
Most SMEs do not know how secure their Microsoft 365 environment really is. Microsoft Secure Score gives a concrete number, a priority list, and a roadmap. Read how to interpret your score, which five actions have the most impact, and how to manage it on a monthly cycle.
Most SMEs have Microsoft 365 and are convinced they are safe because Microsoft manages the cloud. What they often do not know is that a large share of the available security settings are either off by default or set to an insecure level. Microsoft Secure Score makes that gap visible — in one number you can look up in under a minute.
Secure Score is a free security meter that Microsoft has built into the Defender portal. It measures how many of the available recommendations your tenant has enabled, and returns a score expressed as a percentage of the achievable maximum. The higher the score, the smaller the attack surface you present to adversaries.
The score is built from three main categories. First, identity security: is multi-factor authentication enabled, are weak passwords blocked, are secure sign-in settings active in Entra ID? Second, device and application security: are devices enrolled in Intune, are there device compliance requirements, are suspicious applications blocked? Third, data policy: are sensitive files labelled, are rules in place to prevent data leaks, is audit logging active?
Each recommendation carries a point weight based on its protective value. A measure like enabling multi-factor authentication for all users yields more points than removing inactive test accounts. That weight helps you prioritise when you cannot address everything at once.
Open the Microsoft Defender portal at security.microsoft.com and go to Secure score in the left menu. You immediately see your current score, a historical graph, and the full list of recommended actions. That list is sorted by impact by default: how many points you gain by completing the action, set against the effort required.
Note the distinction between 'Action required' and 'Resolved through third party'. Some security measures are already handled by an external solution, such as a third-party spam filter or a separate endpoint security product. Microsoft lets you mark those as resolved, so they still count towards your score without having to implement them twice.
Five recommendations deliver the largest score increase for most SME environments relative to the effort involved.
First: enable multi-factor authentication for all administrators and users. This is the single most effective measure your tenant can take and it also yields the most Secure Score points. If you have not done this yet, start here. Every other security investment has limited value as long as accounts remain accessible without a second verification step.
Second: activate Microsoft Entra ID Protection, the risk detection for sign-ins. This feature detects impossible travel, sign-ins from suspicious locations, or login attempts with passwords that have appeared on the dark web, and automatically blocks them when the risk level is too high. For most Microsoft 365 Business Premium licences, this is available at no extra cost.
Third: enable the unified audit log via the Compliance portal. Without log records, you cannot reconstruct what happened after a security incident, when it happened, or who was involved. The setting is off by default in older tenants and can be activated with a single click.
Fourth: block legacy authentication protocols such as Basic Auth, POP3, and IMAP without modern authentication. These protocols do not support multi-factor authentication and are a frequently exploited attack route for automated password attempts. The block is configured via Conditional Access in Entra ID.
Fifth: set up a password policy that blocks weak and previously leaked passwords via Entra Password Protection. This applies to on-premises Active Directory in hybrid environments as well, where the protection is deployed to local domain controllers via an agent.
Two mistakes appear again and again in organisations actively working on their Secure Score. The first is score optimisation without real security gain. Some administrators quickly click through recommendations and mark them as accepted risk or resolved through a third party without any concrete measure behind it. The score rises; the security does not.
The second mistake is rolling out changes without testing the impact on users. Some recommendations, such as blocking legacy authentication protocols, can directly affect existing integrations or workflows — for example, a printer that sends email via SMTP with Basic Auth. Always test in a small group or test environment before deploying a change broadly.
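As an added example that is not part of the original post: this Microsoft Graph PowerShell snippet creates the legacy-authentication block from action four as a report-only Conditional Access policy, which is the test-first approach described above. The policy name and the break-glass account placeholder are assumptions; it requires the Microsoft.Graph.Identity.SignIns module and Entra ID P1.

```powershell
# Added example (not from the original post): block legacy authentication with a
# Conditional Access policy created in report-only mode, so the sign-in logs show
# what it would have blocked (such as a printer using SMTP with Basic Auth) before
# it is enforced. Assumes the Microsoft.Graph.Identity.SignIns module and Entra ID P1.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$policy = @{
    displayName = "Block legacy authentication (report-only pilot)"   # name is our choice
    # Report-only: evaluated and logged, never enforced. Change to "enabled" only
    # after the report-only results in the Entra sign-in logs have been reviewed.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # Legacy clients present themselves as Exchange ActiveSync or "other clients"
        # (POP3, IMAP, SMTP AUTH, older Office builds); modern-auth clients are untouched.
        clientAppTypes = @("exchangeActiveSync", "other")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers = @("All")
            # Placeholder: always exclude the emergency-access (break-glass) account
            # from block policies so a misconfiguration cannot lock out all admins.
            excludeUsers = @("<break-glass-account-object-id>")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy {0} in state {1}" -f $created.Id, $created.State
```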
The Secure Score portal shows a comparison with similar organisations by industry and size. A score above seventy percent is a realistic and achievable target for most SMEs. A score below forty percent points to fundamental gaps that deserve immediate attention, regardless of the comparison with others.
Keep in mind that the maximum score depends on your licence type. A Microsoft 365 Business Basic tenant has fewer available measures than a Business Premium tenant, which also includes Defender for Business, Intune, and Entra ID P1. The score is always relative to what is available and applicable within your environment.
Three actions for the next five working days. Open the Defender portal and note your current Secure Score and the ten recommendations with the highest point yield. Discuss with your IT administrator or partner which of the five actions listed above you can implement immediately without disrupting users. Then set a target: reach a specific percentage level within sixty days, and schedule a monthly review to track progress.
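As an added example, not the author's own tooling: a read-only Microsoft Graph PowerShell script for the monthly review. It prints the current score, the ten controls with the most points still to gain, and the controls marked as third-party or ignored, so the accepted-risk shortcut described earlier stays visible. It assumes the Microsoft.Graph.Security module and the SecurityEvents.Read.All permission.

```powershell
# Added example (not from the original post): a read-only monthly Secure Score review
# with Microsoft Graph PowerShell. Assumes the Microsoft.Graph.Security module.
Connect-MgGraph -Scopes "SecurityEvents.Read.All"

# Most recent daily snapshot: the overall score plus a score per control
$latest = Get-MgSecuritySecureScore -All |
    Sort-Object CreatedDateTime -Descending |
    Select-Object -First 1
$pct = if ($latest.MaxScore -gt 0) { [math]::Round(100 * $latest.CurrentScore / $latest.MaxScore, 1) } else { 0 }
"{0:yyyy-MM-dd}: {1} of {2} points ({3}%)" -f $latest.CreatedDateTime, $latest.CurrentScore, $latest.MaxScore, $pct

# Control profiles hold each control's maximum points, title and any state overrides;
# the snapshot's ControlName matches the profile Id
$profiles = @{}
Get-MgSecuritySecureScoreControlProfile -All | ForEach-Object { $profiles[$_.Id] = $_ }

# Remaining points per control: the "ten recommendations with the highest point yield"
$gaps = foreach ($c in $latest.ControlScores) {
    $p = $profiles[$c.ControlName]
    if ($null -eq $p -or $p.Deprecated) { continue }
    [pscustomobject]@{
        Control    = $c.ControlName
        Title      = $p.Title
        Category   = $c.ControlCategory
        Remaining  = [math]::Round($p.MaxScore - $c.Score, 1)
        UserImpact = $p.UserImpact   # Low/Moderate/High: weigh against disruption risk
    }
}
$gaps | Where-Object { $_.Remaining -gt 0 } |
    Sort-Object Remaining -Descending | Select-Object -First 10 | Format-Table -AutoSize

# Controls marked "Resolved through third party" or "Ignored" still count towards the
# score; each should have a named owner and a comment naming the real measure behind it
$overrides = foreach ($p in $profiles.Values) {
    $u = $p.ControlStateUpdates | Sort-Object UpdatedDateTime -Descending | Select-Object -First 1
    if ($u -and $u.State -in @('ThirdParty', 'Ignored')) {
        [pscustomobject]@{ Control = $p.Id; State = $u.State; UpdatedBy = $u.UpdatedBy; Comment = $u.Comment }
    }
}
$overrides | Format-Table -AutoSize
```

Run it on the same day each month and keep the two tables with the review notes; a control that moves from the first table to the second without a comment is the score-without-security pattern described above.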
Microsoft Secure Score is not a destination but a compass. The security landscape changes, new recommendations are added, and your organisation grows. Those who review and discuss the score monthly keep their security current without needing a large project every time. Want help interpreting your Secure Score, executing the highest-return actions, or setting up a monthly security programme? Contact Zarioh for a no-obligation conversation.
Zarioh Digital Solutions
IT specialists from Utrecht, the Netherlands. We help businesses with Microsoft 365, AI agents, hosting and telephony — and share what we learn in practice. Follow us on LinkedIn

Security