Forum Discussion
Secure Score for Devices
Hi TrondKKa, check below.
How to Get Secure Score for Devices as a Percentage via API
You're correct:
The GET https://api.securitycenter.microsoft.com/api/configurationScore only gives you current achieved points, not the total possible (max) points, which makes calculating a percentage difficult.
Try this:
You’ll need to retrieve all configuration profile items, which include their individual max scores, and sum them manually.
Steps:
a. Call the GET endpoint:
GET https://api.securitycenter.microsoft.com/api/machineConfiguration
OR
b. Use the newer GET:
GET https://api.securitycenter.microsoft.com/api/configurationAssessment
This returns each assessment (e.g., BitLocker enabled, firewall on, etc.), including:
- maxScore
- currentScore
- status
Calculate Secure Score for Devices (in percent):
Secure Score % = (Sum of current scores / Sum of max scores) * 100
Be sure to filter by device-related controls and exclude irrelevant controls if needed.
Why are the “Device” category scores in Microsoft Secure Score and Defender for Endpoint not in sync?
This is a known misalignment between portals due to:
a. Different Scopes:
- Microsoft 365 Defender’s “Secure Score for Devices” (via MDE): Focuses on device-specific security posture (e.g., firewall, AV, update policies) from Defender for Endpoint.
- Microsoft Secure Score “Device” category (in Microsoft Defender portal or Azure Security Center): Pulls from multiple products, and may also include:
  - Defender for Cloud assessments (e.g., VM configuration in Azure)
  - Microsoft Intune policies
  - Defender for Business data
b. Different Control Sets and Weighting:
Each platform may:
- Use different security controls
- Assign different point values
- Have overlapping controls with differing visibility or scoring logic
c. Data Sync Timing and Source APIs:
There may be lags or differences in data refresh cycles or the underlying telemetry source.
What You Can Do
- Use the configurationAssessment API to calculate your own secure score for devices.
- For full visibility, combine data from:
  - MDE
  - Microsoft Graph Secure Score API (https://graph.microsoft.com/v1.0/security/secureScores)
- Be aware of scope differences to justify discrepancies.
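An added example, not part of the reply above and not Microsoft's code: the aggregation step from the reply, run over records that have already been retrieved. It assumes each record carries the `maxScore` and `currentScore` fields named in the reply; the `category` field, the `is_device` filter and the sample records are constructed for illustration.

```python
import math
from typing import Callable, Iterable, Mapping, Optional

def _num(value) -> Optional[float]:
    """Return value as a finite float, or None if it is not a usable number."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return None
    return float(value) if math.isfinite(value) else None

def device_score(records: Iterable[Mapping],
                 keep: Callable[[Mapping], bool] = lambda rec: True) -> dict:
    """Sum currentScore and maxScore over the records that `keep` accepts."""
    current_total = max_total = 0.0
    counted = skipped = 0
    for rec in records:
        if not keep(rec):
            continue  # out of scope, e.g. not a device-related control
        max_score = _num(rec.get("maxScore"))
        cur_score = _num(rec.get("currentScore"))
        if max_score is None or cur_score is None or max_score <= 0:
            skipped += 1  # unscorable: missing, malformed, or zero-weight
            continue
        # Clamp so one bad record cannot push the result outside 0..100.
        current_total += min(max(cur_score, 0.0), max_score)
        max_total += max_score
        counted += 1
    # No scorable controls means no score, not 0 % and not a ZeroDivisionError.
    percent = round(current_total / max_total * 100, 2) if max_total else None
    return {"percent": percent, "current": current_total, "max": max_total,
            "counted": counted, "skipped": skipped}

# Constructed sample records; ids, values and "category" are made up.
SAMPLE = [
    {"id": "ctl-bitlocker", "category": "device", "maxScore": 9, "currentScore": 9},
    {"id": "ctl-firewall", "category": "device", "maxScore": 5, "currentScore": 2.5},
    {"id": "ctl-av", "category": "device", "maxScore": 8, "currentScore": 0},
    {"id": "ctl-mailflow", "category": "apps", "maxScore": 10, "currentScore": 10},
    {"id": "ctl-broken", "category": "device", "maxScore": None, "currentScore": 3},
    {"id": "ctl-na", "category": "device", "maxScore": 0, "currentScore": 0},
]

def is_device(rec: Mapping) -> bool:
    """Hypothetical filter; adapt to however your data marks device controls."""
    return rec.get("category") == "device"

if __name__ == "__main__":
    print(device_score(SAMPLE, keep=is_device))
```

Reporting `counted` and `skipped` next to the percentage makes it visible when the figure rests on only part of the control set, which helps when comparing it against a portal value.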