Challenges of Achieving 100% in Secure Score in Microsoft 365
While achieving a 100% Secure Score in Microsoft 365 is technically possible, it is highly impractical due to conflicting security requirements, business needs, and user experience concerns. Instead, organizations should focus on optimizing their security posture by implementing high-impact security measures without disrupting workflows.
1. Conflicting Requirements – Some security measures might contradict business needs. Examples:
• Disabling email auto-forwarding increases security but may hinder legitimate workflows.
• Blocking legacy authentication improves security but might break older apps.
2. User Experience vs. Security – Some policies can be disruptive:
• Forcing MFA for every login improves security but frustrates users.
• Blocking third-party apps increases security but limits productivity.
3. Limited Organizational Fit – Some controls require:
• Specific licenses (e.g., Defender for Office 365, Purview).
• Compliance that may not be relevant to your organization.
4. Continuous Changes – Microsoft updates Secure Score recommendations frequently, meaning a “perfect score” may not last.
Best Approach: Optimize Security Without Compromising Usability
Instead of chasing 100%, focus on:
• Achieving a high Secure Score (above 80-90% is excellent).
• Prioritizing security based on risks to your organization.
• Implementing measures without disrupting users.
How to Improve Microsoft Secure Score
Here are some high-impact recommendations:
Identity Protection
✔ Enable Multi-Factor Authentication (MFA) for all users
✔ Block legacy authentication (disable basic authentication for Exchange Online)
✔ Require passwordless authentication (Windows Hello, FIDO2 keys, Microsoft Authenticator)
✔ Set up Conditional Access Policies (e.g., block risky sign-ins, require compliant devices)
Device Security
✔ Deploy Microsoft Defender for Endpoint
✔ Require devices to be Azure AD Joined & Intune Managed
✔ Enforce BitLocker encryption on all endpoints
✔ Require Windows Defender Antivirus & EDR
Email & Collaboration Security
✔ Enable Microsoft Defender for Office 365
✔ Enforce anti-phishing, Safe Links, Safe Attachments
✔ Implement DMARC, SPF, DKIM, and MTA-STS
✔ Block auto-forwarding of emails
✔ Apply Data Loss Prevention (DLP) policies
Data Protection & Compliance
✔ Enable Microsoft Purview Information Protection (sensitivity labels)
✔ Restrict external sharing in OneDrive & SharePoint
✔ Require email encryption (OME, S/MIME)
✔ Implement data retention policies
Monitoring & Response
✔ Enable Microsoft Sentinel (SIEM) or Defender XDR for logging
✔ Configure audit logs & alerts for suspicious activity
✔ Set up self-service password reset (SSPR)
How to Check Your Secure Score
1. Go to Microsoft Secure Score Dashboard:
🔗 https://security.microsoft.com/securescore
2. Review recommendations and implement those with the biggest impact.
3. Use Microsoft Defender Attack Simulation to test your security.
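As an added example that is not part of the original post, the Python below turns the "prioritize high-impact measures without disrupting users" advice above and the Secure Score review in step 2 into a ranking: controls that still have points remaining are ordered by lowest user impact first, then by largest point gap, and the distance to the post's 80% target is computed. The records mirror the shape of the Microsoft Graph secureScores and secureScoreControlProfiles responses, but every value is constructed sample data; in a real tenant you would fetch those two endpoints with an authenticated Graph client.

```python
# Added example (not from the original post). Record shapes follow the Graph responses
#   GET /v1.0/security/secureScores              (currentScore, maxScore, controlScores)
#   GET /v1.0/security/secureScoreControlProfiles (id, title, maxScore, userImpact)
# but every value below is constructed sample data, not a real tenant's export.

IMPACT_RANK = {"Low": 0, "Moderate": 1, "High": 2}  # Graph userImpact values

# Constructed sample: the latest secureScore record for a tenant
SAMPLE_SECURE_SCORE = {
    "currentScore": 412.0,
    "maxScore": 820.0,
    "controlScores": [
        {"controlName": "MFARegistrationV2", "score": 9.0},
        {"controlName": "BlockLegacyAuthentication", "score": 0.0},
        {"controlName": "SSPR", "score": 4.0},
        {"controlName": "RequireCompliantDevice", "score": 0.0},
    ],
}

# Constructed sample: the matching control profiles (sample names and scores)
SAMPLE_PROFILES = [
    {"id": "MFARegistrationV2", "title": "Ensure MFA is enabled for all users", "maxScore": 9.0, "userImpact": "Moderate"},
    {"id": "BlockLegacyAuthentication", "title": "Block legacy authentication", "maxScore": 8.0, "userImpact": "Low"},
    {"id": "SSPR", "title": "Enable self-service password reset", "maxScore": 9.0, "userImpact": "Low"},
    {"id": "RequireCompliantDevice", "title": "Require compliant devices", "maxScore": 12.0, "userImpact": "High"},
]

def score_percent(secure_score):
    """Secure Score as a percentage of the points available to this tenant."""
    return round(100 * secure_score["currentScore"] / secure_score["maxScore"], 1)

def points_to_target(secure_score, target_pct):
    """Points still needed to reach a target percentage (e.g. the post's 80%)."""
    return max(0.0, target_pct * secure_score["maxScore"] / 100 - secure_score["currentScore"])

def prioritize(secure_score, profiles):
    """Controls with points remaining, lowest user impact first, then largest gap."""
    by_id = {p["id"]: p for p in profiles}
    gaps = []
    for control in secure_score["controlScores"]:
        profile = by_id.get(control["controlName"])
        if profile is None or profile.get("deprecated"):
            continue  # no profile to score against, or control retired by Microsoft
        remaining = profile["maxScore"] - control["score"]
        if remaining > 0:  # fully implemented controls drop out of the work list
            gaps.append({"control": control["controlName"], "title": profile["title"],
                         "points_remaining": remaining, "userImpact": profile["userImpact"]})
    gaps.sort(key=lambda g: (IMPACT_RANK.get(g["userImpact"], 3), -g["points_remaining"]))
    return gaps
```

With the sample data the tenant sits at 50.2% and needs 244 more points for 80%; the two low-impact controls come first and the high-impact device requirement last, even though it is worth the most points.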
Bottom Line
• 100% Secure Score? Theoretically possible but not practical.
• Target: 80-90% with security balanced against usability.
• Prioritize: High-impact security policies over chasing numbers.