Posey's Tips & Tricks

Make Secure Score Work For You, Part 2

Weigh Microsoft 365 Secure Score recommendations by balancing security impact, user experience, cost and acceptable risk to build a strategy that fits your organization.

In the first part of this article series, I began discussing some best practices that you can use to get the maximum benefit from Microsoft 365 Secure Score. Now, I want to continue the discussion by sharing some more best practices.

In my previous post, I mentioned that security usually involves a balancing act. You need to make things secure enough to keep the attackers out and to keep the auditors happy, but you also need to avoid configurations that will make it difficult for users to do their jobs. As important as these considerations might be, however, there are some other things to consider as a part of this security balancing act.

When deciding whether or not to implement a Secure Score recommendation, there are several criteria that you should consider. These include the security impact, the user impact, the cost, and the level of risk.

It can be difficult to assess the true security impact associated with a Secure Score recommendation. That being the case, my advice would be to defer to Microsoft for this part of the equation. If Microsoft has associated a lot of points with a particular recommendation, then it is a good bet that implementing the recommendation is impactful from a security standpoint.

The second consideration that you have to take into account is the user impact. There are some security configuration changes that you can make that are entirely behind the scenes and that your users will be completely oblivious to. Other changes have a direct impact on users. For example, if you were to begin requiring multifactor authentication, then that change will require users to log into the platform in a way that is different from what has been done in the past. Of course, just because a change requires users to do things a little bit differently does not mean that the change is bad. You do, however, need to make sure that any new security requirements are not overly burdensome on your end users.

The third consideration that must be taken into account when implementing a Secure Score recommendation is the cost associated with the action. Yes, you have to think about the administrative effort required and the amount of time that will need to be spent on implementing and testing the recommended action, but that is not really what I am talking about.

As I am sure you probably know, there is no such thing as an all-inclusive Microsoft 365 license. Microsoft offers numerous add-ons that can further enhance your security - for a price. At least some of the recommendations that are provided by Secure Score require add-on licenses. As such, you will have to consider whether the security benefit derived from purchasing additional licenses justifies the cost. In my own organization, for example, I was receiving a lot of malicious email messages and there was a very real risk that I might accidentally click on something that I shouldn’t. As such, I purchased a Microsoft Defender for Office 365 (Plan 2) license. Even though this license presented an additional cost, the cost was easily justifiable when weighed against the cost of a ransomware attack.

Of course, the opposite might be true as well. There may be add-on features that would do very little to help your organization based on the way that your organization operates. It’s ultimately up to you to figure out if a security add-on will be beneficial or not.

Finally, you will need to consider the level of risk that you are incurring by not implementing a particular security recommendation. You will then have to decide whether the organization is prepared to accept that risk, or if the risk needs to be mitigated.

When assessing risks, there are two main things that you need to consider. First, you have to think about what could potentially happen if a risk were to come to fruition. Second, you need to consider the likelihood of the risk occurring. Let me give you a really silly example. When I cook dinner, there is a risk that when I turn on the stove, the fire will burn my house down. When viewed purely through the “what could happen” lens, this risk seems catastrophic. At the same time, however, you have to consider the likelihood of the risk coming to fruition. In this particular example, I have lived in my home for nearly 20 years, I use the stove every day, and igniting the burner has not caused a fire yet. As such, a potentially catastrophic risk does theoretically exist, but the odds of the worst case happening are minuscule. Therefore, I am willing to accept the risk.

This is the same sort of mindset that needs to be used when evaluating security risks. By not turning on multifactor authentication, for example, there is a risk of an account takeover attack. Those types of attacks happen every day, so the chances of the risk coming to fruition are quite high. As such, enabling multifactor authentication is likely going to be a high priority.

At the same time, though, don’t be afraid to accept the risk associated with ignoring a Secure Score recommendation, so long as you can justify your inaction. You might determine, for instance, that a risk just isn’t serious enough, or that the implementation cost is too high. The important thing is to be able to provide a well-documented explanation if someone were to question your decision.
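As an added illustration of the four criteria discussed above (this is not code from the original article or from Microsoft), here is a small Python script that turns them into a written accept-or-mitigate decision for each recommendation, ordered the way the article suggests: Microsoft's points stand in for security impact, risk is likelihood times consequence, and a recommendation is accepted only when the risk falls below a stated appetite or the license cost exceeds the expected loss. All point values, costs and probabilities are constructed for illustration and are not Microsoft's actual figures.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Recommendation:
    name: str
    points: int          # Secure Score points Microsoft assigns (proxy for security impact)
    user_impact: int     # 0 = invisible to users ... 3 = changes how everyone signs in
    annual_cost: float   # yearly add-on license cost in currency units (0 if already licensed)
    likelihood: float    # estimated probability per year that the threat materialises if ignored
    consequence: float   # estimated loss in currency units if it does


def expected_loss(rec: Recommendation) -> float:
    """Risk = how likely it is to happen x how bad it would be (the stove example)."""
    return rec.likelihood * rec.consequence


def decide(rec: Recommendation, risk_appetite: float) -> dict:
    """Return a decision record carrying the justification an auditor would ask for."""
    loss = expected_loss(rec)
    if loss < risk_appetite:
        status, reason = "accept", f"expected annual loss {loss:,.0f} is below risk appetite {risk_appetite:,.0f}"
    elif rec.annual_cost > loss:
        status, reason = "accept", f"license cost {rec.annual_cost:,.0f}/yr exceeds expected annual loss {loss:,.0f}"
    else:
        status, reason = "mitigate", f"expected annual loss {loss:,.0f} justifies cost {rec.annual_cost:,.0f}/yr"
    return {"name": rec.name, "points": rec.points, "user_impact": rec.user_impact,
            "expected_loss": loss, "decision": status, "justification": reason}


def prioritise(recs, risk_appetite: float = 1_000.0) -> list:
    """Mitigations first, highest Secure Score points first, least user disruption breaking ties."""
    records = [decide(r, risk_appetite) for r in recs]
    return sorted(records, key=lambda d: (d["decision"] != "mitigate", -d["points"], d["user_impact"]))


# Constructed sample data: every number here is hypothetical.
SAMPLE = [
    Recommendation("Require MFA for all users", 10, 3, 0, 0.50, 50_000),
    Recommendation("Add Defender for Office 365 Plan 2", 5, 0, 1_800, 0.20, 100_000),
    Recommendation("Add-on for a feature nobody uses", 3, 1, 6_000, 0.10, 30_000),
    Recommendation("Tighten an unused legacy setting", 2, 2, 0, 0.01, 5_000),
]

if __name__ == "__main__":
    for d in prioritise(SAMPLE):
        print(f'{d["decision"]:8} {d["name"]:36} {d["justification"]}')
```

Each accepted item keeps the reason it was accepted, which is the documentation you will want if the decision is later questioned.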

About the Author

Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.
