The Secure Score documentation states the following about Security Defaults:
If you turn on security defaults, you'll be awarded full points for the following improvement actions:
- Ensure all users can complete multi-factor authentication for secure access (9 points)
- Require MFA for administrative roles (10 points)
- Enable policy to block legacy authentication (7 points)
However, in a tenant I manage this is not what happens. I am awarded full points for the second and last bullets, but not for the first bullet. For that improvement action, I am only awarded 4.33 out of 9 points, and under "Implementation status" it states that: "You have 25 out of 52 users registered and protected with MFA."
The documention is very clear: enabling Security Defaults should award full points. Does the fact that this does not happen in this tenant mean the documentation is incorrect, or that something is wrong with the tenant?