Secure score
Overview of secure score
Microsoft Defender for Cloud has two main goals:
- to help you understand your current security situation
- to help you efficiently and effectively improve your security
The central feature in Defender for Cloud that enables you to achieve those goals is the secure score.
Defender for Cloud continually assesses your cross-cloud resources for security issues. It then aggregates all the findings into a single score so that you can tell, at a glance, your current security situation: the higher the score, the lower the identified risk level.
In the Azure portal, the secure score is shown as a percentage value, with the underlying values (current score, max score, and resource counts) presented alongside it.
In the Azure mobile app, the secure score is shown as a percentage value; tap the secure score to see the details that explain it.
To increase your security, review Defender for Cloud's recommendations page and remediate the recommendation by implementing the remediation instructions for each issue. Recommendations are grouped into security controls. Each control is a logical group of related security recommendations, and reflects your vulnerable attack surfaces. Your score only improves when you remediate all of the recommendations for a single resource within a control. To see how well your organization is securing each individual attack surface, review the scores for each security control.
For more information, see How your secure score is calculated below.
Manage your security posture
On the Security posture page, you're able to see the secure score for your entire subscription, and each environment in your subscription. By default all environments are shown.
The bottom half of the page lets you view the individual secure scores, the number of unhealthy resources, and the recommendations for each of your subscriptions, accounts, and projects.
You can group this section by environment by selecting the Group by Environment checkbox.
How your secure score is calculated
The contribution of each security control towards the overall secure score is shown on the recommendations page.
To get all the possible points for a security control, all of your resources must comply with all of the security recommendations within the security control. For example, Defender for Cloud has multiple recommendations regarding how to secure your management ports. You'll need to remediate them all to make a difference to your secure score.
Example scores for a control
In this example:
Remediate vulnerabilities security control - This control groups multiple recommendations related to discovering and resolving known vulnerabilities.
Max score - The maximum number of points you can gain by completing all recommendations within a control. The maximum score for a control indicates the relative significance of that control and is fixed for every environment. Use the max score values to triage the issues to work on first.
For a list of all controls and their max scores, see Security controls and their recommendations.
Current score - The current score for this control.
Current score = [Score per resource] * [Number of healthy resources]
Each control contributes towards the total score. In this example, the control is contributing 2.00 points to the current total secure score.
Potential score increase - The remaining points available to you within the control. If you remediate all the recommendations in this control, your score will increase by 9%.
Potential score increase = [Score per resource] * [Number of unhealthy resources]
Insights - Gives you extra details for each recommendation, such as:
Preview recommendation - This recommendation won't affect your secure score until it's GA.
Fix - From within the recommendation details page, you can use 'Fix' to resolve this issue.
Enforce - From within the recommendation details page, you can automatically deploy a policy to fix this issue whenever someone creates a non-compliant resource.
Deny - From within the recommendation details page, you can prevent new resources from being created with this issue.
Calculations - understanding your score
Metric | Formula and example |
---|---|
Security control's current score | Current score = [Max score for the control] / [Healthy resources + unhealthy resources] * [Number of healthy resources]. Each individual security control contributes towards the secure score, and each resource affected by a recommendation within the control contributes towards the control's current score. The current score for each control is a measure of the status of the resources within the control. In this example, the max score of 6 is divided by 78 because that's the sum of the healthy and unhealthy resources: 6 / 78 = 0.0769. Multiplying that by the number of healthy resources (4) gives the current score: 0.0769 * 4 = 0.31. |
Secure score, single subscription or connector | Secure score = [Sum of the current scores of all controls] / [Sum of the max scores of all controls], shown as a percentage. In this example, there's a single subscription, or connector, with all security controls available (a potential maximum score of 60 points). The score shows 28 points out of a possible 60, and the remaining 32 points are reflected in the "Potential score increase" figures of the security controls. The equation is the same for a connector, with the word subscription replaced by the word connector. |
Secure score, multiple subscriptions and connectors | The combined score for multiple subscriptions and connectors includes a weight for each subscription and connector. The relative weights for your subscriptions and connectors are determined by Defender for Cloud based on factors such as the number of resources. The current score for each subscription and connector is calculated in the same way as for a single subscription or connector, but then the weight is applied. When you view multiple subscriptions and connectors, the secure score evaluates all resources within all enabled policies and groups their combined impact on each security control's maximum score. The combined score is not an average; rather, it's the evaluated posture of the status of all resources across all subscriptions and connectors. Here too, if you go to the recommendations page and add up the potential points available, you'll find that it's the difference between the current score (22) and the maximum score available (58). |
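The arithmetic above (score per resource, current score, potential score increase, and the weighted combination across subscriptions), together with the rounding-to-zero case raised in the FAQ, as an added Python model. This is example code, not Defender for Cloud's implementation: the per-control formulas are the ones stated on this page, but the weighted combination is an assumed weighted sum of the form the page describes, because the weights themselves are assigned by Defender for Cloud and are not published. The control names, resource counts and subscription weights are constructed sample data.

```python
"""Model of the secure score arithmetic described on this page.

Added example, not Microsoft's code. Per-control formulas follow the page;
the cross-subscription weighting is an ASSUMED form (weights are set by
Defender for Cloud and are not published), so treat it as illustrative.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Control:
    """One security control and the resources it evaluates.

    A resource is healthy only when it complies with every recommendation
    in the control; fixing three of four recommendations leaves it unhealthy.
    """
    name: str
    max_score: float   # fixed per control, e.g. 10 for "Enable MFA"
    healthy: int       # resources compliant with all recommendations in the control
    unhealthy: int     # resources failing at least one recommendation

    @property
    def score_per_resource(self) -> float:
        total = self.healthy + self.unhealthy
        return self.max_score / total if total else 0.0

    @property
    def current_score(self) -> float:
        # Current score = [Score per resource] * [Number of healthy resources]
        return self.score_per_resource * self.healthy

    @property
    def potential_increase(self) -> float:
        # Potential score increase = [Score per resource] * [Number of unhealthy resources]
        return self.score_per_resource * self.unhealthy


@dataclass
class Scope:
    """A subscription or connector with its evaluated controls."""
    name: str
    controls: list[Control]
    weight: float = 1.0   # ASSUMED relative weight (the page says it depends on e.g. resource count)

    @property
    def current_score(self) -> float:
        return sum(c.current_score for c in self.controls)

    @property
    def max_score(self) -> float:
        return sum(c.max_score for c in self.controls)

    @property
    def percentage(self) -> float:
        # Single subscription/connector: current points over max points, as a percentage.
        return 100.0 * self.current_score / self.max_score if self.max_score else 0.0


def combined_percentage(scopes: list[Scope]) -> float:
    """Weighted score across subscriptions/connectors (assumed form).

    sum(weight * current points) / sum(weight * max points). This is
    deliberately NOT the average of the per-subscription percentages.
    """
    numerator = sum(s.weight * s.current_score for s in scopes)
    denominator = sum(s.weight * s.max_score for s in scopes)
    return 100.0 * numerator / denominator if denominator else 0.0


# Constructed sample data. The first control mirrors the page's worked example:
# max 6, 78 resources, 4 healthy -> 6/78 * 4 = 0.31 current, 5.69 still available.
REMEDIATE_VULNS = Control("Remediate vulnerabilities", 6, healthy=4, unhealthy=74)
ENABLE_MFA = Control("Enable MFA", 10, healthy=3, unhealthy=2)
# A 1-point control spread over 500 resources: 0.002 per resource, which the
# portal shows as 0.00 (the "impact is zero" FAQ case) even though the control
# still carries a max score of 1.
AUDIT_LOGGING = Control("Enable auditing and logging", 1, healthy=100, unhealthy=400)

PROD = Scope("prod-subscription", [REMEDIATE_VULNS, ENABLE_MFA, AUDIT_LOGGING], weight=3.0)
DEV = Scope("dev-subscription", [Control("Enable MFA", 10, healthy=5, unhealthy=0)], weight=1.0)


if __name__ == "__main__":
    for c in PROD.controls:
        print(f"{c.name}: {c.current_score:.2f}/{c.max_score} "
              f"(+{c.potential_increase:.2f} available, {c.score_per_resource:.2f} per resource)")
    print(f"{PROD.name}: {PROD.percentage:.0f}%")
    print(f"{DEV.name}: {DEV.percentage:.0f}%")
    print(f"combined: {combined_percentage([PROD, DEV]):.0f}%")
```

Two things the numbers make visible: a control's current score plus its potential increase always equals its max score, which is why the "Potential score increase" figures on the recommendations page sum to the gap between current and max; and the combined figure for prod (38%) and dev (100%) lands near 48%, not at the 69% a naive average of percentages would give, because the larger, lower-scoring subscription carries more weight.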
Which recommendations are included in the secure score calculations?
Only built-in recommendations that are part of the default initiative, Azure Security Benchmark, have an impact on the secure score. Recommendations flagged as Preview aren't included in the calculations of your secure score. They should still be remediated wherever possible, so that when the preview period ends they'll contribute towards your score.
Preview recommendations are flagged as Preview in the recommendations list.
Improve your secure score
To improve your secure score, remediate security recommendations from your recommendations list. You can remediate each recommendation manually for each resource, or use the Fix option (when available) to resolve an issue on multiple resources quickly. For more information, see Remediate recommendations.
You can also configure the Enforce and Deny options on the relevant recommendations to improve your score and make sure your users don't create resources that negatively impact your score.
Security controls and their recommendations
The table below lists the security controls in Microsoft Defender for Cloud. For each control, you can see the maximum number of points you can add to your secure score if you remediate all of the recommendations listed in the control, for all of your resources.
The set of security recommendations provided with Defender for Cloud is tailored to the available resources in each organization's environment. You can disable recommendations and exempt specific resources from a recommendation to further customize the recommendations.
We recommend every organization carefully reviews their assigned Azure Policy initiatives.
Tip
For details about reviewing and editing your initiatives, see manage security policies.
Even though Defender for Cloud's default security initiative, the Azure Security Benchmark, is based on industry best practices and standards, there are scenarios in which the built-in recommendations listed below might not completely fit your organization. It's sometimes necessary to adjust the default initiative - without compromising security - to ensure it's aligned with your organization's own policies, industry standards, regulatory standards, and benchmarks.
Secure score | Security control and description | Recommendations |
---|---|---|
10 | Enable MFA - Defender for Cloud places a high value on multi-factor authentication (MFA). Use these recommendations to secure the users of your subscriptions. There are three ways to enable MFA and be compliant with the recommendations: security defaults, per-user assignment, conditional access policy. Learn more about these options in Manage MFA enforcement on your subscriptions. | - Accounts with owner permissions on Azure resources should be MFA enabled - Accounts with write permissions on Azure resources should be MFA enabled - MFA should be enabled on accounts with owner permissions on subscriptions - MFA should be enabled on accounts with write permissions on subscriptions |
8 | Secure management ports - Brute force attacks often target management ports. Use these recommendations to reduce your exposure with tools like just-in-time VM access and network security groups. | - Internet-facing virtual machines should be protected with network security groups - Management ports of virtual machines should be protected with just-in-time network access control - Management ports should be closed on your virtual machines |
6 | Apply system updates - Not applying updates leaves unpatched vulnerabilities and results in environments that are susceptible to attacks. Use these recommendations to maintain operational efficiency, reduce security vulnerabilities, and provide a more stable environment for your end users. To deploy system updates, you can use the Update Management solution to manage patches and updates for your machines. | - Log Analytics agent should be installed on Linux-based Azure Arc-enabled machines - Log Analytics agent should be installed on virtual machine scale sets - Log Analytics agent should be installed on virtual machines - Log Analytics agent should be installed on Windows-based Azure Arc-enabled machines - System updates on virtual machine scale sets should be installed - System updates should be installed on your machines - System updates should be installed on your machines (powered by Update Center) |
6 | Remediate vulnerabilities - Defender for Cloud includes multiple vulnerability assessment scanners to check your machines, databases, and container registries for weaknesses that threat actors might leverage. Use these recommendations to enable these scanners and review their findings. Learn more about scanning machines, SQL servers, and container registries. | - Azure Arc-enabled Kubernetes clusters should have the Azure Policy extension installed - Azure Kubernetes Service clusters should have the Azure Policy add-on for Kubernetes installed - Code repositories should have code scanning findings resolved - Code repositories should have Dependabot scanning findings resolved - Code repositories should have infrastructure as code scanning findings resolved - Code repositories should have secret scanning findings resolved - Container images should be deployed from trusted registries only - Container registry images should have vulnerability findings resolved - Function apps should have vulnerability findings resolved - Kubernetes clusters should gate deployment of vulnerable images - Machines should have a vulnerability assessment solution - Machines should have vulnerability findings resolved - Running container images should have vulnerability findings resolved |
4 | Remediate security configurations - Misconfigured IT assets have a higher risk of being attacked. Use these recommendations to harden the identified misconfigurations across your infrastructure. | - Azure Arc-enabled Kubernetes clusters should have the Azure Policy extension installed - Azure DevOps security posture findings should be resolved - Azure Kubernetes Service clusters should have the Azure Policy add-on for Kubernetes installed - Containers should only use allowed AppArmor profiles - Log Analytics agent should be installed on Linux-based Azure Arc-enabled machines - Log Analytics agent should be installed on virtual machine scale sets - Log Analytics agent should be installed on virtual machines - Log Analytics agent should be installed on Windows-based Azure Arc-enabled machines - Machines should be configured securely - SQL databases should have vulnerability findings resolved - SQL managed instances should have vulnerability assessment configured - SQL servers on machines should have vulnerability findings resolved - SQL servers should have vulnerability assessment configured - Virtual machine scale sets should be configured securely - Vulnerabilities in security configuration on your Linux machines should be remediated (powered by Guest Configuration) - Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration) |
4 | Manage access and permissions - A core part of a security program is ensuring your users have the necessary access to do their jobs but no more than that: the least privilege access model. Use these recommendations to manage your identity and access requirements. | - Authentication to Linux machines should require SSH keys - Azure Arc-enabled Kubernetes clusters should have the Azure Policy extension installed - Azure Cosmos DB accounts should use Azure Active Directory as the only authentication method - Azure Kubernetes Service clusters should have the Azure Policy add-on for Kubernetes installed - Blocked accounts with owner permissions on Azure resources should be removed - Blocked accounts with read and write permissions on Azure resources should be removed - Container with privilege escalation should be avoided - Containers sharing sensitive host namespaces should be avoided - Deprecated accounts should be removed from subscriptions - Deprecated accounts with owner permissions should be removed from subscriptions - External accounts with owner permissions should be removed from subscriptions - External accounts with write permissions should be removed from subscriptions - Function apps should have Client Certificates (Incoming client certificates) enabled - Guest accounts with owner permissions on Azure resources should be removed - Guest accounts with write permissions on Azure resources should be removed - Guest Configuration extension should be installed on machines - Immutable (read-only) root filesystem should be enforced for containers - Least privileged Linux capabilities should be enforced for containers - Managed identity should be used in API apps - Managed identity should be used in function apps - Managed identity should be used in web apps - Privileged containers should be avoided - Role-Based Access Control should be used on Kubernetes Services - Running containers as root user should be avoided - Service Fabric clusters should only use Azure Active Directory for client authentication - Storage account public access should be disallowed - Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers - Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
4 | Enable encryption at rest - Use these recommendations to ensure you mitigate misconfigurations around the protection of your stored data. | - Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign - Transparent Data Encryption on SQL databases should be enabled - Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources |
4 | Encrypt data in transit - Use these recommendations to secure data that’s moving between components, locations, or programs. Such data is susceptible to man-in-the-middle attacks, eavesdropping, and session hijacking. | - API App should only be accessible over HTTPS - Enforce SSL connection should be enabled for MySQL database servers - Enforce SSL connection should be enabled for PostgreSQL database servers - FTPS should be required in API apps - FTPS should be required in function apps - FTPS should be required in web apps - Function App should only be accessible over HTTPS - Redis Cache should allow access only via SSL - Secure transfer to storage accounts should be enabled - TLS should be updated to the latest version for API apps - TLS should be updated to the latest version for function apps - TLS should be updated to the latest version for web apps - Web Application should only be accessible over HTTPS |
4 | Restrict unauthorized network access - Azure offers a suite of tools designed to ensure accesses across your network meet the highest security standards. Use these recommendations to manage Defender for Cloud's adaptive network hardening settings, ensure you've configured Azure Private Link for all relevant PaaS services, enable Azure Firewall on your virtual networks, and more. | - Adaptive network hardening recommendations should be applied on internet facing virtual machines - All network ports should be restricted on network security groups associated to your virtual machine - App Configuration should use private link - Azure Arc-enabled Kubernetes clusters should have the Azure Policy extension installed - Azure Cache for Redis should reside within a virtual network - Azure Event Grid domains should use private link - Azure Event Grid topics should use private link - Azure Kubernetes Service clusters should have the Azure Policy add-on for Kubernetes installed - Azure Machine Learning workspaces should use private link - Azure SignalR Service should use private link - Azure Spring Cloud should use network injection - Container registries should not allow unrestricted network access - Container registries should use private link - CORS should not allow every resource to access API Apps - CORS should not allow every resource to access Function Apps - CORS should not allow every resource to access Web Applications - Firewall should be enabled on Key Vault - Internet-facing virtual machines should be protected with network security groups - IP forwarding on your virtual machine should be disabled - Kubernetes API server should be configured with restricted access - Private endpoint should be configured for Key Vault - Private endpoint should be enabled for MariaDB servers - Private endpoint should be enabled for MySQL servers - Private endpoint should be enabled for PostgreSQL servers - Public network access should be disabled for MariaDB servers - Public network access should be disabled for MySQL servers - Public network access should be disabled for PostgreSQL servers - Services should listen on allowed ports only - Storage account should use a private link connection - Storage accounts should restrict network access using virtual network rules - Usage of host networking and ports should be restricted - Virtual networks should be protected by Azure Firewall - VM Image Builder templates should use private link |
3 | Apply adaptive application control - Adaptive application control is an intelligent, automated, end-to-end solution to control which applications can run on your machines. It also helps to harden your machines against malware. | - Adaptive application controls for defining safe applications should be enabled on your machines - Allowlist rules in your adaptive application control policy should be updated - Log Analytics agent should be installed on Linux-based Azure Arc-enabled machines - Log Analytics agent should be installed on virtual machines - Log Analytics agent should be installed on Windows-based Azure Arc-enabled machines |
2 | Protect applications against DDoS attacks - Azure’s advanced networking security solutions include Azure DDoS Protection, Azure Web Application Firewall, and the Azure Policy Add-on for Kubernetes. Use these recommendations to ensure your applications are protected with these tools and others. | - Azure Arc-enabled Kubernetes clusters should have the Azure Policy extension installed - Azure DDoS Protection Standard should be enabled - Azure Kubernetes Service clusters should have the Azure Policy add-on for Kubernetes installed - Container CPU and memory limits should be enforced - Web Application Firewall (WAF) should be enabled for Application Gateway - Web Application Firewall (WAF) should be enabled for Azure Front Door Service service |
2 | Enable endpoint protection - Defender for Cloud checks your organization's endpoints for active threat detection and response solutions such as Microsoft Defender for Endpoint or any of the major solutions shown in this list. When an Endpoint Detection and Response (EDR) solution isn't found, you can use these recommendations to deploy Microsoft Defender for Endpoint (included as part of Microsoft Defender for servers). Other recommendations in this control help you deploy the Log Analytics agent and configure file integrity monitoring. | - Endpoint protection health issues on machines should be resolved - Endpoint protection health issues on machines should be resolved - Endpoint protection health issues on virtual machine scale sets should be resolved - Endpoint protection should be installed on machines - Endpoint protection should be installed on machines - Endpoint protection should be installed on virtual machine scale sets - Install endpoint protection solution on virtual machines - Log Analytics agent should be installed on Linux-based Azure Arc-enabled machines - Log Analytics agent should be installed on virtual machine scale sets - Log Analytics agent should be installed on virtual machines - Log Analytics agent should be installed on Windows-based Azure Arc-enabled machines |
1 | Enable auditing and logging - Detailed logs are a crucial part of incident investigations and many other troubleshooting operations. The recommendations in this control focus on ensuring you’ve enabled diagnostic logs wherever relevant. | - Auditing on SQL server should be enabled - Diagnostic logs in App Service should be enabled - Diagnostic logs in Azure Data Lake Store should be enabled - Diagnostic logs in Azure Stream Analytics should be enabled - Diagnostic logs in Batch accounts should be enabled - Diagnostic logs in Data Lake Analytics should be enabled - Diagnostic logs in Event Hub should be enabled - Diagnostic logs in Key Vault should be enabled - Diagnostic logs in Kubernetes services should be enabled - Diagnostic logs in Logic Apps should be enabled - Diagnostic logs in Search services should be enabled - Diagnostic logs in Service Bus should be enabled - Diagnostic logs in Virtual Machine Scale Sets should be enabled |
0 | Enable enhanced security features - Use these recommendations to enable any of the enhanced security features plans. | - Azure Arc-enabled Kubernetes clusters should have the Defender extension installed - Azure Kubernetes Service clusters should have Defender profile enabled - File integrity monitoring should be enabled on machines - GitHub repositories should have Code scanning enabled - GitHub repositories should have Dependabot scanning enabled - GitHub repositories should have Secret scanning enabled - Microsoft Defender for App Service should be enabled - Microsoft Defender for Azure SQL Database servers should be enabled - Microsoft Defender for Containers should be enabled - Microsoft Defender for DNS should be enabled - Microsoft Defender for Key Vault should be enabled - Microsoft Defender for open-source relational databases should be enabled - Microsoft Defender for Resource Manager should be enabled - Microsoft Defender for servers should be enabled - Microsoft Defender for servers should be enabled on workspaces - Microsoft Defender for SQL on machines should be enabled on workspaces - Microsoft Defender for SQL servers on machines should be enabled - Microsoft Defender for Storage should be enabled |
0 | Implement security best practices - This control has no impact on your secure score. It's a collection of recommendations that are important to fulfil for the sake of your organization's security, but which we feel shouldn't be a part of how you assess your overall score. | - [Enable if required] Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest - [Enable if required] Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK) - [Enable if required] Cognitive Services accounts should enable data encryption with a customer-managed key (CMK) - [Enable if required] Container registries should be encrypted with a customer-managed key (CMK) - [Enable if required] MySQL servers should use customer-managed keys to encrypt data at rest - [Enable if required] PostgreSQL servers should use customer-managed keys to encrypt data at rest - [Enable if required] SQL managed instances should use customer-managed keys to encrypt data at rest - [Enable if required] SQL servers should use customer-managed keys to encrypt data at rest - [Enable if required] Storage accounts should use customer-managed key (CMK) for encryption - A maximum of 3 owners should be designated for subscriptions - Access to storage accounts with firewall and virtual network configurations should be restricted - Accounts with read permissions on Azure resources should be MFA enabled - All advanced threat protection types should be enabled in SQL managed instance advanced data security settings - All advanced threat protection types should be enabled in SQL server advanced data security settings - API Management services should use a virtual network - Audit retention for SQL servers should be set to at least 90 days - Auto provisioning of the Log Analytics agent should be enabled on subscriptions - Automation account variables should be encrypted - Azure Backup should be enabled for virtual machines - Azure Cosmos DB accounts should have firewall rules - Cognitive Services accounts should enable data encryption - Cognitive Services accounts should restrict network access - Cognitive Services accounts should use customer owned storage or enable data encryption - Container hosts should be configured securely - Default IP Filter Policy should be Deny - Diagnostic logs in IoT Hub should be enabled - Email notification for high severity alerts should be enabled - Email notification to subscription owner for high severity alerts should be enabled - Ensure API app has Client Certificates Incoming client certificates set to On - External accounts with read permissions should be removed from subscriptions - Geo-redundant backup should be enabled for Azure Database for MariaDB - Geo-redundant backup should be enabled for Azure Database for MySQL - Geo-redundant backup should be enabled for Azure Database for PostgreSQL - Guest accounts with read permissions on Azure resources should be removed - Guest Attestation extension should be installed on supported Linux virtual machine scale sets - Guest Attestation extension should be installed on supported Linux virtual machines - Guest Attestation extension should be installed on supported Windows virtual machine scale sets - Guest Attestation extension should be installed on supported Windows virtual machines - Guest Configuration extension should be installed on machines - Identical Authentication Credentials - IP Filter rule large IP range - Java should be updated to the latest version for API apps - Java should be updated to the latest version for function apps - Java should be updated to the latest version for web apps - Key Vault keys should have an expiration date - Key Vault secrets should have an expiration date - Key vaults should have purge protection enabled - Key vaults should have soft delete enabled - Kubernetes clusters should be accessible only over HTTPS - Kubernetes clusters should disable automounting API credentials - Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities - Kubernetes clusters should not use the default namespace - Linux virtual machines should enforce kernel module signature validation - Linux virtual machines should use only signed and trusted boot components - Linux virtual machines should use Secure Boot - Machines should be restarted to apply security configuration updates - Machines should have ports closed that might expose attack vectors - MFA should be enabled on accounts with read permissions on subscriptions - Microsoft Defender for SQL should be enabled for unprotected Azure SQL servers - Microsoft Defender for SQL should be enabled for unprotected SQL Managed Instances - Network Watcher should be enabled - Non-internet-facing virtual machines should be protected with network security groups - Over-provisioned identities in subscriptions should be investigated to reduce the Permission Creep Index (PCI) - PHP should be updated to the latest version for API apps - PHP should be updated to the latest version for web apps - Private endpoint connections on Azure SQL Database should be enabled - Public network access on Azure SQL Database should be disabled - Public network access should be disabled for Cognitive Services accounts - Python should be updated to the latest version for API apps - Python should be updated to the latest version for function apps - Python should be updated to the latest version for web apps - Remote debugging should be turned off for API App - Remote debugging should be turned off for Function App - Remote debugging should be turned off for Web Applications - Secure Boot should be enabled on supported Windows virtual machines - SQL servers should have an Azure Active Directory administrator provisioned - Storage accounts should be migrated to new Azure Resource Manager resources - Subnets should be associated with a network security group - Subscriptions should have a contact email address for security issues - There should be more than one owner assigned to subscriptions - Validity period of certificates stored in Azure Key Vault should not exceed 12 months - Virtual machines guest attestation status should be healthy - Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity - Virtual machines should be migrated to new Azure Resource Manager resources - vTPM should be enabled on supported virtual machines - Web apps should request an SSL certificate for all incoming requests - Windows Defender Exploit Guard should be enabled on machines - Windows web servers should be configured to use secure communication protocols |
FAQ - Secure score
If I address only three out of four recommendations in a security control, will my secure score change?
No. The score doesn't change until you remediate all of the recommendations in the control for a resource; only then does that resource count as healthy. To get the maximum score for a control, you must remediate all recommendations for all resources.
If a recommendation isn't applicable to me, and I disable it in the policy, will my security control be fulfilled and my secure score updated?
Yes. We recommend disabling recommendations when they're inapplicable in your environment. For instructions on how to disable a specific recommendation, see Disable security recommendations.
If a security control offers me zero points towards my secure score, should I ignore it?
In some cases, you'll see a control with a max score greater than zero but an impact of zero. When the incremental score for fixing a resource is negligible (for example, a 1-point control spread across several hundred resources), it's rounded to zero. Don't ignore these recommendations because they still bring security improvements. The only exception is the Implement security best practices control, listed above with a max score of 0: remediating its recommendations won't increase your score, but it will enhance your overall security.
Next steps
This article described the secure score and the included security controls.
For related material, see the following articles: