A scene that has become common: at insurance renewal, the broker sends a cybersecurity questionnaire. Somewhere on the list, a line asks for your “Microsoft 365 security score” or your “Secure Score.” The owner looks at the question, has no idea what it means, and discovers at the same moment that coverage — or a claim payout — may depend on it.
If that’s you, you’re not alone. Here’s what this score is, why insurers care, and how to raise it.
What is the Microsoft 365 security score?
The Microsoft Secure Score is a rating, expressed as a percentage, calculated automatically by Microsoft from your Microsoft 365 configuration. It compares your current security settings against a set of recommended best practices: multi-factor authentication, admin-account protection, anti-phishing defenses, device policies, and many more.
In practice, every security measure you turn on earns you points. The score is therefore a snapshot of your posture: the higher it is, the more your environment applies the protections Microsoft considers essential. You view it in the Microsoft Defender portal, and it shifts over time as your configuration changes.
Why your insurer cares
The cyber-insurance market has tightened. Faced with the rise of ransomware and fraud, insurers no longer simply collect a premium: they require a minimum security level before covering an organization. The questionnaire you’re handed exists for exactly that — to verify you apply the basic controls.
The Microsoft 365 security score has become a handy shortcut for insurers, because it sums up several of the controls they care about in a single number:
- Is multi-factor authentication (MFA) enabled everywhere?
- Are admin accounts protected separately?
- Are legacy sign-in methods (which bypass MFA) blocked?
- Are anti-phishing defenses and device protection in place?
One detail worth knowing, because it matters: in the event of a claim, some insurers verify after the fact that the measures you declared were actually in place. Declaring a control you don’t have risks a claim being denied at the worst possible moment. Transparency isn’t just honest — it protects you.
A high score doesn’t tell the whole story
Let’s be clear: the Secure Score is an excellent indicator, but it isn’t proof of absolute security. It’s a measure relative to your Microsoft plan’s features, and it doesn’t cover your entire environment — your backups, on-premises servers, firewall or employee awareness aren’t fully reflected in it.
That’s why your insurer’s questionnaire usually goes beyond the score alone: it also asks about your backup practices, your detection (EDR) solution, your incident response plan and your team training. So the right move isn’t to “inflate the number,” but to genuinely strengthen the right areas — the score follows naturally.
How to improve it
Most quick wins revolve around identity, because that is the entry point for almost every attack:
- Enable MFA for all accounts, favoring the Microsoft Authenticator app over text-message codes. Dollar for dollar, it’s the most cost-effective control there is. We explain why here.
- Block legacy authentication: the older sign-in protocols that sidestep MFA.
- Protect and separate admin accounts; they are the most targeted and too often the least defended.
- Turn on Microsoft Defender protections already included in several Microsoft 365 plans — often, you’re already paying for defenses you don’t use.
- Put tested backups and phishing awareness in place, which round out the insurance questionnaire.
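The two steps a practitioner usually automates first, as an added example that is not part of the original article: reading the current Secure Score and its largest unearned-point controls with the Microsoft Graph PowerShell SDK, then creating a report-only Conditional Access policy that blocks legacy authentication. It assumes the Microsoft.Graph.Security and Microsoft.Graph.Identity.SignIns modules are installed and that `$BreakGlassId` is replaced with the object ID of your emergency-access account (placeholder).

```powershell
# Added example, not the article's or Microsoft's own code.
Import-Module Microsoft.Graph.Security
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'SecurityEvents.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# 1. Latest score snapshot (Graph returns the newest entry first).
$score   = Get-MgSecuritySecureScore -Top 1
$percent = [math]::Round(100 * $score.CurrentScore / $score.MaxScore, 1)
Write-Host "Secure Score: $($score.CurrentScore)/$($score.MaxScore) ($percent %)"

# 2. Join each control's earned points to its profile and rank by missing points,
#    so you fix the controls that move the score (and the questionnaire) the most.
$profiles = @{}
Get-MgSecuritySecureScoreControlProfile -All | ForEach-Object { $profiles[$_.Id] = $_ }
$score.ControlScores | ForEach-Object {
    $p = $profiles[$_.ControlName]
    if ($p -and -not $p.Deprecated) {
        [pscustomobject]@{
            Control  = $p.Title
            Category = $_.ControlCategory
            Earned   = $_.Score
            Max      = $p.MaxScore
            Gap      = $p.MaxScore - $_.Score
        }
    }
} | Sort-Object Gap -Descending | Select-Object -First 10 | Format-Table -AutoSize

# 3. Block legacy protocols that cannot perform MFA. Created in report-only mode:
#    review the sign-in log for affected sign-ins before changing state to 'enabled'.
$BreakGlassId = '<object-id-of-emergency-access-account>'   # placeholder, set this
$policy = @{
    displayName   = 'Block legacy authentication (report-only)'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')   # the legacy auth client types
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Rerun step 1 a day or two after enforcing the policy; the "legacy authentication" control's Gap column should drop to zero once the tenant registers the change.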
Each action ticks a box on the questionnaire and raises your score. You can gauge your posture in a few minutes with our free cybersecurity self-assessment — it covers the very questions insurers ask.
We can handle it for you
Retrieving the score, translating it into plain language, completing the questionnaire without jargon and fixing what needs fixing: that’s exactly what our security audit covers. We give you an honest picture, prioritize fixes by impact, and provide the evidence to hand to your insurer.
Bottom line: the Microsoft 365 security score has become a shared language between you and your insurer. Understanding it means avoiding nasty surprises at renewal — and especially at claim time. And improving it simply comes down to protecting your organization better.