Microsoft Secure Score: What It Means and How to Improve It
Microsoft Secure Score is a numerical measurement of your organisation's Microsoft 365 security posture. It works by assessing your tenant configuration against a set of recommended security actions and assigning points for each action completed. A h...
Overview
Microsoft Secure Score measures your M365 security configuration as a percentage of recommended settings implemented. The industry average is approximately 50%; above 70% indicates a well-hardened environment. High-impact improvements — MFA via Conditional Access, legacy authentication blocking, Defender for Business — should be prioritised over low-impact items that improve the score number without meaningfully reducing risk.
Learn about M365 securityYou can see the live score in the Microsoft Defender portal, but the number is only useful once someone reads it the way an attacker would. That is the work this page explains — and it sits inside AMVIA's wider Microsoft 365 security service for UK SMEs, anchored to our Microsoft 365 security pillar.
What is Microsoft Secure Score?
Microsoft Secure Score measures your Microsoft 365 configuration against a set of recommended security actions, awarding points for each one you complete. It is shown as a fraction — for example, 245 of a possible 410 points — and as a percentage. A higher score signals a stronger configuration; a lower score points to specific, addressable gaps.
The score is available to every Microsoft 365 organisation through the Microsoft Defender portal (security.microsoft.com). It continuously assesses identity, devices, applications and data against Microsoft's recommended security practices. The total possible score varies by tenant, because it depends on which products and licences you have active — a Business Premium tenant has more available actions, and a higher ceiling, than a Business Standard one.
Secure Score is not a guarantee. A score of 80% does not mean you cannot be breached; it means your settings align well with Microsoft's guidance. A handful of identity and admin-protection actions carry far more real-world weight than their point value suggests, and those should be done first regardless of the number they move.
How is Microsoft Secure Score calculated?
Secure Score awards points for completing recommended actions, each with a point value set by its assessed security impact. Actions fall into three groups — identity, device, and application/data — and each one lists what it does, the effort to implement it, and a direct link to the right configuration page.
- Identity actions (usually the highest value): enforce MFA for all users, require MFA for admins, block legacy authentication, enable Entra ID Protection risk policies, and cut the number of Global Administrators.
- Device actions: enrol devices in Microsoft Intune, enforce compliance policies, enable BitLocker, keep Defender for Business active, and stay patched.
- Application and data actions: enable Data Loss Prevention, configure Safe Links and Safe Attachments, restrict external sharing, and turn on audit logging.
Each action can be marked "planned", "risk accepted", or "resolved through third party" — so the score reflects deliberate decisions, not just unfinished work.
What is a good Microsoft Secure Score?
There is no universal "good" score, because the maximum varies by licence and tenant. As a working benchmark for UK SMEs, below 30% signals significant gaps that need urgent attention, 30–50% is typical of a tenant nobody has actively hardened, 50–70% is a reasonable baseline, and above 70% reflects an actively managed posture.
| Score band | What it usually means | Priority |
|---|---|---|
| Below 30% | Major controls missing | Urgent |
| 30–50% | Default / unreviewed tenant | High |
| 50–70% | Key controls in place, gaps remain | Medium |
| Above 70% | Actively managed posture | Maintain |
| Above 80% | Mature config, full Premium capability | Maintain |
Microsoft's data suggests the average score across its customer base is around 35–40% (2025 Microsoft data). Most UK SME tenants AMVIA audits come in between 25% and 50% on initial assessment in 2026, with MFA enforcement and device management the most common gaps. Fixing those two areas — through MFA setup in Microsoft 365 and Intune enrolment — moves the score more than any other change.
Which Secure Score actions have the highest impact for UK SMEs?
Not all actions are equal. A small set of identity and endpoint controls carries most of the real-world risk reduction, so prioritise these before chasing low-value points. The National Cyber Security Centre rates multi-factor authentication as one of the single most effective defences a business can deploy.
- Require MFA for all users (very high impact). Enforcing MFA through Conditional Access is consistently the highest-impact action available. Microsoft's own research shows MFA blocks over 99.9% of automated credential attacks. This can add 10–20 points depending on tenant size.
- Block legacy authentication (high impact). Basic auth on SMTP, POP3 and IMAP cannot support MFA, and attackers target it to slip past MFA you think is enforced. Blocking it typically adds 10–15 points.
- Reduce Global Administrator accounts (high impact). Each admin account is a target; a compromised Global Admin owns the tenant. Keep two to four dedicated admin accounts and use Privileged Identity Management for just-in-time access.
- Enrol devices in Microsoft Intune (high impact). Devices with verified encryption, patching and antivirus status feed multiple device-scoring actions.
- Enable Microsoft Defender for Business (high impact). Defender must run in active mode — not passive — across all endpoints for these actions to score.
- Configure Safe Links and Safe Attachments (medium impact). Defender for Office 365 (Plan 1), included in Business Premium, scans URLs in real time and sandboxes attachments. Enable these in protection mode, not audit mode.
Which Secure Score actions can SMEs safely decline?
Some actions suit large enterprises but add friction or risk for a 10–500 staff business. Secure Score's "risk accepted" option lets you formally record a reviewed decision not to implement an action, so it stops dragging your score down indefinitely without hiding the choice.
- Excess Global Administrators: the right number is two to four — not one, and not ten. Use Conditional Access and PIM rather than spreading admin rights.
- Unified Audit Log: always enable this — accept no risk here.
- Blanket SharePoint external-sharing locks: scope restrictions to the data that needs them; the most restrictive setting can break legitimate workflows.
The point is to harden against real attacks, not to optimise a number for its own sake. That judgement is exactly what a managed provider brings.
How does AMVIA improve your Microsoft Secure Score?
AMVIA starts with a full Microsoft 365 security audit that captures your current score, the actions available in your tenant, and a prioritised roadmap ordered by security impact, business risk and effort. We then implement and maintain the configuration on an ongoing basis, tracking the score month over month and adding new recommendations as Microsoft releases them — one provider, security-first, Microsoft-certified.
Typical outcomes for AMVIA clients within the first 90 days:
- Secure Score lifted from an average of 32% to above 65%
- MFA enforced across all user accounts
- Legacy authentication blocked
- Device compliance policies active via Microsoft Intune
- Defender for Business deployed across all endpoints
- Safe Links and Safe Attachments in protection mode
These changes cut the risk of credential compromise, ransomware, phishing and data loss — and they sit alongside the round-the-clock monitoring in our broader managed cybersecurity service. AMVIA holds Cyber Essentials Plus, so the controls we recommend are the ones we run ourselves.
In-house vs AMVIA-managed Secure Score
| In-house, ad hoc | AMVIA managed | |
|---|---|---|
| Review cadence | When someone remembers | Monthly, reported |
| Action prioritisation | By point value | By real-world risk |
| New Microsoft recommendations | Often missed | Assessed as released |
| Implementation | Competing with day job | Microsoft-certified engineers |
| Evidence for audits | Reconstructed later | Tracked month over month |
Key Points
What UK businesses need to know about Microsoft Secure Score.
Score Reflects Configuration
Secure Score checks your actual M365 settings in real time — it increases immediately when you implement a recommendation and decreases if a control is removed.
Impact Matters More Than Score
MFA enforcement, legacy authentication blocking, and Defender for Business configuration are worth more in real security terms than optimising low-impact recommendations to chase a higher number.
Licence Tier Affects Maximum Score
Business Premium tenants have more available points than Business Basic — because Business Premium includes more security features that can be configured and scored.
Quarterly Review Keeps Score Current
Microsoft adds new recommendations over time. A score that was good six months ago may have slipped. Regular review ensures new recommendations are assessed and implemented.
Secure Score Improvement Checklist
MFA enabled for all users via Conditional Access — highest-impact single improvement
Legacy authentication blocked — eliminates the most common MFA bypass
MFA required for all admin roles — protects highest-value accounts
Defender for Business enabled and configured — not just installed
Safe Attachments and Safe Links enabled with appropriate policies
Anti-phishing policy configured with impersonation protection
Audit logging enabled with appropriate retention
Secure Score reviewed quarterly — new recommendations assessed and prioritised
Frequently Asked Questions
Microsoft Secure Score is a numerical measure of your Microsoft 365 security configuration. It awards points for completed security actions — settings, policies and features Microsoft recommends enabling — and shows the result as a fraction of the total points available for your licence tier. A higher score means more recommended controls are in place.
For a Business Premium tenant, above 65% is a reasonable target showing major controls are in place, and above 75% reflects a strong, actively managed configuration. Most UK SMEs start lower on their first audit. The exact target depends on your licence, because the maximum possible score changes with the products you have active.
No single number guarantees security. A high score means your Microsoft 365 configuration aligns with Microsoft's recommended practices, which meaningfully shrinks your attack surface. It does not cover risks outside Microsoft 365 — unmanaged devices, network security, or physical security — so treat it as one important indicator within a broader security programme.
Enforcing MFA, blocking legacy authentication, and reducing Global Administrator accounts carry the highest combined security impact and point value for most tenants. Microsoft Intune device enrolment and Defender for Business deployment are the next tier. Prioritising these protects the accounts and endpoints attackers target first, rather than chasing low-value points.
Microsoft Secure Score updates continuously — most actions reflect a configuration change within 24 hours of detection. Some device-related actions can take up to 48 hours to appear. Because Microsoft adds new recommendations over time, a score that looked healthy six months ago can slip, so review it on a regular cadence.
Yes. Secure Score monitoring and improvement are a standard part of AMVIA's managed Microsoft 365 service. We review the score monthly, implement recommended actions, and provide a report showing score progression and the security improvements made — so you see both the number moving and the risk it reflects coming down.
Improve Your Microsoft Secure Score
AMVIA reviews your M365 Secure Score, identifies the highest-impact improvements for your licence tier, and implements them as part of a structured M365 security engagement.
Related Resources
Microsoft 365 Security Services
Microsoft 365 Security Services
Microsoft 365 Security Audit
Microsoft 365 Security Audit
Conditional Access in Microsoft 365
Conditional Access in Microsoft 365
Microsoft Intune for Business
Microsoft Intune for Business