Posey's Tips & Tricks
Make Secure Score Work for You, Part 1: Shoot for Almost Perfect
Use Microsoft 365 Secure Score as a strategic guide rather than a numbers game, focusing on balance and meaningful risk reduction over chasing a perfect score.
Whenever someone asks me how best to secure their Microsoft 365 environment, I usually tell them to start by taking a look at Secure Score. For those who might not be familiar with Secure Score, it's a native Microsoft 365 tool that is designed to help organizations figure out what they can do to make their Microsoft 365 tenant more secure.
The tool provides various recommendations, each with a metric associated with it. This metric acts as an indication of how important Microsoft considers the recommendation to be. A recommendation with a lot of points associated with it, for example, is arguably more important than a recommendation that comes with a smaller number of points.
While the points associated with Secure Score recommendations are undoubtedly useful, the point system often causes organizations to fall into the trap of trying to accumulate the highest possible number of points, rather than using Secure Score as a part of a broader initiative. In fact, it has been said that the organizations that make the best use of Secure Score aren't necessarily the ones who achieve the highest score. Instead, the organizations that receive the best outcomes are those who use Secure Score as a starting point, enabling them to have better security discussions and ultimately, to make better decisions based on perceived risk.
So why is going after a high score such a bad thing? Doesn't a higher score mean better overall security and better adherence to established best practices? In many cases, yes. But problems can arise when an organization's priority shifts from improving security to just improving the score.
In recent years, I have occasionally heard well-intentioned IT pros say things like, “we turned on this particular setting because it raised our score by ten points”. This type of statement makes it almost seem like the organization is more interested in optics than outcome, enabling a security feature just to check a box rather than because of what enabling the feature accomplishes. Such situations also raise the question of whether the person who is enabling the feature fully understands the ramifications, or whether they are simply trusting Secure Score to give them good advice.
Even though it is important to avoid treating Secure Score solely as a numbers game, that does not mean that the tool lacks value. At the very beginning of this blog post, I mentioned that when people ask me how best to secure their Microsoft 365 environment, I usually point them to Secure Score. Needless to say, I wouldn't make such a recommendation if I thought that the tool was worthless. The trick to getting value from Secure Score is to use it strategically as opposed to treating it like a checklist. So with that in mind, let's take a look at some best practices that can help you to make the most of Secure Score.
The first best practice that I want to mention is that it probably is not in your organization's best interest to get a score of 100 percent. If you lock down Microsoft 365 to the point where you are using every possible security mechanism, the platform will become significantly less usable. Rather than going after the highest possible score, it's better to approach Microsoft 365 security as a balancing act. You need to make the platform sufficiently secure to keep attackers at bay and to keep the auditors happy, but you must also avoid locking things down so tightly that it becomes impossible for end users to do their jobs.
And speaking of balancing acts, the second best practice is also all about achieving a balance. It's not uncommon for Secure Score to list dozens of recommended actions, especially when you are just starting out. A lot of organizations instinctively gravitate toward the recommendations that will yield the highest number of points or those that are likely to be the easiest to implement. However, it is better to review all of the recommendations and prioritize those that address a direct need. For example, you might choose to start with the actions that will best reduce the attack surface across identity and devices. Those particular actions probably aren't going to be quick and easy to implement. They might even require significant planning. Ultimately, however, they will probably align more closely with your organization's security requirements than some of the other checklist items will.
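To make the two best practices above concrete, here is an added example (my illustration, not code from the article or from Microsoft) that ranks a list of pending Secure Score actions by the area they harden rather than by the points they award, and flags the ones whose user impact calls for planning before you flip the switch. The field names are modelled on Microsoft Graph's secureScoreControlProfile resource (title, controlCategory, maxScore, userImpact, implementationCost); that mapping, and the category priority order, are assumptions you would adjust to your own risk picture, and the records are constructed sample data.

```python
"""Prioritize Secure Score actions by need, not by points (illustrative)."""
from dataclasses import dataclass

# Assumption: fields mirror Graph's secureScoreControlProfile so real tenant
# data could be loaded into this shape; the SAMPLE records below are constructed.
@dataclass
class Recommendation:
    title: str
    control_category: str      # "Identity", "Device", "Data", "Apps", ...
    max_score: float           # points Secure Score awards for completing it
    user_impact: str           # "Low", "Moderate" or "High"
    implementation_cost: str   # "Low", "Moderate" or "High"
    implemented: bool = False

# Assumed priority: identity and device controls shrink the attack surface
# most, so they sort first regardless of how many points they carry.
CATEGORY_PRIORITY = {"Identity": 0, "Device": 1, "Data": 2, "Apps": 3}


def pending(recs):
    """Only actions that are not yet implemented need a decision."""
    return [r for r in recs if not r.implemented]


def rank_by_points(recs):
    """The 'numbers game' ordering the article warns about."""
    return sorted(pending(recs), key=lambda r: -r.max_score)


def rank_by_need(recs):
    """Order by attack-surface relevance first; points only break ties."""
    return sorted(
        pending(recs),
        key=lambda r: (CATEGORY_PRIORITY.get(r.control_category, 99), -r.max_score),
    )


def needs_planning(rec):
    """High user impact or high cost means plan and pilot before enabling."""
    return rec.user_impact == "High" or rec.implementation_cost == "High"


def build_plan(recs):
    """Return (position, title, 'plan first' or 'quick win') for each pending action."""
    return [
        (i + 1, r.title, "plan first" if needs_planning(r) else "quick win")
        for i, r in enumerate(rank_by_need(recs))
    ]


# Constructed sample data (titles are illustrative, not Microsoft's wording).
SAMPLE = [
    Recommendation("Require MFA for privileged roles", "Identity", 10, "Low", "Low"),
    Recommendation("Block legacy authentication", "Identity", 8, "High", "Moderate"),
    Recommendation("Require compliant devices for access", "Device", 7, "High", "High"),
    Recommendation("Turn on mailbox auditing", "Data", 15, "Low", "Low"),
    Recommendation("Enable attachment scanning", "Apps", 5, "Low", "Low", implemented=True),
]

if __name__ == "__main__":
    print("By points:", [r.title for r in rank_by_points(SAMPLE)])
    for position, title, note in build_plan(SAMPLE):
        print(f"{position}. {title} ({note})")
```

Run against the sample, the points-first ordering puts the 15-point auditing change at the top, while the need-first ordering starts with the identity controls and labels the legacy-authentication and device-compliance actions as work to plan rather than quick wins, which is the distinction the article is drawing.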
There are actually quite a few more best practices that can help you to get the most out of Secure Score. I will explore some more of these recommendations in Part 2.
About the Author
Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.