6.4 Secure Score and Remediation Priority
Key Takeaways
- Cloud secure score summarizes cloud security posture into a single percentage based on remediated security recommendations.
- A higher secure score indicates lower identified risk; remediating recommendations is the direct way to raise it.
- Secure score is a free Foundational CSPM capability, available in both the Azure portal and the Microsoft Defender portal.
- Do not confuse cloud secure score (Defender for Cloud posture) with Compliance Manager compliance score (Microsoft Purview).
What Secure Score Measures
Secure score is the Defender for Cloud concept that turns posture findings into an at-a-glance measurement. Microsoft describes it as summarizing your security posture based on the security recommendations — as you remediate recommendations, your secure score improves. Crucially for SC-900, secure score is not an exam score and not a sign-in risk score; it is a cloud security posture metric, and it is part of free Foundational CSPM (no paid plan required).
The core interpretation is simple: the higher the secure score, the lower the identified risk. The score does not claim two organizations with the same number have identical real-world risk — it provides a summarized, trackable view of posture and remediation progress. The actionable detail still lives in the underlying recommendations, affected resources, and risk context.
| Secure score idea | How to use it in exam reasoning |
|---|---|
| Posture metric | Summarizes the state of cloud security findings as a percentage |
| Recommendation-driven | Remediating recommendations is what raises the score |
| Higher is better | Higher score = lower identified risk |
| Trend indicator | Shows whether posture is improving or degrading over time |
| Free capability | Included in Foundational CSPM at no cost |
| Not an identity score | Distinct from Entra sign-in / user risk |
| Not a compliance guarantee | Helps posture; does not prove every legal obligation is met |
How Secure Score and Recommendations Connect
Secure score is computed from the security controls — logical groups of related recommendations. Each control contributes points, and you earn a control's full points by making all of its in-scope resources healthy (remediating every recommendation in that control). The recommendations page shows the potential score increase for each control, the risk level, the contributing risk factors, and the affected resources.
This directly answers the most common secure-score exam question: how do you improve the score? The answer is to remediate security recommendations — and to prioritize the controls or recommendations that yield the largest risk reduction. Microsoft's risk-based prioritization ranks recommendations using exposure, data sensitivity, lateral-movement potential, and exploitability, so fixing internet-exposed, high-impact issues both reduces real risk and moves the score most.
Secure score is available in two surfaces: the classic experience in the Azure portal, and the newer experience in the Microsoft Defender portal, which incorporates asset risk factors and criticality to sharpen prioritization. For SC-900 the takeaway is simply that secure score belongs to Defender for Cloud posture management, wherever it is displayed.
The Classic Score-vs-Score Trap
The most-tested secure score trap is confusing it with compliance score from Microsoft Purview Compliance Manager. They sound alike but live in different products:
- Cloud secure score → Defender for Cloud → reflects cloud security posture based on security recommendations.
- Compliance score → Microsoft Purview Compliance Manager → reflects progress against improvement actions for regulatory and standards compliance across Microsoft 365 and beyond.
If the prompt asks for a single view of cloud posture with recommendations, pick Defender for Cloud secure score. If it asks for managing regulatory assessments and improvement actions, pick Compliance Manager — do not choose secure score just because the word score appears. A strong exam answer always names the right product and the right action.
- Secure score summarizes Defender for Cloud posture as a percentage.
- Higher score = lower identified risk; remediate recommendations to raise it.
- Secure score is free (Foundational CSPM) and appears in both portals.
- Cloud secure score ≠ Compliance Manager compliance score.
How the Score Is Built and Displayed
Secure score is expressed as a percentage (and a points figure) that rolls up the security controls for a subscription, management group, or the whole environment. Each control is worth a maximum number of points, and you earn those points proportionally as you make the in-scope resources healthy. Microsoft's guidance for raising the score is to work control by control: pick the control with the largest potential increase, remediate its recommendations, and watch the points accrue.
Because controls bundle related fixes, completing one control can lift the score more than scattering effort across many unrelated single recommendations.
The score is also tracked as a trend. Defender for Cloud charts secure score over time so leadership can see whether posture is improving week over week, and it lets teams compare environments (Azure, AWS, GCP) side by side. For SC-900, the testable ideas are: the score is recommendation-driven, higher is better, it is free, and it is a measurement rather than an action plan — the recommendations themselves remain the action plan.
Prioritization: Score vs Risk
Secure score and risk-based prioritization are related but distinct. Secure score tells you how much posture remains to fix; the risk model tells you which items to fix first. Defender for Cloud ranks recommendations using factors such as internet exposure, data sensitivity, lateral-movement potential, and exploitability, surfacing the issues that meaningfully reduce real risk. A common best practice the exam may echo: don't blindly chase score points — fix the risk-prioritized, internet-facing, high-impact recommendations first, which usually also moves the score most.
| Question | Answered by |
|---|---|
| 'How healthy is my posture overall?' | Secure score (percentage) |
| 'Which specific issue should I fix first?' | Risk-based recommendation prioritization |
| 'What exactly do I change?' | The recommendation's remediation steps |
| 'Am I improving over time?' | Secure score trend |
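To make the roll-up and the "risk first, score follows" prioritization concrete, here is an added illustration (not Microsoft's code or this page's own) that scores a handful of constructed controls proportionally, as the section describes, and then orders the open controls by risk level before potential score increase. The numeric risk weights, the control names and the resource counts are assumptions for the example.

```python
from dataclasses import dataclass

# Assumed numeric weights for the risk-level labels on the recommendations page.
RISK_WEIGHT = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

@dataclass
class Control:
    name: str
    max_score: float
    healthy: int    # in-scope resources already compliant
    unhealthy: int  # in-scope resources still needing remediation
    risk: str       # risk level shown for the control's recommendations

    def current_score(self) -> float:
        """Points earned so far, proportional to the share of healthy resources."""
        total = self.healthy + self.unhealthy
        if total == 0:  # nothing in scope: the control contributes no points
            return 0.0
        return self.max_score * self.healthy / total

    def potential_increase(self) -> float:
        """Points still available once every unhealthy resource is remediated."""
        return self.max_score - self.current_score()

def secure_score_percent(controls: list[Control]) -> float:
    """Overall secure score: earned points as a percentage of all available points."""
    max_total = sum(c.max_score for c in controls)
    if max_total == 0:
        return 0.0
    return round(100 * sum(c.current_score() for c in controls) / max_total, 1)

def remediation_order(controls: list[Control]) -> list[str]:
    """Rank open controls by risk weight first, then by potential score increase."""
    open_items = [c for c in controls if c.unhealthy > 0]
    ranked = sorted(open_items,
                    key=lambda c: (RISK_WEIGHT[c.risk], c.potential_increase()),
                    reverse=True)
    return [c.name for c in ranked]

# Constructed sample environment (not real tenant data).
SAMPLE = [
    Control("Enable MFA", 10, 4, 1, "Critical"),
    Control("Secure management ports", 8, 0, 4, "High"),
    Control("Apply system updates", 6, 3, 3, "Medium"),
    Control("Encrypt data in transit", 4, 4, 0, "Low"),
]

if __name__ == "__main__":
    print(f"secure score: {secure_score_percent(SAMPLE)}%")
    print("remediate first:", remediation_order(SAMPLE))
```

Note that the control with the largest potential increase ("Secure management ports", 8 points) is not first in the remediation order; the Critical-risk MFA control is, even though it is worth only 2 more points.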
The Two Portals and the Final Trap
Secure score is reachable in the Azure portal (classic experience) and the Microsoft Defender portal (newer, risk-aware experience that factors in asset criticality). Either way it remains a Defender for Cloud posture metric. The last trap to internalize: never let the word score pull you toward the wrong product. Cloud secure score = Defender for Cloud posture. Compliance score = Microsoft Purview Compliance Manager, tracking improvement actions for regulatory compliance. Identity/sign-in risk = Microsoft Entra ID Protection.
Three different scores, three different products — match the score to the scope described in the prompt.
What is cloud secure score used for in Microsoft Defender for Cloud?
Which action most directly raises Defender for Cloud secure score?
Which statement avoids the common score-related trap on SC-900?