Microsoft gives every M365 tenant a Secure Score — a live, continuously updated measure of your security posture. Most SMBs have never looked at it. Here's how to find it, what it means, and what to do if it's low.
How to find your Secure Score
You need to be a Global Administrator or Security Administrator to access this.
- Go to security.microsoft.com
- Sign in with your M365 admin credentials
- In the left navigation, click Secure score
- Your current score is shown as a percentage and a number out of a possible total
That's it. You're looking at a real-time assessment of your tenant's security configuration against Microsoft's recommended controls.
What the score actually means
Secure Score is calculated based on the security controls you have configured across your M365 environment. Each control has a point value — enabling MFA might be worth 10 points, configuring Conditional Access another 15, and so on.
The score is expressed as a percentage of the maximum achievable for your licence type. A score below 30% is a significant concern. A score between 30% and 50% is common but improvable. Above 60% indicates a reasonably mature security posture.
What matters more than the number itself is the list of recommended actions — each one tells you exactly what to fix and how much it will improve your score.
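The arithmetic described above, as an added example that is not part of the original article: it turns a score snapshot into the percentage, applies the bands quoted here, and ranks the open actions by how much each would add. The field names follow the Microsoft Graph secureScore and secureScoreControlProfile resources; the control ids, titles and point values are constructed, and matching controlName to profile id is an assumption of this sketch.

```python
# Constructed sample shaped like one Microsoft Graph secureScore object.
# Control ids, titles and point values are invented for illustration.
SNAPSHOT = {
    "currentScore": 20.0,
    "maxScore": 50.0,
    "controlScores": [
        {"controlName": "sample-mfa", "score": 0.0},
        {"controlName": "sample-conditional-access", "score": 3.0},
        {"controlName": "sample-block-legacy-auth", "score": 10.0},
        {"controlName": "sample-separate-admins", "score": 5.0},
        {"controlName": "sample-external-sharing", "score": 2.0},
    ],
}
# Constructed secureScoreControlProfile-style records: maximum points per control.
PROFILES = [
    {"id": "sample-mfa", "title": "Enforce MFA", "maxScore": 10.0},
    {"id": "sample-conditional-access", "title": "Configure Conditional Access", "maxScore": 15.0},
    {"id": "sample-block-legacy-auth", "title": "Block legacy authentication", "maxScore": 10.0},
    {"id": "sample-separate-admins", "title": "Separate admin accounts", "maxScore": 5.0},
    {"id": "sample-external-sharing", "title": "Restrict external sharing", "maxScore": 10.0},
]

def percentage(snapshot):
    """Score as a percentage of the maximum achievable for the tenant."""
    if snapshot["maxScore"] <= 0:
        raise ValueError("maxScore must be positive")
    return round(100 * snapshot["currentScore"] / snapshot["maxScore"], 1)

def band(pct):
    """Bands as quoted in the article; it leaves scores from 50% to 60% unlabelled."""
    if pct < 30:
        return "significant concern"
    if pct <= 50:
        return "common but improvable"
    if pct > 60:
        return "reasonably mature"
    return "not banded by the article"

def open_actions(snapshot, profiles):
    """Controls with points still available, largest gain first."""
    achieved = {c["controlName"]: c["score"] for c in snapshot["controlScores"]}
    rows = []
    for p in profiles:
        gap = p["maxScore"] - achieved.get(p["id"], 0.0)  # unseen control = 0 points
        if gap > 0:
            rows.append((p["title"], gap, round(100 * gap / snapshot["maxScore"], 1)))
    return sorted(rows, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    pct = percentage(SNAPSHOT)
    print(f"{pct}% ({band(pct)})")
    for title, gap, gain in open_actions(SNAPSHOT, PROFILES):
        print(f"  +{gap:g} pts (+{gain}%)  {title}")
```
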
The most common quick wins
In almost every SMB tenant we audit, the same issues come up:
- MFA not enforced — this is the single highest-impact control and surprisingly often not configured correctly
- Legacy authentication not blocked — older email protocols bypass MFA entirely and are a significant vulnerability
- No Conditional Access policies — without these, any device anywhere can authenticate to your tenant
- Admin accounts used for daily tasks — privileged accounts should be separate and used only when needed
- SharePoint external sharing too permissive — often set to allow sharing with anyone, which creates data exposure risk
What to do with this information
The recommended actions list in Secure Score is a useful starting point, but it doesn't tell you the full story. Some actions have a high point value but low practical impact for your specific business. Others are technically complex to implement without breaking existing workflows.
That's where a proper M365 audit adds value — not just reading the score, but understanding which improvements matter most for your environment, your risk profile, and your people.
If your score is below 40% and you want to understand what it would take to improve it, book a free discovery call. We'll walk through what we typically find in businesses like yours and give you a realistic view of what's achievable.
Want a full picture of your M365 security posture?
The BlueArc Discovery engagement includes a complete security posture review — not just Secure Score, but a structured audit of your entire M365 configuration aligned to Cyber Essentials.