Every Microsoft 365 tenant has a security score. It's a number out of 100 that tells you how well your environment is configured. Most businesses we look at sit around 30 to 40 — not because they don't care, but because nobody told them this thing existed.

Here's how to find yours and what to do with it.

Where to find it

Go to security.microsoft.com and sign in with your admin account.

In the left menu, click Secure Score. You'll see your current score, a breakdown by category (Identity, Device, App, Data), and a list of recommended actions ranked by impact.

If you can't see it, you need at least Security Reader permissions in Entra ID.

What the score means

It's not a pass/fail. A score of 40 doesn't mean you're about to get hacked. It means there are security features available in your licence that you haven't turned on yet.

The score is relative to what's available in your plan. If you're on Business Premium, you'll have more potential points than someone on Business Basic because you have more security tools available.

Quick wins to improve it

The recommended actions list is sorted by impact. The top items are usually:

• Enable MFA for all users — this alone can jump your score significantly

• Block legacy authentication protocols — old mail clients that bypass MFA

• Enable self-service password reset — reduces help desk load and improves security

• Turn on audit logging — so you can actually see what's happening in your tenant

• Set up Conditional Access policies — control where and how people sign in

How often to check it

Microsoft updates the score daily. Worth checking monthly at minimum. If you're actively making changes, check weekly to see the impact.

Some actions take 24 to 48 hours to reflect in the score after you've made the change.

What we typically do

When we onboard a new managed services client, the Secure Score review is one of the first things we do. We go through each recommendation, work out what's relevant to your business, and configure it properly.

Most businesses jump from 30-40 to 60-70 without spending an extra dollar — it's just configuration.

If you want us to run through yours, reach out for a free security review.