
Secure Score incorrectly flags onPremisesSyncEnabled as “disabled” in cloud-only tenants (null should be treated as not applicable)

Keith Oak 0 Reputation points
2025-10-05T01:22:11.5466667+00:00

Support Ticket Draft

Hello Microsoft Support,

In our cloud-only tenant (no Entra Connect / hybrid sync), the organization object’s onPremisesSyncEnabled property is null, which is expected according to Microsoft documentation for tenants that have never been synchronized.

References


Issues Observed

  1. In the Microsoft Admin Center, the tenant page shows “Directory sync disabled” when the property is null.
  2. The portal also shows “Last sync not configured” and other synchronization metadata fields that do not apply to a cloud-only tenant.
  3. In Microsoft Secure Score (Identity section), the recommendation shown is: Enable password hash sync if hybrid
    • Value: “You have disabled password hash sync.”
    • Action plan: “Install Microsoft Entra Connect and configure directory synchronization …”
    • Status description: Marked as dismissed by user, but still scored as 0/5.
    • Even after dismissing this recommendation (e.g. dismissed for over two weeks), Secure Score still counts 0/5 points against the overall Identity score.

Impact

  • Creates false positives in Secure Score.
  • Misrepresents the tenant’s security and configuration posture.
  • Can lead to unnecessary compliance/audit questions.

Request

  • Please confirm whether the current behavior (treating null as “disabled” and showing sync-related fields) is by design.
  • If this is a known bug, can you share any fix or roadmap timeline?
  • If intentional, can Microsoft update Secure Score and the Admin Portal so that when onPremisesSyncEnabled = null, the state is treated as “Not applicable (cloud-only tenant)”, and sync metadata fields such as “Last sync” are suppressed rather than shown?

Steps to Reproduce

  1. Use a cloud-only tenant (no Entra Connect / Cloud Sync configured).
  2. Query the tenant organization object via Graph → onPremisesSyncEnabled = null.
  3. In Admin Center → observe “Directory sync disabled” and “Last sync not configured.”
  4. In Secure Score → Identity recommendations → “Enable password hash sync if hybrid” shows as failed.
  5. Dismiss the recommendation → Secure Score continues to count 0/5 points against the overall score.

Expected Result

For cloud-only tenants (onPremisesSyncEnabled = null):

  • Admin Portal should display “Not applicable (cloud-only tenant)” instead of “Disabled” or “Not configured.”
  • Secure Score should automatically suppress or exclude sync-related recommendations.
  • Dismissed recommendations should not continue to reduce the Identity score.
Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Anonymous
    2025-10-08T11:20:15.9166667+00:00

    Hi Keith,

    Thank you for posting your query on Microsoft Q&A.

    The issue you are encountering with Secure Score incorrectly flagging the onPremisesSyncEnabled property as “disabled” in cloud-only tenants is a known limitation related to how Secure Score interprets this property. In Microsoft Graph API, the onPremisesSyncEnabled property is null for tenants that have never used on-premises synchronization, which is typical for cloud-only tenants. However, Secure Score currently treats this null value as “disabled” rather than marking it as “Not applicable.” This causes inaccurate security recommendations and score impact.

    In Microsoft Entra Identity Secure Score, recommendations are tailored to your tenant’s configuration and are scored based on how well your environment aligns with Microsoft’s security best practices. Some recommendations may appear even when they are not applicable to your setup. Although you can dismiss such recommendations, they may still influence your overall score, which can cause confusion.

    Please consider the following steps to effectively understand and manage this situation:

    Review Your Secure Score Dashboard: Secure Score aggregates security findings into a score to help you assess your security posture across subscriptions. You can view detailed recommendations, including those related to synchronization, in the Microsoft Entra admin center under Identity Secure Score or in Microsoft Defender for Cloud.

    Interpret Null onPremisesSyncEnabled Correctly: Recognize that a null value for onPremisesSyncEnabled means no on-premises synchronization is configured and that this state should ideally be considered “Not applicable” and not “disabled.”

    Manage Recommendations: Dismiss recommendations that do not apply to your environment. Note that dismissed recommendations may still appear in your score calculations, but the Microsoft Entra portal provides options to set certain improvement actions as “ignored” or “risk accepted,” which excludes them from scoring.

    Focus on Relevant Security Controls: Prioritize recommendations based on their impact and relevance to your environment. Microsoft’s secure score focuses on key security controls such as enabling MFA, managing access and permissions, and protecting against vulnerabilities, which have a greater effect on improving your security posture.

    Understand Scoring Mechanisms: The score updates periodically based on your security configuration. Partial compliance with a recommendation is reflected in partial points. The score is not an absolute risk measure but an indicator of your alignment with best practices.

    For detailed information, please refer to the official Microsoft documentation on secure score in Defender for Cloud and Identity Secure Score in Microsoft Entra:

    By understanding these nuances, you can better interpret and manage your Secure Score and focus on security improvements that are meaningful to your environment.

    Please click "Accept as Answer" if this resolves your issue. This will help others experiencing similar challenges find the solution.

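Added example (not from the question author, the answerer, or Microsoft) covering both the reproduction step that queries the organization object via Graph and the answer's point about reading a null `onPremisesSyncEnabled` as "not applicable": a small triage helper that takes one element of a `GET /v1.0/organization` response and maps the property to a tri-state instead of a boolean, so a tenant owner can independently check whether the "Enable password hash sync if hybrid" finding is a false positive. It assumes the caller has already fetched the JSON with any Graph client; the sample responses are constructed.

```python
"""Tri-state reading of onPremisesSyncEnabled from the Graph /organization object.

Assumption: the caller fetched GET https://graph.microsoft.com/v1.0/organization
with any client and passes one element of the "value" array. A missing key and an
explicit JSON null are treated alike (both mean "never synchronized").
"""
from typing import Any, Optional

NOT_APPLICABLE = "not_applicable_cloud_only"   # null: tenant never synchronized
SYNC_ENABLED = "hybrid_sync_enabled"           # true: hybrid, sync running
SYNC_DISABLED = "sync_configured_now_disabled"  # false: sync was set up, now off


def classify_sync_state(org: dict[str, Any]) -> str:
    """Map the nullable boolean to three states rather than collapsing null to False."""
    value = org.get("onPremisesSyncEnabled")
    if value is None:
        return NOT_APPLICABLE
    return SYNC_ENABLED if value else SYNC_DISABLED


def sync_finding_applies(org: dict[str, Any]) -> bool:
    """True only when a hybrid-sync recommendation should count against the score.

    Only an explicit false describes "you have disabled password hash sync";
    null means there was never anything to disable.
    """
    return classify_sync_state(org) != NOT_APPLICABLE


def summarize(org: dict[str, Any]) -> dict[str, Any]:
    """Build the view the ticket asks for: suppress sync metadata when not applicable."""
    state = classify_sync_state(org)
    last_sync: Optional[str] = org.get("onPremisesLastSyncDateTime")
    return {
        "displayName": org.get("displayName"),
        "syncState": state,
        # Do not surface "Last sync not configured" for a cloud-only tenant.
        "lastSync": last_sync if state != NOT_APPLICABLE else None,
        "hybridFindingApplies": sync_finding_applies(org),
    }


# Constructed sample responses (hypothetical tenants, not real data).
CLOUD_ONLY = {"displayName": "Contoso (cloud-only)", "onPremisesSyncEnabled": None,
              "onPremisesLastSyncDateTime": None}
HYBRID = {"displayName": "Fabrikam (hybrid)", "onPremisesSyncEnabled": True,
          "onPremisesLastSyncDateTime": "2025-10-04T22:00:00Z"}
DISABLED = {"displayName": "Northwind (sync off)", "onPremisesSyncEnabled": False,
            "onPremisesLastSyncDateTime": "2024-01-15T08:30:00Z"}

if __name__ == "__main__":
    for sample in (CLOUD_ONLY, HYBRID, DISABLED):
        print(summarize(sample))
```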
