Free tool · 5 minutes · Microsoft Defender posture
Microsoft Secure Score is the headline security posture metric. The score is only useful if recommendations get actioned. Score your discipline across identity, devices, apps, data and operational follow-through in five minutes.
8 questions · 4 domains
Score your Microsoft Secure Score discipline across identity, devices, apps, data and operational follow-through. The score itself is only useful if the recommendations get actioned — this tool measures that.
Domain 1
Identity-domain Secure Score recommendations — MFA coverage, legacy auth blocking, Conditional Access, PIM, privileged role hygiene.
What is your current MFA coverage across the tenant?
Source: Microsoft Secure Score identity recommendations; ASD Essential Eight MFA.
How many Global Administrators does the tenant have?
Source: Microsoft Secure Score privileged identity recommendations.
Domain 2
Device-domain Secure Score — Defender for Endpoint deployment, ASR rules in block mode, Intune compliance policies, Conditional Access compliant-device requirement.
Is Microsoft Defender for Endpoint deployed across the corporate device fleet?
Source: Microsoft Secure Score device recommendations.
Are ASR (Attack Surface Reduction) rules in block mode?
Source: Microsoft Secure Score device recommendations; Microsoft ASR rules guidance.
Domain 3
App and data Secure Score recommendations — sensitivity labels, DLP, Defender for Office 365 settings, Defender for Cloud Apps OAuth governance, SharePoint sharing.
Are Microsoft Defender for Office 365 Safe Links and Safe Attachments enabled?
Source: Microsoft Secure Score apps recommendations.
What is the state of Information Protection sensitivity labels?
Source: Microsoft Secure Score data recommendations; Microsoft Information Protection guidance.
Domain 4
How the Secure Score is reviewed, who owns the actions, the cadence of review, the trending posture over time.
How often is Microsoft Secure Score reviewed?
Source: Frontrow security operating rhythm benchmark.
Is the Secure Score trend tracked over time and reported to the board?
Source: Frontrow board reporting benchmark.
This is an indicative self-assessment. It is not a substitute for a tenant-level posture review. For verified results Frontrow runs a Microsoft Defender posture audit in-tenant.
What the check covers
Domain 1
Identity recommendations dominate the early-stage Secure Score gains. MFA on all users, block legacy auth, restrict Global Admin to 2-4 people, deploy PIM. These are typically 20-30 percentage points of Secure Score in an unconfigured tenant.
Domain 2
Device recommendations require MDE deployed and Intune in active use. ASR rules in block mode, BitLocker, AV running, sensor onboarded. The gap between 'MDE licensed' and 'MDE actively protecting' is the lever here.
Domain 3
Apps and data is the slow-burn part of Secure Score. Sensitivity labels rolled out, DLP active, Safe Links and Safe Attachments configured, anonymous SharePoint links disabled. These are typically the recommendations that linger longest in 'unactioned' status.
Domain 4
The discipline of weekly or monthly Secure Score review with named owners is what separates tenants that improve from tenants that stagnate. The score is a metric; the operating rhythm is the work.
Frequently asked questions
There is no universal target. Microsoft surfaces a percentage but the absolute value depends on the licences you own (E3 vs E5, Defender plan mix). The Frontrow benchmark across AU mid-market is 35–55% as the starting baseline, 70%+ as the mature posture target, and the trajectory mattering more than the absolute number. A tenant moving from 40% to 60% over a year is healthier than a tenant that's been at 65% for three years.
Secure Score is the security operating-rhythm metric. Used well it surfaces the next-most-impactful recommendation, tracks whether the organisation is improving, and creates a defensible board narrative. Used poorly (looked at once a quarter and ignored) it's a number that doesn't drive anything. This tool measures the former, not the latter.
Overlap but not equivalence. Secure Score is broader (covers data classification, app governance, posture trending) but doesn't have explicit maturity levels. Essential Eight is narrower (eight specific mitigation strategies) but maturity-graded (ML0 / ML1 / ML2 / ML3). For an AU mid-market tenant the practical answer is: run both. Secure Score for the day-to-day posture work, Essential Eight for the maturity-targeting and board reporting.
Three identity-domain wins typically deliver 20–30 percentage points: 100% MFA coverage (or as close as you can get), block legacy authentication via Conditional Access, and reduce Global Administrators to 2–4 with PIM. Each is achievable in 2–4 weeks on an existing M365 tenant. Device-domain wins (MDE deployed, ASR rules in block mode) take longer but deliver the next tranche.
Sometimes. The most common case where adding licences materially lifts Secure Score is moving from Office 365 E3 to Microsoft 365 E3 (which adds Intune and Entra ID P1), or moving from Microsoft 365 Business Standard to Business Premium (same — adds Intune and Entra ID P1). Beyond that, recommendations are mostly about configuring what you already have. See the M365 Licence Audit Scorer tool for the broader licensing question.
Weekly for the security operations team, monthly for the IT leadership, quarterly for the board. The cadence isn't the point — the action discipline is. A weekly review that produces nothing actionable is worse than a monthly review that produces three documented improvements.
A direct review of the Microsoft Secure Score and Defender XDR posture dashboards, plus the per-domain recommendation backlog. Output: prioritised remediation plan with effort estimates, ownership assignments and a 90-day target trajectory. Most engagements deliver a 10–20 percentage point uplift in 90 days. Indicative pricing on request.
Every scoring threshold cites a primary source: Microsoft Learn for Microsoft Secure Score and Defender XDR posture, Microsoft's official MFA and PIM guidance, ASR rules documentation, and the Frontrow AU mid-market posture benchmark. Methodology authored by Daniel Brown (5x Microsoft MVP), Graeme Lodge (Managing Director), and Sam Williams (Investor & Executive Consultant).
