Azure AD

How to Export Secure Score Reports in Microsoft 365

Wondering how secure your organization really is? If you're unsure, Microsoft knows the answer better than you do! Microsoft Secure Score, a complimentary feature included with your license, can tell you just how secure you are. This powerful tool evaluates your security measures and gives you a quick snapshot of your current security status. In this guide, you’ll learn how to export Microsoft Secure Score reports, analyze vulnerabilities, and strengthen your organization's defenses.

Using Microsoft 365 Defender Portal

Microsoft 365 Permission Required

Security Reader Least Privilege

Global Admin Most Privilege

Sign in to the Microsoft 365 Defender.
Go to the Exposure management»Secure Score to view the Microsoft Secure Score page.

In this Microsoft Secure Score portal, you can view your organization's overall secure score and understand how it is calculated across various categories.

Using Windows PowerShell

Microsoft 365 Permission Required

Security Reader Least Privilege

Global Admin Most Privilege

Connect to the Microsoft Graph PowerShell module with your credentials using the cmdlet below.

Windows PowerShell

 Connect-MgGraph -Scopes "SecurityEvents.Read.All"

Execute the cmdlet below to get the Microsoft Secure Score objects.
Windows PowerShell
```
 Get-MgSecuritySecureScore
```

You can obtain the properties and relationships of a 'secureScore' object to gain a comprehensive understanding of your security metrics through this method.
When you retrieve Microsoft Secure Score objects via PowerShell, the output includes data points, such as IDs, active user count, and Azure tenant ID. With this data, admins can get an overall view of security measures across the organization. However, it’s important to note that PowerShell returns only the 'secureScore' objects themselves, not the actual scores!

Using AdminDroid
Simple & Quick

AdminDroid Permission Required Delegated

Any user with report access assigned by the Super Admin.

Open the AdminDroid Office 365 Reporter.
Navigate to the Tenant’s Overall Score Trend report under Audit»Secure Score»Overall.

AdminDroid Azure AD Reporter

Comprehensive Microsoft Secure Score Reporting Made Easy

AdminDroid's Azure AD management tool provides in-depth insights into your Microsoft 365 Defender Secure Score, allowing easy analysis across areas like MFA, MDM, and Azure AD. It offers detailed reports on your Secure Score and comparisons, helping admins efficiently manage and optimize security.

Enhance Your Secure Score with Immediate Alerts

As your security partner, AdminDroid’s real-time alerts notify you of critical Microsoft 365 changes to swiftly address issues and boost your Secure Score.

Boost Mobile Security with the Device Encryption Report

Monitor your Secure Score for mobile device encryption with AdminDroid, encourage users to encrypt their devices, and prevent unauthorized access.

Protect Against Outdated Methods with Secure Score Insights

Use AdminDroid's AI-powered charts to assess your Secure Score for blocking legacy authentication and safeguard against compromised, outdated sign-in attempts.

Increase Your Secure Score by Securing Users Without MFA

Discover Microsoft 365 users without MFA using AdminDroid's dedicated reports to increase your Secure Score by enforcing MFA for them.

Maximize Security with AdminDroid's SSPR Analysis

Optimize your Microsoft Secure Score with AdminDroid's self-service password reset report and track key metrics like obtained score, users without SSPR, etc., to enhance security.

Control SharePoint External Sharing to Improve Secure Score Status

Audit SharePoint Online external sharing to block or restrict sharing to specific domains for better control and an improved Secure Score.

AdminDroid paves the way for robust and comprehensive Secure Score reporting. Remember, security scores reflect your organization's security posture but don't guarantee protection from breaches! Therefore, explore AdminDroid's security and compliance reports on Microsoft 365 to tightly safeguard your digital assets.
Don’t bear the security burden alone - Let AdminDroid help you fortify your defenses!

Explore a full range of reporting options

Download Live Demo

Important Tips

Follow Microsoft 365 best security practices to boost your security, as improving your Secure Score is directly tied to configuring stronger security settings.

Use the Maester tool, a Microsoft security test automation framework that runs tests to ensure your tenant’s configurations align with baseline security policies.

With security defaults in place, ensure sign-in and user risk policies are marked as "Resolved through alternate mitigation" to keep your Secure Score intact.

Common Errors and Resolution Steps

The following are possible errors and troubleshooting hints while handling Microsoft 365 Defender Secure Score reports.

Error Permissions required to access.

This error occurs when you lack the necessary permissions or privileges to view the Secure Score dashboard in Microsoft 365 Defender portal.

Fix Please contact your administrator to assign you eligible permissions, such as global roles or security-based roles to access the Secure Score dashboard.

Error Get-MgSecuritySecureScore : Authentication needed.

This error occurs when you attempt to execute the Get-MgSecuritySecureScore cmdlet in PowerShell without connecting to the required modules.

Fix Before using the Get-MgSecuritySecureScore cmdlet, you need to ensure that the Microsoft Graph module is connected or imported in PowerShell.

//Execute the following cmdlet to import the Microsoft Graph PowerShell module.  
Import-Module Microsoft.Graph 
//Use the following cmdlet to connect to the Microsoft Graph PowerShell module.  
Connect-MgGraph

Error Get-MgSecuritySecureScore: Auth token does not contain valid permissions or user does not have valid roles.

This error occurs when an admin tries to get the Secure Score without appropriate permissions in Windows PowerShell.

Fix Execute the following cmdlet to obtain the necessary permissions for using Get-MgSecuritySecureScore.

Connect-MgGraph –Scopes SecurityEvents.ReadWrite.All

Error Looks like you don’t have the right permission to view this page or this feature isn’t part of your organization’s Microsoft 365 subscription.

This error occurs when you do not have the proper licenses required to view the Secure Score dashboard.

Fix Ensure you have a valid license that allows access to the Microsoft Secure Score page.

Azure AD

Frequently Asked Questions

Empower Your Security Strategy with Secure Score Reports and Insights

What is Microsoft Secure Score and who can manage it?

Your Microsoft Secure Score is essential for maintaining your organization's security health. This metric gives security insights and suggestions for improvements, making it crucial for Microsoft 365 admins to regularly review and enhance their security.

What are the license requirements for Microsoft Secure Score?

Microsoft Secure Score is included as a complimentary feature with your Microsoft 365 subscription and is easily accessible with your existing plan. Additional licenses like Microsoft 365 E5 or specific security add-ons may be needed to follow the security recommendations.

Who can manage Microsoft Secure Score?

Secure Score can be viewed and accessed by the following roles according to their access permissions.

How to check your Microsoft Secure Score?

As a Microsoft 365 admin, regularly checking your organization's Secure Score and keeping your security team informed is crucial. Monitoring the Secure Score ensures everyone is aligned and helps maintain effective security measures.

To check and improve your security posture, follow the steps below.

Log in to the Microsoft Defender Portal.
Go to Exposure management»Secure Score.
Check your Secure Score on the Microsoft 365 Secure Score Overview page, displayed as a percentage with achieved points out of the maximum shown below.
You can customize your view of the Secure Score by selecting the "Include" button next to your score. This allows you to see different perspectives on your security performance.
- Planned Score: The projected score when planned actions are completed.
- Current License Score: The score achievable with your current Microsoft license.
- Achievable Score: The score attainable with your current licenses and risk acceptance.
This portal also provides a summary of actions to review, such as what needs to be addressed, what is planned, and any recent additions or updates to your security configurations.
Additionally, you can view comparison trends between your organization and those of similar size with the comparison charts, helping you benchmark your security effectively.

What should be my target Microsoft Secure Score?

Your Microsoft Secure Score should be above 60% to indicate solid security measures that have been implemented. A higher score reflects better security practices and configurations. Understanding what constitutes a good score, how it's calculated, and how it compares to the Microsoft Secure Score industry average will help you set and achieve your target Secure Score.

How is Secure Score Calculated?

Microsoft Secure Score is calculated based on several factors:

Configurations: Security settings like multi-factor authentication, safe documents for Office clients, password protection, and more.
User Behaviors: Secure practices, such as using strong passwords, blocking legacy authentication, avoiding external sharing of calendars, and more.
Third-party Solutions: Integration of complementary security tools.

What is a good Microsoft Secure Score?

80% and above: This is considered as a good secure score. Your Microsoft 365 environment is secure but can still be improved. Regularly review and implement additional recommendations.
60% to 80%: This is a medium score. Your security is close to good but needs further tightening. Follow the recommended actions to enhance your security.
Less than 60%: This score indicates vulnerability. Immediate action is necessary as it reflects significant security risks. Address the risks by implementing the recommendations mentioned to improve your score.

Ideal Secure Score and Practical Considerations

While a 100% Secure Score is the ideal target, achieving it often requires significant investment in additional Microsoft licenses and extensive security configurations. For most small businesses, aiming for a score of 80% is excellent. For example, a small nonprofit with fewer than 100 users with an average score of 44% is acceptable, given their resource constraints.

By leveraging the Microsoft Secure Score benchmark, admins can proactively enhance their organization's security posture and ensure a safer Microsoft 365 environment.

How to increase Secure Score in Microsoft 365?

Weak passwords may expose confidential data that results in financial losses, legal issues, and reputational damage. By following Microsoft's recommendations, admins can mitigate these risks and maintain a secure, user-friendly environment.

Here are some key actions to boost your Microsoft Secure Score status.

Do not allow Exchange Online Calendar details to be shared with external users.
Configure which users can present in Teams Meetings.
Restrict anonymous users from joining meetings.

Also, other key Microsoft 365 recommendations for your organization can be found in the Defender portal under the Exposure management»Secure Score»Recommended actions tab.

While native Microsoft 365 tools provide a basic security foundation, they can be cumbersome to navigate and manage, especially for tracking changes and trends over time.

To overcome the limitations of native methods, AdminDroid offers the Office 365 Secure Score – Security Settings Daily Scores report, providing detailed security insights.

This report offers daily Secure Scores for each security control in your tenant. It provides admins with valuable insights to monitor and enhance their Microsoft 365 security.
It categorizes control settings by areas, such as identity, data, devices, & apps, including metrics like obtained score, maximum score, score percentage, and more.

Will MFA increase my Microsoft 365 Secure Score?

Yes, enabling multi-factor authentication will significantly increase your Microsoft Secure Score. Since MFA adds extra security by requiring multiple authentication methods, Microsoft places a high value on MFA in your Secure Score.

To comply with these recommendations and improve your Secure Score, you can enable MFA in two ways:

Enable MFA using Security Defaults: A baseline security setting automatically enabled by Microsoft.
Enable MFA using Conditional Access Policy: Set CA policies to require MFA based on specific conditions. When implementing Conditional Access MFA, ensure you enforce MFA, including Microsoft admin portals and the Microsoft Azure Management App ID.

Although Microsoft stresses the importance of MFA for improving security, the native Secure Score dashboard doesn't clearly show its impact, making it hard to understand.

Wave goodbye to tedious native methods - AdminDroid makes Secure Score tracking a breeze!

Discover AdminDroid's MFA Registration Score Trend report to see the real impact of MFA adoption among your users. This report details metrics like total users, unregistered users, maximum scores, obtained scores, and more.
It also includes a dedicated Admin MFA Score Trend report based on the number of admin accounts with MFA.

Handy Hint: Effortlessly send reports to your inbox with AdminDroid's email option 📧. Enjoy an instant overview of the report results right in the email body!

How to track Microsoft Secure Score history?

Tracking Microsoft Secure Score history is crucial for enhancing your organization’s security. It helps admins spot trends, prioritize configurations, justify security investments, and ensure transparency for stakeholders.

Here’s how to analyze Secure Score in Microsoft 365 Defender using the History tab in the Secure Score dashboard.

Viewing the History Graph: This tab displays a weekly graph of your organization's Secure Score over time. It helps admins track security changes and quickly address vulnerabilities.
Detailed Actions Table: Below the graph, you will find a table listing all actions taken within the selected time range. This table includes details such as the actions taken, resulting points, and the category of each action. You can also adjust the date range and filter by category using the 'Filter' option. The 'Group by' feature helps to organize your data, making it easier for admins to focus on specific areas that need attention.
Viewing Recommended Action Details: To view more details about a specific action, select the recommended action from the table. A flyout pane will appear, providing insights into the recommendation. It also shows how the Secure Score points have changed over time due to that particular action, helping admins understand its impact and focus on necessary changes.
Checking the History of a Particular Action: In the flyout pane, you will find a ‘History’ link. Clicking this link allows you to view the history of a particular action, showing how it has changed over time. This feature is particularly useful for admins to track the effectiveness of implemented actions and ensure continuous security improvement.

By following these steps, you can effectively track the history of your Microsoft Secure Score, understand the impact of actions taken, and identify areas for further improvement.

What is Identity Secure Score and how to check it?

Identity Secure Score is a metric within Microsoft Entra ID (Azure AD) platform that assesses an organization's identity security. It offers insights and recommendations to improve security, with scores ranging from 0 to 223. These scores reflect real-time monitoring of implemented security controls.

How to view Identity Secure Score?

Log in to the Microsoft Entra admin center.
In the left-hand menu, select Identity and then click on Overview.
Move to the Recommendations tab to view your Identity Secure Score and see recommendations for improving it.

How to achieve a 100% Identity Secure Score in Microsoft 365?

To improve your Identity Secure Score, focus on implementing the following steps:

Designate the Right Number of Global Admins: Ensure only the necessary number of global admins (Microsoft recommends 2-4 global admins) to minimize exposure.
Use Least Privileged Admin Roles: Assign the least privileged roles needed for specific tasks to enhance security.
Utilize Privileged Identity Management (PIM): Use PIM for groups to protect and secure admin accounts with strong authentication and monitoring.
Require MFA for Administrative Roles: Enforce multi-factor authentication for all administrative roles to add an extra layer of protection.
Restrict User Consent to Applications: Manage user consent to applications in Microsoft 365 by blocking consent to unreliable apps and preventing potential security risks.
Implement Sign-In User Risk Conditional Access Policy: Set up risk-based Conditional Access policies to automatically respond to risky sign-in behavior.
Monitor and Respond to Alerts: Actively monitor alerts from Azure AD Identity Protection and respond promptly to potential vulnerabilities and threats.
Implement Single Sign-On (SSO): Use SSO to secure applications and ensure seamless and secure access management.

By focusing on these strategies, organizations can enhance their Identity Secure Score and strengthen overall identity security within Azure AD.

What is the difference between Secure Score and Compliance Score?

The Microsoft 365 Compliance Score and Secure Score are both essential tools provided by Microsoft to help organizations assess security & compliance postures. However, they focus on different areas, as outlined below.

Secure Score

The Secure Score evaluates an organization’s security state across Microsoft 365 services, including Azure AD, Exchange Online, and SharePoint Online.
The maximum Secure Score is 411.
Secure Score considers only the points you achieve by following the best security practices in Microsoft 365.
Secure Score shows historical data and trends, allowing you to track the impact of your security improvements over time.
The primary goal is to enhance overall security by following best practices, such as enabling MFA, using Conditional Access, etc.

Compliance Score

The Compliance Score, calculated through the Microsoft Compliance Manager portal, helps organizations manage their compliance with regulatory requirements and standards.
The highest possible Compliance Score is 22,460.
Compliance Score includes both the points you achieve and Microsoft-managed points. The Microsoft-managed points are the points earned through Microsoft’s cloud service provider controls.
Compliance Score does not offer a dedicated view of historical data and trends.
This helps organizations to stay compliant with legal and regulatory standards, such as ISO, GDPR, and more.

In summary, Secure Score enhances security practices, while Compliance Score ensures regulatory adherence. Both tools are required for maintaining a robust security and compliance in your Microsoft 365 environment.