Secure Score: Security Defaults doesn't award full points for improvement points stated in the docs

Occasional Visitor

Hi,

 

The Secure Score documentation states the following about Security Defaults:

 

If you turn on security defaults, you'll be awarded full points for the following improvement actions:

  • Ensure all users can complete multi-factor authentication for secure access (9 points)
  • Require MFA for administrative roles (10 points)
  • Enable policy to block legacy authentication (7 points)

However, in a tenant I manage this is not what happens. I am awarded full points for the second and last bullets, but not for the first bullet. For that improvement action, I am only awarded 4.33 out of 9 points, and under "Implementation status" it states that: "You have 25 out of 52 users registered and protected with MFA."

 

The documention is very clear: enabling Security Defaults should award full points. Does the fact that this does not happen in this tenant mean the documentation is incorrect, or that something is wrong with the tenant?

1 Reply
You can see from my similar MFA question last year that there is a significant discrepancy between the doco and the actual secure score. Also note that lack of clarifying response on last questions:
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/secure-score-not-improving-e...