
Secure Score

Secure Score is a way to measure how well an environment is following security recommendations in Microsoft Defender for Cloud. It turns many findings into a posture score and control-level view so leaders and engineers can see whether security is improving or drifting. The score is not a certificate, audit result, or guarantee that nothing can be attacked. It is a prioritization tool that helps teams focus remediation work, compare subscriptions, and explain progress in language non-security stakeholders can understand.

Aliases: secure score, Defender for Cloud secure score, cloud secure score, security posture score, Microsoft Defender secure score
Difficulty: fundamentals
CLI mappings: 5
Last verified: 2026-05-23

Microsoft Learn

Secure Score in Microsoft Defender for Cloud is a risk-based measurement of cloud security posture. It summarizes progress against security recommendations and controls so teams can prioritize remediation, track improvement, and communicate posture across Azure and multicloud environments over time.

Microsoft Learn: Secure Score and security controls in Defender for Cloud, 2026-05-23

Technical context

In Azure architecture, Secure Score sits in the Defender for Cloud security-posture plane. It draws from assessments, recommendations, regulatory controls, asset risk, and resource coverage across subscriptions and connected environments. Azure CLI exposes secure scores and controls through az security, while portal views show trends and recommended actions. The score depends on which resources are onboarded, which Defender plans and policies are enabled, and whether recommendations are exempted, remediated, or unresolved. It connects governance, compliance, resource hygiene, security operations, and executive reporting.

Why it matters

Secure Score matters because cloud security backlogs are usually too large to fix randomly. A posture score gives security teams a way to prioritize controls, show progress, and identify subscriptions or teams that are carrying avoidable risk. It helps engineering managers decide which recommendations deserve sprint time and helps executives see whether investment is reducing exposure. The danger is treating the number as the goal. A team can chase easy points while ignoring business-critical risks, or misunderstand score changes caused by new assets, policy changes, or updated weighting. Used correctly, Secure Score turns fragmented findings into a practical remediation conversation.

Where you see it

Signals, screens, and Azure surfaces where this term usually becomes operational.

Signal 01

In Defender for Cloud, the Secure Score page shows posture percentage, score history, controls, recommendations, affected resources, and risk-based prioritization signals for remediation planning cycles.

Signal 02

In Azure CLI output, az security secure-scores list returns score records that can be exported for governance dashboards or evidence reviews across subscriptions and tenants.

Signal 03

In recommendation views, each control shows affected resources, remediation steps, owner data, exemptions, and status that influence the posture score after assessment refresh cycles and governance decisions.

Signal 04

In executive reports, Secure Score trends are combined with subscription ownership, critical assets, compliance status, and remediation backlog progress for risk review and planning sessions.

When this becomes relevant

Specific situations where this term helps solve real Azure design, operations, migration, security, reliability, cost, or governance problems.

  • Prioritize a large security backlog by focusing first on score controls tied to critical assets and high-risk recommendations.
  • Track whether subscription owners are improving posture after remediation sprints instead of relying on one-time audit meetings.
  • Detect governance drift when new resources or policy changes suddenly lower secure score for a landing zone.
  • Export score and control data for compliance evidence, board reporting, or monthly security posture reviews.
  • Challenge unjustified exemptions by comparing score movement, affected resources, and the real risk a recommendation addresses.

Real-world case studies

Different enterprise-style examples that show the term being used to hit measurable objectives.

Case study 01

Energy utility prioritizes remediation by risk instead of loudest dashboard

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

An energy utility had hundreds of Defender for Cloud recommendations across corporate IT, field telemetry, and analytics subscriptions. Teams argued over priorities because every dashboard looked urgent.

Business/Technical Objectives

  • Use Secure Score controls to identify the highest posture gaps.
  • Map recommendations to accountable subscription owners.
  • Reduce unresolved high-risk findings before a regulatory review.
  • Avoid remediation changes that could disrupt operational telemetry.

Solution Using Secure Score

The cloud governance team exported Secure Score and secure score control data with Azure CLI, then joined it with subscription tags for owner, environment, and criticality. Recommendations tied to identity, exposed management ports, missing endpoint protection, and logging gaps were ranked above low-impact configuration items. Controls affecting field telemetry subscriptions required change windows and rollback plans. Weekly reviews tracked score movement, unresolved controls, and exemptions requiring risk-owner approval. Remediation evidence was stored with tickets, including before-and-after CLI output and Defender for Cloud screenshots for auditors.

Results & Business Impact

  • High-risk unresolved recommendations fell 46 percent before the regulatory review.
  • Secure Score improved from 61 percent to 78 percent across the main Azure estate.
  • No telemetry ingestion outage occurred because risky remediations used approved change windows.
  • Subscription owners accepted 92 percent of assigned findings without manual spreadsheet reconciliation.

Key Takeaway for Glossary Readers

Secure Score is strongest when it turns a noisy security backlog into owned, risk-aware engineering work.

Case study 02

Media streaming company detects posture drift after rapid expansion

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

A media streaming company launched new regional workloads for a sports season. Two weeks later, Secure Score dropped sharply, but no single team knew whether the decline reflected real risk or newly assessed assets.

Business/Technical Objectives

  • Explain the Secure Score decline without blaming the wrong release.
  • Identify which new subscriptions and controls drove the drop.
  • Remediate quick posture gaps before peak streaming traffic.
  • Create a repeatable drift review after future launches.

Solution Using Secure Score

Security operations used az security secure-scores and secure-score-controls commands across the new subscriptions, exporting JSON into a workbook with resource-owner tags. The analysis showed that several regions lacked diagnostic logging, vulnerability assessment, and managed identity hardening on newly created resources. Platform engineers fixed baseline deployment modules, while application teams addressed workload-specific recommendations. Temporary exemptions were created only for controls requiring vendor maintenance windows. The company added a post-launch Secure Score check to its release calendar, comparing prelaunch and postlaunch control states.

Results & Business Impact

  • The score drop was traced to 14 newly created subscriptions rather than a security incident.
  • Secure Score recovered from 69 percent to 81 percent before the first playoff weekend.
  • Baseline module fixes prevented the same three recommendations from recurring in later regions.
  • Security review time after regional launches fell from two days to four hours.

Key Takeaway for Glossary Readers

Secure Score trend changes can reveal governance drift quickly when teams connect the score to ownership and release events.

Case study 03

Digital services agency turns secure score into cabinet-level reporting

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

A national digital services agency needed to brief executives on cloud security posture across citizen-service applications. Raw recommendation lists were too technical, and teams disputed which fixes mattered most.

Business/Technical Objectives

  • Translate technical posture data into executive-ready progress metrics.
  • Keep application teams accountable for assigned recommendations.
  • Separate justified exemptions from neglected remediation.
  • Show measurable improvement before a public-service resilience audit.

Solution Using Secure Score

The agency built a monthly posture workflow around Defender for Cloud Secure Score. Azure CLI exports captured secure scores, controls, and assessments for each subscription. Data was grouped by service owner, criticality, and control category, then reviewed in a governance board. Recommendations requiring architecture changes, such as private networking or identity redesign, became roadmap items. Quick configuration fixes were assigned to sprint backlogs. Exemptions required a named risk owner, expiry date, and evidence. The report showed score movement, open high-risk controls, overdue remediation, and business impact rather than just a percentage.

Results & Business Impact

  • Executive reporting shifted from 43 pages of findings to a six-metric posture brief.
  • Overall Secure Score improved from 58 percent to 74 percent in two quarters.
  • Expired or ownerless exemptions dropped from 37 to 6 after governance-board review.
  • Audit preparation time fell by 35 percent because evidence exports were already collected monthly.

Key Takeaway for Glossary Readers

Secure Score becomes useful to leaders when it is tied to owners, risk decisions, evidence, and architectural remediation plans.

Why use Azure CLI for this?

I use Azure CLI for Secure Score because posture reviews need repeatable evidence, not screenshots from one portal session. CLI lets me list secure scores, inspect controls, export JSON for reporting, compare subscriptions, and join findings with owners or tags. After ten years of Azure operations, I know that security conversations go better when the data is scriptable and reviewable. CLI also helps separate score movement from portal filtering mistakes. You can capture the score before and after remediation, feed a governance dashboard, and prove which controls changed for audits and leadership without giving every stakeholder full Defender portal access.

CLI use cases

  • List secure scores for the current subscription and export JSON for posture reporting or trend comparison.
  • Show a specific secure score initiative and inspect current percentage, weight, and control-level state.
  • List secure score controls to identify which areas are suppressing the score and need remediation ownership.
  • Compare scores across subscriptions after switching context or running a scripted management-group inventory.
  • Join score findings with tags, resource owners, or ticket queues to build a remediation backlog.

Before you run CLI

  • Confirm tenant, subscription scope, Defender for Cloud access, az security availability, and whether you need management-group-wide reporting.
  • Check that relevant resources and Defender plans are onboarded; otherwise the score can underrepresent actual exposure.
  • Use JSON output for evidence, and avoid assuming a score change means remediation succeeded without checking recommendation details.
  • Review exemptions, ownership tags, policy assignments, and business criticality before ranking fixes by score points alone.

What output tells you

  • Secure score output shows initiative names, current score values, maximum score, percentage, weights, and status used for posture tracking.
  • Control output identifies which security controls contribute to the score and where remediation is still needed.
  • Recommendation details explain affected resources, severity, state, exemptions, and remediation steps behind score movement.
  • Differences between subscriptions reveal ownership gaps, missing Defender coverage, or newly assessed resources that changed posture.
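The checks described above (ranking which controls withhold points, joining records with owner tags, and explaining a score drop after new subscriptions appear, as in case study 02) can be run over the exported JSON. This is an added example, not code from the page or from Microsoft: it assumes each record of `az security secure-score-controls list --output json` carries an ARM `id`, `displayName`, a `score` object with `current` and `max`, and `unhealthyResourceCount`; the two snapshots and the owner map are constructed, and the percentage is a simple unweighted aggregate rather than Defender's own multi-subscription weighting.

```python
"""Rank which Secure Score controls are withholding points and explain a score
change between two exports. Added example, not code from the page or from
Microsoft. It assumes the records of `az security secure-score-controls list
--output json` carry an ARM "id", "displayName", a "score" {current, max} and
"unhealthyResourceCount"; the two snapshots and the owner map are constructed."""

ARM = "/subscriptions/{}/providers/Microsoft.Security/secureScores/ascScore/secureScoreControls/{}"

def control(sub, name, display, current, maximum, unhealthy):
    """Build one constructed control record in the assumed export shape."""
    return {"id": ARM.format(sub, name), "displayName": display,
            "score": {"current": current, "max": maximum},
            "unhealthyResourceCount": unhealthy}

# Constructed pre-launch export: one subscription, mostly healthy.
BEFORE = [control("sub-a", "diag", "Enable diagnostic logging", 5, 5, 0),
          control("sub-a", "vuln", "Remediate vulnerabilities", 4, 6, 3)]
# Constructed post-launch export: sub-a regressed slightly, new sub-b assessed.
AFTER = [control("sub-a", "diag", "Enable diagnostic logging", 5, 5, 0),
         control("sub-a", "vuln", "Remediate vulnerabilities", 3, 6, 4),
         control("sub-b", "diag", "Enable diagnostic logging", 0, 5, 12),
         control("sub-b", "vuln", "Remediate vulnerabilities", 2, 6, 9)]
OWNERS = {"sub-a": "platform-team", "sub-b": "regional-launch-team"}  # constructed tag join

def subscription_of(record):
    """The subscription id is the second segment of the ARM resource id."""
    return record["id"].split("/")[2]

def posture_percentage(controls):
    """Unweighted aggregate: points earned over points available, as a percent."""
    earned = sum(c["score"]["current"] for c in controls)
    available = sum(c["score"]["max"] for c in controls)
    return round(100 * earned / available, 1)

def suppressed_points(controls):
    """Rank controls by points withheld (max - current), largest first."""
    rows = [(subscription_of(c), c["displayName"],
             c["score"]["max"] - c["score"]["current"], c["unhealthyResourceCount"])
            for c in controls]
    return sorted((r for r in rows if r[2] > 0), key=lambda r: r[2], reverse=True)

def explain_drift(before, after, owners):
    """Split a score change into newly assessed subscriptions vs regressed controls."""
    prev = {(subscription_of(c), c["displayName"]): c["score"]["current"] for c in before}
    new_subs = sorted({subscription_of(c) for c in after} - {s for s, _ in prev})
    regressed, new_gap = [], 0
    for c in after:
        key = (subscription_of(c), c["displayName"])
        if key[0] in new_subs:
            new_gap += c["score"]["max"] - c["score"]["current"]
        elif c["score"]["current"] < prev.get(key, 0):
            regressed.append((key[0], key[1], prev[key] - c["score"]["current"],
                              owners.get(key[0], "unowned")))
    return {"new_subscriptions": {s: owners.get(s, "unowned") for s in new_subs},
            "points_withheld_by_new_subscriptions": new_gap, "regressed_controls": regressed}
```

With real exports, replace BEFORE and AFTER with the parsed JSON of two runs and OWNERS with the owner tag read from each subscription; the drift report then separates "new assets were assessed" from "an owned control actually lost points".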

Mapped Azure CLI commands

Secure Score CLI Commands

  • az security secure-scores list --output json
  • az security secure-scores show --name ascScore --output json
  • az security secure-score-controls list --output table
  • az security secure-score-controls list_by_score --name ascScore --output json
  • az security assessment list --output table

Architecture context

A seasoned Azure architect uses Secure Score as a governance signal, not as the whole security architecture. It belongs beside Defender for Cloud recommendations, Azure Policy, management groups, tags, workload criticality, incident history, and regulatory obligations. The best programs map score controls to accountable platform or application teams, then track progress through remediation tasks, exemptions, and change windows. Architecture matters because some improvements require design changes such as private endpoints, managed identity, patching, backup, logging, or JIT access. Secure Score should feed quarterly risk reviews and sprint planning, but it should not replace threat modeling or workload-specific security design.

Security

Security impact is direct because Secure Score highlights gaps that increase attack surface, such as missing protections, weak identity controls, exposed resources, poor monitoring, or unresolved recommendations. The score itself does not enforce controls, but it guides remediation and risk prioritization. Access to score details should be limited to roles that can view security posture, because recommendations may reveal sensitive weaknesses. Teams should avoid gaming the score with unjustified exemptions or low-value fixes. The strongest use is to pair Secure Score with asset criticality, attack paths, regulatory requirements, and owner accountability so security work addresses real exposure, not just percentage movement.

Cost

Secure Score has no standalone bill, but it influences cost through Defender plan coverage, remediation projects, logging, endpoint protection, staffing, and automation. Some recommendations require paid controls or architecture changes, while others reduce future incident cost with little spend. Chasing every point without business context can waste engineering time, especially on low-risk resources. Ignoring the score can be much more expensive when preventable exposure becomes an incident or audit finding. FinOps and security owners should evaluate recommendations by risk reduction, asset criticality, implementation cost, and operational impact. The best Secure Score program funds high-risk fixes and measurable risk reduction first.

Reliability

Reliability impact is indirect but meaningful. Secure Score does not make a workload resilient by itself, yet many security recommendations overlap with operational stability: backup, patching, endpoint protection, monitoring, least privilege, and configuration hygiene. Weak security can become a reliability incident when ransomware, credential compromise, or misconfiguration disrupts service. Score changes can also reveal new assets that are unmanaged or newly assessed. Reliable governance means treating Secure Score as an early warning signal, validating recommendation scope, and coordinating remediation through normal change control. Operators should watch for remediations that could break access, networking, or automation if applied in production without testing.

Performance

Runtime performance impact is usually indirect. Secure Score calculations do not slow an application, but the recommended controls used to improve posture can affect performance if applied blindly. Examples include endpoint agents, logging volume, encryption settings, network restrictions, or just-in-time access workflows. The operational performance benefit is stronger: teams can rank hundreds of findings quickly instead of manually reading every assessment. Engineers should test remediations that change networking, identity, compute agents, or logging before production rollout. Secure Score improves organizational speed by pointing teams toward priority controls, but performance-sensitive workloads still need measurement under load after each security change.

Operations

Operators use Secure Score by listing scores, drilling into controls, assigning recommendation owners, tracking exemptions, and exporting evidence for review. Day-to-day work includes comparing subscriptions, checking which controls lost points, validating that remediations are reflected after assessment refresh, and routing findings to the right platform or application team. CLI and Resource Graph queries can turn posture data into dashboards and backlog reports. Troubleshooting focuses on why the score changed: a new resource, policy assignment, recommendation update, exemption, missing Defender plan, or delayed assessment. Good operations keep score reviews regular, documented, and tied to actual remediation tickets or audit reviews.

Common mistakes

  • Treating Secure Score as a compliance certificate instead of a prioritization and posture-tracking signal.
  • Chasing easy points while ignoring high-criticality assets, attack paths, or recommendations with bigger business risk.
  • Forgetting that score changes can come from new resources, policy updates, exemptions, or assessment timing, not only remediation.
  • Giving broad access to posture findings without considering that recommendations reveal sensitive weaknesses.
  • Applying remediations automatically without testing identity, networking, logging, or workload behavior changes.