Before You Buy Microsoft 365 Copilot, Clean Up Your Tenant First

image

One of the biggest mistakes I continue to see with Microsoft 365 Copilot is treating the licence purchase as the project.

It’s not.

The licence is the easy part. The hard part is making sure the information Copilot can access is actually worth finding.

Copilot doesn’t create information. It exposes what already exists.

If your tenant is messy, overshared and unmanaged, Copilot simply helps users find the mess faster.

What is Microsoft 365 Copilot readiness, really?

Most people think readiness is about licences, supported apps and technical prerequisites.

That’s not readiness. That’s procurement.

Real readiness means asking whether your Microsoft 365 environment contains information that is organised, secured and governed well enough for AI to work across it. Microsoft talks about defining your strategy, protecting sensitive data and checking readiness before rollout in its Microsoft 365 Copilot rollout guidance.

Copilot works across the data users already have access to. That should make every MSP pause.

Because if users already have access to content they shouldn’t, Copilot won’t politely ignore it. It will work with the permissions you’ve given it.

Step-by-Step: Review your tenant before assigning licences
Audit SharePoint permissions

Start with SharePoint.

This is where a lot of the Copilot value lives, and it’s also where many of the surprises hide.

Review high-value sites, external sharing, broad groups, anonymous links and old project workspaces. Microsoft has specific guidance around building a secure and governed data foundation for Copilot, including oversharing remediation and guardrails.

Notice what’s missing?

Most SMB tenants have never had a proper SharePoint permissions review.

Review OneDrive ownership

Every OneDrive is effectively a knowledge repository.

Look for departed staff, abandoned content, sensitive folders and business-critical files that only one person controls.

Copilot won’t know whether that file belongs in a managed SharePoint library instead. It will simply see information the user can access.

Clean up Teams sprawl

Open the Teams admin centre and look at inactive teams, duplicated teams and channels nobody owns.

If humans can’t tell which Team contains the source of truth, don’t expect Copilot to magically understand your operating model.

“We thought Copilot was giving bad answers.”

In many cases, the tenant was giving bad data.

Review sensitivity labels

If you use Microsoft Purview, check whether sensitivity labels exist, whether they’re published to the right users and whether people understand them.

Sensitivity labels are not decoration. They classify and can protect organisational data across Microsoft 365, as Microsoft explains in its sensitivity labels documentation.

Keep labels simple.

A label nobody understands is just another button nobody presses.

Check retention and stale content

Old content is not harmless just because storage is cheap.

Review retention policies, old libraries, archived Teams and documents that should no longer be active reference material.

Copilot can make stale content visible again.

That’s not intelligence. That’s exposure.

Validate identity and device controls

Before assigning Copilot licences, review MFA, Conditional Access, privileged accounts and device compliance.

This is where SMBs often underinvest.

They buy the AI licence, but the tenant still has weak identity hygiene and unmanaged devices.

That’s backwards.

Decide how you’ll measure usage

Don’t wait until renewal time to ask whether Copilot is working.

Set expectations early. The Microsoft 365 admin centre includes a Microsoft 365 Copilot usage report for adoption and usage metrics.

That matters because licence assignment is not adoption.

A user having Copilot and a user changing the way they work are two different things.

Why this actually changes behaviour

Here’s the real win.

A Copilot readiness review improves the tenant even before you assign the first paid licence.

Permissions get cleaned up.

Teams become easier to navigate.

Content ownership improves.

Old information gets archived.

Security conversations become practical instead of theoretical.

Copilot doesn’t get tired. Use that.

But don’t ask it to compensate for years of neglected governance.

The best Copilot deployments I’ve seen don’t start with a licence order. They start with a conversation about data, access and outcomes.

My recommendation?

Treat Copilot readiness as an MSP service, not a pre-sales checklist.

If you’re not showing clients what Copilot might expose before they pay for it, you’re leaving value on the table.

Microsoft 365 Copilot isn’t there to fix a messy tenant.

It’s there to make a well-run tenant dramatically more useful.

Entra ID Password Protection + Smart Lockout

image


People still obsess over password complexity.

Twelve characters. Special symbols. Rotation every 90 days.

And yet accounts still get compromised.

That’s because attackers don’t guess random passwords anymore. They guess human passwords.

That’s not a complexity problem. That’s a behaviour problem.

So instead of arguing about password rules, I push clients to focus on two things they already have in Microsoft 365:

Password Protection and Smart Lockout.

Quietly running. Often ignored. Rarely tuned.

Here’s what actually matters.


What is Entra ID Password Protection + Smart Lockout, really?

It’s not a password policy.

It’s a filter and a shield.

Password Protection stops users from choosing bad passwords in the first place.

It uses a global banned password list driven by Microsoft telemetry and blocks weak or common passwords automatically—no configuration required. [learn.microsoft.com]

On top of that, you can add your own banned terms. Company names. Locations. Products. The obvious stuff attackers try first.

Then there’s Smart Lockout.

This is what most people misunderstand.

It’s not “lock the account after X attempts”.

That’s old thinking.

Smart Lockout can distinguish between a real user fat-fingering a password and an attacker trying thousands of guesses. [learn.microsoft.com]

Same identity. Different treatment.

Attackers get blocked quickly.

Real users keep working.

That’s not a nicer lockout policy.

That’s a signal-driven control.

“But we already have account lockout on-prem.”

Exactly.

And that’s the problem.


Step-by-Step: Tune Password Protection and Smart Lockout

Portal only. No scripts. No excuses.

1. Open Password Protection settings

Go to:

Entra admin centre
Protection
Authentication methods
Password protection

This is the only place you need.

2. Add a custom banned password list

Add terms like:

  • Company name variations

  • Internal product names

  • Common abbreviations

  • Location names

These get evaluated alongside the global list and block weak variants automatically. [learn.microsoft.com]

Not just exact matches.

Variants.

That’s the key.

3. Review Smart Lockout threshold

Default is:

Most SMBs never touch this.

My recommendation?

Lower it slightly only if you understand user behaviour.

Too low and you create support tickets.

Too high and you give attackers room to work.

You’re not tuning numbers.

You’re tuning friction.

4. Set lockout duration

Default starts short (around a minute) and increases with repeated attempts. [learn.microsoft.com]

That’s deliberate.

Short for users.

Painful for attackers.

If you override this, be careful.

Long lockouts punish users.

Short lockouts reward attackers.

5. Leave Smart Lockout on (always)

Important:

Smart Lockout is already enabled.

There’s nothing to “turn on”.

There’s only:

  • Leaving it alone

  • Or breaking it
6. Pair it with MFA (properly)

Password protection is not enough.

Microsoft is very clear on that.

Use it alongside MFA and Conditional Access. [learn.microsoft.com]

Otherwise you’re just slowing attackers down.

Not stopping them.


Why this actually changes behaviour

This is the part most MSPs miss.

These features don’t just block attacks.

They retrain users.

Bad password?

Rejected.

Repeated guessing?

Blocked.

Users learn quickly what works and what doesn’t.

No training session required.

No PDF sent out.

No awareness campaign.

The system corrects behaviour in real time.

“We’ll just educate users instead.”

You can.

Or you can enforce it once and let the platform do it forever.

Ask once. Enforce always.

Here’s the real win:

  • Fewer compromised accounts

  • Fewer lockout tickets

  • Fewer “why is this happening?” calls

And importantly:

  • Better outcomes with less effort

That’s the bit most people overlook.


Notice what’s missing?

No password complexity discussion.

No rotation debates.

No “special characters required”.

Because those don’t solve the real problem.

Attackers aren’t brute-forcing randomly anymore.

They’re spraying expected passwords across thousands of accounts.

Password Protection removes the obvious targets.

Smart Lockout kills the attack path.

Different layers.

Same outcome.


Passwords aren’t going away.

But weak passwords should.

And repeated guessing definitely should.

Password Protection isn’t there to make passwords stronger.

It’s there to make bad passwords impossible.

Before You Buy the Copilot Licence, Do This First

MAI_a705418914201c07

Everyone wants to know what Copilot can do. Almost nobody asks what Copilot will find.

That’s the question that actually matters. Copilot doesn’t create new access — it works entirely within your existing Microsoft 365 permissions. It can only surface what a user is already allowed to see.

Sounds safe. It’s not. Not if your SharePoint environment looks like most tenants I’ve walked through.

Sites shared with “Anyone with the link” since 2021. Files in folders with permissions no one’s reviewed in years. Ownerless sites stuffed with content nobody knows exists. When your finance manager asks Copilot to “summarise what we know about Project X,” it’ll pull from everything she can already access — including documents she’d have had to know to search for directly.

That’s not a Copilot problem. That’s the data governance problem you already had, just made visible.

My recommendation? Run the readiness assessment before you assign a single licence.

What is the Copilot Readiness Assessment, really?

Most people think readiness means “do you have the right licence and update channel.” The Copilot Readiness Report in the Microsoft 365 admin centre does tell you that — which users are technically eligible, which devices are on the right update channel, who your best pilot candidates are.

That’s the easy half.

The hard half is whether your data is in a state that Copilot should be let near. That check lives in a completely different place, and most readiness guides skip it entirely.

Notice what’s missing? Almost every “Copilot readiness checklist” you’ll find online focuses on licence eligibility. The data side is where the actual risk sits.

Step-by-Step: Running a Proper Readiness Check
Open the M365 Copilot Readiness Report

Go to the Microsoft 365 admin centre. In the left nav, select Reports > Usage, then choose Microsoft 365 Copilot and open the Copilot report. Click the Readiness tab.

You’ll see prerequisite licence counts, update channel eligibility, and a user table flagging suggested Copilot candidates. Export the list. It gives you a concrete starting point for a pilot conversation with your client.

Check for Oversharing in SharePoint

Open the SharePoint admin centre. Go to Reports > Data Access Governance. This is where you find the oversharing risk — sites with “Anyone” sharing links active, files broadly accessible across the tenant, high-member-count sites with no clear owner.

Work through the data access governance reports. Anything flagged here is content Copilot can reach on behalf of any user who has permission.

By default, SharePoint sharing is set to the most permissive option. Most tenants have never changed it.

Run the Content Management Assessment

Still in the SharePoint admin centre, go to Advanced Management > Content Management Assessment and select Start assessment. This surfaces inactive sites, ownerless sites, and sites that haven’t been attested by anyone recently.

SharePoint admin centre
  > Advanced Management
    > Content Management Assessment
      > Start assessment

Rerun it every 30 days. This isn’t a one-time exercise. It’s a recurring conversation starter with every client who has Copilot.

Review Your Sensitivity Labels

Open the Microsoft Purview compliance portal > Information protection > Labels. Check whether labels are deployed and whether content users will ask Copilot about is actually labelled.

Sensitivity labels travel with content. Copilot honours them at response time — it won’t surface content a user doesn’t have decrypt rights for. No labels means no enforceable control over what ends up in a Copilot response.

They’re not a Copilot feature. They’re the floor you build on.

Why This Actually Changes Behaviour

Here’s the real win.

Running this before you sell the licence gives you a different kind of client conversation. Not “here’s what Copilot can do” — but “here’s what your data looks like right now, and here’s what we need to fix before Copilot is safe to use.” That’s a trusted adviser conversation, not a licence upsell.

Microsoft’s Secure & Governed Data Foundation blueprint organises this into three pillars: remediate oversharing, set up guardrails, meet regulations. It’s worth reading before your next client review. Print it. Take it in.

If you’re not showing clients this work before you enable Copilot, you’re not protecting them — you’re just adding a powerful AI to a mess.

Copilot doesn’t create oversharing. It reveals it. Fix the foundation first, then turn on the power.

The remote shell you already own and never switched on

MAI_f92fd6ff5e6c3e0b


A client rings. A machine’s behaving strangely — fake-looking PowerShell, a scheduled task nobody created, something. What do most of us do?

We RDP in. Or worse, we send someone onsite.

Here’s the thing. If that device is onboarded to Defender for Endpoint, you already have a remote command line sitting right there in the portal. You can be on the box, reading its running processes, in about thirty seconds. From your desk.

Most MSPs I talk to have never turned it on. For some it’s a checkbox they walked straight past during onboarding. For others — and this is the part that trips people up — it’s a licence they didn’t realise they’re missing. Either way, it’s a gap worth closing.

What is Live Response, really?

Live Response is a secure remote shell into any onboarded device, run entirely from the Defender portal. No RDP. No VPN. No jump box. No asking a panicked user to “click the thing I just emailed you”.

You open a session and you’re talking to the machine in real time. List processes, pull a suspicious file back to the portal for analysis, kill something, drop a registry change, or run a PowerShell script you’ve pre-loaded.

Think of it as the SSH session you always wished you had for your Windows fleet — except the audit trail writes itself and you never went near the network.

Here’s the real win. The thirty minutes you used to burn coordinating remote access to a maybe-compromised box just disappears. You’re simply there.

Step-by-step: getting on the box

This lives in Live Response in Defender for Endpoint, and it needs Defender for Endpoint Plan 2.

Now read this next bit carefully, because it’s where the assumption bites. Business Premium does not give you Plan 2. Business Premium includes Defender for Business — same great EDR detections, and the basic response actions you’d expect (isolate the device, run an antivirus scan, quarantine a file). But Live Response, the remote shell, is not in Defender for Business. It’s a Plan 2-only feature.

So before you promise a client “I’ll just hop on the box,” check what they’re actually licensed for. To get Live Response onto a Business Premium tenant you need either the Defender Suite for Business Premium add-on (around $10/user/month — which also lands you Defender for Office 365 P2, Entra ID P2 and more) or a standalone Defender for Endpoint Plan 2 licence.

And one last gotcha that catches people out: even after you assign the licences, the tenant defaults to the Defender for Business experience. You have to contact Microsoft Support and ask them to switch the tenant to the Plan 2 experience before the remote shell appears. It’s a one-time thing, but it’s a ticket, not a toggle.

None of this is a reason not to do it. It’s a reason to do it deliberately — a line item on the proposal and a switch request, not a feature your client already paid for and forgot about. Honestly, for a managed-security MSP that’s the easy version of this conversation: “for ten dollars a user I can be on any sick machine in thirty seconds” sells itself.

Turn it on first

This is the step everyone misses. Even once you’re licensed, Live Response is off by default.

Go to the Microsoft Defender portal, then Settings > Endpoints > Advanced features. Flip Live Response on. If you want to push scripts to servers too, enable Live Response for Servers. Save. (Configure advanced features walks through every toggle on that page.)

There’s a second switch just below: Live Response unsigned script execution. Leave that off. I’ll come back to why.

Check who’s allowed

Live Response is gated by role. Read-only permissions can look but not touch. To actually run commands and push files, your technician group needs the right Defender permission assigned. Sort this before an incident, not during one.

Open a session

Find the device in the inventory, open its page, and click Initiate live response session. Give it a few seconds to connect, and you’ve got a prompt.

Build your library once

This is where it goes from handy to a service. From the session console — or the Library management page — you can upload PowerShell scripts and run them on demand with a single command (upload to the live response library). Write the scripts once, run them across every client tenant.

A triage runbook might look like this:

run Get-RunningProcesses.ps1
run Get-PersistenceItems.ps1
run Collect-EventLogs.ps1
getfile "C:\Users\Public\suspicious.exe"

Notice what’s missing? No RDP credentials. No copying scripts onto the box and hoping nobody double-clicks them. No “can you read me the error message”. You point at the device, run a vetted script, pull the evidence back. Same four commands, every tenant, every time.

Why this actually changes behaviour

“We don’t touch the machine until we know what we’re dealing with.”

That used to mean waiting. Now it means a thirty-second session and a script you wrote last month.

Here’s what shifts. Triage stops being a scheduling problem and becomes a muscle. Your L1 can open a session and run the runbook before escalating, which means your L3 gets a tidy evidence pack instead of a vague ticket. The work moves down a tier and your senior people stay doing senior work.

And that unsigned-scripts toggle I told you to leave off? That’s the discipline. If every script in your library is signed, a compromised technician account can’t quietly run arbitrary code across your clients’ fleets through your own tooling. Convenience that becomes an attack path isn’t convenience. Leave it off.

If you’re selling managed Defender and you’re still RDP-ing in to triage, you’re billing time for a problem Microsoft already solved for you — assuming you’ve licensed the fix.

Live Response isn’t there to make remote access faster. It’s there to make “let me get on the machine” a non-event.

Check which tenants are licensed, turn it on this week, and the next incident will thank you.

Security baselines in Intune (Windows, Edge, Defender)

MAI_ddc086c935692a84

Most security baseline deployments I walk into were finished in about four minutes.

Someone opened Intune, found Security baselines, picked the Windows one, clicked through the wizard accepting every default, hit Create, and moved on. Box ticked. Tenant “hardened”.

That’s not security configuration. That’s a screenshot for the onboarding report.

Here’s the thing nobody tells you. A baseline you’ve never read isn’t a baseline. It’s a pile of Microsoft’s opinions you’ve agreed to without looking. And one of those opinions might break BitLocker enrolment on every machine without a TPM.

So let’s actually do this properly. It’s already in the licence your client pays for.

What is a security baseline, really?

A security baseline is Microsoft’s own recommended configuration for a product, bundled into one policy you deploy from Intune.

Not a list of suggestions. Not a report. Actual settings that get pushed to the device — BitLocker, firewall, Defender, password rules, SmartScreen — preset to the values Microsoft’s security team uses internally.

The point is speed. Instead of hand-building forty configuration profiles, you deploy one baseline and you’re 80% of the way to a hardened endpoint. Microsoft maintains the recommended settings and ships new versions as Windows evolves.

You get a few flavours: Windows, Microsoft Defender for Endpoint, Microsoft Edge, and Windows 365. There’s no separate SKU to buy. If your client is on Business Premium, this is already sitting in their tenant waiting.

Step-by-Step: deploying your first baseline

Portal only. No PowerShell.

Open the baselines

Sign in to the Microsoft Intune admin center and go to Endpoint security > Security baselines. You’ll see each baseline type with its current version on the right.

Pick one and create the profile

Start with Security Baseline for Windows 10 and later. Click it, then Create profile. Always take the newest version — older ones go read-only the moment a new one ships.

Name it like you’ll see it again

Give it a name your future self can read at a glance, like WIN-Baseline-Pilot. When a tenant has thirty policies, naming is the documentation.

Read the settings. Actually read them.

This is the step everyone skips. Walk the Configuration settings tabs. The defaults are deliberately restrictive — that’s the point — but restrictive settings break things. BitLocker enforcement on hardware without TPM 2.0 will tank an enrolment. Firewall rules will fight on-prem Group Policy on hybrid devices.

Assign to a pilot, not the fleet

Assign to a device group of ten to twenty machines with mixed hardware. Not your IT team’s identical laptops — include the weird old Dell from accounting. That’s where the breakage hides.

Watch the overview

Give it 24 hours, then check the profile’s Overview. You’ll see four buckets:

Succeeded        – applied cleanly
Error            – failed to apply
Conflict         – this setting is fighting another policy
Not applicable   – device can't support it

Notice what’s missing? There’s no “Secure” status. The portal tells you settings applied — never that you’re protected. Those are different claims, and the gap between them is your job.

Why this actually changes behaviour

Two reasons this matters more than the four-minute version.

First, conflicts are real and they’re silent. If the same setting lives in a baseline and a configuration profile, the device gets neither. It sits in Conflict and quietly does nothing. Run a pilot and you catch it. Deploy to everyone on a Friday and you find out Monday.

Second — and this is the one that catches people — baseline settings tattoo. Remove the assignment and the settings don’t roll back. They stay frozen at the last value applied. There’s no undo button.

“So if I unassign it, doesn’t the device go back to normal?”

No. It stays exactly where the baseline left it. You’d have to push the opposite setting to reverse it. Treat every baseline deployment as a one-way door, because it mostly is.

A baseline is a starting line, not a finish line. Microsoft’s Windows baseline covers maybe 150 of the 450-odd settings a CIS benchmark wants. That’s fine. Start here, layer the rest later.

The four-minute deployment and the real one look identical in a screenshot. They behave nothing alike on the device.

Read the settings once. Pilot once. Then you can tell a client their fleet is hardened and actually mean it.

A baseline isn’t there to make you look secure. It’s there to make you secure — but only if you read it first.

Token theft detection and Continuous Access Evaluation

MAI_c1559940f2aebaf3

Everyone’s proud of their MFA rollout. Every tenant I touch has it on now. Good.

But here’s the thing almost nobody checks: MFA only protects the front door. It proves who you are when you sign in. After that, you get a token, and that token is what actually keeps you logged in.

Steal the password? MFA stops you. Steal the token? You walk straight past it.

That’s the attack that’s quietly winning right now. Adversary-in-the-middle phishing kits don’t bother cracking your second factor. They sit between you and Microsoft, let you complete MFA, and pocket the session token on the way through. Now they’re you — no prompt, no challenge, no trace.

So the question isn’t “have I turned on MFA?” It’s “what happens after the token is issued?” And for most tenants, the honest answer is: nothing, for up to an hour.

What is CAE, really?

A Microsoft 365 access token lasts one hour by default. For that hour, the token is trusted. If you disable a compromised account at minute three, the attacker keeps working until minute sixty.

Continuous Access Evaluation closes that gap.

Instead of waiting for the token to expire, Entra and the app — Exchange, SharePoint, Teams — hold an open conversation. The moment something critical changes, Entra tells the app to stop trusting that token now. Account disabled, password reset, admin revokes sessions, ID Protection flags high risk — the session dies in near real time.

Here’s the part most people miss. CAE is already on. Critical-event evaluation runs in every tenant, no Conditional Access policy required. You don’t switch it on. You just need to not switch it off.

Step-by-Step: lock down the token, not just the login
Confirm CAE is still on

Go to the Entra admin centreEntra IDConditional AccessPolicies. Open any policy you’ve built, then look under SessionCustomize continuous access evaluation.

If someone’s ticked Disable in there, untick it. That toggle exists for edge cases, and I’ve walked into tenants where it was flipped off years ago and forgotten. Microsoft documents the disable path — read it so you know what you’re looking at.

Stand up a Token Protection policy

CAE kills the session after a known event. Token Protection stops the stolen token being usable in the first place. It cryptographically binds the sign-in token to the device it was issued on. Steal it, move it to your machine, and it’s a dead key.

Create a new Conditional Access policy. Scope it to a pilot group first. Target Exchange Online, SharePoint Online, and Teams. Under Session, tick Require token protection for sign-in sessions.

Set it to report-only

Do not go straight to On. Set the policy to Report-only and let it run. Watch your sign-in logs for “Token Protection – Sign In Session” and look for Bound versus Unbound. The deployment guidance says the same thing, and it’s right — you want to see what breaks before it breaks for a client.

Here’s the session control you’re actually setting:

Session controls:
  Require token protection for sign-in sessions: ON
  Target resources: Exchange Online, SharePoint Online, Teams
  Device requirement: Entra joined / hybrid joined / registered
  Client apps: native desktop + mobile only

Notice what’s missing? Browsers. Token Protection covers native client apps today, not browser sessions. So an attacker who lifts a token through a browser can still replay it. This isn’t the finish line — it’s one layer in a stack that also needs phishing-resistant MFA and compliant devices.

Why this actually changes behaviour

Once you internalise that the token is the credential, your whole threat model shifts.

“We’re fully MFA’d, we’re fine.” No. You’re protected at sign-in. You’re exposed for every minute after it.

CAE shrinks that exposure window from an hour to near-zero. Token Protection makes the stolen token worthless on the wrong machine. Together they move you from “we hope nobody phishes a session” to “even if they do, it dies fast and travels nowhere.”

And it costs you nothing extra to start. CAE ships in the box. Token Protection now needs only Entra ID P1 — which your Business Premium clients already have.

MFA was the conversation three years ago. Token theft is the conversation now. If you’re still selling clients on the front door while attackers climb through the session, you’re protecting the wrong thing.

MFA proves who walked in. CAE and Token Protection make sure they can’t stay in once you’ve shown them the door.

Microsoft Secure Score for SMB MSPs: Stop Treating It Like a Report Card and Start Running It Like a Work Queue

image

Microsoft Secure Score is one of the most underused operational assets in the Microsoft 365 stack. Most MSPs know it exists. Most have shown it in a QBR. Most do not run it as part of service delivery.

That is the mistake.

If you manage Microsoft 365 for small and midsize businesses, Secure Score is not best understood as a dashboard, a maturity grade, or a client-facing marketing number. It is a Microsoft-maintained, impact-weighted queue of hardening actions, with tenant history, trend data, comparison data, and a Graph API. In practical terms, it is a free source of prioritized security work that many MSPs already pay for through the licenses they sell, then ignore in day-to-day operations.

For SMB-focused MSPs, that matters because the biggest failure mode is not the lack of security tools. It is the lack of an ownership loop. A control regresses, an exception gets added, a legacy app forces a bad compromise, or a policy quietly gets weakened to solve a ticket. Secure Score usually notices the change. The MSP often does not. The issue is not visibility. The issue is that the visibility never enters the workflow.

This article explains how to fix that. We will cover what Secure Score actually measures, why many MSPs do not trust it, where it is operationally useful, where it is incomplete, and how to turn it into a repeatable SMB security process instead of another unused portal tile.

What Microsoft Secure Score Actually Is

Microsoft defines Secure Score as a measurement of an organization’s security posture. A higher score means the tenant has taken more of Microsoft’s recommended actions. Microsoft is also explicit about what the score is not: it is not an absolute measure of breach likelihood, and it should not be treated as a guarantee of security.

That disclaimer is important because it is where many MSP conversations go wrong. When teams argue about whether the score is “accurate,” they are usually asking the wrong question. The useful question is whether the recommendation set helps you prioritize hardening work inside the Microsoft 365 estate. In that role, it is often very useful.

Secure Score groups improvement actions across major areas such as identity, devices, apps, and data. In the Defender portal, you also get historical views, comparison trends, regression tracking, risk acceptance trends, and benchmarks against similar organizations. In Microsoft Graph, the secureScore resource exposes tenant-level score data and control-level score data. Microsoft documents that the secureScores collection retains 90 days of data by default and is sorted by createdDateTime.

For an MSP, that means three things. Microsoft is already maintaining the recommendation model for you. The model is weighted, so high-impact items rise above low-value cleanup work. The data is retrievable, so you are not limited to screenshots and manual review.

Why MSPs Distrust Secure Score

The skepticism is not irrational. MSPs have good reasons to be wary of vendor scoring systems.

Secure Score can be gamed. Some controls can be marked as addressed by third-party solutions. Some organizations can push the percentage higher without meaningfully improving real-world resilience. Some recommendations align cleanly with Microsoft’s commercial interests. And a tenant can look respectable in Secure Score while still being weak against a framework-based assessment such as CIS Microsoft 365 Foundations.

All of that is true.

It is also beside the point if you use Secure Score correctly.

The score itself is not the deliverable. The recommendation queue is the useful artifact.

If you stop treating Secure Score as a grade to defend and start treating it as a stream of prioritized hardening opportunities, most of the common objections lose force. Whether the overall number is inflated matters much less when the MSP’s process is built around four operational questions:

  1. What changed?

  2. Which recommendation regressed?

  3. Who owns the remediation?

  4. Is the exception documented if the control cannot be implemented?

That is the shift SMB MSPs need. Do not sell the number. Operate the queue.

Why This Matters More in SMB Than Enterprise

Enterprise security teams can afford parallel governance structures, dedicated platform owners, and formal architecture boards. Most SMB MSPs cannot. They are working across dozens or hundreds of tenants with a small engineering team, limited time for advisory work, and constant pressure to resolve issues quickly without breaking line-of-business applications.

That environment creates predictable drift:

  • MFA gets partially rolled back to support a legacy workflow.

  • Conditional Access exclusions accumulate because no one wants to block the owner on Monday morning.

  • POP, IMAP, or SMTP AUTH remains enabled longer than intended.

  • Admin accounts sprawl because shared support habits were never fully cleaned up.

  • Secure defaults are deferred until “after onboarding” and then never revisited.

Secure Score will not solve those cultural problems by itself. But it does give the MSP a standardized, per-tenant signal that the drift happened. That is useful when the alternative is discovering the gap after a compromise, an audit finding, or a cyber insurance questionnaire.

For SMB clients, the outcome you want is not elegant theory. It is repeatable motion: detect regressions, turn them into tickets, assign ownership, track exceptions, and report change over time.

The Best Way to Think About Secure Score

The most useful framing for an SMB MSP is this:

Secure Score is a free, Microsoft-maintained, prioritized work queue for Microsoft 365 hardening.

That framing is better than “dashboard” for several reasons.

It turns advisory data into service delivery work

Most MSPs already know how to manage queues. They know how to triage, assign owners, set SLAs, escalate blockers, and review aging items. Once Secure Score is treated as a work source instead of a summary chart, it can be managed with the same disciplines as patching, backups, or incident response.

It gives smaller MSPs prioritization they did not have to build themselves

Building a credible cross-tenant security backlog from scratch is expensive. Microsoft has already done a significant part of that work by maintaining a recommendation catalog and weighting system for the Microsoft 365 estate. That does not replace judgment, but it removes a lot of low-value manual triage.

It creates a missing ownership loop

This is the central operational gap in many MSP practices. Somebody reviews the score at QBR time. Nobody owns the regressions between reviews. A queue model closes that gap by creating named responsibility.

What Secure Score Is Good At

Secure Score is most useful for four operational jobs.

1. Baseline hardening of Microsoft 365 tenants

For Business Premium-heavy client bases, Secure Score is a practical way to identify incomplete baseline work in identity, email, collaboration, and access control. It is especially useful during onboarding and during the first 90 days after standardization.

2. Detecting configuration regression

The most valuable Secure Score capability for MSP operations is not the headline number. It is the visibility into changes, regressions, and trends over time. Microsoft documents history views, score changes, regression trends, and risk acceptance trends in the Defender portal. Those features support a simple but important operating model: when the score moves for a meaningful reason, someone should know why.

3. Supporting client communication

Clients generally do not want a pile of raw control language. They want to know whether their tenant is improving, where material gaps remain, and what decisions are blocked by budget, licensing, or business risk tolerance. Secure Score gives MSPs a way to show movement while still tying the discussion to concrete recommendations.

4. Feeding automations and downstream workflows

The Graph API is what makes Secure Score operationally interesting. The secureScore and secureScoreControlProfile entities mean the data can be extracted, normalized, compared, and pushed into PSA tickets, reporting systems, Power BI, or an internal security dashboard.

What Secure Score Is Not Good At

If you overstate Secure Score, you will lose credibility fast.

It is not a complete security program.

It is not a replacement for CIS-based assessment, conditional access architecture review, privileged identity strategy, incident response readiness, or broader governance work.

It is not proof that a tenant is secure.

It is not enough on its own for cyber insurance, regulated compliance, or board-level assurance.

And it does not reliably represent controls outside the parts of the Microsoft estate it can actually observe and score.

The correct role is upstream triage. If a tenant is weak in Secure Score, it is almost certainly not ready for anyone to pretend the security program is mature. If a tenant is strong in Secure Score, that is useful evidence of operational discipline, but it is still not the same thing as a framework-level assessment.

The MSP Operating Model: How to Turn Secure Score Into Real Work

If you want this to matter, you need a workflow, not a portal habit.

The simplest operating model for SMB MSPs looks like this.

Daily or scheduled collection

Pull each managed tenant’s latest Secure Score data on a schedule. For most SMB practices, daily is enough. The point is not constant polling. The point is to avoid relying on somebody remembering to open the Defender portal.

At minimum, collect:

  • current score

  • max score

  • controlScores

  • createdDateTime

  • comparison data where available

Because Microsoft retains 90 days in the secureScores collection by default, MSPs that want trend history beyond that should store snapshots in their own reporting or data platform.

Change detection

Compare the latest data with the prior snapshot. You are looking for:

  • newly regressed controls

  • high-impact recommendations not yet addressed

  • large score drops

  • repeated exceptions on the same control

This matters more than chasing every available point. A tenant that loses 8 points because a meaningful identity control regressed deserves faster attention than a tenant sitting 12 points below your target because of a lower-priority backlog item.

Ticket creation

Do not create tickets for every single recommendation blindly. That becomes noise.

Instead, define queue rules such as:

  • create a ticket when a control regresses

  • create a ticket when a high-impact control remains open beyond a threshold

  • create a project task when multiple related controls point to the same architectural gap

  • suppress informational items that do not change the actual risk picture

For SMB MSPs, the PSA categories should be simple: remediation, client decision required, license blocker, accepted risk, and monitoring only.

Ownership and SLA

Every generated item needs one owner. Not a team. Not “security.” One owner.

If the ticket requires client approval, assign a technical owner internally anyway. The owner is responsible for moving the item to a decision, not just waiting for the client to act.

Review cadence

The cadence that usually works is:

  • weekly internal review of new regressions and aging items

  • monthly or quarterly client review of trend movement and blocked recommendations

  • onboarding review for every newly managed Microsoft 365 tenant

Without this rhythm, the queue becomes another ignored data source.

What Good Looks Like for an SMB MSP

For most SMB-focused MSPs, “good” is not a perfect score. Good looks like operational discipline.

A mature practice usually has the following traits:

  • a defined Business Premium baseline for standard clients

  • a target Secure Score range by client profile, not one universal number

  • documented exceptions where business requirements block a recommendation

  • automated collection and comparison of score history

  • tickets generated from regressions or materially important open actions

  • reporting that shows trend, ownership, and blocked items rather than just a percentage

This is a much stronger position than telling clients, “Your Secure Score is 71%,” with no explanation of what changed, what remains open, and what the MSP is doing about it.

Practical Guidance for Business Premium-Centric Client Bases

Many SMB MSPs serve clients that standardize on Microsoft 365 Business Premium. That is a useful licensing position because it enables a meaningful portion of the high-value identity and security controls most small clients actually need.

In that environment, Secure Score becomes particularly effective as a baseline enforcement tool.

Examples of actions that usually deserve attention early include:

  • enforcing MFA for admins and users where appropriate

  • blocking or reducing legacy authentication exposure

  • implementing Conditional Access with minimal, well-governed exclusions

  • hardening privileged roles and admin account practices

  • reviewing risky exceptions in Exchange, SharePoint, Teams, and collaboration settings

  • tightening access paths that grew organically during onboarding or support work

The goal is not to squeeze every point out of the platform. The goal is to reach a defensible, supportable baseline and then catch drift quickly.

A Practical Graph API Pattern for MSPs

The technical unlock is Microsoft Graph.

Microsoft documents the Secure Score entities in the Graph security API, including secureScores and secureScoreControlProfiles. That means an MSP can stop relying on manual portal checks and start pulling the data into its own tooling.

At a high level, the pattern is:

  1. authenticate to Microsoft Graph for the tenant context you manage

  2. pull the latest secureScores data

  3. store a normalized daily snapshot

  4. compare the latest snapshot to the previous one

  5. create or update PSA records based on meaningful changes

For example, the REST path for score history is:

GET https://graph.microsoft.com/v1.0/security/secureScores?$top=1

And for a specific score object:

GET https://graph.microsoft.com/v1.0/security/secureScores/{secureScoreId}

If you prefer PowerShell, a lightweight pattern with the Microsoft Graph PowerShell SDK is:

Import-Module Microsoft.Graph.Beta.Security

$latestScore = Get-MgBetaSecuritySecureScore -Top 1

$latestScore | Select-Object createdDateTime, currentScore, maxScore, vendorInformation

That example is intentionally simple. In production, an MSP should enrich it by extracting the control-level detail, normalizing the tenant identifier, storing the snapshot outside the 90-day retention window, and mapping meaningful changes to ticket logic.

Two cautions matter here.

First, the partner security score API is still documented in Graph beta. Microsoft explicitly notes that beta APIs can change and are not supported for production use. That makes it appropriate for research, internal visibility, and forward planning, but not something you should build a fragile client-facing dependency around without a fallback.

Second, do not confuse “we can query the score” with “we have an operational program.” The code is the easy part. The service workflow is the real work.

The Emerging MSP Angle: Microsoft Is Starting to Score the Partner Too

This is the part many MSPs are still underestimating.

Microsoft’s partner security score API preview exists to help partners understand the posture of their own tenant and their customer tenants. That is strategically important because it suggests the market is moving from optional tenant-level scoring toward partner-level accountability.

Even if the preview evolves before it reaches broader production maturity, the direction is clear. Microsoft wants partners to improve, monitor, and evidence security posture across customer estates, not just their own internal environment.

For SMB MSPs, the implication is straightforward: if you do not already have a method for turning customer posture data into operational action, you will eventually be judged as if you should.

Common MSP Mistakes to Avoid

There are a handful of failure patterns that show up repeatedly.

Showing the score without showing the work

If the QBR slide says 74% but you cannot explain the top regressions, top blockers, and next remediation steps, the number is decorative.

Chasing percentage points instead of risk reduction

Not every available point has equal operational value. Some changes are cheap but noisy. Some are strategically important but require client sign-off, licensing, or rollout planning. Mature MSPs do not let the metric outrank judgment.

Treating exceptions as invisible

Accepted risk is still risk. If a recommendation cannot be implemented because of a legacy app, business process, or licensing constraint, document it cleanly and review it on a schedule.

Leaving the score in the portal

If the only place Secure Score lives is inside someone’s browser tab, it is not part of operations. Export it, compare it, and attach action to it.

A 30-Day Rollout Plan for a Small MSP Team

If your MSP wants to operationalize Secure Score without overengineering it, use a staged rollout.

Week 1: Define the baseline

Decide which tenant types you serve and what “good enough” means for each. Separate standard Business Premium SMBs from regulated or higher-risk clients. Define which control categories matter most and which exceptions require formal documentation.

Week 2: Collect and store the data

Pull the latest Secure Score snapshots for a pilot group of tenants. Store the results somewhere you control so you keep history beyond Microsoft’s default retention window.

Week 3: Build ticket rules

Start with one rule only: create a ticket for meaningful regressions. Do not begin by flooding the PSA with every open recommendation. Tune for signal first.

Week 4: Review and report

Run the first internal security review. Validate that the created tickets were useful, not noisy. Adjust thresholds, add owner fields, and prepare a client-facing summary that focuses on movement, blockers, and decisions.

That is enough to move from passive observation to active management.

The Real Opportunity for SMB MSPs

The opportunity here is not that Secure Score is a perfect metric. It is that it is an available one, already present in the client estate, backed by Microsoft-maintained recommendations, visible in the Defender portal, and accessible through Graph.

For SMB MSPs, the winning move is not to argue endlessly about whether the number deserves trust. The winning move is to extract operational value from the recommendation set faster than competitors do.

The MSP that uses Secure Score as a workflow input can prove ownership, detect regressions, preserve history, and tie security posture directly to tasks, exceptions, and client decisions. The MSP that uses it only as a QBR screenshot gets none of that.

Secure Score is not the security program.

It is the free upstream queue that tells you where your Microsoft 365 hardening work should start, where it slipped, and where someone in your team needs to act next.

That is more useful than a dashboard. It is the beginning of an operating model.

Sources

Our Business Isn’t Too Small to Be a Target — It’s the Perfect One

MAI_2f3f3a8c17457d40

I hear the same line at least once a month. It usually comes near the end of a conversation, after I’ve raised the idea of tightening up someone’s security. The owner leans back, gives a little shrug, and says some version of: “Mate, we’re tiny. Why would anyone bother with us?”

I understand the instinct. When you’re running a ten-person business out of a converted warehouse, the idea that someone in another country has you in their sights feels absurd. You’re not a bank. You’re not a government department. You’re just trying to get invoices out and keep the team paid. Surely the criminals are off chasing bigger fish.

That’s exactly the thinking they’re counting on.

Nobody Is Picking You by Name

Here’s the part most owners get wrong. They picture a hacker hunched over a keyboard, deliberately choosing their business out of all the businesses in the world. That’s not how it works. Almost none of it is personal.

Modern attacks are automated. Software quietly scans enormous ranges of the internet, day and night, knocking on every door it can find and noting which ones are unlocked. It doesn’t know you’re a plumbing supplier in Penrith or a three-person design studio. It only knows your front door opened when it shouldn’t have. To that software, “too small to matter” simply doesn’t exist as a category. There’s only “easy” and “hard.”

And small businesses, on the whole, are easy. No dedicated IT person. Passwords reused across half a dozen logins. Multi-factor authentication switched off because it felt like a hassle. That combination is gold to an attacker, because the effort is low and the payoff is real. A single compromised Microsoft 365 account can read every email, reset other passwords, and quietly send invoices with the bank details changed to theirs. You don’t need to be big to be worth a few thousand dollars of someone’s afternoon.

The Invisibility You Feel Is the Vulnerability They Want

The cruel irony is that the very feeling protecting your peace of mind — “we’re invisible, nobody’s looking” — is the thing that leaves you exposed. Because if you believe nobody’s looking, you don’t bother locking up. You stay on the basic plan. You skip the security review. You assume the defaults are fine.

I had a client go through exactly this last year. Small operation, well run, no reason to think they were on anyone’s radar. One staff member clicked a convincing email, typed their password into a fake login page, and that was it. The attacker sat inside the mailbox for the better part of a week — reading, watching, learning the rhythm of how money moved — before redirecting a genuine client payment. The owner’s first words to me were, “I didn’t think we were big enough for this to happen.”

That’s the trap, summed up in one sentence. Feeling small doesn’t make you safe. It just makes you slow to defend yourself.

The Good News: The Locks Are Already in the Building

Here’s what I tell people, and it’s the part worth holding on to. You don’t need an enterprise budget to stop the overwhelming majority of this. The tools are very likely sitting in the Microsoft 365 subscription you already pay for.

Turn on multi-factor authentication for every account — it’s the single biggest difference you can make, and it blocks the password-stealing attack I just described almost entirely. Switch on the security defaults in Microsoft Entra so the obvious gaps close themselves. Let Microsoft Defender do what it’s built to do: catch dodgy attachments and links before a tired staff member clicks them at 4pm on a Friday.

You can even put Copilot to work here. Ask it in plain English to summarise the recent sign-in activity across your tenant, or to walk you through what your current security settings actually mean. I’ve watched owners who’d never open an admin console suddenly understand their own exposure because Copilot explained it in language that made sense to them, sitting right there in their browser.

None of this is glamorous. None of it makes for an exciting Monday. But it’s the difference between being a hard door and an easy one — and easy is the only thing the software scanning the internet actually cares about.

So drop the idea that you’re too small to bother with. You’re not invisible. You’re convenient. The sooner you stop feeling safe and start being protected, the less interesting you become to the only audience that matters here — and that’s a very good place for a small business to sit.