Secure score in Azure Security Center

Introduction to secure score

Azure Security Center has two main goals:

  • to help you understand your current security situation
  • to help you efficiently and effectively improve your security

The central feature in Security Center that enables you to achieve those goals is secure score.

Security Center continually assesses your resources, subscriptions, and organization for security issues. It then aggregates all the findings into a single score so that you can tell, at a glance, your current security situation: the higher the score, the lower the identified risk level.

The secure score is shown in the Azure portal pages as a percentage value, but the underlying values are also clearly presented:

Overall secure score as shown in the portal.

To increase your security, review Security Center's recommendations page for the outstanding actions necessary to raise your score. Each recommendation includes instructions to help you remediate the specific issue.

Recommendations are grouped into security controls. Each control is a logical group of related security recommendations, and reflects your vulnerable attack surfaces. Your score only improves when you remediate all of the recommendations for a single resource within a control. To see how well your organization is securing each individual attack surface, review the scores for each security control.

For more information, see How your secure score is calculated below.

How your secure score is calculated

The contribution of each security control towards the overall secure score is shown clearly on the recommendations page.

Azure Security Center's security controls and their impact on your secure score

To get all the possible points for a security control, all your resources must comply with all of the security recommendations within the security control. For example, Security Center has multiple recommendations regarding how to secure your management ports. You'll need to remediate them all to make a difference to your secure score.

Example scores for a control

Apply system updates security control.

In this example:

1. Remediate vulnerabilities security control - This control groups multiple recommendations related to discovering and resolving known vulnerabilities.

2. Max score - The maximum number of points you can gain by completing all recommendations within a control. The maximum score for a control indicates the relative significance of that control and is fixed for every environment. Use the max score values to triage the issues to work on first.
   For a list of all controls and their max scores, see Security controls and their recommendations.

3. Number of resources - There are 35 resources affected by this control.
   To understand the possible contribution of every resource, divide the max score by the number of resources.
   For this example: 6 / 35 = 0.1714
   Every resource contributes 0.1714 points.

4. Current score - The current score for this control.
   Current score = [Score per resource] * [Number of healthy resources]
   0.1714 * 5 healthy resources = 0.86
   Each control contributes towards the total score. In this example, the control is contributing 0.86 points to the current total secure score.

5. Potential score increase - The remaining points available to you within the control. If you remediate all the recommendations in this control, your score will increase by 9%.
   Potential score increase = [Score per resource] * [Number of unhealthy resources]
   0.1714 * 30 unhealthy resources = 5.14

Calculations - understanding your score

Security control's current score

Equation for calculating a security control's score.

Each individual security control contributes towards the secure score. Each resource affected by a recommendation within the control contributes towards the control's current score. The current score for each control is a measure of the status of the resources within the control.

Tooltips showing the values used when calculating the security control's current score

In this example, the max score of 6 would be divided by 78 because that's the sum of the healthy and unhealthy resources:
6 / 78 = 0.0769
Multiplying that by the number of healthy resources (4) results in the current score:
0.0769 * 4 = 0.31

Secure score for a single subscription

Equation for calculating a subscription's secure score

Single subscription secure score with all controls enabled

In this example, there is a single subscription with all security controls available (a potential maximum score of 60 points). The score shows 28 points out of a possible 60 and the remaining 32 points are reflected in the "Potential score increase" figures of the security controls.

List of controls and the potential score increase

Secure score for multiple subscriptions

Equation for calculating the secure score for multiple subscriptions.

When calculating the combined score for multiple subscriptions, Security Center includes a weight for each subscription. The relative weights for your subscriptions are determined by Security Center based on factors such as the number of resources.

The current score for each subscription is calculated in the same way as for a single subscription, but then the weight is applied as shown in the equation.

When viewing multiple subscriptions, secure score evaluates all resources within all enabled policies and groups their combined impact on each security control's maximum score.

Secure score for multiple subscriptions with all controls enabled

The combined score is not an average; rather it's the evaluated posture of the status of all resources across all subscriptions.

Here too, if you go to the recommendations page and add up the potential points available, you will find that it's the difference between the current score (24) and the maximum score available (60).
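The arithmetic described above, as an added worked example in Python (not code from the article): score per resource, a control's current score and potential increase, the single-subscription total with its portal percentage, and a pooled multi-subscription score. The control names, resource counts and weights are constructed sample data, and the cross-subscription weighting is an assumed reading of the description above, since the article's own equation is only shown as an image.

```python
"""Worked secure-score arithmetic for Azure Security Center security controls.

Added example, not code from the article. Control names and resource counts
are constructed sample data; the cross-subscription weighting is an assumed
reading of the article's description, since its equation is only an image.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass
class ControlStatus:
    """Resource counts for one security control within one subscription."""
    name: str
    max_score: float
    healthy: int    # resources that pass every recommendation in the control
    unhealthy: int  # resources that still fail at least one recommendation


def classify_resources(open_recs: Dict[str, List[str]]) -> Tuple[int, int]:
    """Count (healthy, unhealthy) resources from a map of resource name ->
    recommendations still open for it in one control. A resource is healthy
    only when nothing is left open, which is why fixing three of four
    recommendations on a resource does not move the score at all."""
    healthy = sum(1 for recs in open_recs.values() if not recs)
    return healthy, len(open_recs) - healthy


def score_per_resource(c: ControlStatus) -> float:
    """Max score divided by the number of assessed resources (6 / 35 = 0.1714)."""
    total = c.healthy + c.unhealthy
    return c.max_score / total if total else 0.0  # no resources: not applicable


def control_current_score(c: ControlStatus) -> float:
    """[Score per resource] * [Number of healthy resources]."""
    return score_per_resource(c) * c.healthy


def control_potential_increase(c: ControlStatus) -> float:
    """[Score per resource] * [Number of unhealthy resources]."""
    return score_per_resource(c) * c.unhealthy


def subscription_score(controls: Sequence[ControlStatus]) -> Tuple[float, float]:
    """(current, maximum) for one subscription: sums over the controls that
    have at least one assessed resource."""
    applicable = [c for c in controls if c.healthy + c.unhealthy]
    return (sum(control_current_score(c) for c in applicable),
            sum(c.max_score for c in applicable))


def as_percent(points: float, maximum: float) -> int:
    """The percentage value shown in the portal, e.g. 28 of 60 -> 47."""
    return round(100 * points / maximum) if maximum else 0


def combined_score(subscriptions: Sequence[Sequence[ControlStatus]],
                   weights: Sequence[float]) -> Tuple[float, float]:
    """Assumed multi-subscription form: pool each control's healthy and
    unhealthy counts across subscriptions, scaled by subscription weight, then
    score the pooled control. This is the posture of all resources together,
    not an average of the per-subscription scores."""
    pooled: Dict[str, List[float]] = {}
    for controls, w in zip(subscriptions, weights):
        for c in controls:
            entry = pooled.setdefault(c.name, [0.0, 0.0, c.max_score])
            entry[0] += w * c.healthy
            entry[1] += w * c.unhealthy
    current = maximum = 0.0
    for h, u, m in pooled.values():
        if h + u:
            current += m * h / (h + u)
            maximum += m
    return current, maximum


# Constructed sample data: the article's "Apply system updates" figures
# (max 6, 5 healthy of 35) and its second tooltip example (4 healthy of 78).
UPDATES_SUB_A = ControlStatus("Apply system updates", 6, healthy=5, unhealthy=30)
UPDATES_SUB_B = ControlStatus("Apply system updates", 6, healthy=4, unhealthy=74)
SAMPLE_OPEN_RECS = {  # constructed per-resource findings for one control
    "vm-01": [],
    "vm-02": ["System updates should be installed on your machines"],
    "vm-03": ["Log Analytics agent should be installed on your virtual machine",
              "System updates should be installed on your machines"],
}

if __name__ == "__main__":
    print("current:", round(control_current_score(UPDATES_SUB_A), 2))
    print("potential:", round(control_potential_increase(UPDATES_SUB_A), 2),
          "=", as_percent(control_potential_increase(UPDATES_SUB_A), 60), "%")
    print("healthy/unhealthy:", classify_resources(SAMPLE_OPEN_RECS))
    print("combined:", combined_score([[UPDATES_SUB_A], [UPDATES_SUB_B]], [1, 1]))
```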

Which recommendations are included in the secure score calculations?

Only built-in recommendations have an impact on the secure score.

Recommendations flagged as Preview aren't included in the calculations of your secure score. They should still be remediated wherever possible, so that when the preview period ends they'll contribute towards your score.

An example of a preview recommendation:

Recommendation with the preview flag.

Improve your secure score

To improve your secure score, remediate security recommendations from your recommendations list. You can remediate each recommendation manually for each resource, or by using the Fix option (when available) to resolve an issue on multiple resources quickly. For more information, see Remediate recommendations.

Another way to improve your score and ensure your users don't create resources that negatively impact your score is to configure the Enforce and Deny options on the relevant recommendations. Learn more in Prevent misconfigurations with Enforce/Deny recommendations.

Security controls and their recommendations

The table below lists the security controls in Azure Security Center. For each control, you can see the maximum number of points you can add to your secure score if you remediate all of the recommendations listed in the control, for all of your resources.

The set of security recommendations provided with Security Center is tailored to the available resources in each organization's environment. The recommendations can be further customized by disabling policies and exempting specific resources from a recommendation.

We recommend every organization carefully review their assigned Azure Policy initiatives.

Tip

For details of reviewing and editing your initiatives, see Working with security policies.

Even though Security Center's default security initiative is based on industry best practices and standards, there are scenarios in which the built-in recommendations listed below might not completely fit your organization. Consequently, it'll sometimes be necessary to adjust the default initiative - without compromising security - to ensure it's aligned with your organization's own policies, industry standards, regulatory standards, and benchmarks you're obligated to meet.

Max score / Security control and description / Recommendations

Max score 10: Enable MFA - Security Center places a high value on multi-factor authentication (MFA). Use these recommendations to secure the users of your subscriptions.
There are three ways to enable MFA and be compliant with the recommendations: security defaults, per-user assignment, conditional access policy. Learn more about these options in Manage MFA enforcement on your subscriptions.
- MFA should be enabled on accounts with owner permissions on your subscription
- MFA should be enabled on accounts with owner permissions on your subscription
- MFA should be enabled on accounts with write permissions on your subscription
- MFA should be enabled on accounts with write permissions on your subscription
Max score 8: Secure management ports - Brute force attacks often target management ports. Use these recommendations to reduce your exposure with tools like just-in-time VM access and network security groups.
- Internet-facing virtual machines should be protected with network security groups
- Management ports of virtual machines should be protected with just-in-time network access control
- Management ports should be closed on your virtual machines
Max score 6: Apply system updates - Not applying updates leaves unpatched vulnerabilities and results in environments that are susceptible to attacks. Use these recommendations to maintain operational efficiency, reduce security vulnerabilities, and provide a more stable environment for your end users. To deploy system updates, you can use the Update Management solution to manage patches and updates for your machines.
- Log Analytics agent should be installed on your Linux-based Azure Arc machines
- Log Analytics agent should be installed on your virtual machine
- Log Analytics agent should be installed on your virtual machine scale sets
- Log Analytics agent should be installed on your Windows-based Azure Arc machines
- System updates on virtual machine scale sets should be installed
- System updates should be installed on your machines
- System updates should be installed on your machines (powered by Update Center)
Max score 6: Remediate vulnerabilities - Security Center includes multiple vulnerability assessment scanners to check your machines, databases, and container registries for weaknesses that threat actors might leverage. Use these recommendations to enable these scanners and review their findings.
Learn more about scanning machines, SQL servers, and container registries.
- A vulnerability assessment solution should be enabled on your virtual machines
- Azure Kubernetes Service clusters should have the Azure Policy Add-on for Kubernetes installed
- Container images should be deployed from trusted registries only
- Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)
- Vulnerabilities in your virtual machines should be remediated
Max score 4: Encrypt data in transit - Use these recommendations to secure data that's moving between components, locations, or programs. Such data is susceptible to man-in-the-middle attacks, eavesdropping, and session hijacking.
- API App should only be accessible over HTTPS
- Enforce SSL connection should be enabled for MySQL database servers
- Enforce SSL connection should be enabled for PostgreSQL database servers
- FTPS should be required in your API App
- FTPS should be required in your function App
- FTPS should be required in your web App
- Function App should only be accessible over HTTPS
- Only secure connections to your Redis Cache should be enabled
- Secure transfer to storage accounts should be enabled
- TLS should be updated to the latest version for your API app
- TLS should be updated to the latest version for your function app
- TLS should be updated to the latest version for your web app
- Web Application should only be accessible over HTTPS
Max score 4: Restrict unauthorized network access - Azure offers a suite of tools designed to ensure accesses across your network meet the highest security standards.
Use these recommendations to manage Security Center's adaptive network hardening settings, ensure you’ve configured Azure Private Link for all relevant PaaS services, enable Azure Firewall on your virtual networks, and more.
- Adaptive network hardening recommendations should be applied on internet facing virtual machines
- All network ports should be restricted on network security groups associated to your virtual machine
- App Configuration should use private link
- Azure Cache for Redis should reside within a virtual network
- Azure Event Grid domains should use private link
- Azure Event Grid topics should use private link
- Azure Kubernetes Service clusters should have the Azure Policy Add-on for Kubernetes installed
- Azure Machine Learning workspaces should use private link
- Azure SignalR Service should use private link
- Azure Spring Cloud should use network injection
- Container registries should not allow unrestricted network access
- Container registries should use private link
- Containers should listen on allowed ports only
- CORS should not allow every resource to access your API App
- CORS should not allow every resource to access your Function App
- CORS should not allow every resource to access your Web Applications
- Firewall should be enabled on Key Vault
- Internet-facing virtual machines should be protected with network security groups
- IP forwarding on your virtual machine should be disabled
- Kubernetes API server should be configured with restricted access
- Private endpoint should be configured for Key Vault
- Private endpoint should be enabled for MariaDB servers
- Private endpoint should be enabled for MySQL servers
- Private endpoint should be enabled for PostgreSQL servers
- Public network access should be disabled for MariaDB servers
- Public network access should be disabled for MySQL servers
- Public network access should be disabled for PostgreSQL servers
- Services should listen on allowed ports only
- Storage account should use a private link connection
- Storage accounts should restrict network access using virtual network rules
- Usage of host networking and ports should be restricted
- Virtual networks should be protected by Azure Firewall
- VM Image Builder templates should use private link
Max score 4: Enable encryption at rest - Use these recommendations to ensure you mitigate misconfigurations around the protection of your stored data.
- Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign
- Transparent Data Encryption on SQL databases should be enabled
- Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
Max score 4: Manage access and permissions - A core part of a security program is ensuring your users have the necessary access to do their jobs but no more than that: the least privilege access model. Use these recommendations to manage your identity and access requirements.
- Authentication to Linux machines should require SSH keys
- Azure Kubernetes Service clusters should have the Azure Policy Add-on for Kubernetes installed
- Container with privilege escalation should be avoided
- Containers sharing sensitive host namespaces should be avoided
- Deprecated accounts should be removed from your subscription
- Deprecated accounts should be removed from your subscription
- Deprecated accounts with owner permissions should be removed from your subscription
- Deprecated accounts with owner permissions should be removed from your subscription
- External accounts with owner permissions should be removed from your subscription
- External accounts with owner permissions should be removed from your subscription
- External accounts with write permissions should be removed from your subscription
- External accounts with write permissions should be removed from your subscription
- Function apps should have Client Certificates (Incoming client certificates) enabled
- Guest Configuration extension should be installed on your machines
- Immutable (read-only) root filesystem should be enforced for containers
- Least privileged Linux capabilities should be enforced for containers
- Managed identity should be used in your API app
- Managed identity should be used in your function app
- Managed identity should be used in your web app
- Privileged containers should be avoided
- Role-Based Access Control should be used on Kubernetes Services
- Running containers as root user should be avoided
- Service Fabric clusters should only use Azure Active Directory for client authentication
- Service principals should be used to protect your subscriptions instead of Management Certificates
- Storage account public access should be disallowed
- Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers
- Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
Max score 4: Remediate security configurations - Misconfigured IT assets have a higher risk of being attacked. Use these recommendations to harden the identified misconfigurations across your infrastructure.
- Azure Kubernetes Service clusters should have the Azure Policy Add-on for Kubernetes installed
- Log Analytics agent should be installed on your Linux-based Azure Arc machines
- Log Analytics agent should be installed on your virtual machine
- Log Analytics agent should be installed on your virtual machine scale sets
- Log Analytics agent should be installed on your Windows-based Azure Arc machines
- Overriding or disabling of containers AppArmor profile should be restricted
- Pod Security Policies should be defined on Kubernetes Services (Deprecated)
- SQL databases should have vulnerability findings resolved
- SQL servers on machines should have vulnerability findings resolved
- Vulnerabilities in container security configurations should be remediated
- Vulnerabilities in security configuration on your Linux machines should be remediated (powered by Guest Configuration)
- Vulnerabilities in security configuration on your machines should be remediated
- Vulnerabilities in security configuration on your virtual machine scale sets should be remediated
- Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration)
- Vulnerability assessment should be enabled on your SQL managed instances
- Vulnerability assessment should be enabled on your SQL servers
Max score 3: Apply adaptive application control - Adaptive application control is an intelligent, automated, end-to-end solution to control which applications can run on your machines. It also helps to harden your machines against malware.
- Adaptive application controls for defining safe applications should be enabled on your machines
- Allowlist rules in your adaptive application control policy should be updated
- Log Analytics agent should be installed on your Linux-based Azure Arc machines
- Log Analytics agent should be installed on your virtual machine
- Log Analytics agent should be installed on your Windows-based Azure Arc machines
Max score 2: Protect applications against DDoS attacks - Azure's advanced networking solutions include Azure DDoS Protection, Azure Web Application Firewall, and the Azure Policy Add-on for Kubernetes. Use these recommendations to ensure your applications are protected with these tools and others.
- Azure DDoS Protection Standard should be enabled
- Azure Kubernetes Service clusters should have the Azure Policy Add-on for Kubernetes installed
- Container CPU and memory limits should be enforced
- Web Application Firewall (WAF) should be enabled for Application Gateway
- Web Application Firewall (WAF) should be enabled for Azure Front Door Service service
Max score 2: Enable endpoint protection - Security Center checks your organization's endpoints for active threat detection and response solutions such as Microsoft Defender for Endpoint or any of the major solutions shown in this list.
When an Endpoint Detection and Response (EDR) solution isn’t found, you can use these recommendations to deploy Microsoft Defender for Endpoint (included as part of Azure Defender for servers).
Other recommendations in this control help you deploy the Log Analytics agent and configure file integrity monitoring.
- Endpoint protection health failures should be remediated on virtual machine scale sets
- Endpoint protection health issues should be resolved on your machines
- Endpoint protection health issues should be resolved on your machines
- Endpoint protection should be installed on your machines
- Endpoint protection solution should be installed on virtual machine scale sets
- File integrity monitoring should be enabled on servers
- Install endpoint protection solution on virtual machines
- Install endpoint protection solution on your machines
- Log Analytics agent should be installed on your Linux-based Azure Arc machines
- Log Analytics agent should be installed on your virtual machine
- Log Analytics agent should be installed on your virtual machine scale sets
- Log Analytics agent should be installed on your Windows-based Azure Arc machines
Max score 1: Enable auditing and logging - Detailed logs are a crucial part of incident investigations and many other troubleshooting operations. The recommendations in this control focus on ensuring you've enabled diagnostic logs wherever relevant.
- Auditing on SQL server should be enabled
- Diagnostic logs in Azure Data Lake Store should be enabled
- Diagnostic logs in Azure Stream Analytics should be enabled
- Diagnostic logs in Batch accounts should be enabled
- Diagnostic logs in Data Lake Analytics should be enabled
- Diagnostic logs in Event Hub should be enabled
- Diagnostic logs in Key Vault should be enabled
- Diagnostic logs in Search services should be enabled
- Diagnostic logs in Service Bus should be enabled
- Diagnostic logs in Virtual Machine Scale Sets should be enabled
- Diagnostic logs in your logic apps should be enabled
- Diagnostic logs should be enabled in App Service
Max score 0: Implement security best practices - This control has no impact on your secure score. For that reason, it's a collection of recommendations which are important to fulfill for the sake of your organization's security, but which we feel shouldn't be a part of how you assess your overall score.
- [Enable if required] Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest
- [Enable if required] Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)
- [Enable if required] Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)
- [Enable if required] Container registries should be encrypted with a customer-managed key (CMK)
- [Enable if required] MySQL servers should use customer-managed keys to encrypt data at rest
- [Enable if required] PostgreSQL servers should use customer-managed keys to encrypt data at rest
- [Enable if required] SQL managed instances should use customer-managed keys to encrypt data at rest
- [Enable if required] SQL servers should use customer-managed keys to encrypt data at rest
- [Enable if required] Storage accounts should use customer-managed key (CMK) for encryption
- A maximum of 3 owners should be designated for your subscription
- Access to storage accounts with firewall and virtual network configurations should be restricted
- All advanced threat protection types should be enabled in SQL managed instance advanced data security settings
- All advanced threat protection types should be enabled in SQL server advanced data security settings
- An Azure Active Directory administrator should be provisioned for SQL servers
- API Management services should use a virtual network
- Audit retention for SQL servers should be set to at least 90 days
- Auto provisioning of the Log Analytics agent should be enabled on your subscription
- Automation account variables should be encrypted
- Azure Backup should be enabled for virtual machines
- Azure Cosmos DB accounts should have firewall rules
- Azure Defender for SQL should be enabled for unprotected Azure SQL servers
- Azure Defender for SQL should be enabled for unprotected SQL Managed Instances
- Cognitive Services accounts should enable data encryption
- Cognitive Services accounts should restrict network access
- Cognitive Services accounts should use customer owned storage or enable data encryption
- Default IP Filter Policy should be Deny
- Diagnostic logs in IoT Hub should be enabled
- Email notification for high severity alerts should be enabled
- Email notification to subscription owner for high severity alerts should be enabled
- Ensure API app has Client Certificates Incoming client certificates set to On
- External accounts with read permissions should be removed from your subscription
- External accounts with read permissions should be removed from your subscription
- Geo-redundant backup should be enabled for Azure Database for MariaDB
- Geo-redundant backup should be enabled for Azure Database for MySQL
- Geo-redundant backup should be enabled for Azure Database for PostgreSQL
- Guest Attestation extension should be installed on supported Linux virtual machine scale sets
- Guest Attestation extension should be installed on supported Linux virtual machines
- Guest Attestation extension should be installed on supported Windows virtual machine scale sets
- Guest Attestation extension should be installed on supported Windows virtual machines
- Guest Configuration extension should be installed on your machines
- Identical Authentication Credentials
- IoT Devices - Agent sending underutilized messages
- IoT Devices - Auditd process stopped sending events
- IoT Devices - Open Ports On Device
- IoT Devices - Operating system baseline validation failure
- IoT Devices - Permissive firewall policy in one of the chains was found
- IoT Devices - Permissive firewall rule in the input chain was found
- IoT Devices - Permissive firewall rule in the output chain was found
- IoT Devices - TLS cipher suite upgrade needed
- IP Filter rule large IP range
- Java should be updated to the latest version for your API app
- Java should be updated to the latest version for your function app
- Java should be updated to the latest version for your web app
- Key Vault keys should have an expiration date
- Key Vault secrets should have an expiration date
- Key vaults should have purge protection enabled
- Key vaults should have soft delete enabled
- Kubernetes clusters should be accessible only over HTTPS
- Kubernetes clusters should disable automounting API credentials
- Kubernetes clusters should not grant CAPSYSADMIN security capabilities
- Kubernetes clusters should not use the default namespace
- Linux virtual machines should enforce kernel module signature validation
- Linux virtual machines should use only signed and trusted boot components
- Linux virtual machines should use Secure Boot
- Machines should be restarted to apply security configuration updates
- MFA should be enabled on accounts with read permissions on your subscription
- MFA should be enabled on accounts with read permissions on your subscription
- Network traffic data collection agent should be installed on Linux virtual machines
- Network traffic data collection agent should be installed on Windows virtual machines
- Network Watcher should be enabled
- Non-internet-facing virtual machines should be protected with network security groups
- PHP should be updated to the latest version for your API app
- PHP should be updated to the latest version for your web app
- Private endpoint connections on Azure SQL Database should be enabled
- Public network access on Azure SQL Database should be disabled
- Public network access should be disabled for Cognitive Services accounts
- Python should be updated to the latest version for your API app
- Python should be updated to the latest version for your function app
- Python should be updated to the latest version for your web app
- Remote debugging should be turned off for API App
- Remote debugging should be turned off for Function App
- Remote debugging should be turned off for Web Applications
- Secure Boot should be enabled on supported Windows virtual machines
- Storage accounts should be migrated to new Azure Resource Manager resources
- Subnets should be associated with a network security group
- Subscriptions should have a contact email address for security issues
- There should be more than one owner assigned to your subscription
- Validity period of certificates stored in Azure Key Vault should not exceed 12 months
- Virtual machines guest attestation status should be healthy
- Virtual machines should be migrated to new Azure Resource Manager resources
- Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
- vTPM should be enabled on supported virtual machines
- Web apps should request an SSL certificate for all incoming requests
- Windows Defender Exploit Guard should be enabled on your machines
- Windows web servers should be configured to use secure communication protocols
Max score 0: Apply data classification - Classifying your organization's data by sensitivity and business impact allows you to determine and assign value to the data and provides the strategy and basis for governance.
- Sensitive data in your SQL databases should be classified
Max score 0: Enable Azure Defender - Use these recommendations to enable any of the Azure Defender plans.
- Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed
- Azure Defender for App Service should be enabled
- Azure Defender for Azure SQL Database servers should be enabled
- Azure Defender for container registries should be enabled
- Azure Defender for DNS should be enabled
- Azure Defender for Key Vault should be enabled
- Azure Defender for Kubernetes should be enabled
- Azure Defender for Resource Manager should be enabled
- Azure Defender for servers should be enabled
- Azure Defender for servers should be enabled on your workspace
- Azure Defender for SQL servers on machines should be enabled
- Azure Defender for Storage should be enabled

FAQ - Secure score

If I address only three out of four recommendations in a security control, will my secure score change?

No. It won't change until you remediate all of the recommendations for a single resource. To get the maximum score for a control, you must remediate all recommendations, for all resources.

If a recommendation isn't applicable to me, and I disable it in the policy, will my security control be fulfilled and my secure score updated?

Yes. We recommend disabling recommendations when they're inapplicable in your environment. For instructions on how to disable a specific recommendation, see Disable security policies.

If a security control offers me zero points towards my secure score, should I ignore it?

In some cases, you'll see a control max score greater than zero, but the impact is zero. When the incremental score for fixing resources is negligible, it's rounded to zero. Don't ignore these recommendations as they still bring security improvements. The only exception is the "Additional Best Practice" control. Remediating these recommendations won't increase your score, but it will enhance your overall security.

Next steps

This article described the secure score and the included security controls.

For related material, see the following articles: