If you log into the Microsoft 365 Defender portal, you’ll see a big percentage number on your dashboard. That is your Secure Score.
For many small business admins, this number sits comfortably (and dangerously) around 20%. Microsoft recommends getting it above 65%.
The Secure Score isn’t just a gamified metric; it’s a prioritized list of vulnerabilities in your tenant. Here are the top “high-impact” actions you should take to boost your score and actually secure your business.
1. Enable MFA (Multi-Factor Authentication)
- Impact: Massive (User & Admin security)
- Difficulty: Medium (User training required)
This is the single most important setting. The Secure Score gives you points for:
* Requiring MFA for Admin Roles (Critical).
* Requiring MFA for All Users.
How to do it:
Go to Azure Active Directory (Entra ID) -> Properties -> Manage Security Defaults. Turning this “On” instantly enforces MFA for everyone using the Microsoft Authenticator app.
2. Block Legacy Authentication
- Impact: High
- Difficulty: Low
“Legacy Authentication” refers to older protocols (IMAP, POP3, SMTP) that don’t support MFA. Hackers love these because they can bypass your shiny new 2FA setup by brute-forcing a password via a POP3 request.
How to do it:
If “Security Defaults” is on (see above), this is done automatically. If you use Conditional Access policies, create a policy to “Block” client apps using legacy protocols.
3. Protect Global Admins
- Impact: Critical
- Difficulty: Low
You should not have more than 2-4 Global Admins. And those accounts should never be used for daily email.
Recommendation:
Create separate “Cloud Only” admin accounts (e.g., admin.name@domain.onmicrosoft.com) that are unlicensed and used only for administration. This protects your actual identity from phishing attacks targeting your daily email.
4. User Consent to Apps
- Impact: Medium
- Difficulty: Low
By default, users can allow third-party apps to access their profile data (“This quirky calendar app wants to read your contacts!”). This is a common vector for data exfiltration.
How to do it:
Go to Entra ID -> Enterprise Applications -> Consent and permissions.
Set “User consent for applications” to “Do not allow user consent”. Instead, configure an “Admin consent workflow” where users request an app, and you approve it.
5. Turn on Audit Logging
- Impact: Low (Preventative) -> High (Forensic)
- Difficulty: Very Low
If you get hacked, you need to know what the attacker accessed. Audit logging is not fully retroactive, so you need to turn it on before the breach, not after.
How to do it:
Go to the Compliance Admin Center -> Audit. Verify that “Start recording user and admin activity” is enabled.
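Checking all five items from the portal means clicking through several blades; the read-only script below is an added example (not from the original article or from Microsoft) that reads the same settings through Microsoft Graph PowerShell and Exchange Online PowerShell and warns about anything that does not match the recommendations above. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and that the account used can read policies and directory roles.

```powershell
# Added audit script (not the article's own): reads the current state of the five
# Secure Score items above. Read-only; it changes nothing in the tenant.
# Assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed.
Connect-MgGraph -Scopes 'Policy.Read.All','Directory.Read.All','RoleManagement.Read.Directory' -NoWelcome

$findings = @()

# Items 1 & 2: Security Defaults enforce MFA and block legacy auth with one switch
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if (-not $sd.IsEnabled) {
    $findings += 'Security Defaults OFF: confirm MFA is enforced via Conditional Access'
    # Without Security Defaults, look for an enabled Conditional Access policy that
    # blocks the legacy client app types (the article's alternative for item 2)
    $caBlock = Get-MgIdentityConditionalAccessPolicy | Where-Object {
        $_.State -eq 'enabled' -and
        $_.GrantControls.BuiltInControls -contains 'block' -and
        $_.Conditions.ClientAppTypes -contains 'exchangeActiveSync' -and
        $_.Conditions.ClientAppTypes -contains 'other'
    }
    if (-not $caBlock) { $findings += 'No enabled Conditional Access policy blocks legacy authentication' }
}

# Item 3: count Global Administrators (article recommends 2-4)
$gaRole  = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$gaCount = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id).Count
if ($gaCount -lt 2 -or $gaCount -gt 4) { $findings += "Global Administrator count is $gaCount (target 2-4)" }

# Item 4: an empty permission-grant policy list means users cannot consent to apps
$authz = Get-MgPolicyAuthorizationPolicy
if ($authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned.Count -gt 0) {
    $findings += 'Users can still consent to applications'
}
if (-not (Get-MgPolicyAdminConsentRequestPolicy).IsEnabled) {
    $findings += 'Admin consent workflow is not enabled'
}

# Item 5: unified audit log ingestion is an Exchange Online setting
Connect-ExchangeOnline -ShowBanner:$false
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    $findings += 'Unified audit logging is OFF'
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else          { Write-Host 'All five checks pass' }
```

Run it periodically (or before reviewing the Secure Score page) so a setting that drifts, such as a new Global Admin added during a support call, is caught rather than discovered after an incident.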
Summary
Improving your Secure Score is about reducing your attack surface. You don’t need to hit 100%—that often makes the system unusable—but clearing these top 5 items will put you ahead of 90% of targeted businesses.
