// the numbers
Before & after
Starting score: 34% (~170 / 500 pts)
Default M365 config · No MFA · No CA policies
Final score: 81% (~405 / 500 pts)
MFA enforced · CA framework · Defender configured
// overview
Why Secure Score matters for SMBs
Microsoft Secure Score is a measurement of an organisation's security posture relative to the controls available in their licence. A score of 34% on M365 Business Premium means roughly two-thirds of the security controls included in the licence are switched off or misconfigured.
Secure Score is one of the first things I pull up when auditing a new tenant. It gives an immediate, quantified picture of what's misconfigured or switched off, and as improvements are made, the number moves in real time. It's one of the clearest ways to show progress on a security engagement.
⚠️ 34% is typical for an unconfigured tenant. Most SMBs that buy M365 Business Premium without dedicated IT sit at this score by default. Microsoft enables just enough to function, but not enough to be properly secure.
// approach
Four-phase improvement plan
Improvements were tackled in order of impact and risk: quick wins first, then the more complex configurations that need testing before being enforced.
1. Enable MFA registration for all users (Security Defaults or per-user MFA)
2. Disable Security Defaults and move to Conditional Access (prevents overlap)
3. Block legacy authentication protocols (Exchange Online, SharePoint)
4. Enable self-service password reset (SSPR) for all users
5. Remove unused global admin accounts and excess privileged roles
6. Deploy Conditional Access framework (9 policies, covered in the CA Framework project)
7. Enable Microsoft Authenticator as the default MFA method, disable SMS
8. Configure named locations and mark office IPs as trusted
9. Enable number matching and additional context for Authenticator push
10. Review and remove stale guest accounts from Entra ID
11. Enable Entra ID Identity Protection with user and sign-in risk policies
12. Enrol all Windows devices into Intune via Autopilot or manual enrolment
13. Deploy Intune compliance policy (BitLocker, Defender AV, OS version, PIN)
14. Enable Microsoft Defender for Business with all protection features switched on
15. Configure Defender attack surface reduction (ASR) rules in Audit mode first
16. Enable Endpoint Detection and Response (EDR) via Defender for Endpoint
17. Deploy BitLocker encryption policy via Intune, store recovery keys in Entra ID
18. Enable Microsoft Purview sensitivity labels for email and documents
19. Configure a basic DLP policy to block external sharing of financial and personal data
20. Enable Exchange Online Protection with anti-phishing, anti-spam, and Safe Links
21. Enable Defender for Office 365 with Safe Attachments in Dynamic Delivery mode
22. Configure SPF, DKIM, and DMARC records for the domain
23. Set SharePoint external sharing to "Existing guests only"
// top actions
Highest-impact single actions
Not all Secure Score actions are equal. These are the ones with the biggest point return relative to effort.
| Action | Points | Effort |
|---|---|---|
| Require MFA for all users (via CA) | +28 pts | Medium |
| Block legacy authentication | +10 pts | Low |
| Enable Defender for Business (all features) | +9 pts | Low |
| Enable number matching on Authenticator | +9 pts | Low |
| BitLocker on all managed devices | +7 pts | Medium |
| DMARC policy set to reject/quarantine | +5 pts | Low |
| Enable Safe Attachments for O365 | +4 pts | Low |
| Reduce global admin count to 2 | +4 pts | Low |
| Enable Intune compliance policies | +4 pts | Medium |
| Enable Identity Protection risk policies | +3 pts | Medium |
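As an added example (not the author's own tooling), a Python script that computes the headline percentage from the before/after point totals above and ranks unfinished controls by points returned per unit of effort, the way the table above is ordered. It assumes a simplified version of the shapes Microsoft Graph returns from /security/secureScores and /security/secureScoreControlProfiles; the control identifiers and figures are constructed sample data.

```python
"""Rank Secure Score actions by points recovered per unit of effort."""
from dataclasses import dataclass
# Graph reports implementationCost as Low/Moderate/High; the table above says Medium.
EFFORT_WEIGHT = {"Low": 1.0, "Medium": 2.0, "Moderate": 2.0, "High": 3.0}

@dataclass
class Action:
    name: str
    points_available: float
    effort: str
    @property
    def return_on_effort(self) -> float:
        return self.points_available / EFFORT_WEIGHT.get(self.effort, 3.0)

def score_percent(current: float, maximum: float) -> int:
    """Secure Score as the whole-number percentage shown in the portal headline."""
    if maximum <= 0:
        raise ValueError("maxScore must be positive")
    return round(100 * current / maximum)

def rank_actions(secure_score: dict, profiles: list[dict]) -> list[Action]:
    """Join controlScores to control profiles; return unfinished controls, best return first."""
    profile_by_id = {p["id"]: p for p in profiles}
    actions = []
    for cs in secure_score["controlScores"]:
        profile = profile_by_id.get(cs["controlName"])
        if profile is None:
            continue  # no profile for this control: nothing to recommend
        gap = profile["maxScore"] - cs["score"]
        if gap <= 0:
            continue  # control already fully implemented
        actions.append(Action(profile["title"], gap, profile.get("implementationCost", "High")))
    return sorted(actions, key=lambda a: a.return_on_effort, reverse=True)

# Constructed sample data in a simplified Graph shape (not a real tenant export).
SAMPLE_SCORE = {
    "currentScore": 170.0, "maxScore": 500.0,
    "controlScores": [
        {"controlName": "MFARegistrationV2", "score": 0.0},
        {"controlName": "BlockLegacyAuthentication", "score": 0.0},
        {"controlName": "AdminMFAV2", "score": 10.0},
        {"controlName": "IntuneCompliancePolicy", "score": 0.0},
    ],
}
SAMPLE_PROFILES = [
    {"id": "MFARegistrationV2", "title": "Require MFA for all users", "maxScore": 28.0, "implementationCost": "Moderate"},
    {"id": "BlockLegacyAuthentication", "title": "Block legacy authentication", "maxScore": 10.0, "implementationCost": "Low"},
    {"id": "AdminMFAV2", "title": "Require MFA for administrative roles", "maxScore": 10.0, "implementationCost": "Low"},
    {"id": "IntuneCompliancePolicy", "title": "Enable Intune compliance policies", "maxScore": 4.0, "implementationCost": "Moderate"},
]
```

Controls that are already fully scored (AdminMFAV2 in the sample) drop out of the ranking, so the output is only the work still to do.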
// trade-offs
What was deliberately skipped
The goal was not the maximum Secure Score at any cost. Some actions were skipped because they would cause more disruption than benefit for an SMB with this profile.
⏭ Privileged Identity Management (PIM)
Requires Entra ID P2. Valuable, but adds overhead for small IT teams. Recommended as a future upgrade once the P1 baseline is solid.
⏭ Microsoft Purview full DLP suite
Complex to configure correctly for SMBs without a defined data classification policy. Basic sensitivity labels were deployed; full DLP was left for a follow-on engagement.
⏭ ASR rules in enforcement mode
Attack surface reduction rules were deployed in Audit mode first, because several rules broke legitimate LOB applications in testing. The enforcement phase is planned after a full audit period.
⏭ Intune MAM for personal devices
Mobile Application Management adds value but requires a change management process with end users. Left out of scope for this engagement to avoid user pushback.
💡 81% is a realistic target for M365 Business Premium. Getting from 81% to 90%+ requires P2 licences (PIM, full Identity Protection) and more complex configurations that may not be cost-effective for smaller businesses.