Secure Score - Define headings in Control List Export


Is there a document that describes each of the columns included in the Control List Export (CSV) from Secure Score?

Most are obvious, but some (Control Type, Category, Workload, Tier, Threats, Enablement) could use some explanation to help me determine how to use them.

3 Replies

Hi William,


There is not a definition file, but if you let me know which ones you have questions on I will be happy to answer.

OK, I want clarification on the following headers:

Control Type (Config, Review, Behavior)

Action Category (Data, Device, Identity)

This one in particular - Workload (AzureAD, IO, EXO, OD4B, Intune, IP, SFB, SPO)

Tier (Core, Advanced, Defense in Depth)

Rank (can I assume that the lower the number, the higher the rank of this particular control? Does a higher rank assume it is more important?)

Thanks

Hi William,


Under control type, config is about making a configuration change like enabling MFA for your admins. Review is for looking at reports. Behavior is for controls that are more about changing the demeanor of how the organization approaches security. For example, designating more than one global admin or using IRM to protect documents.


Action category is for understanding what the control helps protect.  For example, many of the Azure AD controls are tagged as identity and the MDM controls are tagged as device.  Expect the use of this to grow as we are going to move away from the workload scores and go to using the category.  You can get more info on that here.


Workload is the acronym for the Microsoft solution that the control resides in. EXO is short for Exchange Online, OD4B is OneDrive for Business, SFB is Skype for Business, SPO is SharePoint Online, IP is Information Protection (which is more of a category than a solution), Azure AD is Azure Active Directory, MCAS is Microsoft Cloud App Security, and Intune is our enterprise MDM solution.


Rank is what we used to order the recommendations of controls in the Take Action, Improve Your Microsoft Secure Score section.  For example, enabling MFA for privileged roles will always be first unless you have the full set of points.


Tier is for understanding the distinction between a high value, low user impact control, and a moderate value, moderate user impact control. Core is stuff that most every organization should be able to do. Defense in Depth will require more analysis to determine the impact on your organization. Advanced is for organizations that have discrete security needs for which they are willing to pay for premium products.
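
An added example, not part of the thread and not Microsoft code: one way to apply the column meanings from the answer above to a Control List Export. The column headers, the sample rows, the Core, then Defense in Depth, then Advanced working order, and the reading of Rank as "lower number first" are all assumptions made for the example.

```python
import csv
import io

CONTROL_TYPES = {"Config", "Review", "Behavior"}
# Assumed working order: broadly applicable controls before premium ones.
TIER_ORDER = ["Core", "Defense in Depth", "Advanced"]
# Workload acronyms as expanded in the answer; anything else (e.g. "IO") is kept as-is.
WORKLOADS = {
    "EXO": "Exchange Online", "OD4B": "OneDrive for Business",
    "SFB": "Skype for Business", "SPO": "SharePoint Online",
    "IP": "Information Protection", "AzureAD": "Azure Active Directory",
    "MCAS": "Microsoft Cloud App Security", "Intune": "Intune",
}

# Constructed sample export; header names are assumed, not taken from a real file.
SAMPLE_CSV = """\
Control Name,Control Type,Action Category,Workload,Tier,Rank
Designate more than one global admin,Behavior,Identity,AzureAD,Core,3
Enable MFA for privileged roles,Config,Identity,AzureAD,Core,1
Use IRM to protect documents,Behavior,Data,IP,Advanced,5
Enable mobile device management,Config,Device,Intune,Defense in Depth,4
Review sign-in reports,Review,Identity,AzureAD,Core,2
Sample IO control,Config,Data,IO,Core,6
Malformed row,Setting,Data,SPO,Core,7
"""

def triage(csv_text):
    """Return (plan, rejected): plan maps tier -> controls sorted by rank."""
    plan = {tier: [] for tier in TIER_ORDER}
    rejected = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row = {k.strip(): (v or "").strip() for k, v in row.items() if k}
        ok = (row.get("Control Type") in CONTROL_TYPES
              and row.get("Tier") in plan
              and row.get("Rank", "").isdigit())
        if not ok:  # unexpected value: surface it instead of guessing
            rejected.append(row.get("Control Name", ""))
            continue
        plan[row["Tier"]].append({
            "rank": int(row["Rank"]),
            "name": row["Control Name"],
            "type": row["Control Type"],
            "protects": row["Action Category"],
            "product": WORKLOADS.get(row["Workload"], row["Workload"]),
        })
    return {t: sorted(c, key=lambda x: x["rank"]) for t, c in plan.items() if c}, rejected

if __name__ == "__main__":
    plan, rejected = triage(SAMPLE_CSV)
    for tier, controls in plan.items():
        for c in controls:
            print(f'{tier:17} {c["rank"]:>2} {c["type"]:9} {c["protects"]:9} {c["product"]:24} {c["name"]}')
    print("Rejected rows:", rejected)
```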