Identity Secure Score Monitoring
Identity Secure Score Monitoring is a critical component of Microsoft Identity and Access Administration that falls under the broader umbrella of planning and automating identity governance. It is a feature of Microsoft Entra ID (formerly Azure AD) that expresses, as a single number, how closely an organization's identity security posture follows Microsoft's best-practice recommendations. The Identity Secure Score is a percentage from 0% to 100%; a higher score indicates stronger alignment with those recommendations. It evaluates identity-related configuration and policy across the tenant, including multi-factor authentication (MFA) adoption, privileged access management, password policies and Conditional Access policies.
Key aspects of Identity Secure Score Monitoring include:
1. **Assessment and Recommendations**: The score analyzes the current state of identity configuration and provides actionable improvement recommendations. Each recommendation carries a point weight based on its security impact.
2. **Continuous Monitoring**: Administrators can track score changes over time, measuring progress and catching regressions in their security posture. The score is recalculated periodically (roughly every 48 hours) to reflect configuration changes.
3. **Prioritization**: Recommendations are ranked by risk impact, so administrators can address the most critical improvements first, such as enforcing MFA or eliminating legacy authentication protocols.
4. **Comparison and Benchmarking**: Organizations can compare their score against industry averages and similar-sized organizations to understand their relative security standing.
5. **Automation Integration**: The score can be retrieved through the Microsoft Graph API and fed into automated governance workflows for programmatic monitoring, alerting and reporting.
6. **Compliance Support**: Monitoring the score gives organizations evidence that the identity security controls required by regulatory frameworks are actually in place.
By regularly monitoring and acting on Identity Secure Score recommendations, administrators can proactively strengthen their organization's identity security posture, reduce the attack surface, and establish a robust foundation for identity governance automation.
Identity Secure Score: Plan & Automate Identity Governance (SC-300)
Understanding Identity Secure Score
Why Is Identity Secure Score Important?
Identity Secure Score is a critical component of Microsoft Entra ID (formerly Azure AD) that gives organizations a quantifiable measure of how well their identity security posture aligns with Microsoft's best-practice recommendations. In today's threat landscape identity is the primary attack vector: compromised credentials are consistently among the most common initial access methods in published breach reports. Without a clear metric for the state of identity security configuration, organizations operate blind and leave gaps that attackers can exploit.
For the SC-300 exam, Identity Secure Score falls under the domain of planning and automating identity governance. Microsoft expects identity administrators to not only understand the score but also know how to monitor it, interpret improvement actions, and integrate it into an organization's overall security strategy.
What Is Identity Secure Score?
Identity Secure Score is a percentage-based metric (0%–100%) displayed in the Microsoft Entra admin center under Protection > Identity Secure Score. It evaluates your tenant's identity configuration against a set of Microsoft-recommended security improvement actions. The higher your score, the more aligned your environment is with best practices.
Key characteristics include:
- Score Range: 0% to 100%, representing the ratio of achieved points to maximum possible points.
- Improvement Actions: A prioritized list of recommended actions, each with an assigned point value based on its security impact.
- Comparison Benchmarks: You can compare your score against organizations of similar size and industry, as well as against all Microsoft 365 tenants.
- Score History: A historical graph showing how your score has changed over time (up to 90 days), enabling trend analysis.
How Does Identity Secure Score Work?
The Identity Secure Score engine re-evaluates your Microsoft Entra tenant configuration on a fixed cadence (about every 48 hours, see Score Refresh below) and compares it against a predefined set of improvement actions. Here is how the process works:
1. Evaluation of Improvement Actions
Microsoft maintains a list of improvement actions, each targeting a specific identity security configuration. Examples include:
- Require MFA for all users — Ensures multi-factor authentication is enforced across the tenant.
- Ensure all users can complete MFA — Verifies that users have registered for MFA.
- Enable policy to block legacy authentication — Blocks outdated protocols that bypass MFA.
- Designate more than one global admin — Ensures administrative redundancy without over-provisioning.
- Do not expire passwords — Aligns with NIST guidance to avoid forced periodic password changes.
- Enable self-service password reset — Reduces helpdesk burden and improves user experience.
- Protect all users with a sign-in risk policy — Leverages Identity Protection risk-based Conditional Access.
- Protect all users with a user risk policy — Automatically remediates compromised accounts.
- Use limited administrative roles — Applies least-privilege principles to admin roles.
- Enable Microsoft Entra ID Privileged Identity Management (PIM) — Provides just-in-time access for privileged roles.
2. Point Assignment
Each improvement action has a maximum point value. Fully implementing the action earns the full points; for actions measured across the user population (for example MFA registration), partial implementation earns proportional partial credit. An action you cannot or will not implement in the recommended way can be marked Risk accepted, Resolved through third party, or Resolved through alternate mitigation, and the status you choose determines how the action is counted (see Score Calculation below).
3. Score Calculation
The formula is:
Identity Secure Score = (Achieved Points / Maximum Possible Points) × 100%
Marking an action "Resolved through third party" or "Resolved through alternate mitigation" awards its full points, so the score reflects a control you have implemented outside Microsoft's own tooling; Microsoft cannot verify such a control, so the score is only as honest as your claim. Marking an action "Risk accepted" awards no points according to Microsoft's documentation; the action is removed from your active improvement list but stays in history, and the status can be undone at any time. Risk acceptance is therefore a way to stop tracking an action you have consciously declined, not a way to raise the score.
4. Score Refresh
The score is updated every 48 hours (approximately). Changes you make to your tenant configuration will not be reflected immediately. This is an important detail for the exam.
5. Historical Tracking
The score history graph allows administrators to track improvements or regressions over time. This is useful for governance reporting and demonstrating compliance progress to stakeholders.
Where to Access Identity Secure Score
- Microsoft Entra admin center: Navigate to Protection > Identity Secure Score
- Microsoft Defender portal (security.microsoft.com, formerly Microsoft 365 Defender): the broader Microsoft Secure Score includes the identity-related recommendations alongside device, app and data ones; the Identity Secure Score in Entra is the identity-only view.
- Microsoft Graph API: You can programmatically retrieve the score using the secureScore resource (GET /security/secureScores, dated snapshots with the achieved points per control) and the secureScoreControlProfile resource (GET /security/secureScoreControlProfiles, the maximum points, category and current status of each improvement action). Both require the SecurityEvents.Read.All permission and support automation and integration into custom dashboards or SIEM tools.
Roles Required
To view the Identity Secure Score, you need one of the following roles:
- Global Administrator
- Security Administrator
- Security Reader
- Global Reader
To modify settings that affect the score, you need the appropriate administrative role for each specific action (e.g., Conditional Access Administrator for CA policies, Privileged Role Administrator for PIM).
How Identity Secure Score Relates to Identity Governance
Identity Secure Score is a monitoring and planning tool within the broader identity governance framework. It connects to governance in several ways:
- Baseline Assessment: Before implementing governance policies, the score provides a baseline of your current posture.
- Continuous Monitoring: As you implement access reviews, entitlement management, PIM, and Conditional Access, the score reflects these improvements.
- Automation: Using Microsoft Graph API, you can automate score monitoring, trigger alerts when the score drops, and integrate with Azure Logic Apps or Power Automate for governance workflows.
- Compliance Reporting: The score history and improvement action list serve as evidence for auditors and compliance frameworks.
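As an added example (not from the original page, and not Microsoft's code), the following Python script ties the Score Calculation section to the Automation bullet above: it takes the achieved points per control from /security/secureScores, joins them to each control's maxScore from /security/secureScoreControlProfiles, keeps only controls whose controlCategory is Identity, computes achieved divided by maximum as a percentage, and compares the two most recent snapshots so a drop (and the controls responsible for it) can be alerted on. It assumes the Identity Secure Score corresponds to the Identity-category controls of Microsoft Secure Score, which is how this article relates the two portals. The control names, point values and timestamps in the sample data are constructed for illustration and are not real tenant output; graph_get is the one piece that needs a real token and is not exercised by the offline sample.

```python
"""Identity Secure Score monitor: derive the Identity-category subset of
Microsoft Secure Score from Graph data and flag regressions between snapshots."""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
IDENTITY_CATEGORY = "Identity"


def graph_get(path: str, token: str) -> list:
    """GET a Graph collection (token needs SecurityEvents.Read.All) and return
    its 'value' array. The only network call; the offline demo never uses it."""
    req = urllib.request.Request(
        f"{GRAPH}{path}", headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["value"]


def identity_points(snapshot: dict, profiles: dict) -> dict:
    """Return {controlName: (achieved, maximum)} for Identity-category controls.
    'snapshot' is one /security/secureScores item (achieved points per control);
    'profiles' maps controlName to its /security/secureScoreControlProfiles item
    (maximum points per control). Deprecated or unknown controls are skipped."""
    points = {}
    for ctl in snapshot.get("controlScores", []):
        name = ctl.get("controlName")
        prof = profiles.get(name)
        if (ctl.get("controlCategory") != IDENTITY_CATEGORY
                or prof is None or prof.get("deprecated")):
            continue
        points[name] = (float(ctl["score"]), float(prof["maxScore"]))
    return points


def percent(points: dict) -> float:
    """Identity Secure Score = achieved points / maximum possible points x 100."""
    achieved = sum(a for a, _ in points.values())
    possible = sum(m for _, m in points.values())
    return round(100.0 * achieved / possible, 1) if possible else 0.0


def compare(snapshots: list, profiles: dict, alert_drop: float = 1.0) -> dict:
    """Compare the two most recent distinct snapshots and list regressed controls.
    The score refreshes only about every 48 hours, so daily pulls can return the
    same snapshot twice; de-duplicating on createdDateTime avoids a false 'no change'."""
    distinct = {s["createdDateTime"]: s for s in snapshots}
    if len(distinct) < 2:
        raise ValueError("need at least two distinct snapshots to compare")
    latest, previous = sorted(distinct.values(),
                              key=lambda s: s["createdDateTime"], reverse=True)[:2]
    cur, prev = identity_points(latest, profiles), identity_points(previous, profiles)
    regressed = sorted((n, prev[n][0], cur[n][0])
                       for n in prev if n in cur and cur[n][0] < prev[n][0])
    cur_pct, prev_pct = percent(cur), percent(prev)
    delta = round(cur_pct - prev_pct, 1)
    return {
        "as_of": latest["createdDateTime"],
        "current_pct": cur_pct,
        "previous_pct": prev_pct,
        "delta": delta,
        "regressed": regressed,  # (control, points before, points after)
        "alert": delta <= -alert_drop or bool(regressed),
    }


# Constructed sample data (not real tenant output), shaped like the two Graph
# responses; control names and point values are illustrative only.
SAMPLE_PROFILES = {p["controlName"]: p for p in [
    {"controlName": "AdminMFAV2", "controlCategory": "Identity", "maxScore": 10},
    {"controlName": "MFARegistrationV2", "controlCategory": "Identity", "maxScore": 9},
    {"controlName": "BlockLegacyAuthentication", "controlCategory": "Identity", "maxScore": 8},
    {"controlName": "PWAgePolicyNew", "controlCategory": "Identity", "maxScore": 8},
    {"controlName": "OneAdmin", "controlCategory": "Identity", "maxScore": 1},
    {"controlName": "DLPEnabled", "controlCategory": "Data", "maxScore": 3},
]}


def _snapshot(created: str, scores: dict) -> dict:
    """Build a secureScores-shaped item from {controlName: achieved points}."""
    return {"createdDateTime": created, "controlScores": [
        {"controlName": n, "controlCategory": SAMPLE_PROFILES[n]["controlCategory"],
         "score": s} for n, s in scores.items()]}


SAMPLE_SNAPSHOTS = [
    _snapshot("2024-05-01T00:00:00Z", {"AdminMFAV2": 10, "MFARegistrationV2": 6.3,
              "BlockLegacyAuthentication": 8, "PWAgePolicyNew": 0, "OneAdmin": 1, "DLPEnabled": 3}),
    # Two days later: more users registered for MFA, but the Conditional Access
    # policy that blocked legacy authentication was disabled.
    _snapshot("2024-05-03T00:00:00Z", {"AdminMFAV2": 10, "MFARegistrationV2": 7.2,
              "BlockLegacyAuthentication": 0, "PWAgePolicyNew": 0, "OneAdmin": 1, "DLPEnabled": 3}),
]

if __name__ == "__main__":
    # Live use: snapshots = graph_get("/security/secureScores?$top=2", token) and
    # profiles = {p["controlName"]: p for p in graph_get("/security/secureScoreControlProfiles", token)}
    print(json.dumps(compare(SAMPLE_SNAPSHOTS, SAMPLE_PROFILES), indent=2))
```

Run daily from a scheduler and route the report to your alerting channel when "alert" is true; the sample data produces a drop from 70.3% to 50.6% with BlockLegacyAuthentication named as the regressed control. The identity percentage is rebuilt from controlScores on purpose: the top-level currentScore and maxScore on a secureScores item describe the whole Microsoft Secure Score, not the identity-only view shown in the Entra admin center.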
Relationship with Microsoft Secure Score
It is important to distinguish:
- Microsoft Secure Score (in the Microsoft Defender portal, formerly Microsoft 365 Defender) covers identity, devices, apps, and data: a broader scope.
- Identity Secure Score (in Microsoft Entra) focuses exclusively on identity-related configurations.
The SC-300 exam primarily focuses on the Identity Secure Score in Microsoft Entra, though understanding the relationship with the broader Secure Score is beneficial.
Common Improvement Actions and Their Impact
Here is a summary of high-impact improvement actions frequently referenced in exam scenarios:
| Action | Impact | Notes |
|---|---|---|
| Require MFA for all users | High | Conditional Access policy preferred over per-user MFA |
| Block legacy authentication | High | Legacy protocols cannot enforce MFA |
| Enable sign-in risk policy | High | Requires Microsoft Entra ID P2 |
| Enable user risk policy | High | Requires Microsoft Entra ID P2 |
| Enable PIM | Medium-High | Just-in-time privileged access |
| Use limited admin roles | Medium | Least privilege principle |
| Enable SSPR | Medium | Reduces helpdesk calls, improves user experience |
| Do not expire passwords | Medium | Aligns with modern security guidance |
| Designate more than one global admin | Low-Medium | Ensures continuity without over-provisioning |
Exam Tips: Answering Questions on Identity Secure Score Monitoring
Tip 1: Know the Refresh Interval
The Identity Secure Score updates approximately every 48 hours. If an exam question asks why a recently implemented change is not yet reflected in the score, the answer is the refresh delay.
Tip 2: Understand Action Statuses
Improvement actions can have the following statuses:
- To address — Not yet implemented, or detected as only partially implemented.
- Planned — Manually marked as planned; does not affect the score.
- Risk accepted — You consciously decline to implement the action. Per Microsoft's documentation no points are awarded; the action is removed from the active improvement list but remains in history, and the status can be undone at any time.
- Resolved through third party — A third-party tool addresses the recommendation; the action's full points are awarded.
- Resolved through alternate mitigation — Addressed by an internal tool or process; the action's full points are awarded. Microsoft has no visibility into either of these two statuses, so the score then reflects your claim rather than a verified configuration.
- Completed — Fully implemented and verified by the system.
Exam questions may test whether marking an action as "risk accepted" improves or changes the score. Remember: it earns no points and simply stops the action from appearing in your to-do list; only the two "Resolved through ..." statuses award points, and they do so without Microsoft verifying the control.
Tip 3: Know the Required Licenses
Some improvement actions require Microsoft Entra ID P2 (e.g., sign-in risk policy, user risk policy, PIM). If a question describes a tenant with only P1 or free licenses, those actions would still appear but cannot be fully implemented without upgrading.
Tip 4: Differentiate Between Identity Secure Score and Microsoft Secure Score
If the question specifically mentions identity posture and the Microsoft Entra admin center, the answer is Identity Secure Score. If it references a broader security posture across Microsoft 365 workloads, the answer is Microsoft Secure Score.
Tip 5: Know the Access Location
Identity Secure Score is found at Microsoft Entra admin center > Protection > Identity Secure Score. Exam questions may present multiple navigation paths and ask you to choose the correct one.
Tip 6: Microsoft Graph API Integration
For automation scenarios, remember that the Identity Secure Score can be retrieved via the Microsoft Graph API. If a question asks about automating score monitoring or building custom reports, Graph API is the correct answer. Score snapshots are returned by /security/secureScores and the per-action metadata (maximum points, category, status) by /security/secureScoreControlProfiles; both need the SecurityEvents.Read.All permission.
Tip 7: Focus on High-Impact Actions
Exam scenarios often present a tenant with a low score and ask which action would most improve the score. Prioritize actions like enabling MFA for all users and blocking legacy authentication, as these carry the highest point values.
Tip 8: Understand the Comparison Feature
The Identity Secure Score allows comparison with organizations of similar size and with all tenants globally. A question might ask how to benchmark your organization's identity posture against peers — the answer is the comparison feature within Identity Secure Score.
Tip 9: Score Does Not Guarantee Security
A 100% score does not mean you are fully secure. It means you have implemented all of Microsoft's recommended configurations. Exam questions may test your understanding that additional security measures beyond the scored actions may still be necessary.
Tip 10: Watch for Conditional Access vs. Per-User MFA
Microsoft recommends using Conditional Access policies for MFA enforcement rather than per-user MFA. The improvement action for MFA may not give full credit if per-user MFA is used instead of Conditional Access. This is a common exam trap.
Tip 11: Least Privilege for Viewing vs. Modifying
If a question asks about the minimum role needed to view the Identity Secure Score, the answer is Security Reader or Global Reader. If the question asks about implementing improvement actions, the answer depends on the specific action (e.g., Conditional Access Administrator, Privileged Role Administrator).
Summary
Identity Secure Score is a foundational tool for monitoring and improving your organization's identity security posture in Microsoft Entra ID. For the SC-300 exam, focus on understanding how the score is calculated, the refresh interval, the statuses of improvement actions, the licensing requirements for specific actions, the roles needed to access the score, and how to use the Microsoft Graph API for automation. Always prioritize high-impact actions like MFA enforcement and legacy authentication blocking when presented with scenario-based questions about improving the score.