Microsoft Secure Score: From the 30s to 90+

Most inherited tenants sit somewhere between 28 and 45. The controls are there — they've just never been touched. Here's what actually moves the needle.

Getting above 90 is achievable in most environments, but the path there isn’t obvious. Here’s what works, what doesn’t, and where to start.


What Secure Score Actually Measures

Secure Score is a prioritised recommendation list with a number attached. That number is a ratio: current points divided by the maximum achievable points in your tenant. Controls are weighted — some are worth 2 points, others 16. Some are free to implement; others require licences you may not have.

What it doesn’t measure: whether you’d survive a real attack. A tenant sitting at 95 can still be compromised. Secure Score measures configuration coverage — it’s a proxy for how much of the low-hanging fruit an attacker has been denied. Useful, but worth keeping that framing when reporting to stakeholders.


Mistakes New Engineers Make

Going after the big points first. Sorting by highest impact and starting at the top is a natural instinct. The problem: high-point items — things like Privileged Identity Management, Defender for Identity, or full MFA coverage — often require change management, licence procurement, or executive sign-off. Weeks burn on a single control while the dashboard barely shifts. The better move is to build momentum with quick wins first, then bring the credibility of visible progress to the heavier conversations.

Implementing controls without understanding the dependency chain. Enabling a Conditional Access policy before confirming break-glass accounts are excluded is a classic mistake. So is enforcing MFA via Security Defaults and then finding it conflicts with existing CA policies. Read the recommendation detail, understand what it touches, and test with a pilot group first.

Not filtering by available licences. Secure Score includes recommendations for features that may require licences you don’t have. Use the “Licenses” filter in the portal before planning anything. It saves hours of frustration and avoids the awkward conversation where a client asks why you’re scoping work they can’t actually implement.

Skipping the “User Impact” field. Every recommendation documents the blast radius. Enabling MFA for all users is not a silent change. Blocking legacy authentication affects users on old mail clients. Missing that field is how engineers end up locking a CEO out of Outlook on a Monday morning.


Low-Hanging Fruit: Maximum Points, Minimum Friction

These controls consistently deliver 25–40 points combined and most can be completed in a single focused session.

Block legacy authentication protocols. Basic auth is a free path past MFA. A single Conditional Access policy blocking legacy authentication clients — Exchange ActiveSync, IMAP, SMTP AUTH, POP3 — removes an enormous attack surface. Users on Outlook 2010 or older will break. Worth the disruption.

Enable combined security information registration. Often overlooked. Enabling the combined registration experience in Entra ID settings is a few clicks and costs nothing. It’s typically worth 4–8 points and unlocks several downstream recommendations.

Enable Self-Service Password Reset (SSPR). Low effort, moderate points, high end-user value. Set the number of authentication methods required to reset to two, scope it to all users, and move on.

Require MFA for Azure management. A specific Conditional Access policy scoped to the Azure Management app (app ID: 797f4846-ba00-4fd7-ba43-dac1f8f63013). Fast to implement, high risk reduction for privileged operations.
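As an added example (not from the original post), here is how the two Conditional Access policies above can be created in report-only mode with Microsoft Graph PowerShell, with the break-glass exclusion from the dependency-chain point handled up front. The break-glass UPN and the policy names are placeholders; the Azure Management app ID is the one quoted above.

```powershell
# Added example: create the two quick-win Conditional Access policies in report-only mode.
# Requires the Microsoft.Graph PowerShell SDK; the caller needs Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","User.Read.All"

# Placeholder: replace with your emergency access (break-glass) account.
$breakGlass = Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.example'"
if (-not $breakGlass) { throw "Break-glass account not found; do not create the policies without an exclusion." }

# Policy 1: block legacy authentication clients (Exchange ActiveSync, IMAP, POP3, SMTP AUTH).
# "other" is the client app type for all non-modern-auth clients; ActiveSync is listed explicitly.
$blockLegacy = @{
    displayName   = "CA001 - Block legacy authentication (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        clientAppTypes = @("exchangeActiveSync", "other")
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 2: require MFA for the Azure Management app (app ID from the post).
$azureMgmtMfa = @{
    displayName   = "CA002 - Require MFA for Azure management (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        clientAppTypes = @("all")
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("797f4846-ba00-4fd7-ba43-dac1f8f63013") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

foreach ($policy in @($blockLegacy, $azureMgmtMfa)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "{0}  state={1}  id={2}" -f $created.DisplayName, $created.State, $created.Id
}
# Watch the report-only results in the sign-in logs for a pilot period, then set state to "enabled".
```

Report-only mode shows which sign-ins would have been blocked or challenged without enforcing anything, which is where users on old mail clients show up before they are locked out.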

Tighten Defender for Office 365 anti-phishing policies. If you have Exchange Online Protection or Defender for Office 365, the default policies exist but are rarely fully configured. Enable impersonation protection for key users and domains, enable mailbox intelligence, and set the phishing threshold to aggressive. Worth 6–10 points across multiple recommendations.

Enable Unified Audit Logging. One toggle. Zero user impact. Needed for virtually every security investigation you’ll ever run. Check it under Microsoft Purview → Audit. If it’s off, you’ve also just discovered why incident reports from the past year have no logs.

Set password expiration to “never expire”. Counterintuitive, but it’s a Secure Score recommendation aligned with NIST 800-63B. Forcing frequent password changes leads to weaker, predictable passwords. With MFA enforced, “never expire” is the right configuration — and it’s worth 4+ points.

Review and remove inactive accounts and guest access. Pull a report of accounts inactive for 90+ days. Disable or delete them. Guest accounts with no recent sign-ins are common and easy to clean up. This hits multiple recommendations in one sweep.
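An added example (not from the original post) of pulling the 90-day inactivity report for members and guests with Microsoft Graph PowerShell. It assumes the tenant has an Entra ID P1 or P2 licence, which the sign-in activity data requires, and it only reports; the disable step is left commented out so the list can be reviewed first.

```powershell
# Added example: list enabled members and guests with no sign-in (interactive or not) in 90 days.
# Reading signInActivity needs AuditLog.Read.All plus User.Read.All and an Entra ID P1/P2 licence.
Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All"

$now    = (Get-Date).ToUniversalTime()
$cutoff = $now.AddDays(-90)

$users = Get-MgUser -All -Property "id,userPrincipalName,userType,accountEnabled,createdDateTime,signInActivity" |
    Where-Object { $_.AccountEnabled }

$stale = foreach ($u in $users) {
    # Take the most recent of interactive and non-interactive sign-in so that a service
    # account that only authenticates non-interactively is not flagged by mistake.
    $last = @($u.SignInActivity.LastSignInDateTime, $u.SignInActivity.LastNonInteractiveSignInDateTime) |
        Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
    # Accounts that never signed in have no timestamp; judge those by creation date instead,
    # so a user created last week is not reported as inactive.
    $reference = if ($last) { $last } else { $u.CreatedDateTime }
    if ($reference -and $reference -lt $cutoff) {
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            UserType          = $u.UserType
            LastSignIn        = $last
            DaysInactive      = [int]($now - $reference).TotalDays
            Id                = $u.Id
        }
    }
}

$stale | Sort-Object DaysInactive -Descending | Export-Csv -Path .\inactive-accounts.csv -NoTypeInformation
"Inactive members: {0}  Inactive guests: {1}" -f @($stale | Where-Object UserType -eq 'Member').Count,
                                                  @($stale | Where-Object UserType -eq 'Guest').Count

# After review (break-glass and known service accounts removed from the list), disable rather than delete:
# $stale | ForEach-Object { Update-MgUser -UserId $_.Id -AccountEnabled:$false }
```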


A Practical Sequencing Approach

A reliable order of operations for a new engagement:

  1. Filter the Secure Score dashboard to “Achievable with current licences”
  2. Identify the 2–8 point controls with low user impact — batch these into a single change window
  3. Move to medium-effort items (Conditional Access policy tuning, Defender policy configuration) in a 2-week sprint
  4. Reserve PIM, Defender for Identity, and cross-tenant access reviews for a dedicated workstream with proper change management

Most tenants exceed 85 by the end of step 3. The final stretch to 90+ comes from step 4.


Reporting the Progress

A jump from 34 to 88 looks dramatic on a chart — use it. Export the historical score from the dashboard and produce a before/after comparison by category (Identity, Devices, Apps, Data, Infrastructure). Category breakdowns tell a better story than a single number. A security leader cares less about the aggregate than knowing identity controls went from 22% to 94% covered.
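An added example (not from the original post) of producing that per-category before/after view from the Secure Score history in Microsoft Graph. It assumes the earliest retained daily snapshot is a usable "before", and it approximates each category's maximum from the summed maxScore of the control profiles.

```powershell
# Added example: category coverage before vs. after, from Secure Score history.
# The API returns a window of recent daily snapshots; SecurityEvents.Read.All is required.
Connect-MgGraph -Scopes "SecurityEvents.Read.All"

# Maximum achievable points per category, summed from the control profiles (assumption: this
# approximates the per-category ceiling the dashboard uses).
$maxByCategory = @{}
foreach ($p in (Get-MgSecuritySecureScoreControlProfile -All)) {
    $maxByCategory[$p.ControlCategory] = [double]$maxByCategory[$p.ControlCategory] + [double]$p.MaxScore
}

# Oldest and newest snapshots in the retained window.
$history = Get-MgSecuritySecureScore -All | Sort-Object CreatedDateTime
$before  = $history[0]
$after   = $history[-1]

function Get-CategoryPoints($snapshot) {
    # Sum the points currently earned in each category for one daily snapshot.
    $sum = @{}
    foreach ($c in $snapshot.ControlScores) {
        $sum[$c.ControlCategory] = [double]$sum[$c.ControlCategory] + [double]$c.Score
    }
    return $sum
}
$earnedBefore = Get-CategoryPoints $before
$earnedAfter  = Get-CategoryPoints $after

$report = foreach ($cat in ($maxByCategory.Keys | Sort-Object)) {
    $max = $maxByCategory[$cat]
    if ($max -le 0) { continue }   # categories with nothing achievable in this tenant
    [pscustomobject]@{
        Category  = $cat
        Before    = "{0:P0}" -f ([double]$earnedBefore[$cat] / $max)
        After     = "{0:P0}" -f ([double]$earnedAfter[$cat] / $max)
        MaxPoints = $max
    }
}

"Overall: {0:N0}/{1:N0} on {2:d}  ->  {3:N0}/{4:N0} on {5:d}" -f `
    $before.CurrentScore, $before.MaxScore, $before.CreatedDateTime,
    $after.CurrentScore,  $after.MaxScore,  $after.CreatedDateTime
$report | Format-Table -AutoSize
```

If the engagement started before the retained window, export the earlier history from the portal at kickoff so the "before" snapshot is not lost.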

Always document deferred items and why. “We deferred disabling SMTP AUTH because four line-of-business applications still depend on it — scheduled for Q3 remediation” is a professional response. Unexplained gaps invite questions you don’t want.


The score is a proxy. What the underlying work actually does is remove the easy wins for an attacker — credential stuffing via basic auth, phishing past an unconfigured policy, persisting in a tenant with no audit trail. Start with the quick wins, document the decisions, and don’t let perfect be the enemy of done.