here.
  • Blanket SharePoint external-sharing locks: scope restrictions to the data that needs them; the most restrictive setting can break legitimate workflows.

The point is to harden against real attacks, not to optimise a number for its own sake. That judgement is exactly what a managed provider brings.

How does AMVIA improve your Microsoft Secure Score?

AMVIA starts with a full Microsoft 365 security audit that captures your current score, the actions available in your tenant, and a prioritised roadmap ordered by security impact, business risk and effort. We then implement and maintain the configuration on an ongoing basis, tracking the score month over month and adding new recommendations as Microsoft releases them — one provider, security-first, Microsoft-certified.

Typical outcomes for AMVIA clients within the first 90 days:

  • Secure Score lifted from an average of 32% to above 65%
  • MFA enforced across all user accounts
  • Legacy authentication blocked
  • Device compliance policies active via Microsoft Intune
  • Defender for Business deployed across all endpoints
  • Safe Links and Safe Attachments in protection mode

These changes cut the risk of credential compromise, ransomware, phishing and data loss — and they sit alongside the round-the-clock monitoring in our broader managed cybersecurity service. AMVIA holds Cyber Essentials Plus, so the controls we recommend are the ones we run ourselves.

In-house vs AMVIA-managed Secure Score

In-house, ad hocAMVIA managed
Review cadenceWhen someone remembersMonthly, reported
Action prioritisationBy point valueBy real-world risk
New Microsoft recommendationsOften missedAssessed as released
ImplementationCompeting with day jobMicrosoft-certified engineers
Evidence for auditsReconstructed laterTracked month over month

Key Points

What UK businesses need to know about Microsoft Secure Score.

Score Reflects Configuration

Secure Score checks your actual M365 settings in real time — it increases immediately when you implement a recommendation and decreases if a control is removed.

Impact Matters More Than Score

MFA enforcement, legacy authentication blocking, and Defender for Business configuration are worth more in real security terms than optimising low-impact recommendations to chase a higher number.

Licence Tier Affects Maximum Score

Business Premium tenants have more available points than Business Basic — because Business Premium includes more security features that can be configured and scored.

Quarterly Review Keeps Score Current

Microsoft adds new recommendations over time. A score that was good six months ago may have slipped. Regular review ensures new recommendations are assessed and implemented.

Secure Score Improvement Checklist

MFA enabled for all users via Conditional Access — highest-impact single improvement

Legacy authentication blocked — eliminates the most common MFA bypass

MFA required for all admin roles — protects highest-value accounts

Defender for Business enabled and configured — not just installed

Safe Attachments and Safe Links enabled with appropriate policies

Anti-phishing policy configured with impersonation protection

Audit logging enabled with appropriate retention

Secure Score reviewed quarterly — new recommendations assessed and prioritised

Frequently Asked Questions

Improve Your Microsoft Secure Score

AMVIA reviews your M365 Secure Score, identifies the highest-impact improvements for your licence tier, and implements them as part of a structured M365 security engagement.