Microsoft Secure Score Explained: What We Find in Every Tenant Audit
Microsoft gives every tenant a Secure Score. It's a number, updated every day, that tells you how far off you are from Microsoft's own security recommendations. Most business owners have never opened it. Most IT companies don't bring it up because they don't want you to see it.
If you've got a 30, you can see your problem. If you've got a 90, congrats. You nailed the Microsoft side. That's about 10% of the real picture though, and we'll get to that part too.
Every single thing in this article is something we've found on a real tenant. Not once, multiple times. Same patterns over and over. Of every Microsoft 365 tenant I've personally walked into, I've yet to find one that's perfect. Some are bad, some are pretty good, but none have been fully dialed in.
What Microsoft Secure Score Actually Is
Microsoft is basically grading you every day on how far off you are from their own recommendations. Free. Built right in. Live updates. The score shows up two ways: a percentage, and a raw point total. The total possible varies a little depending on what licenses you've got, but the scale is the same idea everywhere.
The points come from things Microsoft calls "recommended actions." Turn on MFA for all admins, several points. Kill legacy authentication, more points. Require compliant devices, more still. Your score is the sum of what you've done over the sum of what they're recommending.
Most of the small businesses we audit have never opened the page. A lot of the IT companies we replace can't pull the number up either, or they can but they don't want to.
How to Check Your Score
Takes about thirty seconds:
- Sign in to security.microsoft.com with an admin account.
- Left nav, click Exposure management, then Secure score.
- You'll see your number on the dashboard, both as a percentage and a point total.
- Click Recommended actions for the full list, ranked by impact.
- Filter by category (Identity, Device, Apps, Data) to see where the gaps are.
That's it. If your IT guy can't pull this up on a screen share with you, that's its own answer.
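The same numbers can be pulled without the portal. This is an added example, not code from the article or from McNallan; it assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in admin can consent to SecurityEvents.Read.All.

```powershell
# Added example (not from the article): read the tenant's current Secure Score
# and the biggest remaining gaps through Microsoft Graph instead of the portal.
# Assumes the Microsoft.Graph PowerShell SDK and consent to SecurityEvents.Read.All.
Connect-MgGraph -Scopes "SecurityEvents.Read.All" -NoWelcome

# Microsoft publishes one score record per day; take the newest one.
$score = Get-MgSecuritySecureScore -Top 7 |
    Sort-Object CreatedDateTime -Descending | Select-Object -First 1
$pct = [math]::Round(100 * $score.CurrentScore / $score.MaxScore, 1)
"{0}: {1} of {2} points ({3}%)" -f $score.CreatedDateTime.ToString('yyyy-MM-dd'), $score.CurrentScore, $score.MaxScore, $pct

# Points earned per control, keyed by control name.
$earned = @{}
foreach ($c in $score.ControlScores) { $earned[$c.ControlName] = [double]$c.Score }

# Control profiles carry the maximum for each control; the difference is what is left on the table.
$gaps = Get-MgSecuritySecureScoreControlProfile -All |
    Where-Object { -not $_.Deprecated } |
    ForEach-Object {
        $have = if ($earned.ContainsKey($_.Id)) { $earned[$_.Id] } else { 0 }
        [pscustomobject]@{
            Category   = $_.ControlCategory
            Control    = $_.Title
            PointsLeft = [math]::Round($_.MaxScore - $have, 1)
        }
    } | Where-Object { $_.PointsLeft -gt 0 }

# Same view as "Recommended actions" ranked by impact, then a per-category total
# (Identity, Device, Apps, Data) so you can see where the gaps are.
$gaps | Sort-Object PointsLeft -Descending | Select-Object -First 15 | Format-Table -AutoSize
$gaps | Group-Object Category |
    Select-Object Name, @{n='PointsLeft'; e={ ($_.Group | Measure-Object PointsLeft -Sum).Sum }} |
    Format-Table -AutoSize
```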
What a Good Score Looks Like
There's no magic number, but here's roughly what we see in the wild:
- Under 40%: Default. This is what we walk into almost every time. Hundreds of recommendations sitting there and nobody touched any of them.
- 40 to 60%: Somebody got around to the basics. MFA's on for some folks. Legacy auth is probably off. The admin list never got cleaned up. This is where a half-engaged IT provider leaves most clients.
- 60 to 80%: Somebody's actually doing the work. Conditional access is in place, MFA's enforced, the admin list got pruned. That's where we try to land our managed clients.
- 80% and up: Rare unless you're regulated. CMMC, HIPAA, finance shops. Phishing-resistant auth on privileged accounts, device compliance, the whole thing.
Don't get hung up on the number though. A 72 on a tenant somebody's actually watching beats an 85 nobody's looked at in six months. Every time.
Why the Score Doesn't Tell the Whole Story
Here's what Microsoft won't put on their own page. Secure Score is just the Microsoft 365 side of your security. That's it. It doesn't see your network, your workstations, your backups, your EDR, or whether anyone's actually trained your people. So you can have a perfect Secure Score and still be one bad click away from a ransomware call.
If all those Microsoft things were correct, you are 10% done. Congrats. Don't stop.
Eric Thompson, McNallan Technology Solutions
The score is a great starting line. It shows you, with no ambiguity, whether anyone is taking the Microsoft side seriously. But it's not a finish line. A perfect Secure Score with no backup, no EDR, and untrained users is still a tenant waiting to get breached.
So with that out of the way, here's the rest of what we actually look at when we audit a new client's tenant, using Secure Score as the entry point and going deeper than the dashboard ever does.
Security Defaults Are Almost Always Still On
First thing Eric checks when he's looking at a new tenant is whether it still says "Security Defaults." That's literally one spot in the admin portal, and you can see it in five seconds. If it still says defaults, nobody's touched it. Period.
Microsoft's defaults aren't bad. They're the free baseline that ships on every new tenant, and they cover basic MFA enforcement. But the defaults are the floor. Microsoft themselves tell you to move to Conditional Access for anything more than the basics, and that covers most of you.
Eric's seen it for years now. "Every single client we're brought into, everything is as default. They don't know."
Tenants stuck on defaults usually score in the low 30s to low 40s. Moving off defaults, even partway, is the single biggest jump any tenant will see on their score. So if your number's under 40, that's almost always why.
Global Admins: The Single Biggest Win
This is the most common dangerous thing we find. Global Admin is basically the keys to the kingdom in Microsoft 365. Full control over every user, mailbox, setting. Microsoft's own guidance is to keep it under five people, plus two cloud-only "break-glass" emergency accounts that nobody touches unless something's on fire.
What we actually walk into is more like ten, fifteen, sometimes more. Secure Score docks you hard for that, and cleaning the list up is usually the single biggest point gain in any remediation.
The patterns we see, every time:
- Former employees still on the admin list. Worst Eric has personally seen was about ten outdated admin accounts on one tenant, most of them people who don't even work there anymore.
- "Superman" accounts. Same tenant had a Global Admin account literally named Superman. When the hacker got in, that's the one they went for. Of course it was.
- Business owners who insist on being Global Admin. Eric on this one: "You're the last person that should have Global Admin rights, because you're the one that's going to be targeted the most." The owner is the most phished, most impersonated person in the company. Make them Global Admin and a single bad click hands the whole building over.
- The "I just need to reset passwords" trap. Microsoft has more than ten different admin roles. Most of the time when somebody asks for admin rights, all they actually want to do is reset a password. That's a Helpdesk Admin role. Handing them Global Admin because they didn't know which one to ask for is how the list grows in the first place.
We run least-privilege. Each person gets exactly the role they need, nothing extra. I don't have Global Admin on any client tenant either. We use a third-party management tool to do most of what we need so nobody on our team has to walk around with a master key.
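Counting the admin list is the first step of that cleanup. Below is an added example, not McNallan's tooling, that lists every active Global Administrator with the context needed to decide whether each one belongs. It assumes the Microsoft.Graph SDK, consent to RoleManagement.Read.Directory, User.Read.All and AuditLog.Read.All, and an Entra ID P1 license (required to read sign-in activity); the 90-day threshold is an assumed value.

```powershell
# Added example (not from the article): audit active Global Administrator assignments.
# Assumes the Microsoft.Graph SDK; AuditLog.Read.All plus Entra ID P1 are needed for SignInActivity.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","User.Read.All","AuditLog.Read.All" -NoWelcome

$role    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

$report = foreach ($m in $members) {
    $type = $m.AdditionalProperties['@odata.type']
    if ($type -ne '#microsoft.graph.user') {
        # Groups and service principals can hold the role too; each of those needs its own review.
        [pscustomobject]@{ Account = $m.Id; Enabled = $null; LastSignIn = $null; Flag = "non-user member ($type)" }
        continue
    }
    $u    = Get-MgUser -UserId $m.Id -Property UserPrincipalName,AccountEnabled,OnPremisesSyncEnabled,SignInActivity
    $last = $u.SignInActivity.LastSignInDateTime
    # Flags map to the patterns in the article: leavers, non-cloud-only accounts, stale or unused admins.
    $flag = if (-not $u.AccountEnabled)               { 'disabled account still holds the role' }
            elseif ($u.OnPremisesSyncEnabled)          { 'synced from on-prem AD, not cloud-only' }
            elseif ($null -eq $last)                   { 'never signed in: break-glass, or stale?' }
            elseif ($last -lt (Get-Date).AddDays(-90)) { 'no sign-in in 90+ days' }   # assumed threshold
            else                                       { '' }
    [pscustomobject]@{ Account = $u.UserPrincipalName; Enabled = $u.AccountEnabled; LastSignIn = $last; Flag = $flag }
}

$report | Sort-Object Flag -Descending | Format-Table -AutoSize
"{0} active Global Administrators (guidance: fewer than five, plus two break-glass accounts)" -f @($report).Count
# Caveat: this lists active assignments only. PIM eligible assignments are not included and need a separate check.
```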
MFA Is "On" but Not Enforced
I've never walked into a new tenant that was fully compliant on multi-factor. Not once.
It's never clean. Half the company has it. The executives have it but the shop floor doesn't. Or it's turned on for everyone but not enforced, meaning people can just click past the prompt and log in anyway. Or it's enforced but legacy phone-call and text-message codes are still allowed. Microsoft's been pushing people off SMS and voice for years now because of SIM swapping and text interception, but a lot of tenants still have it on. The Authenticator app with biometric on your phone is the standard, and it has been for a while.
Microsoft's own number on this is over 99%. Properly enforced MFA blocks 99 of 100 account compromise attempts. Which also means if it's not on, or it's not enforced, the attacker doesn't need to be clever. One password and they're in.
We aim for 100% enforcement. Full audit, fix the outliers, re-audit every quarter to catch new users that slipped in. Most of our managed tenants sit over 90%. Holding a true 100% is hard. People get hired, swap phones, things slip. That's what the quarterly audit is for.
When a prospect tells me they're at 85%, I just say: 85% isn't a thing. Either everybody has it or they don't. 85% means one in seven of your people is walking around with no MFA, and that's your front door, wide open.
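The two sections above (Security Defaults and MFA) come down to three questions: is the tenant still on defaults, which Conditional Access policies actually require MFA and are they enforced rather than report-only, and who has nothing (or only SMS/voice) registered. This added example answers them from Graph; it is not the article's or McNallan's code and assumes the Microsoft.Graph SDK with consent to Policy.Read.All, AuditLog.Read.All and UserAuthenticationMethod.Read.All.

```powershell
# Added example (not from the article): Security Defaults state, MFA-requiring CA policies,
# and per-user MFA registration coverage. Assumes the Microsoft.Graph SDK.
Connect-MgGraph -Scopes "Policy.Read.All","AuditLog.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome

# 1. Still on Security Defaults? Same toggle the portal shows, one call.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: {0}" -f $sd.IsEnabled

# 2. Conditional Access policies that require MFA. State 'enabledForReportingButNotEnforced'
#    is the "turned on but people can click past it" case; 'disabled' means it does nothing.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.GrantControls.BuiltInControls -contains 'mfa' -or $_.GrantControls.AuthenticationStrength } |
    Select-Object DisplayName, State, @{n='Users'; e={ $_.Conditions.Users.IncludeUsers -join ',' }} |
    Format-Table -AutoSize

# 3. Registration coverage per member user. Registration is not enforcement: a registered
#    user still signs in without MFA if no policy above requires it.
$details  = Get-MgReportAuthenticationMethodUserRegistrationDetail -All | Where-Object { $_.UserType -eq 'member' }
$phone    = @('mobilePhone','alternateMobilePhone','officePhone')   # SMS and voice-call methods
$ssprOnly = @('email','securityQuestion')                           # count for SSPR, not MFA
$noMfa     = @($details | Where-Object { -not $_.IsMfaRegistered })
$phoneOnly = @($details | Where-Object {
    $_.IsMfaRegistered -and
    @($_.MethodsRegistered | Where-Object { $_ -notin ($phone + $ssprOnly) }).Count -eq 0
})
$pct = [math]::Round(100 * ($details.Count - $noMfa.Count) / [math]::Max(1, $details.Count), 1)
"MFA registered: {0}% of {1} members; {2} with nothing, {3} with SMS/voice only" -f $pct, $details.Count, $noMfa.Count, $phoneOnly.Count

# The outliers to fix first: admins with nothing registered, then everyone else without MFA.
$noMfa | Sort-Object IsAdmin -Descending | Select-Object UserPrincipalName, IsAdmin | Format-Table -AutoSize
$phoneOnly | Select-Object UserPrincipalName, @{n='Methods'; e={ $_.MethodsRegistered -join ',' }} | Format-Table -AutoSize
```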
Licensing Bloat (Microsoft Won't Clean It Up Either)
This one shows up fast. 30 employees, 50 licenses. Twenty just sitting there getting billed every month because nobody removed them when people left. Folks sitting on E5 when they need E3. Add-ons stacked on years ago and forgotten about.
Licensing bloat isn't a Secure Score item directly, but Eric's point is it's a tell. "If you're not even doing that, then you're definitely not doing the other stuff." Cleaning up licenses is the easiest, dumbest thing in IT. If your IT company isn't keeping that clean, what else aren't they cleaning?
And then there's the bigger one: former employees whose accounts are still active. Still licensed. Still receiving email. Sometimes still Global Admin.
Active accounts for people who don't work at the company anymore are one of the highest-value targets in a tenant. Nobody's watching them. Nobody will notice the login from a country you don't do business in. Offboarding isn't complete when HR processes the paperwork. It's complete when the 365 account is disabled, the mailbox is handled, and the license is gone.
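Both checks, unassigned licenses and leavers whose accounts were never fully offboarded, are quick to script. This is an added example, not McNallan's process; it assumes the Microsoft.Graph SDK, consent to Organization.Read.All, User.Read.All and AuditLog.Read.All, an Entra ID P1 license for sign-in activity, and a 90-day idle threshold chosen here as an assumption.

```powershell
# Added example (not from the article): licensing bloat and half-finished offboarding.
# Assumes the Microsoft.Graph SDK; SignInActivity needs AuditLog.Read.All and Entra ID P1.
Connect-MgGraph -Scopes "Organization.Read.All","User.Read.All","AuditLog.Read.All" -NoWelcome

# 1. Purchased vs assigned, per SKU. "30 employees, 50 licenses" shows up in the Unassigned column.
Get-MgSubscribedSku | ForEach-Object {
    [pscustomobject]@{
        Sku        = $_.SkuPartNumber
        Purchased  = $_.PrepaidUnits.Enabled
        Assigned   = $_.ConsumedUnits
        Unassigned = $_.PrepaidUnits.Enabled - $_.ConsumedUnits
    }
} | Sort-Object Unassigned -Descending | Format-Table -AutoSize

# 2. Every member account with what is needed to judge its offboarding state.
$users = Get-MgUser -All -Filter "userType eq 'Member'" `
    -Property UserPrincipalName,AccountEnabled,AssignedLicenses,SignInActivity,CreatedDateTime

# Disabled accounts that still hold a license: offboarding stopped halfway, and the bill continues.
$users | Where-Object { -not $_.AccountEnabled -and $_.AssignedLicenses.Count -gt 0 } |
    Select-Object UserPrincipalName, @{n='Licenses'; e={ $_.AssignedLicenses.Count }} |
    Format-Table -AutoSize

# Enabled, licensed accounts with no sign-in for 90+ days (assumed threshold):
# the "still active, nobody watching" accounts the article describes.
$cutoff = (Get-Date).AddDays(-90)
$users | Where-Object {
    $_.AccountEnabled -and $_.AssignedLicenses.Count -gt 0 -and
    $_.CreatedDateTime -lt $cutoff -and
    ($null -eq $_.SignInActivity.LastSignInDateTime -or $_.SignInActivity.LastSignInDateTime -lt $cutoff)
} | Select-Object UserPrincipalName, @{n='LastSignIn'; e={ $_.SignInActivity.LastSignInDateTime }} |
    Format-Table -AutoSize
```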
SharePoint Sprawl Your Score Can't See
We pulled up a tenant recently that had over 40 SharePoint sites. Eric calls it the Wild West. Forty-plus sites, no naming convention, half of them abandoned, owners that make no sense. Susie owns this one. Larry owns that one. Nobody knows why.
Secure Score flags external sharing misconfigurations, but site sprawl itself isn't a setting Microsoft tracks. It's a governance problem, not a config toggle. And sprawl is where permission drift actually lives. Old access that never got revoked. Folders shared too widely. External guest accounts nobody remembers inviting.
We've written separately about SharePoint file permissions and SharePoint backup. The site count is the tenant-level signal that the inside of those sites is probably a mess too.
A Few More Things We Check Every Time
- External sharing defaults. The default on SharePoint and OneDrive is "Anyone" links. The most permissive setting Microsoft offers is what ships out of the box. We lock that down tenant by tenant. For most businesses, "new and existing guests" with auditable invites is the right setting, not public shareable links.
- Unified audit log. On by default for most enterprise SKUs, but off by default for Microsoft 365 Business Basic, Standard, and Premium, which is what most SMBs are on. If it was never turned on, you've got no forensic record of anything that happened in your own environment.
- Security awareness training completion. Most tenants we audit are hovering at 60 to 70%. I haven't seen anyone over 90% in a long time. Training that 30 to 40% of your people skip isn't really training.
- Legacy authentication. Microsoft disabled most legacy auth protocols back in 2022, so for newer tenants this isn't usually the issue it used to be. But any tenant that predates that, or any mail-flow exception that reopened it, deserves a look.
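Three of the items above (the SharePoint sharing default, the site sprawl from the previous section, and the unified audit log) can be checked and corrected from PowerShell. This is an added example, not the article's or McNallan's code; it assumes the Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement modules, SharePoint and Exchange admin rights, and uses "contoso" as a placeholder tenant name.

```powershell
# Added example (not from the article): sharing default, site inventory, audit log.
# Assumes the SharePoint Online and Exchange Online management modules; replace contoso with your tenant.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Tenant-wide sharing ceiling. 'ExternalUserAndGuestSharing' is the out-of-the-box "Anyone" setting;
# 'ExternalUserSharingOnly' is "new and existing guests", where every external share is an auditable invite.
$t = Get-SPOTenant
"Sharing: {0}   Default link type: {1}" -f $t.SharingCapability, $t.DefaultSharingLinkType
if ($t.SharingCapability -eq 'ExternalUserAndGuestSharing') {
    # Lock the ceiling down and stop new links from defaulting to anonymous access.
    Set-SPOTenant -SharingCapability ExternalUserSharingOnly -DefaultSharingLinkType Internal
}

# Site sprawl: every site collection with its owner, own sharing level, size and last content change.
# Oldest activity sorts first, so abandoned sites and sites still allowing "Anyone" links stand out.
Get-SPOSite -Limit All |
    Select-Object Url, Owner, SharingCapability, LastContentModifiedDate,
        @{n='GB'; e={ [math]::Round($_.StorageUsageCurrent / 1024, 1) }} |
    Sort-Object LastContentModifiedDate |
    Format-Table -AutoSize

# Unified audit log: off by default on Business Basic, Standard and Premium tenants.
# Without it there is no forensic record of what happened in the tenant.
Connect-ExchangeOnline -ShowBanner:$false
$cfg = Get-AdminAuditLogConfig
"Unified audit log ingestion enabled: {0}" -f $cfg.UnifiedAuditLogIngestionEnabled
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}
```

Turning the audit log on only records events from that point forward; it does not recover history from before it was enabled.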
When Secure Score Isn't the Bar Anymore
One of our newer clients is a DoD manufacturer, which means they have to be CMMC compliant. The CMMC rule went live late 2025. Anybody in the DoD supply chain is on the clock now.
We already manage their California operation. They just brought us in for Minnesota too. Eric's heading on-site soon and we already know the tenant audit is going to be a journey. CMMC forces you to prove every setting. You can't just say MFA is enforced. You have to show it. You can't just say Global Admin is locked down. You have to list every admin and document why they have it.
CMMC is a high bar, and most businesses are never going to be subject to it. But the funny thing is, the CMMC Level 2 checklist is mostly the list of things we already check on every new tenant. Global Admins, MFA enforcement, conditional access, logging, backup, offboarding. A solid Secure Score gets you a head start. The CMMC work that's left after that is mostly proving you did it. Different problem.
The Short Version
If you got this far and you're wondering whether your tenant has any of this, it probably does. About 7 out of 10 tenants we walk into still have security defaults on. That's not on you, and it's not really on your IT guy either. Microsoft made it easy to turn on, and they did their job there. Whoever's actually managing it after that is on the hook for the rest. Most of the time, nobody's managing it.
Ask to see your Secure Score.
It's built in. Free. If your IT company can't pull the number up on a screen share, or won't, that tells you something.
Count your Global Admins. Cut the list.
Microsoft says fewer than five for most companies. Every name on that list is a key to your whole company. Former employees shouldn't be on it. Owners probably shouldn't either.
"Mostly enforced" MFA isn't enforced MFA.
85% isn't a pass. Audit it, fix the gaps, re-audit every quarter. One user without MFA is all it takes.
Don't stop at the score.
A 90 means the Microsoft layer is managed. It says nothing about your network, your backups, your endpoints, or your trained users.
Sources & Citations
External claims in this article are drawn from the following primary sources. Statements about McNallan's own clients and process come from interviews with Eric Thompson, McNallan Technology Solutions.
- Microsoft Learn: Microsoft Secure Score (definition, calculation, location in admin portal)
- Microsoft Learn: Best practices for Microsoft Entra roles (Microsoft's recommendation: fewer than five Global Administrators, plus two cloud-only break-glass accounts)
- Microsoft Learn: Configure Security Defaults (auto-enabled on new tenants since October 2019)
- Microsoft Learn: Plan for mandatory Microsoft Entra MFA (MFA blocks over 99% of account-compromise attempts)
- Microsoft Security Blog: Defending against evolving identity attack techniques (adversary-in-the-middle session-token theft bypassing standard MFA)
- Microsoft Entra Blog: Defeating Adversary-in-the-Middle Phishing Attacks (phishing-resistant MFA: FIDO2, hardware keys, passkeys)
- Microsoft Learn: Manage SharePoint and OneDrive external sharing (default sharing level is "Anyone")
- Microsoft Learn: Turn auditing on or off (Microsoft Purview) (auditing default enablement varies by SKU; off by default for Microsoft 365 Business Basic, Standard, and Premium)
- Microsoft Learn: Deprecation of Basic authentication in Exchange Online (most legacy auth protocols disabled October 2022)
- U.S. Department of Defense: Cybersecurity Maturity Model Certification (CMMC) Program (Phase 1 enforcement began November 10, 2025)
- Microsoft Learn: Microsoft and CMMC (CMMC alignment with Microsoft 365 controls)
- CISA: BOD 25-01: Implementing Secure Practices for Cloud Services (federal-agency M365 baseline requirements)
Want to know your real Microsoft Secure Score?
We will pull your live score, walk through every recommendation, and give you a prioritized list of fixes. No sales pitch attached. Minnesota businesses with 25–300 employees.