Azure Secure Score vs. Microsoft Secure Score
Published Jun 17 2021 10:43 AM 37K Views
Microsoft

This article was written by Future Kortor (@fkortor) and Bojan Magusic (@Bojan Magusic).


Intro

The purpose of this article is to help organizations understand the difference between Secure Score in Microsoft Defender for Cloud and Microsoft Secure Score in the Microsoft 365 Security Center. This article also touches briefly on the Identity Secure Score in the Azure AD portal and Microsoft Secure Score for Devices in the Microsoft 365 Security Center, but going into detail on these products is outside the scope of this article.


Secure Score Functionality

As companies migrate more and more workloads to the cloud, it’s important to ensure that any resources in the public cloud are secured by adhering to industry standards and best practices. While companies might have existing solutions for their on-premises environment, security controls in the cloud differ from those on-premises. As no two company environments are the same, the question becomes: where do you start with improving your security posture? What actions should you prioritize? This is where Secure Score comes into play! The idea behind the Secure Score functionality is to provide you with a measurement that helps you understand your current security posture, as well as a list of actions you can take to improve it. Secure Score continuously assesses your environment, meaning that as you take actions to improve your security posture or deploy new resources, these changes will be reflected in your Secure Score. By implementing recommendations you’re adhering to best practices, which will effectively increase the measurement and enhance


Depending on the workloads in question, you might be interested in having a measurement solely for your Microsoft SaaS workloads. On the other hand, you might be interested in a measurement for your PaaS and IaaS workloads in Azure (and even hybrid or multi-cloud scenarios). Hence, the need to have a different Secure Score for each scenario, which provides you a measurement for the specific type of cloud computing service that you are utilizing:

  • Secure Score: applicable for PaaS, IaaS, hybrid and multi-cloud workloads.
  • Microsoft Secure Score: applicable for Microsoft SaaS workloads.


The table below aims to highlight the high-level difference between the two scores.

| Service Models | Cloud Computing Service Provider | Category | Name of Secure Score Functionality | Administration Portal |
| --- | --- | --- | --- | --- |
| SaaS | Microsoft 365 | Identity, Devices and Apps | Microsoft Secure Score | Microsoft 365 Security Center |
| PaaS | Azure | Feature Coverage for Azure PaaS Services | Secure Score | Microsoft Defender for Cloud Dashboard |
| PaaS | AWS | Provided by AWS Security Hub | Secure Score | Microsoft Defender for Cloud Dashboard |
| PaaS | GCP | Provided by GCP Security Command Center | Secure Score | Microsoft Defender for Cloud Dashboard |
| IaaS | Azure | Supported Platforms | Secure Score | Microsoft Defender for Cloud Dashboard |
| IaaS | GCP, AWS | Supported Platforms | Secure Score | Microsoft Defender for Cloud Dashboard |
| IaaS | On-premise | Supported Platforms | Secure Score | Microsoft Defender for Cloud Dashboard |

Important Note: Microsoft 365 Secure Score is broken down further for each category (e.g. Identity Secure Score); however, this falls outside the scope of this article. More information on this topic can be found here.


Observation: With cloud adoption, identity has become the new perimeter – the control plane for your organization's infrastructure, regardless of the type of cloud computing service being used (IaaS, PaaS, SaaS or even on-premises). Protecting your organization's identities is key. Therefore, both scores place a high value on protecting your identities, and enabling MFA will have a positive impact on both scores. Beyond protecting identities, you can treat these two scores as separate.


Now, let’s dive into each of these two scores!


Secure Score in Microsoft Defender for Cloud

Secure Score is all about helping you improve your security posture with regards to your Azure resources (IaaS & PaaS) and even hybrid and multi-cloud workloads (e.g. AWS and GCP resources). When you select Secure Score in Microsoft Defender for Cloud, it shows you a list of security controls, where each security control has a list of recommendations (see Figure 1). As you start addressing those recommendations and successfully address all the recommendations in a particular security control, your Secure Score will increase by a certain number of points (shown in the Potential score increase column). As your Secure Score increases, your security posture improves.

Figure 1: Secure score in Microsoft Defender for Cloud dashboard

Learn how Secure Score affects your governance.

Learn how to protect non-Azure resources.
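Worked example (added here; this is not code from the article, nor Microsoft's own implementation): a small model of how a control-based score such as the one above aggregates, and how the Potential score increase column can be used to decide what to remediate first. The per-control arithmetic (points scale with the share of in-scope resources that satisfy every recommendation in the control) and the exclusion of controls with nothing in scope are assumptions made for this example; the control names follow the dashboard, while the resource counts and point values are constructed.

```python
"""Model of a control-based secure score with prioritization by potential
score increase. Added example, not Microsoft's code: the per-control
arithmetic and the handling of empty controls are assumptions, and the
counts/point values in SAMPLE are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    max_points: int   # points the control is worth once fully remediated
    healthy: int      # resources satisfying every recommendation in the control
    unhealthy: int    # resources still failing at least one recommendation

    @property
    def in_scope(self) -> int:
        return self.healthy + self.unhealthy

    def current_points(self) -> float:
        # Assumption: points scale with the healthy share of in-scope resources;
        # a control with no resources in scope contributes nothing.
        if self.in_scope == 0:
            return 0.0
        return self.max_points * self.healthy / self.in_scope

    def potential_increase(self) -> float:
        # The "Potential score increase" column: what finishing this control is worth.
        return self.max_points - self.current_points()


def secure_score(controls):
    """Return current points, maximum points and the dashboard percentage.

    Assumption: controls with nothing in scope are left out of the maximum too,
    so an empty control cannot drag the percentage down."""
    scored = [c for c in controls if c.in_scope > 0]
    current = sum(c.current_points() for c in scored)
    maximum = sum(c.max_points for c in scored)
    pct = 100.0 * current / maximum if maximum else 0.0
    return {"current": current, "max": maximum, "percentage": pct}


def prioritize(controls):
    """Names of controls that still pay out points, largest increase first."""
    pending = [c for c in controls if c.in_scope > 0 and c.potential_increase() > 0]
    pending.sort(key=lambda c: c.potential_increase(), reverse=True)
    return [c.name for c in pending]


# Constructed sample: control names follow the Defender for Cloud dashboard;
# the resource counts and point values are made up for this example.
SAMPLE = [
    Control("Enable MFA", max_points=10, healthy=3, unhealthy=7),
    Control("Secure management ports", max_points=8, healthy=4, unhealthy=4),
    Control("Apply system updates", max_points=6, healthy=6, unhealthy=0),
    Control("Encrypt data in transit", max_points=4, healthy=0, unhealthy=0),
]

if __name__ == "__main__":
    score = secure_score(SAMPLE)
    print(f"Secure Score: {score['current']:.0f}/{score['max']} ({score['percentage']:.0f}%)")
    for name in prioritize(SAMPLE):
        ctl = next(c for c in SAMPLE if c.name == name)
        print(f"  next: {name:<25} +{ctl.potential_increase():.1f} points")
```

Running the block prints the aggregate score and then the controls that still pay out, biggest increase first. That ranking is the same thing as sorting the dashboard's Potential score increase column in descending order, and it is one concrete answer to the "what actions should you prioritize?" question from the opening section: finish the control worth the most remaining points, then re-check the score, since the continuous assessment picks the change up.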

 

Microsoft Secure Score in Microsoft 365 Security Center

Microsoft Secure Score is all about helping you improve your security posture with regards to Microsoft 365 services (see Figure 2). The Microsoft Secure Score contains three distinct control and score categories:

  • Identity (Azure Active Directory accounts and roles)
  • Devices (Microsoft Defender for Endpoint)
  • Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)

At the time of writing, Microsoft Secure Score includes recommendations for the following products:

  • Microsoft 365 (including Exchange Online)
  • Azure Active Directory
  • Microsoft Defender for Endpoint
  • Microsoft Defender for Identity
  • Microsoft Defender for Cloud Apps
  • Microsoft Teams

Figure 2: Microsoft Secure Score in Microsoft 365 Security Center

Final Considerations

The Secure Score functionality is all about helping you understand your current security posture and giving you a list of recommendations to proactively improve it. Secure Score in Microsoft Defender for Cloud can help you understand how to improve the security posture of your Azure IaaS and PaaS services (and even hybrid and multi-cloud workloads). Microsoft Secure Score helps you understand how to improve your security posture when it comes to identities, devices and SaaS applications in Microsoft 365. Both play a significant role in building a holistic security posture for your organization. Depending on how your organization is structured and which department (or team) is responsible for which workload, different teams and stakeholders might need to be involved to effectively improve the security posture of your organization. Hopefully, this article provides real value in understanding where you can find proactive guidance on how to improve your organization's security, depending on the workload in question. Remember, with each recommendation that you remediate, you are increasing your score and hardening your security defenses.


Reviewer:

@Yuri Diogenes, Principal PM


10 Comments
Brass Contributor

It is crucial that Microsoft aligns the term ‘Secure Score’ into ONE Microsoft Secure Score term, as illustrated below.


Customers need to be able to have a single KPI – with the possibility to drill down into the different environments.


My customers are really confused today as there is a Microsoft Secure Score and then there are many Azure Secure Scores (one per subscription).

Microsoft can do better :smiling_face_with_smiling_eyes:


Here is a high-level suggestion on how Microsoft could design this - sorry for going into solution mode :smiling_face_with_smiling_eyes:


Microsoft

I love this slide, which I picked up from the Microsoft Secure Score session at the Microsoft Ignite conference. This slide summarized well what is covered in Secure Score.


Silver Contributor

Azure AD is part of Azure. Azure Security Center should include everything in Azure so that security admins have a complete picture. There are many Azure security admins that don't use the M365 Security Center, so they can't see the identity score; omitting the Identity Secure Score from ASC does not make any sense.


Please add the Identity Secure Score to ASC

Silver Contributor

Whatever happened to the idea of showing an Infrastructure score as a category in M365 Secure Score? It used to be there without any data, and now it does not even show up.

Microsoft

Hi @Dean Gross, and thank you for the feedback. Azure Security Center focuses on infrastructure and platform services, not on identities. In case you want to have this feature included in ASC, please make sure to post or upvote in the ASC UserVoice.

Silver Contributor

Ok, I have added it to UserVoice: Add Identity Score – Customer Feedback for ACE Community Tooling (azure.com). Hopefully others will vote for it.

Silver Contributor

Given the importance of protecting identities, I don't understand the decisions to exclude it from ASC. We should be making it as easy as possible for organizations to improve their complete security posture. ASC is not providing very complete CSPM functionality when identity is excluded. 

Brass Contributor

The suggestion to streamline these frameworks into a single expression is very valid. It would make the products more welcoming and easily understood. 

Silver Contributor

While I agree that they should be integrated, this needs to be done carefully. I have many clients that don’t use both platforms 

Brass Contributor

SS in the Security Portal vs. DfC is still confusing when it comes to Servers vs. Workstations. I try to explain to our customers that Endpoints in the security portal are more workstation-focused (anything that would not be covered by Defender for Servers), but it still confuses them. I would prefer some type of advanced filtering or a better breakdown in the security portal. Looking forward to the advancements MS makes in helping with the breakout of the Secure Score.

Version history
Last update: Oct 26 2021 02:48 AM