How secure is your Azure AD tenant? If you don't know how to answer this question, read this article to learn how the identity secure score helps you to monitor and improve your identity security posture.

Note! For the most recent version of the official document you can go here.

What is a secure score?

The identity secure score is number between 1 and 130 that functions as indicator for how aligned you are with Microsoft's best practices recommendations for security.

The score helps you to:

  • Objectively measure your identity security posture
  • Plan identity security improvements
  • Review the success of your improvements

You can access the score and related information on the identity secure score dashboard. On this dashboard, you find:

  • Your score

  • A comparison graph

  • A trend graph

  • A list of identity security best practices

By following the improvement actions, you can:

  • Improve your security posture and your score.
  • Take advantage of Microsoft’s Identity features.

The improvement actions take into consideration:

  • Privileged accounts
  • App management
  • Conditional access policies
  • Authentication methods
  • Auditing and reporting

How do I get my secure score?

The Identity Secure Score is available in all editions of Azure AD.

To access your score, go to the Azure AD Overview dashboard.

How does it work?

Every 48 hours, Azure looks at your security configuration and compares your settings with the recommended best practices. Based on the outcome of this evaluation, a new score is calculated for your tenant. This means that it can take up to 48 hours until a configuration change you have made is reflected in your score.

Each recommendation is measured based on your Azure AD configuration. If you are using third-party products to enable a best practice recommendation, you can indicate this in the settings of an improvement action:

Additionally, you also have the option to set recommendations to be ignored if they don't apply to your environment. An ignored recommendation does not contribute to the calculation of your score:

How does it help me?

Using the secure score helps increase your organization's security by encouraging you to use the built-in security features such as:

Learning more about these features as you use the tool will help give you piece of mind that you're taking the right steps to protect your organization from threats.

Customers who are using Secure Score have seen their score increase five times more than customers who aren't using it. (The increase in score corresponds with the security features being used in their organizations.)

What you should know

Who can use Secure Score?

Anyone who has admin permissions (global admin or a custom admin role) for your Azure AD tenant. Users who aren't assigned an admin role can't access the score. However, admins can use the tool to share their results with other people in their organization. We're looking at including other, non-admin roles in the permissions list in the future. If there are specific roles you'd like us to consider, let us know by posting on the Office Security, Privacy & Compliance community.

What does [Not Scored] mean?

Actions labeled as [Not Scored] are ones you can perform in your organization but won't be scored because they aren't hooked up in the tool (yet!). So, you can still improve your security, but you won't get credit for those actions right now.

How often is my score updated?

The score is calculated once per day (around 1:00 AM PST). If you make a change to a measured action, the score will automatically update the next day. It takes up to 48 hours for a change to be reflected in your score.

Who can see my results?

Results are filtered to show scores only to people in your organization who are assigned an admin role (global admin or a custom admin role).

My score changed. How do I figure out why?

On the score analyzer page on the secure score portal, click a data point for a specific day, then scroll down to see the completed and incomplete actions for that day to find out what changed.

Does the Secure Score measure my risk of getting breached?

In short, no. The Secure Score does not express an absolute measure of how likely you are to get breached. It expresses the extent to which you have adopted features that can offset the risk of being breached. No service can guarantee that you will not be breached, and the Secure Score should not be interpreted as a guarantee in any way.

How should I interpret my score?

You're given points for configuring recommended security features or performing security-related tasks (like reading reports). Some actions are scored for partial completion, like enabling multi-factor authentication (MFA) for your users. Your Secure Score is directly representative of the Microsoft security services you use. Remember that security should always be balanced with usability. All security controls have a user impact component. Controls with low user impact should have little to no effect on your users' day-to-day operations.

To see your score history, go to the score analyzer page on the secure score portal. Choose a specific date to see which controls were enabled for that day and what points you earned for each one.

How does the identity secure score relate to the Office 365 secure score?

The Office 365 secure score is about to be migrated into an aggregate of five different scores:

  • Identity
  • Data
  • Devices
  • Infrastructure
  • Apps

The identity secure score represents the identity part of of the Office 365 secure score. This means that your recommendations for the identity secure score and the identity score in Office 365 are the same.

I have an idea for another control. How do I let you know what it is?

We'd love to hear from you. Post your ideas on the Office Security, Privacy & Compliance community. We're listening and want the Secure Score to include all options that are important to you.

Something isn't working right. Who should I contact? If you have any issues, let us know by posting on the Office Security, Privacy & Compliance community. We're monitoring the community and will provide help.

My organization only has certain security features. Does this affect my score?

The Secure Score calculates your score based on the services you purchased. For example, if you only purchased an Exchange Online plan, you won't be scored for SharePoint Online security features. The denominator of the score is the sum of all the baselines for the controls that apply to the products you purchased. The numerator is the sum of all the controls for which you completed, or partially completed, the actions to fulfill that control.

Next steps

If you would like to see a video about the Office 365 secure score, click here.