The MSP Guide to Microsoft Secure Score Optimization

March 25, 2026 | 6 min read


Microsoft Secure Score is a critical metric for demonstrating security posture to clients and identifying security gaps across Microsoft 365 environments. For MSPs managing multiple tenants, optimizing Secure Score isn’t just about numbers—it’s about systematically closing security vulnerabilities and improving your clients’ overall protection.

This guide provides actionable strategies to improve Secure Score and implement security recommendations across your client base.

Understanding Microsoft Secure Score

What is Secure Score?

Microsoft Secure Score measures your security posture as a list of improvement actions, each worth a fixed number of points. The maximum possible score is not fixed: it depends on which Microsoft products are licensed in the tenant, so the portal also reports your score as a percentage of the points available to you. That percentage, not the raw number, is the figure to compare across tenants. The score reflects:

  • Email and data security (Exchange, SharePoint, OneDrive)
  • Devices and applications (Intune, Microsoft Defender)
  • Identity and access (Azure AD, now Microsoft Entra ID; Conditional Access)
  • Cloud apps and services (Teams, Power BI)
  • Overall risk reduction

Why It Matters:

  • Most tenants sit well below their maximum; the portal shows a comparison against organizations like yours and the global average, so there is always room for improvement
  • Each improvement reduces real breach risk
  • Clients expect security leadership from their MSP
  • Demonstrates ROI of your security services
  • Helps prioritize security investments

Where to Access Secure Score

  1. Sign in to the Microsoft Defender portal (https://security.microsoft.com) and open Secure score; the older "Microsoft 365 Defender" and "Security Center" entry points redirect here
  2. You need a role such as Global Reader, Security Reader or Security Administrator. Secure Score is available across Microsoft 365 business and enterprise plans, but which improvement actions appear depends on the products licensed in the tenant
  3. For client tenants, open the same page through your delegated (GDAP) access rather than a shared global admin account

You’ll see:

  • Current score and target score comparison
  • Breakdown by security category
  • List of improvement actions with point values
  • Implementation difficulty and progress tracking

High-Impact Improvement Actions (Start Here)

Not all improvement actions carry equal weight. Focus on these high-value items first. The point values below are approximate: Microsoft revises action weights and adds new actions over time, so treat the portal's current value for each action as authoritative.

1. Enable Multi-Factor Authentication (MFA) - 10 Points

Implementation:

  1. Microsoft Entra admin center > Protection > Conditional Access > Create new policy (requires Microsoft Entra ID P1, included in Business Premium and E3/E5; tenants without P1 should turn on Security Defaults instead)
  2. Name: "Require MFA for All Users"
  3. Include: All users. Exclude: break-glass (emergency access) accounts, which must never be subject to MFA or Conditional Access enforcement
  4. Target resources: All cloud apps
  5. Grant: Require multifactor authentication
  6. Enable policy: Report-only first, then On once the report-only results in the sign-in logs show no unexpected blocks

Timeline: 1-2 weeks (includes user enrollment period)

Business Impact: Microsoft's telemetry shows MFA stops well over 99% of automated account-compromise attempts, making it the highest-ROI single control. The caveat: push and SMS MFA can still be phished through adversary-in-the-middle proxies that relay the whole session, so plan to move admins first, and eventually everyone, to phishing-resistant methods (FIDO2 keys, Windows Hello for Business, passkeys).

2. Block Legacy Authentication - 10 Points

Implementation:

  1. Create Conditional Access policy: "Block Legacy Authentication"
  2. Conditions > Client apps: Exchange ActiveSync clients and Other clients (the latter covers IMAP, POP, SMTP AUTH and older Office clients that cannot do modern authentication)
  3. Grant: Block access
  4. Enable policy: Report-only first; review the sign-in logs for legacy-protocol sign-ins that would have been blocked, then switch to On

Timeline: Same day for tenants already on Outlook and Teams. Exchange Online has had basic authentication turned off for most protocols since late 2022; this policy closes what remains (SMTP AUTH in particular, which can still be enabled per mailbox) and stops it from quietly coming back.

Business Impact: Legacy protocols cannot perform MFA, so a sprayed or leaked password alone is enough to sign in through them. Blocking them removes the standard MFA bypass; password spray against modern endpoints is still possible but now stops at the MFA prompt.

3. Enable Microsoft Defender for Office 365 (formerly Office 365 ATP) - 10 Points

Requires a Defender for Office 365 Plan 1 or Plan 2 license (included in Microsoft 365 Business Premium and E5; E3 needs the add-on). The related improvement actions only appear in Secure Score for licensed tenants.

Fastest route:

  1. Defender portal > Email & collaboration > Policies & rules > Threat policies > Preset security policies
  2. Turn on the Standard (or Strict) preset and assign it to all users; it configures anti-phishing, Safe Links and Safe Attachments with Microsoft's recommended settings in one step

Manual route and extra settings:

  1. Threat policies > Safe Attachments > Global settings: turn on "Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams" so files already in SharePoint, OneDrive and Teams are scanned too
  2. Threat policies > Anti-phishing: enable impersonation protection for the client's executives and domains, plus mailbox intelligence
  3. Threat policies > Safe Links: enable URL rewriting and click-time scanning, and do not allow users to click through to the original URL
  4. Threat policies > Safe Attachments: use the Block action, not Monitor

Timeline: 1 day

Business Impact: Detonates attachments and checks links at click time, cutting off the email phishing and malware delivery channel that is the most common initial access route.

4. Enable Audit Logging - 10 Points

Implementation:

  1. Microsoft Purview portal > Audit. If auditing is off you will see a "Start recording user and admin activity" banner; click it. New tenants have auditing on by default, but verify it on every tenant you onboard
  2. Verify: the banner disappears and an audit search returns recent events (allow up to an hour after enabling)
  3. Retention: Audit (Standard) keeps 180 days (raised from 90 in late 2023); Audit (Premium, E5) keeps one year and can be extended with audit retention policies. For incident response, 180 days is the floor, not the target
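The same check and fix from PowerShell, which is how you will do it across many client tenants. This is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module is installed and that the account holds a role with audit log rights (Global Administrator or Compliance Administrator).

```powershell
# Added example (not from the original post): verify and enable the unified audit
# log with the ExchangeOnlineManagement module, then prove events are being recorded.
# Assumes the module is installed and the account has audit log permissions.
Connect-ExchangeOnline -ShowBanner:$false

$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Host "Unified audit log is OFF - enabling"
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    # Allow up to an hour for the change to apply and for events to start appearing.
} else {
    Write-Host "Unified audit log already enabled"
}

# Sanity check: pull the last 24 hours of admin and user activity. An empty result
# on a tenant that reports 'enabled' deserves investigation (brand-new tenant, or
# the account lacks permission to search the log).
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -ResultSize 50
Write-Host ("{0} audit events returned for the last 24h" -f @($events).Count)
$events | Select-Object CreationDate, UserIds, Operations, RecordType | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Record the before and after state per tenant; the "enabled" check is a Secure Score action in its own right, and the search result is your evidence that logs will exist when an incident lands.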

Timeline: Same day

Business Impact: Enables incident investigation and compliance requirements.

5. Require Password Change for Risky Users - 10 Points

Implementation (requires Microsoft Entra ID P2 / Identity Protection):

  1. Microsoft Entra admin center > Protection > Conditional Access > Create new policy (Microsoft now recommends a Conditional Access policy with the User risk condition over the older Identity Protection "User risk policy" page)
  2. Include: All users. Exclude: break-glass accounts
  3. Conditions > User risk: High (Microsoft's recommendation; use Medium and above for the separate sign-in risk policy, where the response is an MFA prompt rather than a password reset)
  4. Grant: Require multifactor authentication AND Require password change
  5. Enable policy: Report-only, then On
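The three Conditional Access policies from sections 1, 2 and 5 (MFA for all users, block legacy authentication, forced password change on high user risk), created together with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original post. It assumes the Microsoft.Graph module is installed, that the tenant has Entra ID P1 (P2 for the user-risk policy), and that a break-glass exclusion group named "CA-Exclude-BreakGlass" exists; that group name is a placeholder.

```powershell
# Added example (not from the original post): create the Conditional Access
# policies from sections 1, 2 and 5 with Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; Entra ID P1 (P2 for user risk);
# the break-glass group name below is hypothetical.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Never lock yourself out: exclude the emergency-access accounts from every policy.
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-Exclude-BreakGlass'"
if (-not $breakGlass) { throw "Break-glass group not found; create it before deploying Conditional Access." }

# Every policy starts in report-only mode. Switch to 'enabled' only after reviewing
# the report-only results in the sign-in logs.
$state = "enabledForReportingButNotEnforced"

$policies = @(
    @{  # Section 1: MFA for everyone, on every cloud app
        displayName   = "CA001 - Require MFA for all users"
        state         = $state
        conditions    = @{
            users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
            applications = @{ includeApplications = @("All") }
        }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    },
    @{  # Section 2: block legacy authentication (EAS plus "other clients": IMAP, POP, SMTP AUTH, old Office)
        displayName   = "CA002 - Block legacy authentication"
        state         = $state
        conditions    = @{
            users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("exchangeActiveSync", "other")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    },
    @{  # Section 5: high user risk -> MFA, then a forced password change (Entra ID P2)
        displayName   = "CA003 - High user risk requires password change"
        state         = $state
        conditions    = @{
            users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
            applications   = @{ includeApplications = @("All") }
            userRiskLevels = @("high")
        }
        # Graph only accepts passwordChange when it is combined with mfa under the AND operator.
        grantControls = @{ operator = "AND"; builtInControls = @("mfa", "passwordChange") }
    }
)

foreach ($p in $policies) {
    # Idempotent: re-running the script on a tenant must not create duplicates.
    $existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($p.displayName)'"
    if ($existing) { Write-Host "Skipping existing policy: $($p.displayName)"; continue }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host "Created $($created.DisplayName) [$($created.State)] id=$($created.Id)"
}
```

Run it under report-only for at least a week, then flip the `state` of each policy to `enabled` with `Update-MgIdentityConditionalAccessPolicy` once the sign-in log's "Report-only" tab shows only the sign-ins you expect to be affected.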

Timeline: Immediate for cloud-only tenants. Hybrid tenants must have password writeback enabled in Microsoft Entra Connect first, or users cannot complete the required change and end up locked out.

Business Impact: Proactively removes attackers from compromised accounts.

Medium-Impact Improvements (10-15 Points Each)

6. Enable Device Compliance Policies - 15 Points

Implementation:

  1. Intune admin center > Devices > Compliance > Create policy
  2. Name: "Windows Baseline Compliance" (adjust per client vertical, e.g. healthcare)
  3. Platform: Windows 10 and later
  4. Required settings:
    • Require a password to unlock mobile devices: Require
    • Minimum password length: 8 (or rely on Windows Hello for Business with a PIN policy)
    • Require encryption of data storage on device (BitLocker): Require
    • Minimum OS version: the client's current patch baseline (this is how "up to date" is enforced in a compliance policy; there is no separate "require security updates" switch)
    • Microsoft Defender Antimalware, real-time protection and Firewall: Require
  5. Actions for noncompliance: mark the device noncompliant after a short grace period (24 hours) so users are warned before access is cut off
  6. Pair it with a Conditional Access policy that requires a compliant device; on its own a compliance policy only labels devices, it restricts nothing
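The same Windows compliance policy created through Microsoft Graph, so it can be stamped onto every client tenant identically. This is an added example, not code from the original post; it assumes the Microsoft.Graph module, Intune licensing, and an account with DeviceManagementConfiguration.ReadWrite.All. The property names follow the Graph windows10CompliancePolicy resource; the minimum OS build is a placeholder to replace with the client's patch baseline.

```powershell
# Added example (not from the original post): create the Windows compliance policy
# from section 6 via Microsoft Graph. Assumes the Microsoft.Graph module and Intune
# licensing; property names are those of the windows10CompliancePolicy resource.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$policy = @{
    "@odata.type"            = "#microsoft.graph.windows10CompliancePolicy"
    displayName              = "Windows Baseline Compliance"
    description              = "Password, BitLocker, OS baseline, Defender and firewall"
    passwordRequired         = $true
    passwordMinimumLength    = 8
    passwordBlockSimple      = $true
    bitLockerEnabled         = $true          # evaluated through Device Health Attestation
    storageRequireEncryption = $true
    secureBootEnabled        = $true
    osMinimumVersion         = "10.0.19045"   # hypothetical floor; set to the client's patch baseline
    activeFirewallRequired   = $true
    defenderEnabled          = $true
    rtpEnabled               = $true          # Defender real-time protection
    antivirusRequired        = $true
    antiSpywareRequired      = $true
    # Graph rejects a compliance policy that has no scheduled action. 'block' with a
    # 24 h grace period is what marks the device noncompliant, which is the state
    # Conditional Access then acts on.
    scheduledActionsForRule  = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{
                    actionType                = "block"
                    gracePeriodHours          = 24
                    notificationTemplateId    = ""
                    notificationMessageCCList = @()
                }
            )
        }
    )
}

$created = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $policy
Write-Host "Created compliance policy '$($created.DisplayName)' id=$($created.Id)"
```

Assign the new policy to a pilot group in the Intune admin center before the wider rollout, and only then create the "Require device to be marked as compliant" Conditional Access policy that gives it teeth.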

Timeline: 2-3 weeks (device compliance rollout)

Business Impact: Ensures only managed, encrypted, patched devices with Defender running can reach company data, once the policy is enforced through Conditional Access.

7. Enable Mobile Device Management - 10 Points

Implementation:

  1. Intune > Devices > Enrollment
  2. Enable enrollment for iOS, Android, Windows
  3. Create enrollment restrictions for corporate devices
  4. Deploy Company Portal app to users

Timeline: 3-4 weeks (pilot + rollout)

Business Impact: Controls mobile access and enables remote wipe.

8. Implement Conditional Access Policies - Up to 25 Points

Key Policies:

  • Require MFA for specific apps (Teams, SharePoint, Exchange), or for all apps with targeted exclusions
  • Require a compliant or Entra hybrid joined device for email and file access
  • Block sign-ins from countries the client does not operate in (Named locations) and from anonymous/Tor addresses flagged by Identity Protection
  • Require phishing-resistant MFA for admins (Authentication strengths), as the first step toward passwordless

Timeline: 2-4 weeks per policy, including a report-only phase

Business Impact: Enforces who may sign in, from where and on what device, per application, at every sign-in. Conditional Access is an enforcement point, not a detection tool; its value is that a stolen password alone no longer satisfies the conditions.

9. Configure Sharing Controls - 10 Points

Implementation:

  1. SharePoint admin center > Policies > Sharing
  2. Set the SharePoint slider to "Existing guests" as the tenant-wide ceiling (OneDrive cannot be more permissive than SharePoint); "Anyone" links stay off unless a specific site has a documented need
  3. Under "More external sharing settings", limit external sharing to an allow list of domains where the client has known partners
  4. Enable guest access expiration ("Guest access to a site or OneDrive will expire automatically after this many days") and set the default sharing link to "Only people in your organization"
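The sharing settings above applied with the SharePoint Online Management Shell, printing the tenant state before and after so the change can be evidenced. This is an added example, not code from the original post; it assumes the Microsoft.Online.SharePoint.PowerShell module and SharePoint Administrator rights. The admin URL and the partner domain are placeholders.

```powershell
# Added example (not from the original post): apply the section 9 sharing controls
# with the SharePoint Online Management Shell. Admin URL and allowed domain are
# hypothetical; replace them per client.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

$fields = "SharingCapability", "SharingDomainRestrictionMode", "SharingAllowedDomainList",
          "ExternalUserExpirationRequired", "ExternalUserExpireInDays",
          "DefaultSharingLinkType", "PreventExternalUsersFromResharing"

Write-Host "Before:"
Get-SPOTenant | Select-Object $fields | Format-List

# Tenant-wide ceiling: individual sites can be more restrictive than this, never less.
$sharing = @{
    SharingCapability                 = "ExistingExternalUserSharingOnly"  # "Existing guests": no new guests, no Anyone links
    SharingDomainRestrictionMode      = "AllowList"
    SharingAllowedDomainList          = "partner.example"                  # hypothetical partner domain
    ExternalUserExpirationRequired    = $true
    ExternalUserExpireInDays          = 60                                 # guest access to a site/OneDrive expires after 60 days
    DefaultSharingLinkType            = "Internal"                         # default link works only for people in the org
    PreventExternalUsersFromResharing = $true
}
Set-SPOTenant @sharing

Write-Host "After:"
Get-SPOTenant | Select-Object $fields | Format-List

Disconnect-SPOService
```

Keep the "Before" output with the change record: the Secure Score action credits the tenant-level setting, but the before/after pair is what tells a client (or an auditor) exactly what changed and when.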

Timeline: 1 day

Business Impact: Prevents accidental external data exposure.

10. Enable Sensitivity Labels - 10 Points

Implementation:

  1. Microsoft Purview portal > Information protection > Labels
  2. Create labels: Public, Internal, Confidential (order matters: Purview treats labels lower in the list as higher sensitivity)
  3. Configure encryption for Confidential: assign permissions to the client's own users and groups, and test that search, eDiscovery and any third-party tools the client depends on still work with encrypted files before rolling out
  4. Enable auto-labeling for sensitive information types (SSN, payment card, client-specific patterns); auto-labeling policies need Microsoft 365 E5, E5 Compliance or the Information Protection and Governance add-on, so check licensing first

Timeline: 2 weeks (testing + rollout)

Business Impact: Classifies data consistently and encrypts the sensitive tier so a leaked file is unreadable outside the authorized group; labels are also the hook that DLP, retention and Conditional Access (authentication context) policies key on.

Action Plan Template for MSPs

Use this template to systematically improve client Secure Scores:

Month 1: Foundation (40-50 Points)

  • [ ] Enable MFA baseline
  • [ ] Block legacy authentication
  • [ ] Enable audit logging
  • [ ] Enable advanced threat protection
  • [ ] Configure basic sharing controls

Month 2: Identity (30-40 Points)

  • [ ] Implement Conditional Access policies
  • [ ] Require password change for risky users
  • [ ] Configure Azure AD password protection
  • [ ] Implement passwordless sign-in

Month 3: Devices (20-30 Points)

  • [ ] Deploy mobile device management
  • [ ] Implement device compliance policies
  • [ ] Configure managed device access
  • [ ] Deploy Windows Defender/Microsoft Defender

Month 4: Data Protection (20-30 Points)

  • [ ] Enable sensitivity labels
  • [ ] Configure DLP policies
  • [ ] Implement information barriers
  • [ ] Enable retention policies

Client Communication Strategy

Present Secure Score as:

  1. Benchmark: "Your score is 48% of the points available to your tenant; organizations like yours average 58%. Here's our plan to close the gap." (illustrative figures). Quote percentages, not raw points: the raw maximum differs from tenant to tenant with licensing, so raw numbers are not comparable between clients.

  2. Risk Reduction: Tie each action to the attack it stops ("blocking legacy authentication removes the MFA bypass used in password-spray campaigns") rather than quoting a precise breach-risk percentage you cannot source. If you cite a number, cite the study it came from.

  3. Compliance: "Secure Score improvements map directly to controls in [HIPAA/NIST CSF/SOC 2]." Keep a mapping table of improvement action to framework control so the claim holds up in an audit.

  4. ROI: "MFA alone stops more than 99% of automated account-compromise attacks. Across our client base it has blocked N confirmed compromise attempts in the past year." (use your own incident figures)

Monthly Reporting:

  • Show the Secure Score trend as a percentage (it should rise month over month; when it falls without any change on your side, Microsoft has added actions or re-weighted existing ones, so say so rather than let the client read it as regression)
  • Highlight completed improvement actions
  • List upcoming planned improvements
  • Communicate business impact of each improvement
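Pulling the figures for this report from Microsoft Graph rather than screenshotting the portal. This is an added example, not code from the original post; it covers both the "You'll see" list under "Where to Access Secure Score" (current score, maximum, per-action breakdown) and the monthly trend above. It assumes the Microsoft.Graph module and an account with SecurityEvents.Read.All in the client tenant (connect with `-TenantId` per client under delegated access); the 30-day window is an arbitrary choice.

```powershell
# Added example (not from the original post): read Secure Score through Microsoft
# Graph for a monthly client report. Shows the trend over $reportDays days and the
# highest-value improvement actions still open. Assumes the Microsoft.Graph module.
Connect-MgGraph -Scopes "SecurityEvents.Read.All"

$reportDays = 30   # arbitrary window; Graph keeps daily snapshots for up to 90 days

# secureScores returns one snapshot per day, newest first; sort oldest -> newest.
$history = @(Get-MgSecuritySecureScore -Top $reportDays | Sort-Object CreatedDateTime)
$oldest  = $history[0]
$latest  = $history[-1]

$latestPct = [math]::Round(100 * $latest.CurrentScore / $latest.MaxScore, 1)
$oldestPct = [math]::Round(100 * $oldest.CurrentScore / $oldest.MaxScore, 1)
Write-Host ("Secure Score now: {0}/{1} ({2}%); {3} days ago: {4}%" -f `
    [math]::Round($latest.CurrentScore, 1), $latest.MaxScore, $latestPct, $reportDays, $oldestPct)

# A falling number is not automatically regression: Microsoft adds and re-weights actions.
if ($latest.MaxScore -ne $oldest.MaxScore) {
    Write-Host "Note: maximum score changed from $($oldest.MaxScore) to $($latest.MaxScore) in this window."
}

# Control profiles carry each action's max points, user impact and cost; join them to
# the per-control scores in the latest snapshot to rank what is still open.
$profiles = @{}
Get-MgSecuritySecureScoreControlProfile -All | ForEach-Object { $profiles[$_.Id] = $_ }

$gaps = foreach ($c in $latest.ControlScores) {
    $p = $profiles[$c.ControlName]
    if (-not $p -or $p.Deprecated) { continue }
    $remaining = $p.MaxScore - $c.Score
    if ($remaining -le 0) { continue }
    [pscustomobject]@{
        Control    = $p.Title
        Category   = $c.ControlCategory
        Remaining  = [math]::Round($remaining, 1)
        UserImpact = $p.UserImpact
        Cost       = $p.ImplementationCost
    }
}

Write-Host "Top open improvement actions by points remaining:"
$gaps | Sort-Object Remaining -Descending | Select-Object -First 10 | Format-Table -AutoSize
```

Sorting by points remaining, then filtering for low user impact, gives you next month's "upcoming planned improvements" list directly from the data instead of from memory.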

Common Optimization Challenges

Challenge: Users Reject MFA

Solution:

  • Communicate security necessity clearly
  • Provide support materials and training
  • Offer grace period for enrollment
  • Start with lower-risk populations as pilots

Challenge: Legacy Applications Require Old Protocols

Solution:

  • Migrate to modern applications (Outlook instead of IMAP)
  • Where an application genuinely cannot move off basic authentication (scanners and multifunction printers on SMTP AUTH are the usual case), give it a dedicated account excluded from the block policy, restricted by a named location to its source IP, with a long random password and no other mailbox rights; never exclude a whole user population
  • Work with vendors on application updates
  • Document all exceptions and review quarterly
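Finding out which accounts and applications would actually break before the legacy-authentication block leaves report-only mode, so each exception is scoped to a named account and its source address. This is an added example, not code from the original post; it assumes the Microsoft.Graph module, Entra ID P1 (sign-in log retention) and an account with AuditLog.Read.All. The 30-day window is arbitrary, and on a large tenant the sign-in query takes a while.

```powershell
# Added example (not from the original post): inventory successful legacy-auth
# sign-ins over the last 30 days to decide which exceptions the block policy needs.
# Assumes Microsoft.Graph, Entra ID P1 and AuditLog.Read.All.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Anything other than a browser or a modern desktop/mobile client is legacy authentication
# (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, Other clients, ...).
$modern = @("Browser", "Mobile Apps and Desktop Clients")

$legacy = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -notin $modern }

# Only successful sign-ins matter: those are the ones that stop working on enforcement.
# Failed legacy sign-ins are usually password spray, which is the reason for the policy.
$inventory = $legacy |
    Where-Object { $_.Status.ErrorCode -eq 0 } |
    Group-Object UserPrincipalName, ClientAppUsed, AppDisplayName |
    ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            User      = $first.UserPrincipalName
            Protocol  = $first.ClientAppUsed
            App       = $first.AppDisplayName
            SourceIPs = ($_.Group.IPAddress | Sort-Object -Unique) -join ", "
            SignIns   = $_.Count
        }
    } | Sort-Object SignIns -Descending

$inventory | Format-Table -AutoSize

$failed = @($legacy | Where-Object { $_.Status.ErrorCode -ne 0 }).Count
Write-Host "$($inventory.Count) user/protocol/app combinations still succeed over legacy auth; $failed failed legacy attempts in the window."
```

Each row in the output is a decision: migrate the user to a modern client, or give the device its own excluded account pinned to the listed source IPs. Everything not on the list can be blocked today.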

Challenge: Clients Want High Score Without Security Impact

Solution:

  • Explain that real score improvements mean real risk reduction
  • Prioritize user-friendly improvements first
  • Create phased rollout plans
  • Show correlation between score improvements and reduced incidents

Measuring MSP Impact

Track these metrics to demonstrate value:

  • Average client Secure Score improvement: ___
  • Percentage of clients above industry average: ___
  • Security incidents prevented through improvements: ___
  • Client satisfaction with security posture: ___

Conclusion

Microsoft Secure Score is your roadmap for systematically improving client security. By implementing this guide:

  • You’ll close critical security gaps
  • Demonstrate clear security ROI to clients
  • Build competitive advantage in your market
  • Reduce breach risk across your client base

Secure Score improvements aren’t just metrics—they’re real security improvements protecting your clients’ organizations.

Ready to assess your Microsoft 365 security posture? Run a free security assessment at 365 Security Assessment.
