The 2025 cyberattack on Marks & Spencer is expected to wipe around £300 million off the retailer's operating profit, with weeks of suspended online ordering adding to the losses. Even well-defended organizations can pay dearly after a breach. Secure Score alone cannot make you immune, but it is a sound first step for hardening your tenant, staying compliant and closing gaps. Here is how to use Secure Score, practical automation and compliance mapping to protect your enterprise in 2025.
Microsoft Secure Score is a foundational tool for measuring and improving your Microsoft 365 security posture. Having expanded beyond Office 365 to assess Microsoft Entra ID (formerly Azure AD), Microsoft Defender and Microsoft Intune (formerly Endpoint Manager), Secure Score also aligns closely with major compliance frameworks such as NIST CSF, NIST 800-171, CIS Controls, ISO 27001, NIS 2 and Australia's Essential Eight, making it an essential component of any enterprise risk-reduction strategy.
This playbook offers updated guidance, automation tips and practical quick wins to help enterprise IT and security leaders use Secure Score to follow security best practices, both right away and over the longer term. It also outlines how CoreView enhances Secure Score with deeper visibility, automation and actionable workflows.
Microsoft Secure Score is a security posture measurement built into Microsoft 365 and surfaced in the Microsoft Defender portal. It assigns your tenant a numeric score based on how many of Microsoft's recommended security actions you have implemented, and it lists the improvement actions still open across your M365 workloads.
The score is computed from your security configurations (and, for some actions, observed user and device state), with each recommended action worth a fixed number of points. A higher score means your organization has completed more of the recommended actions; it does not, by itself, prove that those controls are effective or that nothing is misconfigured outside Microsoft's list. According to Microsoft, it is designed to help organizations report on their current state of security, improve their security posture, and benchmark their security and establish key performance indicators.
It is important to note that Secure Score is dynamic. Your own configuration changes, and Microsoft adds, retires and re-weights recommendations, so the score fluctuates to reflect both positive and negative changes, including drops caused simply by new recommendations appearing. Monitoring your security is ongoing work.
Improvements to Secure Score are ongoing. Microsoft adds, retires and re-weights recommendations on a rolling basis, and several enhancements deployed since 2023 have continued into 2024 and 2025. Broadly, these changes include, for example:
In 2025 specifically, Microsoft has introduced several enhancements across identity, governance and usability, including:
More generally, and not exclusively related to Secure Score, Microsoft's Secure Future Initiative (SFI) signals the company's commitment to improving its own security posture. Ongoing changes to Secure Score reflect alignment with SFI's secure-by-design principles, such as stronger identity protection, hardening of token-signing keys (moving them into hardware-backed key stores) and expanded security logging for faster detection.
Around 70% of companies express concern about compliance monitoring, citing the challenges of keeping up with evolving compliance standards in cloud environments as a top security priority.
Compliance with cybersecurity frameworks is critical because it provides a structured, standardized approach to managing and reducing cyber risk and building cyber resilience. Compliance is often seen as fundamentally tied to meeting regulatory requirements, but it is not exclusively about regulatory adherence. It has a number of other benefits, and Secure Score can be a component in aligning your security posture with recognized frameworks.
Some of the key reasons why compliance matters include:
Mapping compliance framework requirements onto Secure Score categories shows that Secure Score is not only a tool for technical improvement. It also eases compliance work and can serve as a control-evidence library that speeds audits and tracks maturity progress:
Knowing best practices and putting them into practice are two different things. The 2025 CoreView State of Microsoft 365 Security survey found that 60% of organizations consider themselves to have advanced security, yet that same 60% experienced the same rate of account compromise as organizations with the most basic security implementations. Throughout the research, a striking disconnect between perceived security maturity and actual protection emerges.
The most common M365 weaknesses and the top attack vectors are the same fixable issues: missing or unenforced MFA, weak email protections, over-privileged admin roles and poorly enforced data loss prevention. Fixing them raises your Secure Score as a side effect.
A 2025 CoreView survey of IT leaders found that a promising 90% have implemented MFA, but only 41% have automated detection and enforcement. Without enforcing MFA organization-wide, this critical piece of the security puzzle is meaningless. After all, Microsoft has reported that more than 99.9% of the compromised accounts it sees did not have MFA enabled.
An even more alarming problem is that several studies report that anywhere from 58 to 75% of large enterprises have at least one admin account without enforced MFA. While MFA should be enforced for everyone in an organization, not enforcing MFA for admin accounts is like leaving a master key under the doormat – just one unsecured admin user is enough for an attacker to access, modify or remove sensitive data, to manage or erase user permissions, install software, or shut down entire systems. A compromised admin account can be catastrophic and have far-reaching business consequences.
Email is inherently insecure, highly targeted, and dependent on user behavior — making it a weak point despite being a critical communication tool.
Humans are easily fooled and therefore an ideal target for social engineering such as phishing, spear phishing and business email compromise. People are trusting and can be careless, clicking links that lead to malware, ransomware and trojans that then spread across an organization. They also receive a lot of email and become fatigued, which lets malicious messages slip through because the user's guard is down.
Technically, email is also an easy target because it is open to external senders by default. It is accessible from anywhere and integrates with many other tools, which widens the attack surface. SMTP itself does not authenticate the sender, so unless SPF, DKIM and DMARC are published for your domains and DMARC is set to enforce (quarantine or reject), messages claiming to come from your organization can easily be spoofed.
Organizations, too, can be careless in that there are often no guardrails in place to detect email-based attacks or note and stop problematic internal email behavior, such as unrestricted external email forwarding.
More than half of global organizations don’t have sufficient restrictions placed on access permissions, which is especially problematic at the admin level. Admin accounts have access to everything – for the same reasons as organizations should mandate MFA on all admin accounts, they should strive to limit admin access as much as possible.
Instead, organizations should adopt a more granular approach to access management that grants just enough access at each level without opening up wider permissions than necessary. Role-based access control, scoped to the users and workloads an administrator actually supports, reduces risk and the potential blast radius if an account is compromised.
Microsoft recommends at least two but fewer than five Global Administrator accounts in any tenant (two of them being dedicated, cloud-only emergency-access accounts), and CoreView research shows that many organizations are moving in the right direction on this front. Many, however, still lack strong oversight processes to bring admin access under control.
There is also a growing problem with Entra applications (service principals) holding broad read-write permissions, which can be almost as damaging as excessive admin privileges. An app granted Microsoft Graph application permissions such as Mail.ReadWrite or Directory.ReadWrite.All has direct, non-interactive access to your tenant, bypasses user MFA entirely and immediately expands the attack surface. Alongside limiting the number of admin accounts, organizations should review and rein in these app permissions.
Data leakage and lax file sharing are often the result of weak controls, human error, or poor visibility. Together, they create vulnerabilities that attackers can exploit—often without needing to break into systems, simply by stumbling on exposed or poorly protected data. Preventing breaches requires a combination of secure technologies, strict policies, and employee awareness.
Emails, cloud storage, messaging apps, or unsecured APIs can all open the door to unauthorized access. With an estimated 70-80% of an organization’s most sensitive data stored in cloud-based Microsoft Office documents, tightening access control and security and implementing audits to avoid breaches is non-negotiable.
According to multiple industry reports, including a 2023 Cloud Security Alliance (CSA) survey, misconfigurations account for anywhere from 25 to 60% of cloud-related security breaches, and Gartner's often-cited prediction holds that through 2025, 99% of cloud security failures will be the customer's fault, largely due to misconfiguration.
Misconfiguration is the number one cloud security concern among more than 60% of organizations. Regardless of the percentage, cross-industry evidence indicates that misconfigurations pose a genuine and ongoing security risk as well as a risk to productivity and operational resilience.
“Even experienced IT pros sometimes fail to understand the true enemy. For instance, viruses, malware and attacks such as DDoS are seen as more likely avenues into the network than other attacks…; …But the often unknown truth is the most common way cyber criminals breach your system is by exploiting misconfiguration.”
Microsoft 365 has over 5,000 configuration types and more than 10,000 individual configuration elements. It would be easy to make a mistake configuring any of these by hand, and virtually impossible to spot misconfigurations by eye.
At the same time, the number of configuration tampering incidents is rising, with Microsoft reporting more than 176,000 such incidents in just one month. How would anyone be able to detect these without automating configuration monitoring? And if you were a victim of configuration tampering, would you be able to restore your baseline configurations?
A recent CoreView survey found that organizations with formal disaster recovery plans were 58% less likely to experience operational disruptions related to misconfigurations – and with formal change processes in place, these orgs also saw 72% fewer security incidents tied to misconfigurations.
Understanding the reality of your security posture and the scale and scope of potential vulnerabilities is the first step toward risk mitigation. And with CoreView, you can boost your Secure Score and start closing the configuration security gap.
According to Microsoft, “Microsoft Secure Score is a reasonably meaningful starting point for measuring and improving your Microsoft 365 security posture. To help you devise a plan for a staged rollout of controls, the tool combines recommendations into five categories: identity, data, devices, apps and infrastructure.”
Your first step toward a better Secure Score is knowing where you stand today, both to benchmark against your own future posture and to compare against Microsoft's built-in benchmarks: the average score across all tenants and the average for tenants of similar seat size.
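As an added example (not from the original article, nor CoreView's or Microsoft's code), the PowerShell below reads the two Microsoft Graph resources behind the Secure Score page, `/security/secureScores` (the score, the two comparison averages and per-control points) and `/security/secureScoreControlProfiles` (each control's maximum points and the compliance frameworks Microsoft maps it to), and produces the benchmark comparison and top-gap list described above. It runs offline on constructed, trimmed sample responses; the control names AdminMFAV2, OneAdmin and BlockLegacyAuthentication are real Microsoft controls, but the point values, averages and framework mappings in the samples are illustrative. The live collection lines assume the Microsoft.Graph PowerShell module and the SecurityEvents.Read.All permission.

```powershell
# Added example: summarise Secure Score against Microsoft's benchmarks and list top gaps.
# Offline by default; the constructed samples below stand in for the Graph responses.

# Constructed sample shaped like GET /v1.0/security/secureScores?$top=1 (trimmed).
$ScoresJson = @'
{ "value": [ {
  "createdDateTime": "2025-06-01T00:00:00Z",
  "currentScore": 312.5, "maxScore": 500, "licensedUserCount": 4200,
  "averageComparativeScores": [
    { "basis": "AllTenants", "averageScore": 248.0 },
    { "basis": "TotalSeats", "averageScore": 290.0,
      "seatSizeRangeLowerValue": "1001", "seatSizeRangeUpperValue": "10000" }
  ],
  "controlScores": [
    { "controlCategory": "Identity", "controlName": "AdminMFAV2", "score": 0,
      "description": "Require multifactor authentication for administrative roles" },
    { "controlCategory": "Identity", "controlName": "OneAdmin", "score": 1,
      "description": "Ensure there are fewer than 5 global admins" },
    { "controlCategory": "Identity", "controlName": "BlockLegacyAuthentication", "score": 4,
      "description": "Block legacy authentication" }
  ] } ] }
'@

# Constructed sample shaped like GET /v1.0/security/secureScoreControlProfiles (trimmed).
# The framework identifiers are real (ISO 27001:2013 A.9.4.2, NIST CSF PR.AC-7, CIS Controls
# v8 6.5 and 5.4); which of them Microsoft attaches to each control is illustrative here.
$ProfilesJson = @'
{ "value": [
  { "id": "AdminMFAV2", "title": "Require MFA for administrative roles", "maxScore": 10,
    "controlCategory": "Identity",
    "complianceInformation": [
      { "certificationName": "ISO 27001:2013", "certificationControls": [ { "name": "A.9.4.2" } ] },
      { "certificationName": "NIST CSF", "certificationControls": [ { "name": "PR.AC-7" } ] },
      { "certificationName": "CIS Controls v8", "certificationControls": [ { "name": "6.5" } ] } ] },
  { "id": "OneAdmin", "title": "Ensure there are fewer than 5 global admins", "maxScore": 1,
    "controlCategory": "Identity",
    "complianceInformation": [
      { "certificationName": "CIS Controls v8", "certificationControls": [ { "name": "5.4" } ] } ] },
  { "id": "BlockLegacyAuthentication", "title": "Block legacy authentication", "maxScore": 8,
    "controlCategory": "Identity",
    "complianceInformation": [
      { "certificationName": "NIST CSF", "certificationControls": [ { "name": "PR.AC-7" } ] } ] }
] }
'@

function Get-SecureScoreSummary {
    param(
        [Parameter(Mandatory)][string]$ScoresJson,
        [Parameter(Mandatory)][string]$ProfilesJson,
        [int]$Top = 5
    )
    $score = (ConvertFrom-Json $ScoresJson).value[0]

    # Index control profiles by id so each controlScore can be joined to its maxScore.
    $profiles = @{}
    foreach ($p in (ConvertFrom-Json $ProfilesJson).value) { $profiles[$p.id] = $p }

    $benchmarks = foreach ($b in $score.averageComparativeScores) {
        $basis = if ($b.basis -eq 'TotalSeats') {
            "Tenants with $($b.seatSizeRangeLowerValue)-$($b.seatSizeRangeUpperValue) seats"
        } else { 'All tenants' }
        [pscustomobject]@{
            Basis   = $basis
            Average = $b.averageScore
            Delta   = [math]::Round($score.currentScore - $b.averageScore, 1)  # positive = above average
        }
    }

    # Gap = points still available on a control. Controls with no profile (retired controls,
    # or a paged profile response that was not fully fetched) are skipped.
    $gaps = foreach ($c in $score.controlScores) {
        $p = $profiles[$c.controlName]
        if (-not $p) { continue }
        $frameworks = foreach ($ci in $p.complianceInformation) {
            "$($ci.certificationName) $(@($ci.certificationControls.name) -join ',')"
        }
        [pscustomobject]@{
            Category   = $c.controlCategory
            Control    = $c.controlName
            Earned     = $c.score
            Max        = $p.maxScore
            Gap        = $p.maxScore - $c.score
            Frameworks = $frameworks -join '; '
        }
    }

    [pscustomobject]@{
        Date       = $score.createdDateTime
        Current    = $score.currentScore
        Max        = $score.maxScore
        Percent    = [math]::Round(100 * $score.currentScore / $score.maxScore, 1)
        Benchmarks = @($benchmarks)
        TopGaps    = @($gaps | Where-Object Gap -gt 0 | Sort-Object Gap -Descending | Select-Object -First $Top)
    }
}

# Live collection (assumption: Connect-MgGraph -Scopes 'SecurityEvents.Read.All' already run).
# secureScoreControlProfiles is paged: follow '@odata.nextLink' until it is absent.
# $ScoresJson   = Invoke-MgGraphRequest -Method GET -OutputType Json -Uri 'https://graph.microsoft.com/v1.0/security/secureScores?$top=1'
# $ProfilesJson = Invoke-MgGraphRequest -Method GET -OutputType Json -Uri 'https://graph.microsoft.com/v1.0/security/secureScoreControlProfiles'

$summary = Get-SecureScoreSummary -ScoresJson $ScoresJson -ProfilesJson $ProfilesJson
$summary | Format-List Date, Current, Max, Percent
$summary.Benchmarks | Format-Table -AutoSize
$summary.TopGaps | Format-Table Category, Control, Earned, Max, Gap, Frameworks -AutoSize
```

Run daily and keep the summary objects, and you have the trend line and the audit evidence the article talks about: the Frameworks column is what you hand an auditor for a given control, and the Delta column tells you whether you are trailing tenants of your own size rather than the all-tenant average, which is dominated by small tenants.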
Understanding where your organization and its security policies stand in relation to the most important compliance frameworks is also helpful in determining what steps you need to take to tighten up your overall security posture.
The CoreView Microsoft 365 Health Check (a complete scan of your tenant to determine security posture, application usage and license state) shows many ways you can boost your Secure Score. The Health Check is an in-depth analysis and offers a Security Action Plan based on the findings. It also includes an enhanced version of the Microsoft Secure Score.
Take a look at some of the biggest security vulnerabilities, which make up a part of a thorough M365 health check:
Below is an example of a Security Compliance Check that dives into some of the security issues many organizations uncover when they start to look under the hood. Consider adopting a tenant-wide security compliance snapshot and set monthly baselines to manage and monitor your tenant security.
Passwords matter for any application, service or environment, but even more so for a Microsoft 365 tenant. Whether your M365 environment is hybrid or cloud-only, you will have cloud users, and for them Microsoft Entra ID is the authentication provider, which is why the right password policy is vital to protecting identities and accounts. Once an M365 password is phished, sprayed or cracked, the attacker has everything that user can reach, and without MFA the password is the only barrier.
The old way of protecting passwords was to demand complexity and force regular changes, often every 90 days. That led users to forget passwords and write them down, or to rotate them predictably (Summer2024!, Autumn2024!), breaches in the making. The newer approach, codified in NIST SP 800-63B, favours length over composition rules, screens new passwords against lists of known-breached passwords, and drops scheduled rotation in favour of event-driven changes: if there is a breach or another security event, affected users are prompted to change their passwords.
In addition to aligning with NIST SP 800-63B policies on passwords and moving toward password best practices, you can tap CoreView to track these events and automatically alert users to update their passwords.
Multi-factor authentication (MFA) is one of the most important security practices you can adopt, and Microsoft Entra multifactor authentication is built into Microsoft 365. MFA is so widely recognized that NIST's digital identity guidelines (SP 800-63B) recommend it, and CISA, part of the US Department of Homeland Security, recommends that all M365 users enable it.
Forward-thinking organizations have deployed MFA to improve user identity security – but just implementing MFA is not enough. Enforcement is critical to success, and today, nearly 60% of organizations that have implemented MFA lack automated enforcement, meaning that their investment in Zero Trust isn’t providing assurance that their user identities are adequately protected.
MFA only works if it is enforced. The finding quoted below comes from CISA's analysis report on Office 365 security observations (AR19-133A), not from NIST: “Multi-factor authentication for administrator accounts not enabled by default: Azure Active Directory (AD) Global Administrators in an M365 environment have the highest level of administrator privileges at the tenant level. Multi-factor authentication (MFA) is not enabled by default for these accounts.” That default has since shifted: security defaults require MFA for administrators in tenants that use them, and in late 2024 Microsoft began requiring MFA for sign-ins to the Azure portal, Entra admin center and Intune admin center. Tenants that turned security defaults off in favour of Conditional Access, and any accounts excluded from those policies, still need MFA enforced explicitly.
CoreView shows how many users have MFA activated, have MFA disabled, and how many users with MFA disabled have administrative roles, which presents a substantial security risk. With CoreView, it is easy to monitor, set, and enforce an appropriate MFA authentication policy.
All users should have MFA, but admin accounts absolutely must. Most organizations struggle with excess admin privileges (and struggle to roll back this access once given), and these roles have access to everything – including the most sensitive data.
“In an environment where there are too many administrators, or elevated-privilege accounts, there is an increased risk of compromise,” according to the Microsoft Inside Track blog. “When elevated access is persistent or elevated-privilege accounts use the same credentials to access multiple resources, a compromised account can become a major breach.”
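The two checks this section keeps returning to, admins without MFA and too many Global Administrators, are easy to script. The PowerShell below is an added example (not from the original article, CoreView or Microsoft) that evaluates both from the objects the Microsoft Graph PowerShell cmdlets return. It runs offline on constructed sample objects shaped like that output; the Global Administrator and Exchange Administrator role template IDs are Microsoft's fixed values, and the live collection lines (commented) assume the Microsoft.Graph.Reports and Microsoft.Graph.Identity.Governance modules with the AuditLog.Read.All and RoleManagement.Read.Directory permissions.

```powershell
# Added example: check admin MFA registration and the Global Administrator count,
# two of the identity controls Secure Score scores. Offline by default.

# Template ID of the built-in Global Administrator role; identical in every tenant.
$GlobalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10'

# Constructed sample shaped like Get-MgReportAuthenticationMethodUserRegistrationDetail output.
$Registrations = @(
    [pscustomobject]@{ Id='u1';  UserPrincipalName='ga-alice@contoso.example';   IsAdmin=$true;  IsMfaRegistered=$true;  MethodsRegistered=@('microsoftAuthenticatorPush') }
    [pscustomobject]@{ Id='u2';  UserPrincipalName='ga-bob@contoso.example';     IsAdmin=$true;  IsMfaRegistered=$false; MethodsRegistered=@() }
    [pscustomobject]@{ Id='u3';  UserPrincipalName='exo-carol@contoso.example';  IsAdmin=$true;  IsMfaRegistered=$false; MethodsRegistered=@() }
    [pscustomobject]@{ Id='u4';  UserPrincipalName='dave@contoso.example';       IsAdmin=$false; IsMfaRegistered=$false; MethodsRegistered=@() }
    [pscustomobject]@{ Id='brk'; UserPrincipalName='breakglass@contoso.example'; IsAdmin=$true;  IsMfaRegistered=$true;  MethodsRegistered=@('fido2SecurityKey') }
)

# Constructed sample shaped like Get-MgRoleManagementDirectoryRoleAssignment output.
# 29232cdf-9323-42fd-ade2-1d097af3e4de is the Exchange Administrator role template ID.
$RoleAssignments = @(
    [pscustomobject]@{ RoleDefinitionId=$GlobalAdminRoleId; PrincipalId='u1';  DirectoryScopeId='/' }
    [pscustomobject]@{ RoleDefinitionId=$GlobalAdminRoleId; PrincipalId='u2';  DirectoryScopeId='/' }
    [pscustomobject]@{ RoleDefinitionId=$GlobalAdminRoleId; PrincipalId='brk'; DirectoryScopeId='/' }
    [pscustomobject]@{ RoleDefinitionId='29232cdf-9323-42fd-ade2-1d097af3e4de'; PrincipalId='u3'; DirectoryScopeId='/' }
)

function Test-AdminMfaBaseline {
    param(
        [Parameter(Mandatory)][object[]]$Registrations,
        [Parameter(Mandatory)][object[]]$RoleAssignments,
        [string]$GlobalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10'
    )
    # Active Global Administrator principals. PIM-eligible assignments are not in this list
    # (they come from Get-MgRoleManagementDirectoryRoleEligibilitySchedule) and are not counted.
    $gaIds = @($RoleAssignments |
        Where-Object RoleDefinitionId -eq $GlobalAdminRoleId |
        ForEach-Object PrincipalId | Sort-Object -Unique)

    $admins = @($Registrations | Where-Object IsAdmin)
    $adminsWithoutMfa = @($admins | Where-Object { -not $_.IsMfaRegistered } | ForEach-Object {
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            IsGlobalAdmin     = $gaIds -contains $_.Id
            MethodsRegistered = $_.MethodsRegistered -join ','
        }
    })
    $coverage = if ($admins.Count) {
        [math]::Round(100 * ($admins.Count - $adminsWithoutMfa.Count) / $admins.Count, 1)
    } else { 100 }

    [pscustomobject]@{
        GlobalAdminCount       = $gaIds.Count
        # Microsoft's guidance: at least two (emergency access) but fewer than five.
        GlobalAdminCountOk     = ($gaIds.Count -ge 2 -and $gaIds.Count -lt 5)
        AdminMfaCoveragePct    = $coverage
        GlobalAdminsWithoutMfa = @($adminsWithoutMfa | Where-Object IsGlobalAdmin | ForEach-Object UserPrincipalName)
        AdminsWithoutMfa       = $adminsWithoutMfa
    }
}

# Live collection (assumption: Connect-MgGraph -Scopes 'AuditLog.Read.All','RoleManagement.Read.Directory' already run).
# $Registrations   = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
# $RoleAssignments = Get-MgRoleManagementDirectoryRoleAssignment -All

$result = Test-AdminMfaBaseline -Registrations $Registrations -RoleAssignments $RoleAssignments
$result | Format-List GlobalAdminCount, GlobalAdminCountOk, AdminMfaCoveragePct, GlobalAdminsWithoutMfa
$result.AdminsWithoutMfa | Format-Table -AutoSize
```

On the sample data this reports three Global Administrators (within Microsoft's range), 50% admin MFA coverage, and ga-bob as a Global Administrator with no MFA method at all. Note what the check does not prove: registration is not enforcement. Enforcement comes from a Conditional Access policy that targets directory roles and requires MFA (or from security defaults), and emergency-access accounts are normally excluded from that policy, which is why the break-glass account above carries a phishing-resistant FIDO2 key and should be alerted on whenever it signs in.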
Email, as the reigning top attack vector, remains a clear vulnerability for organizations of all sizes. About 90% of all cyberthreats originate in email, mostly through phishing operations, but also through malware, spam, ransomware, and impersonation scams.
Mailboxes are the number one way attackers get in, steal identities and credentials, and launch phishing and ransomware campaigns. Limiting mailbox access rights can stop these breaches early while protecting data, mail content and mailbox owners' identities. Controls worth checking include accounts delegated access to more than five other mailboxes, automatic forwarding, and access to other users' mailboxes.
CoreView can apply key rules for mailbox security, for instance, flagging user accounts that have been provided with access rights to more than five other user mailboxes. These are not for Room, Shared, or Team mailboxes, but rather actual User Mailbox accounts. Such cases should be investigated to ensure they are being used for acceptable business purposes.
Often, mailbox security is compromised by spam and malware. CoreView can report the exact number of malware instances sent by email from your organization.
Knowing the internal sources of malware is critical to stopping the spread. CoreView keeps IT informed of unusual patterns or targeting, which may be attempts to compromise mailboxes in your organization. CoreView also provides details on potentially compromised accounts and the malware that may have been sent from your organization, enabling support for investigations and remediation.
Email may remain the weakest link in your security posture, but you can take steps to harden email security, such as:
The concept of “least privilege” involves the practice of restricting access rights for users, accounts, and computing processes to only those resources required to perform routine, legitimate activities.
Ensuring that M365 administrative privileges are limited to those that absolutely need them is critical to a safe cybersecurity posture. An internal threat, such as a disgruntled employee, with access to global admin privileges, is a major risk that can be prevented simply by limiting the number of users with admin privileges — and restricting the scope of those permissions.
Unfortunately, built-in Microsoft 365 admin roles have limited flexibility. Microsoft offers workload-scoped roles (Exchange Administrator, SharePoint Administrator and so on) and Entra administrative units that restrict some roles to a subset of users, but coverage is uneven across workloads.
The major issue with many M365 deployments is that administrators have access to all of the company's users as well as every configuration capability in the assigned workload. That permission model does not match most enterprise organizations' requirements.
For example, if you have a local support team in a specific country, you should limit their administrative control to users within their area of work. Or, if you have a tiered support structure, you should limit administrative rights for support staff based on their responsibilities. Microsoft does not make this easy, but CoreView does, helping you to:
CoreView can help your organization implement a granular role-based access control (RBAC) policy. Your organization will be able to assign administrative privileges to operators that appropriately match their responsibilities.
To the average user, setting up automatic email forwarding rules is harmless. But for those whose job it is to prevent data breaches and ensure compliance, email forwarding rules can quickly turn into a nightmare. Indiscriminate forwarding of emails outside of your organization is a common vector for information theft as well as a potential violation of GDPR and similar data protection regulations.
CoreView can identify mailboxes that auto-forward to external addresses, such as gmail.com. This is a major data leakage concern: such forwarding should be redirected to internal addresses or removed completely. Some key steps to mitigate these dangers include:
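External forwarding hides in two places: the mailbox's own forwarding setting and the user's inbox rules, and a Secure Score check covers the tenant-wide switch but not the individual offenders. As an added example (not from the original article, CoreView or Microsoft), the PowerShell below finds both kinds against the tenant's accepted domains and lists the remediation cmdlets. It runs offline on constructed objects shaped like Exchange Online PowerShell output; the live collection and remediation lines (commented) assume the ExchangeOnlineManagement module with Connect-ExchangeOnline already run.

```powershell
# Added example: find mailbox-level forwarding and inbox rules that send mail outside the
# tenant's accepted domains. Offline by default on constructed sample objects.

# Constructed. Live: $AcceptedDomains = (Get-AcceptedDomain).DomainName
$AcceptedDomains = @('contoso.example', 'contoso.onmicrosoft.com')

# Constructed sample shaped like Get-Mailbox output (trimmed). ForwardingSmtpAddress can be set
# by the user from Outlook; ForwardingAddress is admin-set and names a recipient object.
$Mailboxes = @(
    [pscustomobject]@{ UserPrincipalName='alice@contoso.example'; ForwardingSmtpAddress='smtp:alice.private@gmail.com'; ForwardingAddress=$null;        DeliverToMailboxAndForward=$true }
    [pscustomobject]@{ UserPrincipalName='bob@contoso.example';   ForwardingSmtpAddress=$null;                           ForwardingAddress='Ext Vendor'; DeliverToMailboxAndForward=$false }
    [pscustomobject]@{ UserPrincipalName='carol@contoso.example'; ForwardingSmtpAddress='smtp:team@contoso.example';     ForwardingAddress=$null;        DeliverToMailboxAndForward=$true }
)

# Constructed sample shaped like Get-InboxRule output. Recipients render as "Name" [SMTP:address].
# A rule named "." or a single character is a classic business-email-compromise tell.
$InboxRules = @(
    [pscustomobject]@{ MailboxOwnerId='alice@contoso.example'; Name='Invoices';  Enabled=$true;  ForwardTo=@('"Alice Private" [SMTP:alice.private@gmail.com]'); ForwardAsAttachmentTo=@(); RedirectTo=@() }
    [pscustomobject]@{ MailboxOwnerId='bob@contoso.example';   Name='.';         Enabled=$true;  ForwardTo=@(); ForwardAsAttachmentTo=@(); RedirectTo=@('"Bob" [SMTP:b0b.contoso@outlook.com]') }
    [pscustomobject]@{ MailboxOwnerId='carol@contoso.example'; Name='Team copy'; Enabled=$true;  ForwardTo=@('"Dan" [SMTP:dan@contoso.example]'); ForwardAsAttachmentTo=@(); RedirectTo=@() }
    [pscustomobject]@{ MailboxOwnerId='carol@contoso.example'; Name='Old';       Enabled=$false; ForwardTo=@('"Old" [SMTP:old@example.net]'); ForwardAsAttachmentTo=@(); RedirectTo=@() }
)

function Get-SmtpAddress {
    # Normalises 'smtp:addr', '"Name" [SMTP:addr]' and bare 'addr' to a lower-case address.
    param([Parameter(Mandatory)][string]$Entry)
    if ($Entry -match 'SMTP:([^\]\s]+)') { return $Matches[1].ToLower() }
    return $Entry.ToLower()
}

function Test-ExternalAddress {
    param([Parameter(Mandatory)][string]$Address, [Parameter(Mandatory)][string[]]$AcceptedDomains)
    $domain = ($Address -split '@')[-1]
    return -not ($AcceptedDomains -contains $domain)   # -contains is case-insensitive
}

function Find-ExternalForwarding {
    param(
        [Parameter(Mandatory)][object[]]$Mailboxes,
        [Parameter(Mandatory)][object[]]$InboxRules,
        [Parameter(Mandatory)][string[]]$AcceptedDomains
    )
    $findings = [System.Collections.Generic.List[object]]::new()
    foreach ($m in $Mailboxes) {
        if ($m.ForwardingSmtpAddress) {
            $addr = Get-SmtpAddress $m.ForwardingSmtpAddress
            if (Test-ExternalAddress $addr $AcceptedDomains) {
                $findings.Add([pscustomobject]@{ Mailbox=$m.UserPrincipalName; Source='ForwardingSmtpAddress'; Target=$addr; Rule=$null })
            }
        }
        if ($m.ForwardingAddress) {
            # Names a recipient object, which may be a mail contact with an external address;
            # resolve it live with Get-Recipient. Flagged for review rather than judged here.
            $findings.Add([pscustomobject]@{ Mailbox=$m.UserPrincipalName; Source='ForwardingAddress (review)'; Target=$m.ForwardingAddress; Rule=$null })
        }
    }
    foreach ($r in $InboxRules) {
        if (-not $r.Enabled) { continue }
        $targets = @($r.ForwardTo) + @($r.ForwardAsAttachmentTo) + @($r.RedirectTo) | Where-Object { $_ }
        foreach ($t in $targets) {
            $addr = Get-SmtpAddress $t
            if (Test-ExternalAddress $addr $AcceptedDomains) {
                $findings.Add([pscustomobject]@{ Mailbox=$r.MailboxOwnerId; Source='InboxRule'; Target=$addr; Rule=$r.Name })
            }
        }
    }
    return $findings
}

# Live collection (assumption: Connect-ExchangeOnline already run):
#   $AcceptedDomains = (Get-AcceptedDomain).DomainName
#   $Mailboxes  = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
#   $InboxRules = foreach ($m in $Mailboxes) { Get-InboxRule -Mailbox $m.UserPrincipalName }
# Remediation: block auto-forwarding tenant-wide first (the setting Secure Score's forwarding
# recommendation checks), then clean up each finding $f:
#   Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
#   Set-Mailbox -Identity $f.Mailbox -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
#   Disable-InboxRule -Mailbox $f.Mailbox -Identity $f.Rule     # or Remove-InboxRule

Find-ExternalForwarding -Mailboxes $Mailboxes -InboxRules $InboxRules -AcceptedDomains $AcceptedDomains |
    Format-Table Mailbox, Source, Target, Rule -AutoSize
```

On the sample data this yields four findings (alice's mailbox forwarding and inbox rule to gmail.com, bob's admin-set forwarding address for review, and bob's "." rule redirecting to outlook.com) and correctly ignores carol's internal forward and her disabled rule. Turning AutoForwardingMode off stops the leak immediately even while the rules still exist, but leave the rule cleanup in: a rule that survives tells you which accounts to investigate for compromise.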
Another aspect of data leakage is the growing challenge of sharing content. The sharing and collaboration capabilities made possible by M365 are powerful but also dangerous. With OneDrive and SharePoint, the ease with which users can share data externally makes collaboration easy but also opens up a security risk. Because documents can be shared directly with specific people, internally with other people within your org, or made “shareable” anonymously – that is, anyone with the link can open the document – there are some obvious security gaps.
An "Anyone with the link" asset, also known as anonymous sharing, is the least secure way to share a document: you cannot track how the link circulates outside your organization or who ends up with access to your data.
CoreView can detect OneDrive sharing activities, SharePoint sharing activities, as well as creation and use of anonymous links. Also, CoreView allows for admins to be alerted when new anonymous links are created or used.
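The events described above are recorded in the Microsoft 365 unified audit log as SharePoint sharing operations, so the alerting can also be built from that log directly. The PowerShell below is an added example (not from the original article, CoreView or Microsoft) that groups anonymous-link creation and use per file, showing who created each link, how often it was used and from where, and flagging files that were used anonymously with no creation event in the window. It runs offline on constructed AuditData records whose field names match Microsoft's schema but whose values are made up (the identifier SharePoint logs for an anonymous user varies, so the code keys on Operation rather than UserId); the live query and the tenant-level SharePoint remediation (commented) assume the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules respectively.

```powershell
# Added example: summarise "Anyone" (anonymous) link creation and use from unified audit
# log records. Offline by default on constructed AuditData JSON strings.

# Constructed records shaped like the AuditData field of Search-UnifiedAuditLog results
# (RecordType SharePointSharingOperation). Field names are Microsoft's; values are made up.
$AuditData = @(
  '{"CreationTime":"2025-06-02T09:14:00","Operation":"AnonymousLinkCreated","UserId":"alice@contoso.example","ClientIP":"203.0.113.10","SiteUrl":"https://contoso.sharepoint.com/sites/Finance/","SourceFileName":"FY26 Budget.xlsx","SourceRelativeUrl":"Shared Documents/Planning"}'
  '{"CreationTime":"2025-06-02T11:40:00","Operation":"AnonymousLinkUsed","UserId":"anonymous","ClientIP":"198.51.100.7","SiteUrl":"https://contoso.sharepoint.com/sites/Finance/","SourceFileName":"FY26 Budget.xlsx","SourceRelativeUrl":"Shared Documents/Planning"}'
  '{"CreationTime":"2025-06-03T02:05:00","Operation":"AnonymousLinkUsed","UserId":"anonymous","ClientIP":"192.0.2.44","SiteUrl":"https://contoso.sharepoint.com/sites/Finance/","SourceFileName":"FY26 Budget.xlsx","SourceRelativeUrl":"Shared Documents/Planning"}'
  '{"CreationTime":"2025-06-03T08:30:00","Operation":"AnonymousLinkCreated","UserId":"bob@contoso.example","ClientIP":"203.0.113.22","SiteUrl":"https://contoso-my.sharepoint.com/personal/bob_contoso_example/","SourceFileName":"Team offsite agenda.docx","SourceRelativeUrl":"Documents"}'
  '{"CreationTime":"2025-06-04T14:12:00","Operation":"AnonymousLinkUsed","UserId":"anonymous","ClientIP":"198.51.100.9","SiteUrl":"https://contoso.sharepoint.com/sites/HR/","SourceFileName":"Salary bands 2025.xlsx","SourceRelativeUrl":"Shared Documents"}'
)

function Get-AnonymousLinkActivity {
    param([Parameter(Mandatory)][string[]]$AuditData)
    $events = foreach ($json in $AuditData) { ConvertFrom-Json $json }

    # One row per file: group creation and use events by site plus file name.
    $events | Group-Object { "$($_.SiteUrl)|$($_.SourceFileName)" } | ForEach-Object {
        $created = @($_.Group | Where-Object Operation -eq 'AnonymousLinkCreated')
        $used    = @($_.Group | Where-Object Operation -eq 'AnonymousLinkUsed')
        [pscustomobject]@{
            Site      = $_.Group[0].SiteUrl
            File      = $_.Group[0].SourceFileName
            CreatedBy = @($created.UserId | Sort-Object -Unique) -join ', '
            Created   = @($created.CreationTime | Sort-Object)[0]
            UseCount  = $used.Count
            UseIPs    = @($used.ClientIP | Sort-Object -Unique) -join ', '
            # Used but never created inside the search window: the link predates the window,
            # so widen StartDate or review the item's sharing links in SharePoint directly.
            UsedOnly  = ($used.Count -gt 0 -and $created.Count -eq 0)
        }
    }
}

# Live query (assumption: Connect-ExchangeOnline already run and auditing enabled). One call
# returns at most 5000 records; use -SessionCommand ReturnLargeSet to page beyond that.
# $records   = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#                -RecordType SharePointSharingOperation -Operations AnonymousLinkCreated,AnonymousLinkUsed -ResultSize 5000
# $AuditData = $records.AuditData

# Tenant-level remediation (SharePoint Online Management Shell, Connect-SPOService first):
#   Set-SPOTenant -SharingCapability ExternalUserSharingOnly                       # no Anyone links at all
#   Set-SPOTenant -RequireAnonymousLinksExpireInDays 14 -FileAnonymousLinkType View  # if they must stay

Get-AnonymousLinkActivity -AuditData $AuditData |
    Sort-Object UsedOnly, UseCount -Descending |
    Format-Table File, Site, CreatedBy, Created, UseCount, UseIPs, UsedOnly -AutoSize
```

On the sample data the Finance budget shows one creator and two uses from two different addresses, bob's OneDrive file shows a link created but never used, and the HR salary sheet is flagged UsedOnly. The useful alert is the second kind of row filtered to sensitive sites: an anonymous link on an HR or Finance library that is being opened from addresses you do not recognize is exactly the leak the paragraph above describes, and the tenant-level settings are how you stop the next one being created.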
Many of these data leakage incidents are not malicious and are the result of an accident or misconfiguration. But how data leakage happens is only one aspect of the problem. A key consideration is where vulnerabilities arise. For M365, which houses anywhere from 70-80% of a company’s sensitive business information within Office documents, building defenses is critical to safeguarding organizational data – including everything from budgets and contracts to HR files, product roadmaps, and confidential strategy presentations.
Gartner reports that 92% of Microsoft cloud incidents in 2024 happened because of misconfigurations. The 2024 Verizon Data Breach Investigations Report also highlights misconfiguration as a source of cyber insecurity, although the report notes that misconfiguration – while still being the second-most common error and responsible for 10% of breaches – was on the decline.
The important takeaway with regard to configuration and misconfiguration is that human error, which the aforementioned DBIR cited as a leading cause of data breaches, is inevitable. As such, automation is key to circumventing the security risks associated with configuration issues.
Whether configuration errors are merely human carelessness or a result of active configuration tampering (which is significantly on the rise, according to Microsoft’s 2024 Digital Defense Report, and not on most organizations’ radar), a secure organization is one that implements automated configuration oversight to gain visibility into and track changes across M365’s vast configuration surface.
Manual reviews are unsustainable. Rather than trying to manage more than 10,000 individual configuration elements across critical M365 services by hand, CoreView provides automation workflows that detect configuration drift and enforce remediation.
Some Secure Score recommendations can be actioned almost immediately, leading to quick wins for strengthening your organization’s security posture. Other critical, but longer-term, changes need to be planned and resourced, which makes them ideal as strategic projects to take on over the course of a year or more.
Some examples here include:
By introducing vigilance and monitoring, you can raise your Secure Score. Some key best practices – beyond those already described – include:
While Secure Score is a powerful tool for measuring and improving your M365 security posture, looking beyond Microsoft's built-in controls is a must.
Attackers target the whole ecosystem: supply chain apps, misconfigured third-party integrations, hybrid cloud weaknesses, shadow IT, and more. Even organizations with a high Secure Score are vulnerable if they rely solely on Microsoft’s recommended controls, without supplementing them with broader visibility, continuous governance across multiple tenants, including dev and test ones, and automation for enforcement.
Secure Score is essential but should be one of many elements of a multi-layered approach. Augmenting built-in tooling with advanced management and automation platforms (like CoreView) is key to defending against current—and future—threats.
Your security posture should defend your organization against the wide range of vulnerabilities to which you are exposed while also complying with a host of changing regulations. CoreView has what you need to build these defenses and get a handle on cybersecurity and cyber resilience.
CoreView gives you actionable insights tied to Secure Score recommendations. Get deep visibility into:
CoreView’s workflow engine can automate remediation, directly improving your Secure Score. With CoreView, you can take action by:
CoreView tracks Secure Score metrics over time, helping you:
CoreView helps you enforce Microsoft 365 policies at scale. These policies help keep your environment aligned with Secure Score best practices:
With CoreView, you can directly reduce the number of high-privilege accounts, a critical Secure Score metric, by:
Secure Score isn't just a Microsoft metric. It’s a strategic tool for reducing enterprise risk, proving compliance maturity, and building a defensible security posture. Whether you're an enterprise CISO or an IT admin, aligning your operations to Secure Score — and automating improvements — will pay dividends in both threat prevention and audit readiness.
Find out more about how CoreView can help.
Microsoft Secure Score is a built-in analytics tool in Microsoft 365 that measures your organization’s security posture. It assigns a risk-based score based on how well you’ve implemented key protective controls such as MFA, DLP, and privileged access restrictions — and it provides actionable recommendations to help you improve.
New features in 2025 include expanded coverage for Azure and Microsoft Defender, improved benchmarking, easier compliance mapping (NIST, ISO 27001), API-driven automation, custom control scoring, and better dashboards. See “2025 Microsoft Secure Score Overview” for the full list.
Many Secure Score recommendations map directly to frameworks like NIST CSF, ISO 27001, and CIS Controls. Following these recommendations makes it easier to demonstrate due diligence in audits and maintain regulatory alignment.
Not entirely. A high score reflects best practice adoption, but doesn’t guarantee complete protection. Threats evolve and user behavior matters; use Secure Score as one part of a continuous, multilayered security approach.
Quick wins include: enabling MFA for every account (especially admins), blocking external auto-forwarding, reducing admin privileges, and applying DLP policies. You’ll find a step-by-step checklist in the Playbook section above.
Secure Score measures actions across five areas: identity, data, devices, apps, and infrastructure. Key actions include activating MFA, enforcing least privilege, configuring secure sharing, and monitoring risky behaviors.
Absolutely. Tools like CoreView can automatically enforce security policies, remediate configuration drift, and monitor for compliance gaps—helping you maintain and grow your Secure Score over time.
CoreView scans your Microsoft 365 environment for Secure Score gaps, automates remediation (e.g., enabling MFA or revoking risky permissions), and provides dashboards for compliance monitoring and reporting.