L18. Microsoft Security Score
Course outlineLesson 18 of 18
Microsoft Security Score measures your organisation's security posture across Microsoft 365, Entra ID, and Defender products. The AZ-500 tests score calculation, improvement actions, and the difference between score gaming and genuine hardening.
What Is Microsoft Security Score?
Microsoft Security Score is a measurement of your security posture based on your configuration across Microsoft 365 services, Entra ID, and Defender products. It lives at security.microsoft.com under Secure Score.
Score = (achieved points / total possible points) x 100
Improvement Actions
Each improvement action has:
- Points: How much the action contributes to your score
- Category: Identity, Data, Device, Apps, Infrastructure
- Implementation status: To address / In progress / Risk accepted / Planned / Resolved through third party
Common high-value improvement actions the exam tests:
- Require MFA for all users (Identity: highest point value)
- Enable self-service password reset (Identity)
- Block legacy authentication (Identity)
- Enable audit log data (Data)
- Enable Microsoft Defender for Office 365 (Apps)
Score vs Real Security
Exam trap: Actions such as "Mark as Risk Accepted" or "Resolved through third party" improve your score without implementing controls. A score of 80% does not mean 80% security: it means 80% of Microsoft's recommended controls are reported as addressed.Score Relationships
| Product | Score Feed |
|---|---|
| Entra ID | Identity actions (MFA, CA, PIM) |
| Microsoft 365 | Apps and data actions |
| Defender for Endpoint | Device actions |
| Defender for Cloud | Infrastructure actions (separate Secure Score) |
- ✓Score = achieved points / total points x 100: spans M365, Entra ID, and Defender products
- ✓"Risk Accepted" and "Resolved through third party" improve the score without implementing controls
- ✓MFA for all users is typically the highest-point improvement action in the Identity category
- ✓Microsoft Security Score (M365/Entra) and Defender for Cloud Secure Score (Azure resources) are separate metrics
- ✓The score reflects self-reported and detected control states: it is a management KPI, not a security guarantee
1. How is Microsoft Security Score calculated?
2. An improvement action is marked 'Risk accepted'. What does this mean?
3. Microsoft Security Score covers improvement actions across which products?
Recommended: Pluralsight
This free course covers the theory. Pluralsight adds structured video courses, hands-on Azure labs, and timed practice exams to make it stick before exam day.