Forum Discussion
Secure Score for Devices
Hi, I need to query Defender for Endpoint to get the Secure Score for Devices. I need it in percent, but the "GET https://api.securitycenter.microsoft.com/api/configurationScore" only returns the current achieved points. And I cannot find a method to get the current total achievable points. Anyone who knows how to get this? (I have seen there are APIs for this in Defender for Cloud.)
My second question is for the security center where you have a "Secure Score" that covers all areas. One of the sub categories for the total secure score is "Device", but that category has different "achievable points" (currently 872 out of 927) than the points that are listed for the "Secure Score for Devices" (currently 949 out of 1004). Anyone knows why these are not in sync?
1 Reply
Hi TrondKKa, check below.
How to Get Secure Score for Devices as a Percentage via API
You're correct:
The GET https://api.securitycenter.microsoft.com/api/configurationScore only gives you current achieved points, not the total possible (max) points, which makes calculating a percentage difficult.
Try this:
You’ll need to retrieve all configuration profile items, which include their individual max scores, and sum them manually.
Steps:
a. Call the GET endpoint:
GET https://api.securitycenter.microsoft.com/api/machineConfiguration
OR
b. Use the newer GET:
GET https://api.securitycenter.microsoft.com/api/configurationAssessment
This returns each assessment (e.g., BitLocker enabled, firewall on, etc.), including:
- maxScore
- currentScore
- status
Calculate Secure Score for Devices (in percent):
Secure Score % = (Sum of current scores / Sum of max scores) * 100
Be sure to filter by device-related controls and exclude irrelevant controls if needed.
Why are the “Device” category scores in Microsoft Secure Score and Defender for Endpoint not in sync?
This is a known misalignment between portals due to:
a. Different Scopes:
- Microsoft 365 Defender’s “Secure Score for Devices” (via MDE): Focuses on device-specific security posture (e.g., firewall, AV, update policies) from Defender for Endpoint.
- Microsoft Secure Score “Device” category (in Microsoft Defender portal or Azure Security Center): Pulls from multiple products, and may also include:
  - Defender for Cloud assessments (e.g., VM configuration in Azure)
  - Microsoft Intune policies
  - Defender for Business data
b. Different Control Sets and Weighting:
Each platform may:
- Use different security controls
- Assign different point values
- Have overlapping controls with differing visibility or scoring logic
c. Data Sync Timing and Source APIs:
There may be lags or differences in data refresh cycles or the underlying telemetry source.
You Can Do
- Use the configurationAssessment API to calculate your own secure score for devices.
- For full visibility, combine data from:
  - MDE
  - Microsoft Graph Secure Score API (https://graph.microsoft.com/v1.0/security/secureScores)
- Be aware of scope differences to justify discrepancies.
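
The percentage calculation described in the reply, as an added example that is not part of the original post or any Microsoft code. The field names maxScore, currentScore and status are taken from the reply; the "category" field, the status values and every sample record are constructed assumptions, so adjust them to whatever the API actually returns in your tenant.

```python
# Added example: "category", the status strings and all SAMPLE rows are
# constructed for illustration; they are not real API output.

def secure_score_percent(assessments, include=lambda item: True):
    """Return (current, maximum, percent) over the records `include` accepts."""
    current = maximum = 0.0
    for item in assessments:
        if not include(item):
            continue
        cur, mx = item.get("currentScore"), item.get("maxScore")
        # Skip records that cannot be scored instead of letting them skew the sums.
        if cur is None or mx is None or mx <= 0:
            continue
        current += cur
        maximum += mx
    if maximum == 0:
        return current, maximum, None  # nothing scorable: percentage is undefined
    return current, maximum, round(100.0 * current / maximum, 2)


SAMPLE = [
    {"name": "disk-encryption", "category": "Device", "status": "Compliant",
     "currentScore": 9, "maxScore": 9},
    {"name": "firewall-on", "category": "Device", "status": "NonCompliant",
     "currentScore": 4, "maxScore": 8},
    {"name": "av-realtime", "category": "Device", "status": "Compliant",
     "currentScore": 10, "maxScore": 10},
    {"name": "mfa-admins", "category": "Identity", "status": "NonCompliant",
     "currentScore": 2, "maxScore": 10},
    {"name": "legacy-os-check", "category": "Device", "status": "NotApplicable",
     "currentScore": None, "maxScore": 5},
]


def device_only(item):
    """Scope filter: device controls that apply to this estate."""
    return item.get("category") == "Device" and item.get("status") != "NotApplicable"


if __name__ == "__main__":
    # Same records, two scopes: the percentage depends on which controls are counted.
    print("all controls:", secure_score_percent(SAMPLE))
    print("device only :", secure_score_percent(SAMPLE, device_only))
```

Running the same records through two different filters gives two different percentages, which is the scope effect the reply describes for the two portals.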