The number everyone quotes

Microsoft Secure Score, explained, with real UK benchmarks

Microsoft Secure Score is a percentage rating of your tenant against Microsoft's recommended security actions. Useful, misunderstood, and meaningless without context. This page explains what it measures, publishes what real UK tenants actually score, and ranks the improvements that move it for the right reasons.

What it measures

A score of recommendations, not of security

Secure Score lives in the Microsoft Defender portal and awards points for each of Microsoft's recommended actions your tenant satisfies: enforcing MFA, blocking legacy authentication, enabling auditing and a few hundred others across identity, devices, apps and data. Your percentage is points earned over points available.

Two things follow. First, the denominator depends on your licences, so scores are only comparable between similar tenants. Second, the score measures adoption, not correctness: it cannot see that a policy exists but excludes half the company, or that your SharePoint sharing would horrify your clients. Both are routine findings in tenants with respectable scores.

The question nobody answers

What is a good Microsoft Secure Score?

Microsoft publishes no target and most guides dodge the question. We assess UK tenants continuously, so we publish what we see. Figures are anonymised medians across assessed tenants, refreshed quarterly.

REPLACE_WITH_BENCHMARK_MEDIAN

Median UK SME tenant, first assessment

REPLACE_WITH_BENCHMARK_RANGE

Typical range across assessed tenants

REPLACE_WITH_BENCHMARK_AFTER

Median after the priority fixes land

Read the numbers with the licensing caveat above: a tenant with more Microsoft security products owns a bigger denominator, so identical percentages on different licence tiers mean different things. The assessment reports your score against tenants like yours.

Moving it properly

How to improve your Secure Score, ranked by real impact

Microsoft's own list weights by its point values. This ranking weights by what reduces breach likelihood in the tenants we assess.

1

Enforce MFA properly, not nominally

The single largest score movement in most tenants: registered MFA is not enforced MFA. Conditional Access policies that require it everywhere, with legacy authentication blocked, move both the score and the actual risk.

2

Close the legacy authentication door

Old protocols like IMAP and SMTP basic auth bypass MFA entirely. Blocking them is high-scoring, high-impact and occasionally breaks an ancient scanner or copier, which is why it needs a considered rollout rather than a switch-flip.

3

Rein in admin roles

Global Administrator counts creep upward in every tenant we assess. Trimming to the few who need it, with emergency access accounts done properly, scores well and matters more.

4

Turn on the recording

Unified audit logging and mailbox auditing cost nothing and score quickly. More importantly, they are the difference between investigating an incident and guessing about one.

5

Be sceptical of licence-shaped points

Some recommendations exist mainly to sell a higher licence tier. A consultant's read separates the points worth buying from the points worth skipping, which is exactly where the score alone misleads.

Quick answers

Secure Score questions, answered

What is a Microsoft Secure Score?

A percentage Microsoft calculates for your tenant against its catalogue of recommended security actions: the more recommendations you satisfy, the higher the score. It lives in the Microsoft Defender portal and covers identity, devices, apps and data. It is a useful directional signal, not a security guarantee.

What is a good Microsoft Secure Score?

Microsoft publishes no target, and the real answer depends on licence tier, workloads and size, because the denominator changes with what you own. That is why we publish real benchmark figures from assessed UK tenants on this page rather than repeating a folk number. Anything below the typical range we see deserves attention; well above it, the remaining points are usually licence-driven.

How do I improve my Microsoft Secure Score?

Start with the five improvements on this page: enforced MFA, legacy authentication blocked, admin roles trimmed, auditing on, and a sceptical eye on licence-shaped recommendations. Then work the remaining actions by impact and effort rather than by Microsoft's point values, which weight some low-risk items generously.

Does a high Secure Score mean the tenant is secure?

No. The score measures adoption of Microsoft's recommendations, not the correctness of your configuration in context: a tenant can score respectably while an over-shared SharePoint estate leaks client files. That gap between score and reality is precisely what an expert assessment examines.

What the assessment covers

What about the Azure secure score?

Defender for Cloud maintains a separate score for your Azure estate, built on the same idea with the same caveats. The Azure assessment page covers it in context.

The Azure assessment

3D illustration of a rocket launching, representing a Microsoft 365 security assessment getting started

Beyond the percentage

Get your score put into context

The assessment benchmarks your Secure Score against comparable UK tenants and tells you which of your missing points actually matter. Book a free 45 minute scoping call.