Strengthening Security: Understanding Microsoft Entra Identity Secure Score

Learn how the score is calculated and how you can use it to improve security.


Microsoft Entra Identity Secure Score provides an easy-to-view dashboard of your organization’s identity security posture within Microsoft Entra ID (formerly Azure Active Directory). This blog post explains how your score is calculated, what recommendations it includes, and how organizations can use it to prioritize and implement security best practices.

What is the Microsoft Entra Identity Secure Score?

Microsoft Entra Identity Secure Score is the identity-focused subset of the broader Microsoft Secure Score. It is recalculated every 24 hours against your tenant(s) from a set of security criteria, and it is tied directly to your Microsoft Entra ID (Azure AD) environment and configuration settings, including apps, data, users, and devices.

It provides a list of recommendations with steps to resolve each one, the licenses needed to implement it, and the number of points it adds to your score once completed. As a general rule, the higher your score, the stronger your organization’s security posture. Your cybersecurity department should be very curious about this score.

How do I access the Identity Secure Score?

There are two main methods to access your organization’s Identity Secure Score (dashboard). I’ll be utilizing my M365 Developer tenant for the demonstration purposes of this article.

  • First, browse to the Microsoft Entra admin center -> https://entra.microsoft.com/.
  • Navigate to Identity -> Overview.
  • Under the ‘My feed’ section, you’ll see the ‘Secure Score for Identity’ tile.
The Entra admin center Overview website with a tile for Identity Secure Score – Image Credit: Michael Reinders/Petri.com
  • You can click the ‘View secure score’ link for a helpful overview dashboard.
Overview of Identity Secure Score – Image Credit: Michael Reinders/Petri.com

(This takes you to Security -> Identity Secure Score)

Here we see our overall score and when it was last generated. There’s a comparison graph showing how secure you are against other similarly-sized organizations in Microsoft’s ecosystem, and a history line graph showing what, if any, trends exist in your environment. It’s a great way to show your CISO progress as you remediate the lower-scoring configuration settings!

The second way is to view your score using the Microsoft Defender (Microsoft Security) website.

  • Navigate to Exposure management -> Secure score -> Recommended actions.
  • Then, click the Filter icon on the right, and select “Identity” under the Category section.
The ‘filtered’ Microsoft Secure Score on the Microsoft Defender website – Image Credit: Michael Reinders/Petri.com

This will show all your identity-related recommendations.

What permissions do you need to view/make changes?

You need at least the Global Reader or Security Reader role (or a similar read-only role) to see the Identity Secure Score dashboard. Making the recommended changes requires additional role assignments. It is best for a user or users with the ‘Security Administrator’ role to interact with and document proposed changes; that role is tailor-made to have read/write permissions only in the Security space, including Secure Score and Conditional Access. This is preferable to having a Global Administrator handle changes, as that all-powerful role should be severely limited in usage due to its ability to change almost everything in a tenant. Note that a few recommendations still need other roles: managing Privileged Identity Management, for instance, requires the ‘Privileged Role Administrator’ role.

How is the score calculated?

Every 24 hours, Microsoft runs a background process in your tenant that looks at your security configuration and compares your settings with the recommended best practices. Based on this outcome, a new score is calculated for your directory.

It’s possible that your security configuration isn’t fully aligned with the best practice guidance, and the improvement actions are only partially met. In these scenarios, you’re awarded a portion of the max score available for the control.
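To make the arithmetic of partial credit concrete, here is an added example (not Microsoft’s code or anything from this article) that recomputes an Identity score from records shaped like the Microsoft Graph `/security/secureScoreControlProfiles` and `/security/secureScores` responses. The field names follow the Graph schema; the control IDs, titles and point values are constructed for illustration and do not correspond to real controls.

```python
"""Recompute an Identity Secure Score from Secure Score-style data.

The records below are constructed for this example. Their field names follow
the Microsoft Graph /security/secureScoreControlProfiles and
/security/secureScores (controlScores) schemas, but the control IDs, titles
and point values are invented and do not correspond to real controls.
"""

# Constructed control profiles: what each control is worth and which
# Secure Score category (pillar) it belongs to.
CONTROL_PROFILES = [
    {"id": "ctrl-mfa-all-users", "controlCategory": "Identity", "maxScore": 9.0,
     "title": "Require MFA for all users"},
    {"id": "ctrl-block-legacy-auth", "controlCategory": "Identity", "maxScore": 8.0,
     "title": "Block legacy authentication"},
    {"id": "ctrl-pim-for-admins", "controlCategory": "Identity", "maxScore": 8.0,
     "title": "Use just-in-time admin role activation"},
    {"id": "ctrl-dlp-policy", "controlCategory": "Data", "maxScore": 3.0,
     "title": "Enable a DLP policy"},
]

# Constructed controlScores from one day's secureScores record. Partial
# credit shows up as a score between 0 and the control's maxScore.
CONTROL_SCORES = [
    {"controlName": "ctrl-mfa-all-users", "score": 4.5},      # half the users covered
    {"controlName": "ctrl-block-legacy-auth", "score": 0.0},  # nothing configured yet
    {"controlName": "ctrl-pim-for-admins", "score": 8.0},     # fully met
    {"controlName": "ctrl-dlp-policy", "score": 3.0},         # outside the Identity pillar
]


def category_score(profiles, control_scores, category="Identity"):
    """Return (current, maximum, percent) for one Secure Score category.

    Only controls in the category count. A control's credit is capped at its
    maxScore, and a control with no score record counts as zero, so a stale
    or duplicated record cannot inflate the total.
    """
    max_by_name = {p["id"]: p["maxScore"]
                   for p in profiles if p["controlCategory"] == category}
    scored = {cs["controlName"]: cs["score"] for cs in control_scores}
    current = sum(min(scored.get(name, 0.0), mx) for name, mx in max_by_name.items())
    maximum = sum(max_by_name.values())
    percent = round(100.0 * current / maximum, 1) if maximum else 0.0
    return current, maximum, percent


def remaining_points(profiles, control_scores, category="Identity"):
    """List (control id, points still available), largest first.

    This is the prioritization the dashboard implies: fix the control that
    returns the most points first. Fully met controls are omitted.
    """
    scored = {cs["controlName"]: cs["score"] for cs in control_scores}
    gaps = []
    for p in profiles:
        if p["controlCategory"] != category:
            continue
        gap = p["maxScore"] - min(scored.get(p["id"], 0.0), p["maxScore"])
        if gap > 0:
            gaps.append((p["id"], gap))
    return sorted(gaps, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    current, maximum, percent = category_score(CONTROL_PROFILES, CONTROL_SCORES)
    print(f"Identity Secure Score: {current:g}/{maximum:g} ({percent}%)")
    for control_id, gap in remaining_points(CONTROL_PROFILES, CONTROL_SCORES):
        print(f"  {control_id}: {gap:g} points available")
```

With the sample data the Identity pillar scores 12.5 of 25 points (50%), and the prioritized list puts the unconfigured legacy-authentication block (8 points) ahead of finishing the MFA rollout (4.5 points still available). Against a live tenant you would replace the two constructed lists with the Graph responses, which need the `SecurityEvents.Read.All` permission.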

What Microsoft 365 services are included?

The larger Microsoft Secure Score encompasses five core pillars of Microsoft 365:

  • Data
  • Identity
  • Devices
  • Infrastructure
  • Apps

The Identity Secure Score focuses solely on the Identity pillar, the focus of this article, which mainly covers Microsoft Entra ID. Because of this overlap, the recommendations shown in the Identity Secure Score and those in the Identity category of the broader Microsoft Secure Score are the same.

Where and what are Microsoft’s top recommendations?

After you see your score, you’ll probably want to know how to get it up to 100% (unless you’re already there – Congratulations!), or at least put in a concerted effort. That’s where the Recommendations come in. If you navigate to the Microsoft Entra admin center webpage again and go to Identity -> Overview, you can click the ‘Recommendations’ link right above the search field towards the top.

Viewing the Recommendations for the Identity Secure Score – Image Credit: Michael Reinders/Petri.com

Microsoft again displays your Identity Secure Score, Score History, and its recommendations below. You’re shown the following for each recommendation:

  • Priority (Low, Medium, High)
  • The recommendation description
  • Required licenses to implement the recommendation
  • The Release type of the recommendation (Public Preview, Generally available, etc.)
  • Secure Score points – how many of the points available for the recommendation you’ve achieved so far
  • What resource types are impacted
  • The overall Status of the Recommendation (Active or Completed)

Licensing prerequisites

Under the ‘Required licenses’ section of each recommendation, you’ll be shown what licenses are needed to carry out the required change to boost your score and get more secure. In general, it will be one of these four main licenses:

  • Microsoft Entra ID Free
  • Microsoft Entra ID P1
  • Microsoft Entra ID P2
  • Microsoft Entra Workload ID

Top three recommendations to implement

Now that you’ve seen an overview of your recommendations, let’s focus on three of the most impactful and important recommendations you should consider implementing as soon as possible, if you haven’t already.

Enforcing Multi-Factor Authentication (MFA)

Even though Microsoft began requiring MFA for all users signing in to the Azure portal, Microsoft Entra admin center and Microsoft Intune admin center around October 2024, that mandate covers only the admin portals. You should still implement a Conditional Access policy that enforces MFA for all users across all cloud apps.

This does require Microsoft Entra ID P1 or P2 licenses (tenants without them can turn on security defaults, which also enforce MFA but without per-policy control). It is absolutely imperative that all of your users present at least a second factor (such as a push notification with number matching from the Microsoft Authenticator app) when logging in; where you can, prefer phishing-resistant methods such as FIDO2 security keys, passkeys, or Windows Hello for Business. Exclude your emergency-access (“break-glass”) accounts from the policy, and roll it out in report-only mode first, so a misconfiguration cannot lock every administrator out.
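The policy described above, expressed as the Microsoft Graph `conditionalAccessPolicy` resource that the Entra admin center creates for you, as an added example (not from this article or Microsoft). The break-glass object IDs and the `GRAPH_TOKEN` environment variable are assumptions; the function that creates the policy only runs when a token is supplied.

```python
"""Build and sanity-check a Conditional Access policy that requires MFA.

Added example. The JSON shape is the Microsoft Graph v1.0
conditionalAccessPolicy resource (POST /identity/conditionalAccess/policies).
The object IDs, display name and GRAPH_TOKEN variable are assumptions.
"""
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
REPORT_ONLY = "enabledForReportingButNotEnforced"
VALID_STATES = {"enabled", "disabled", REPORT_ONLY}


def build_mfa_policy(break_glass_ids, state=REPORT_ONLY,
                     display_name="CA001 - Require MFA for all users"):
    """Return the policy body: all users, all cloud apps, grant requires MFA.

    Emergency-access ("break-glass") accounts are excluded so that a
    misconfigured MFA policy cannot lock every administrator out. The policy
    starts in report-only mode so its impact can be reviewed in sign-in logs.
    """
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeUsers": list(break_glass_ids),
            },
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def lint_policy(policy):
    """Return the problems a reviewer would reject the policy for (empty = OK)."""
    problems = []
    conditions = policy.get("conditions", {})
    users = conditions.get("users", {})
    grant = policy.get("grantControls") or {}
    if "All" in users.get("includeUsers", []) and not users.get("excludeUsers"):
        problems.append("targets all users with no break-glass exclusion")
    if "mfa" not in grant.get("builtInControls", []) and not grant.get("authenticationStrength"):
        problems.append("grant control does not require MFA or an authentication strength")
    if policy.get("state") not in VALID_STATES:
        problems.append(f"unknown state {policy.get('state')!r}")
    apps = set(conditions.get("clientAppTypes", []))
    if "all" not in apps and not {"browser", "mobileAppsAndDesktopClients"} <= apps:
        problems.append("policy does not cover both browser and desktop/mobile clients")
    return problems


def create_policy(policy, token):
    """POST the policy to Graph; needs Policy.ReadWrite.ConditionalAccess."""
    problems = lint_policy(policy)
    if problems:
        raise ValueError("refusing to create policy: " + "; ".join(problems))
    req = urllib.request.Request(
        f"{GRAPH}/identity/conditionalAccess/policies",
        data=json.dumps(policy).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Assumed object IDs of two emergency-access accounts (constructed values).
    policy = build_mfa_policy(["11111111-1111-1111-1111-111111111111",
                               "22222222-2222-2222-2222-222222222222"])
    print(json.dumps(policy, indent=2))
    token = os.environ.get("GRAPH_TOKEN")  # assumption: a Graph access token
    if token:
        print("created policy", create_policy(policy, token)["id"])
```

Once the report-only results look right, change `state` to `enabled` and PATCH the policy; the lint step deliberately refuses an all-users policy without excluded accounts, which is the mistake that most often locks tenants out.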

Blocking legacy authentication

My second recommendation is blocking legacy authentication. It is a crucial step in hardening your Microsoft Entra ID environment and one of the highest-impact actions you can take to improve your Identity Secure Score.

Legacy authentication refers to older protocols that send a username and password with every request, such as:

  • POP, IMAP, SMTP, MAPI, and RPC
  • Basic authentication for Exchange ActiveSync and Outlook

These protocols can’t perform the modern (OAuth 2.0-based) sign-in that multifactor authentication and Conditional Access depend on, so an MFA policy cannot protect them and a guessed or leaked password is enough to get in. That makes them prime targets: Microsoft reports that over 99% of password spray attacks use legacy authentication protocols.
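Before you enable a policy that blocks legacy authentication, look at who is still using it so you know what the block will break, and use the same data to spot the spray pattern described above. The following is an added example (not from this article or Microsoft) that runs over sign-in records shaped like the Microsoft Graph `/auditLogs/signIns` resource. The `clientAppUsed` values and the `status.errorCode` 50126 (wrong username or password) are real; the users, IP addresses and counts are constructed.

```python
"""Find legacy-authentication sign-ins and password-spray patterns in sign-in logs.

Added example. Entries are constructed, with field names and clientAppUsed
values from the Microsoft Graph /auditLogs/signIns resource; the users, IPs
and counts are invented. Run this before enabling a block-legacy-auth
Conditional Access policy to see what it will stop.
"""
from collections import defaultdict

# The two clientAppUsed values that represent modern (OAuth-capable) clients.
# Everything else (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync,
# Other clients, ...) is legacy authentication and cannot satisfy MFA.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

SIGN_INS = [  # constructed sample; a real export has many more fields
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "IMAP4",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "Exchange ActiveSync",
     "ipAddress": "203.0.113.11", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "clientAppUsed": "Mobile Apps and Desktop clients",
     "ipAddress": "203.0.113.12", "status": {"errorCode": 0}},
    # Four different users failing SMTP/POP3 from one IP: a spray signature.
    {"userPrincipalName": "dave@example.com", "clientAppUsed": "Authenticated SMTP",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},
    {"userPrincipalName": "erin@example.com", "clientAppUsed": "Authenticated SMTP",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},
    {"userPrincipalName": "frank@example.com", "clientAppUsed": "Authenticated SMTP",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "POP3",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},
    # A failed browser sign-in from the same IP is not legacy and is ignored.
    {"userPrincipalName": "grace@example.com", "clientAppUsed": "Browser",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},
]


def is_legacy(entry):
    return entry["clientAppUsed"] not in MODERN_CLIENTS


def ca_client_app_type(client_app_used):
    """Map a legacy clientAppUsed onto the Conditional Access clientAppTypes value."""
    return "exchangeActiveSync" if client_app_used == "Exchange ActiveSync" else "other"


def legacy_auth_usage(entries):
    """Map each user to the legacy protocols they successfully signed in with.

    These are the sign-ins a block-legacy-auth policy will stop, so these are
    the users and devices to migrate first.
    """
    usage = defaultdict(set)
    for e in entries:
        if is_legacy(e) and e["status"]["errorCode"] == 0:
            usage[e["userPrincipalName"]].add(e["clientAppUsed"])
    return {user: sorted(protocols) for user, protocols in sorted(usage.items())}


def spray_candidates(entries, min_users=3):
    """Source IPs whose failed legacy sign-ins hit at least min_users distinct users.

    A production detector would also bucket by time window; the constructed
    sample is assumed to cover one short window.
    """
    users_by_ip = defaultdict(set)
    for e in entries:
        if is_legacy(e) and e["status"]["errorCode"] != 0:
            users_by_ip[e["ipAddress"]].add(e["userPrincipalName"])
    hits = [(ip, len(users)) for ip, users in users_by_ip.items() if len(users) >= min_users]
    return sorted(hits, key=lambda item: item[1], reverse=True)


def required_client_app_types(entries):
    """The clientAppTypes a block policy must list to cover the legacy traffic seen."""
    return sorted({ca_client_app_type(e["clientAppUsed"]) for e in entries if is_legacy(e)})


if __name__ == "__main__":
    print("legacy auth still in use:", legacy_auth_usage(SIGN_INS))
    print("possible password spray sources:", spray_candidates(SIGN_INS))
    print("clientAppTypes to block:", required_client_app_types(SIGN_INS))
```

On the sample, two users (IMAP4 and Exchange ActiveSync) would be cut off by the block policy, one IP address is spraying four accounts over SMTP and POP3, and the policy needs both `exchangeActiveSync` and `other` in its `clientAppTypes` condition with a `block` grant control.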

Please be advised that, as of this writing, Microsoft has announced that starting in mid-July 2025 it will block legacy authentication by default across Microsoft 365 tenants, including SharePoint, OneDrive, and Office apps, as part of its Secure Future Initiative. Exchange Online already turned off Basic authentication for most protocols in late 2022 and early 2023 (SMTP AUTH was the main exception), so the Conditional Access policy mostly closes the remaining gaps and, unlike a platform default, gives you a documented, auditable control that counts toward your score.

Least privilege and RBAC

The third recommendation is foundational to both the Identity Secure Score and a broader ‘Zero Trust’ strategy – Least Privilege and Role-Based Access Control hygiene.

Embracing the principle of least privilege means granting users, apps, and services only the permissions they need to perform their duties. Giving a helpdesk technician the ‘Helpdesk Administrator’ role instead of the ‘Global Administrator’ role is a simple but important example of the concept.

Role hygiene refers to the periodic review and reconciliation of users and their assigned RBAC roles; access reviews can automate the periodic part. Using Privileged Identity Management (PIM), for example, to make a user eligible for Global Administrator and activate the role just in time will give you a higher score than leaving that assignment permanent (24×7). Microsoft also recommends at least two but fewer than five Global Administrators, enough to avoid lockout without spreading the role around. PIM requires Microsoft Entra ID P2.
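An added example (not from this article or Microsoft) of the reconciliation step, run over records shaped like the Microsoft Graph `/roleManagement/directory/roleDefinitions`, `/roleAssignments` (permanent, active assignments) and `/roleEligibilitySchedules` (PIM eligibility) resources. The three role template IDs are the real built-in values, identical in every tenant; the principal IDs and the assignments are constructed.

```python
"""Audit privileged directory roles: permanent assignments vs PIM eligibility.

Added example. Records are constructed in the shape of the Microsoft Graph
/roleManagement/directory/roleDefinitions, .../roleAssignments and
.../roleEligibilitySchedules resources. The role template IDs are the real
built-in values; the principal IDs ("u-alice" etc.) are invented.
"""

GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"  # built-in template ID

ROLE_DEFINITIONS = [  # built-in template IDs, the same in every tenant
    {"id": GLOBAL_ADMIN, "displayName": "Global Administrator"},
    {"id": "194ae4cb-b126-40b2-bd5b-6091b380977d", "displayName": "Security Administrator"},
    {"id": "729827e3-9c14-49f7-bb1b-9608f156bbb8", "displayName": "Helpdesk Administrator"},
]

# Roles whose holders should be PIM-eligible, never permanently assigned.
PRIVILEGED_ROLES = {"Global Administrator", "Security Administrator",
                    "Privileged Role Administrator"}

ROLE_ASSIGNMENTS = [  # permanent, active assignments (constructed)
    {"principalId": "u-alice", "roleDefinitionId": GLOBAL_ADMIN},
    {"principalId": "u-bob", "roleDefinitionId": GLOBAL_ADMIN},
    {"principalId": "u-carol", "roleDefinitionId": "729827e3-9c14-49f7-bb1b-9608f156bbb8"},
]

ROLE_ELIGIBILITIES = [  # PIM eligible, just-in-time assignments (constructed)
    {"principalId": "u-dave", "roleDefinitionId": GLOBAL_ADMIN},
    {"principalId": "u-erin", "roleDefinitionId": "194ae4cb-b126-40b2-bd5b-6091b380977d"},
]


def role_hygiene(definitions, assignments, eligibilities, max_global_admins=4):
    """Summarize findings a periodic role review should raise.

    permanent_privileged: privileged roles held 24x7 that should move to PIM.
    global_admin_holders: everyone who holds or can activate Global Admin.
    too_many_global_admins / no_global_admin_backup: Microsoft's guidance of
    at least two and fewer than five Global Administrators.
    Note: principals can be groups; resolve group membership separately.
    """
    names = {d["id"]: d["displayName"] for d in definitions}
    permanent_privileged = sorted(
        (a["principalId"], names[a["roleDefinitionId"]])
        for a in assignments
        if names.get(a["roleDefinitionId"]) in PRIVILEGED_ROLES)
    ga_holders = {r["principalId"] for r in assignments + eligibilities
                  if r["roleDefinitionId"] == GLOBAL_ADMIN}
    return {
        "permanent_privileged": permanent_privileged,
        "global_admin_holders": sorted(ga_holders),
        "too_many_global_admins": len(ga_holders) > max_global_admins,
        "no_global_admin_backup": len(ga_holders) < 2,
    }


if __name__ == "__main__":
    report = role_hygiene(ROLE_DEFINITIONS, ROLE_ASSIGNMENTS, ROLE_ELIGIBILITIES)
    for principal, role in report["permanent_privileged"]:
        print(f"convert to PIM eligibility: {principal} holds {role} permanently")
    print("Global Administrator holders:", report["global_admin_holders"])
    if report["too_many_global_admins"]:
        print("too many Global Administrators")
    if report["no_global_admin_backup"]:
        print("fewer than two Global Administrators: lockout risk")
```

On the sample, alice and bob hold Global Administrator permanently and should become eligible assignments like dave’s, while carol’s permanent Helpdesk Administrator assignment is acceptable under this policy. Reading the live data needs `RoleManagement.Read.Directory`.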

Recent Developments

Because the security landscape is so fluid, and hackers are getting better and better at exploiting all the software technologies out there, including Microsoft Entra ID, Microsoft is consistently offering new methods to assist its customers with boosting their score towards 100%. Let’s point out a few examples here.

Microsoft Entra gets new Identity Secure Score recommendations

As you may have read earlier this year on Petri, Microsoft added a few features to the Identity Secure Score dashboard: a history of the tenant’s score, a recommendation to require MFA for administrative roles, and a recommendation to enable policies that block legacy authentication. All were introduced early this year and have been rolling out to tenants over the last few months.

Another recent recommendation is to protect users by implementing risk policies. When Microsoft Entra ID Protection (a P2 feature) detects irregularities in a user’s sign-ins over a short period of time, the user is flagged as risky. A sign-in from a geographic location different from the user’s normal one is a very common risk signal. Of course, there may be valid reasons for it, such as a VPN or a Windows 365 Cloud PC session. The point is that configuring user risk and sign-in risk policies (Conditional Access policies that require a password change or MFA when risk is detected) helps you proactively, not just reactively, raise your Identity Secure Score.

Frequently asked questions

What is Microsoft Identity Secure Score?

Microsoft Identity Secure Score is a numerical representation (on a scale of 0 to 100%) of your organization’s security posture related specifically to identity and access management within Microsoft Entra ID (formerly Azure Active Directory). It assesses how well your organization is protected against identity-based threats by evaluating implemented security controls such as multifactor authentication, risky sign-in detection, user risk policies, and conditional access policies. A higher score indicates better alignment with Microsoft’s recommended identity security practices.

How do I find my Microsoft Secure Score?

To find your Microsoft Secure Score:

  1. Sign in to the Microsoft Defender portal (https://security.microsoft.com) using an account with the necessary admin permissions.
  2. Navigate to Secure score (under Exposure management) in the left-hand menu.
  3. Review the dashboard for your current overall score and breakdowns by categories such as identity, devices, apps, and data.

You can also find the Identity Secure Score specifically by visiting the Entra admin center and navigating to Identity Secure Score under Protection.

What is Microsoft Compliance Score?

Microsoft Compliance Score, found in the Microsoft Purview compliance portal, measures your organization’s progress in meeting data protection and regulatory requirements. It provides a score based on how many recommended compliance actions (such as DLP policies, retention labels, audit logs, and access reviews) have been implemented. The score helps compliance and risk managers prioritize improvement efforts based on risk level and regulatory impact.