Frontrow Technology

Free tool · 5 minutes · Microsoft Entra identity

IDENTITY SECURE SCORE — GAP ANALYSER.

Identity is where the cheapest, fastest security wins live. Score your Microsoft Entra identity posture across authentication strength, privileged access, lifecycle, external access and risk-based controls in five minutes.

8 questions · 4 domains


Domain 1

Authentication strength

MFA coverage and method strength, legacy auth blocking, password-less rollout, phishing-resistant MFA for privileged accounts.

  • What is your current MFA coverage across the tenant?

    Source: Microsoft Entra Identity Secure Score; ASD Essential Eight MFA.

  • Is legacy authentication blocked via Conditional Access?

    Source: Microsoft Entra Conditional Access policy: Block legacy authentication.

Domain 2

Privileged access

Global Administrator count, Privileged Identity Management (PIM) maturity, role least-privilege, break-glass account hygiene.

  • How many Global Administrators does the tenant have?

    Source: Microsoft Entra Identity Secure Score; Microsoft recommended baseline.

  • Is Privileged Identity Management (PIM) deployed for Entra and Azure roles?

    Source: Microsoft Entra Privileged Identity Management.

Domain 3

Lifecycle and entitlement

Joiner-mover-leaver discipline, automated lifecycle workflows, access reviews, entitlement management for role-based access bundles.

  • How is offboarding integrated with identity lifecycle?

    Source: Microsoft Entra ID Governance Lifecycle Workflows.

  • Are access reviews run on privileged roles and sensitive resources?

    Source: Microsoft Entra Access Reviews; APRA CPS 234 paragraph 17.

Domain 4

External and risk-based access

Guest user lifecycle, cross-tenant access settings, Entra ID Protection risk-based Conditional Access, sign-in and user risk policies.

  • How is B2B guest access governed?

    Source: Microsoft Entra External ID; cross-tenant access settings.

  • Are Entra ID Protection risk-based Conditional Access policies in active use?

    Source: Microsoft Entra ID Protection; Conditional Access risk-based policies.

This is an indicative self-assessment. It is not a substitute for a live tenant audit. For verified results Frontrow runs an Entra ID posture audit in-tenant.

What the check covers

Four domains. One identity posture.

Domain 1

Authentication strength

Authentication strength is the floor of identity posture. The Frontrow benchmark for AU mid-market: 100% MFA (any form), legacy auth blocked via Conditional Access, phishing-resistant MFA (FIDO2 or Windows Hello) on Global Admins and high-risk roles, password-less rollout to general users underway.

Domain 2

Privileged access

Standing Global Administrator accounts are the single most exploited identity weakness. The Microsoft benchmark is 2–4 Global Admins, all on PIM-eligible (not standing) assignments, plus two emergency break-glass accounts that are excluded from Conditional Access and monitored.

Domain 3

Lifecycle and entitlement

Identity Governance is where AU mid-market typically lags. The controls in this domain are automated lifecycle workflows, quarterly access reviews on privileged roles and sensitive resources, and entitlement management for cross-team access bundles. This requires an Entra ID Governance licence on top of Entra ID P2.

Domain 4

External and risk-based access

External access (B2B guests, cross-tenant settings) and risk-based access (Entra ID Protection sign-in risk and user risk policies) are the higher-maturity identity controls. Together they are typically the last domain to mature in AU mid-market.

Frequently asked questions

What Australian IT and security teams ask.

What is the Microsoft Identity Secure Score?

Identity Secure Score is the Microsoft Entra-specific posture metric. It surfaces a percentage based on the identity controls in active use against Microsoft's recommended baseline — MFA coverage, Conditional Access policies, PIM deployment, legacy auth blocking, password hygiene, and more. It moves faster than the broader Microsoft Secure Score because identity is where the cheapest, fastest posture wins live.

How is Identity Secure Score different from Microsoft Secure Score?

Identity Secure Score is identity-domain only. Microsoft Secure Score is the broader posture metric covering identity, devices, apps, data and AI. Most AU mid-market tenants find the Identity Secure Score is the easier and faster metric to lift first — typically 20–30 percentage points achievable in 90 days with focused identity work. Once identity is solid the broader Secure Score gains follow.

What's the fastest way to lift Identity Secure Score?

Three controls dominate the early-stage gains. First, 100% MFA coverage (any form). Second, block legacy authentication via Conditional Access. Third, reduce Global Administrators to 2–4 with PIM. Each is achievable in 2–4 weeks on an existing M365 tenant. After those three, the next tranche is phishing-resistant MFA on privileged accounts, then risk-based Conditional Access via Entra ID Protection.
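The three early-stage controls above can be checked offline against exported tenant data. The following is an added example, not Frontrow's tooling or Microsoft code. All data is constructed: USERS and CA_POLICIES use Microsoft Graph field names (userRegistrationDetails, conditionalAccessPolicy), while GA_ASSIGNMENTS and BREAK_GLASS are simplified, hypothetical shapes.

```python
# Constructed sample exports, not from a real tenant. USERS and CA_POLICIES use
# Microsoft Graph field names; GA_ASSIGNMENTS/BREAK_GLASS are hypothetical shapes.
USERS = [{"userPrincipalName": f"{n}@example.com", "isMfaRegistered": ok}
         for n, ok in [("alice", True), ("bob", True), ("carol", False), ("dave", True)]]
CA_POLICIES = [{
    "displayName": "Block legacy auth (pilot)",
    "state": "enabledForReportingButNotEnforced",  # report-only: blocks nothing
    "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"],
                   "users": {"includeUsers": ["All"]}},
    "grantControls": {"builtInControls": ["block"]},
}]
GA_ASSIGNMENTS = [
    {"upn": "alice@example.com", "type": "eligible"},
    {"upn": "bob@example.com", "type": "active"},   # standing assignment
    {"upn": "bg1@example.com", "type": "active"},   # break-glass account
    {"upn": "bg2@example.com", "type": "active"},   # break-glass account
]
BREAK_GLASS = {"bg1@example.com", "bg2@example.com"}
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}

def mfa_coverage(users):
    """Percentage of users with at least one MFA method registered."""
    return 100.0 * sum(u["isMfaRegistered"] for u in users) / len(users)

def legacy_auth_blocked(policies):
    """True only if an enforced policy blocks both legacy client types for all users."""
    for p in policies:
        cond = p.get("conditions", {})
        grant = p.get("grantControls") or {}  # grantControls may be null
        if (p.get("state") == "enabled"
                and LEGACY_CLIENTS <= set(cond.get("clientAppTypes", []))
                and "All" in cond.get("users", {}).get("includeUsers", [])
                and "block" in grant.get("builtInControls", [])):
            return True
    return False

def global_admin_gaps(assignments, break_glass):
    """Check the 2-4 Global Admins, all PIM-eligible benchmark; break-glass counted apart."""
    admins = [a for a in assignments if a["upn"] not in break_glass]
    gaps = []
    if not 2 <= len(admins) <= 4:
        gaps.append(f"{len(admins)} Global Admins, benchmark is 2-4")
    gaps += [f"standing assignment: {a['upn']}" for a in admins if a["type"] != "eligible"]
    return gaps

if __name__ == "__main__":
    print(mfa_coverage(USERS), legacy_auth_blocked(CA_POLICIES),
          global_admin_gaps(GA_ASSIGNMENTS, BREAK_GLASS))
```

The sample policy is in report-only state, so the legacy authentication check fails even though the policy exists; a policy counts only once its state is `enabled`.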

Do I need Entra ID P1 or P2 to lift the score meaningfully?

Entra ID Free (the M365 baseline) gives you MFA and basic Conditional Access. Entra ID P1 (included in M365 E3 / Business Premium) unlocks full Conditional Access, dynamic groups, group-based licensing and the meaningful identity governance baseline. Entra ID P2 (included in M365 E5) unlocks PIM, Identity Protection risk-based access, and access reviews. For most AU mid-market tenants, P1 is the floor, P2 is the target.

What about service accounts and workload identities?

Workload identities (service principals, managed identities) are out of scope for traditional MFA but in scope for Conditional Access for workload identities (preview/GA depending on configuration). The Frontrow recommendation is to inventory service principals, identify which have privileged Graph or Azure resource permissions, apply Conditional Access for workload identities to scope their use, and review the OAuth consent grant history.

How does Identity Secure Score relate to Essential Eight?

Essential Eight Strategy 5 (Restrict administrative privileges), Strategy 6 (Multi-factor authentication) and Strategy 7 (Patch operating systems) all overlap with identity work. A mature Identity Secure Score typically maps to Essential Eight ML2 in the identity-related controls. For AU mid-market the practical answer is: run both. Identity Secure Score for the operational rhythm, Essential Eight for the maturity-targeting and board reporting.

What is the Frontrow in-tenant identity audit?

A direct review of Microsoft Entra Identity Secure Score, Conditional Access policies, sign-in logs, privileged role assignments, B2B guest access, and Entra ID Protection signals. Output: prioritised 90-day remediation plan with named owners and target trajectory. Most engagements deliver 15–25 percentage point uplift in 90 days. Indicative pricing on request.

How is this self-assessment validated?

Every scoring threshold cites a primary source: Microsoft Learn for Identity Secure Score, Conditional Access, PIM and Entra ID Protection, ASD Essential Eight identity controls, APRA CPS 234 paragraph 17 on privileged access, and the Frontrow AU mid-market identity benchmark. Methodology authored by Daniel Brown (5x Microsoft MVP), Graeme Lodge (Managing Director), and Sam Williams (Investor & Executive Consultant).