
Secure Score vs. CIS Benchmark Assessment: What the Numbers Actually Mean

An organization can score 78% in Secure Score and fail 45% of CIS controls — both numbers are accurate. Secure Score only checks API-accessible configurations. A CIS assessment covers 100%, including manual controls — emergency access accounts, admin portal restrictions, Teams app policies, Power BI security — that auditors, insurers, and boards specifically ask about.

Zack Jones · CIS Benchmarks, Microsoft 365, Secure Score

Microsoft Secure Score gives you a number. A CIS Benchmark assessment gives you a different number. Both claim to measure your M365 security posture. They are not measuring the same thing, and the difference matters when an auditor, insurance carrier, or board member asks where you stand.

Secure Score is Microsoft’s built-in security posture metric. It scans your M365 tenant configuration, compares it against Microsoft’s recommended settings, and returns a percentage. It is free, automated, and updates in near real-time. It is also incomplete — by design.

A CIS M365 Foundations Benchmark assessment evaluates your environment against the full set of CIS controls: automated configuration checks plus manual reviews of settings that Microsoft’s APIs do not expose — admin portal configurations, Power BI tenant settings, and security controls that require visual verification through the admin console. The result is a control-by-control report covering 100% of the benchmark.

An organization can score 78% in Secure Score and fail 45% of CIS controls. Both numbers are accurate. They are just answering different questions.

What Secure Score Measures

Secure Score evaluates configuration settings that Microsoft can check programmatically. It covers:

  • Identity: MFA enrollment, Conditional Access policy presence, legacy authentication status, PIM activation
  • Data: DLP policy configuration, sensitivity labels, external sharing settings
  • Devices: Intune compliance policies, endpoint protection status
  • Apps: OAuth app consent policies, app governance settings

Each recommendation carries a point value. Implement it, get the points. Your score rises. The denominator is the total points available for your licensed features — so two organizations with different licenses will have different maximum scores.
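To see exactly which controls the score above is built from, the snapshot and its per-control maximums can be pulled from Microsoft Graph. The following script is an added example written for this page, not code from the original article or from Microsoft; it assumes the Microsoft Graph PowerShell SDK is installed and the caller can consent to SecurityEvents.Read.All. The output file name is a placeholder.

```powershell
# Added example (not from the article): export what Secure Score actually scored,
# so the control names can be mapped against CIS control IDs by hand.
# Assumes the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes 'SecurityEvents.Read.All' -NoWelcome

# Most recent daily snapshot of the tenant score.
$latest = Get-MgSecuritySecureScore -All |
    Sort-Object CreatedDateTime -Descending | Select-Object -First 1

# Control profiles carry the per-control maximum; the snapshot carries points earned.
$profiles = @{}
foreach ($p in Get-MgSecuritySecureScoreControlProfile -All) { $profiles[$p.Id] = $p }

$rows = foreach ($c in $latest.ControlScores) {
    $profile = $profiles[$c.ControlName]
    [pscustomobject]@{
        Category = $c.ControlCategory
        Control  = $c.ControlName
        Earned   = [double]$c.Score
        Max      = if ($profile) { [double]$profile.MaxScore } else { $null }
        Service  = if ($profile) { $profile.Service } else { $null }
    }
}

# The percentage shown in the portal is currentScore over the licence-dependent maxScore.
$pct = [math]::Round(100 * $latest.CurrentScore / $latest.MaxScore, 1)
Write-Output ("Secure Score: {0}/{1} ({2}%) as of {3}" -f `
    $latest.CurrentScore, $latest.MaxScore, $pct, $latest.CreatedDateTime)
$rows | Sort-Object Category, Control | Format-Table -AutoSize

# Everything Secure Score evaluates is in $rows. A CIS control whose subject never
# appears here (break-glass accounts, admin center restriction, Teams app policies,
# Power BI tenant settings) is outside what the score measures.
$rows | Export-Csv -Path '.\securescore-controls.csv' -NoTypeInformation  # placeholder path
```

The CSV is the practical artifact: walk the CIS control list against it and every control with no matching row is one Secure Score cannot speak to.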

Secure Score is useful for tracking configuration drift over time and identifying low-hanging hardening opportunities. It is not an assessment.

What Secure Score Does Not Measure

Secure Score cannot evaluate controls where Microsoft has not exposed the setting through an API. These are the manual controls in the CIS Benchmark — a meaningful percentage of the total control set that requires an assessor to navigate admin portals and visually verify configurations. The exact count varies by benchmark version, but the gap is consistent.

Examples of CIS M365 controls that Secure Score cannot check:

Emergency Access Account Verification (CIS 1.1.2) — The Benchmark requires two emergency access (break-glass) accounts — cloud-only Global Admin accounts with .onmicrosoft.com domains, excluded from Conditional Access policies, with FIDO2 security keys stored in a physically secure location. Secure Score does not verify whether these accounts exist, whether they are properly isolated, or whether physical security key storage procedures are in place. If an organization loses access to all admin accounts during an incident like the Stryker attack, recovery without break-glass accounts requires a Microsoft support case that can take days.

Emergency Access Account Monitoring (CIS 2.2.1) — The Benchmark requires that activity on emergency access accounts is actively monitored through Microsoft Defender for Cloud Apps — with a high-severity policy configured to alert on any sign-in. Secure Score does not check whether this monitoring policy exists. Break-glass accounts with Global Admin privileges are high-value targets; without monitoring, a compromised emergency access account could operate undetected.
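Secure Score does not check any of this, but an assessor does not have to verify all of it by eye either. The following script is an added example for this page, not code from the original article or from CIS; it checks the technical requirements of CIS 1.1.2 described above (account exists and is enabled, cloud-only, on the .onmicrosoft.com domain, an active Global Administrator, excluded from every enabled Conditional Access policy, FIDO2 key registered) and then lists recent sign-ins for the 2.2.1 point, since any sign-in to a break-glass account should correspond to an alert. Assumptions: the two UPNs are placeholders for your tenant's accounts, the Microsoft Graph PowerShell SDK is installed, the tenant has Entra ID P1 (required for sign-in log reads), and exclusion via a group the account belongs to is accepted as equivalent to a direct user exclusion. Physical custody of the security keys and the existence of the Defender for Cloud Apps policy itself remain manual checks.

```powershell
# Added example (not from the article or CIS): scripted checks for CIS 1.1.2 and the
# sign-in side of CIS 2.2.1 with Microsoft Graph PowerShell.
# Assumptions: placeholder UPNs below; Install-Module Microsoft.Graph; Entra ID P1.
$BreakGlassUpns = @(
    'bg-admin-01@contoso.onmicrosoft.com',   # placeholder
    'bg-admin-02@contoso.onmicrosoft.com'    # placeholder
)
$LookbackDays = 30

Connect-MgGraph -Scopes 'User.Read.All','Directory.Read.All','Policy.Read.All',
    'UserAuthenticationMethod.Read.All','AuditLog.Read.All' -NoWelcome

# Active (not merely PIM-eligible) Global Administrator members. Break-glass accounts
# must hold the role permanently, so an eligible-only assignment is a finding.
$GlobalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'
$gaRole = Get-MgDirectoryRole -Filter "roleTemplateId eq '$GlobalAdminTemplateId'"
$gaMemberIds = @()
if ($gaRole) { $gaMemberIds = @((Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All).Id) }

$caPolicies = Get-MgIdentityConditionalAccessPolicy -All
$since = (Get-Date).AddDays(-$LookbackDays).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

foreach ($upn in $BreakGlassUpns) {
    $user = Get-MgUser -UserId $upn -Property Id,UserPrincipalName,AccountEnabled,OnPremisesSyncEnabled `
        -ErrorAction SilentlyContinue
    if (-not $user) { Write-Output "FAIL  $upn : account does not exist"; continue }

    $findings = @()
    if (-not $user.AccountEnabled)             { $findings += 'account is disabled' }
    if ($user.OnPremisesSyncEnabled -eq $true) { $findings += 'synced from on-premises (must be cloud-only)' }
    if ($upn -notlike '*.onmicrosoft.com')     { $findings += 'UPN is not on the .onmicrosoft.com domain' }
    if ($gaMemberIds -notcontains $user.Id)    { $findings += 'not an active Global Administrator' }

    # Every enabled CA policy must exclude the account (directly or via a group it is in);
    # otherwise a broken policy, such as a require-compliant-device rule, can lock it out too.
    $groupIds = @((Get-MgUserMemberOf -UserId $user.Id -All).Id)
    $notExcluded = $caPolicies | Where-Object {
        $_.State -eq 'enabled' -and
        $_.Conditions.Users.ExcludeUsers -notcontains $user.Id -and
        -not ($_.Conditions.Users.ExcludeGroups | Where-Object { $groupIds -contains $_ })
    }
    foreach ($p in $notExcluded) { $findings += "not excluded from CA policy '$($p.DisplayName)'" }

    $fido = Get-MgUserAuthenticationFido2Method -UserId $user.Id
    if (-not $fido) { $findings += 'no FIDO2 security key registered' }

    # CIS 2.2.1: a break-glass account should never sign in unnoticed. List recent sign-ins
    # so the assessor can reconcile each one against the alert record.
    $signIns = Get-MgAuditLogSignIn -Filter "userId eq '$($user.Id)' and createdDateTime ge $since" -All
    foreach ($s in $signIns) {
        $findings += "sign-in at $($s.CreatedDateTime) from $($s.IpAddress) (app: $($s.AppDisplayName)); confirm an alert fired"
    }

    if ($findings.Count -eq 0) { Write-Output "PASS  $upn" }
    else { Write-Output "FAIL  $upn"; $findings | ForEach-Object { Write-Output "      - $_" } }
}
```

A PASS from this script is still only part of 1.1.2: the physical storage of the keys and the monitoring policy in Defender for Cloud Apps have to be inspected and recorded by the assessor.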

Entra Admin Center Access Restriction (CIS 5.1.2.4) — CIS requires that access to the Entra admin center is restricted so non-admin users cannot browse directory information through the portal. This toggle, in Entra ID > Users > User settings, is not exposed through the Microsoft Graph API, so no automated tool can read it; an assessor has to open the page and look. Two caveats a reviewer should know. First, the setting blocks only the admin center UI; Microsoft documents that it does not restrict access to the same directory data through PowerShell or other Graph clients, so a signed-in user can still enumerate users, groups, and applications that way unless the default-user permission to read other users is also turned off. Second, that separate permission is API-visible (authorizationPolicy.defaultUserRolePermissions.allowedToReadOtherUsers), which is why a thorough assessment checks both. Without either restriction, any user in the tenant can list every user, group, and application, information that accelerates lateral movement after a compromise.

Teams App Permission Policies (CIS 8.4.1) — The Benchmark requires that app permission policies in Teams are configured to control which third-party and custom apps users can install. These policies are configured in the Teams admin center under org-wide app settings — a portal configuration that automated tools cannot fully evaluate. Unrestricted app permissions allow users to install apps that can access messages, files, and meeting data.

Power BI Tenant Security (CIS 9.1.1–9.1.12) — Multiple Power BI controls covering guest access, publish-to-web restrictions, R/Python visual execution, sensitivity labels, and service principal permissions are all manual in the benchmark because the Power BI admin portal has had little API coverage (the newer Fabric admin REST API does expose tenant settings, but Secure Score does not consume it). Secure Score does not evaluate any of them. An unrestricted “Publish to web” setting lets any user publish reports containing potentially sensitive data to a publicly accessible URL, with no authentication required.

Why the Gap Matters

The controls that Secure Score misses are not obscure technicalities. They include emergency access account configuration, admin portal restrictions, Teams app permissions, and the entire Power BI security surface — real security settings that affect real attack paths:

Auditors conduct compliance reviews against the full CIS Benchmark, not against Secure Score. When an auditor checks whether emergency access accounts exist and are monitored, whether non-admin users can browse the Entra directory, or whether Power BI data can be published to the open web — Secure Score has no answer for any of it.

Insurance carriers are increasingly specific in their renewal questionnaires. A Secure Score screenshot does not demonstrate that admin portal access is restricted, that Teams app installations are controlled, or that break-glass accounts are properly isolated and monitored.

Board members at PE-backed or regulated organizations want assurance that the full benchmark was evaluated — not just the portion that automated tools can reach. A Secure Score of 82% sounds strong until someone asks about the controls it never checked, including the entire Power BI security posture.

The Practical Comparison

Dimension          Secure Score                                       CIS Benchmark Assessment
Cost               Free (included in M365)                            Professional engagement (wholesale pricing available for MSPs/vCISOs)
Coverage           Only API-accessible controls (incomplete)          100% of CIS controls (manual + automated)
Update frequency   Near real-time                                     Point-in-time (annual or semi-annual)
Deliverable        Dashboard number + recommendation list             Scored report with control-by-control findings and remediation guidance
Audit acceptance   Not accepted as a formal assessment                Accepted by auditors, insurers, and regulators
Manual controls    Not evaluated                                      Fully evaluated through admin portal verification
Independence       Self-assessment (Microsoft’s tool, your tenant)    Third-party assessment (independent evaluator)

Secure Score and CIS assessments are not competing tools. Secure Score is a free monitoring dashboard. A CIS assessment is a formal evaluation. Use Secure Score between assessments to track configuration drift. Use CIS assessments to establish the formal, defensible baseline that external parties require.

What This Means for MSPs

If you are presenting Secure Score exports to clients as compliance deliverables, you are exposing yourself to two risks:

  1. The client’s auditor or insurer rejects it. Secure Score is not a formal assessment. When the client needs one, they will go to someone who can deliver it — and that someone now has a relationship with your client.

  2. A competing MSP offers the real thing. The MSP delivering 100% CIS coverage with a board-ready report wins the compliance conversation. The MSP exporting Secure Score is offering a commodity that the client can pull up themselves.

The margin difference reflects the value difference. A Secure Score export is worth approximately nothing — the client has the same dashboard you do. A full CIS assessment with manual reviews, remediation guidance, and a scored report generates $2,500-$3,500 in margin per engagement at wholesale pricing.

What This Means for vCISOs

If your security program recommendations are built on Secure Score data, you are building on an incomplete foundation. When the board asks “are we CIS compliant?” and your answer references a Secure Score percentage, you are conflating a Microsoft monitoring tool with a formal benchmark assessment.

Commission a third-party CIS assessment through a wholesale partner. Use the full results — including the manual control findings Secure Score never surfaces — to build your security roadmap. Present both metrics to the board: “Secure Score is 82%, which tracks our API-accessible configurations. Our last CIS assessment showed 67% control compliance across all controls — including the manual controls covering emergency access, admin portal restrictions, Teams app governance, and Power BI security that Secure Score does not evaluate. Here is the remediation roadmap to close the gap.”

That level of specificity is what separates a vCISO providing strategic value from one reporting a dashboard number.


Genesis delivers CIS M365 Benchmark assessments with 100% control coverage — manual and automated. For MSPs and vCISOs, wholesale pricing with full white-label delivery.

Request a side-by-side comparison: send us your current Secure Score, and we will show you which CIS controls it does not cover in your specific environment. No commitment required.

Contact us to request a Secure Score gap analysis.

Frequently Asked Questions

What is the difference between Secure Score and a CIS Benchmark assessment?
Secure Score is Microsoft's free, automated security posture metric that evaluates M365 configuration settings — but only those accessible via API. A CIS Benchmark assessment evaluates 100% of controls including manual controls that require admin portal verification — emergency access accounts, Entra admin restrictions, Teams app policies, and Power BI tenant security. The exact number of manual controls varies by benchmark version, but the gap is consistent: an organization can score well on Secure Score while failing controls it never checked.
Can I use Secure Score for compliance or audit purposes?
Secure Score is not accepted as a formal compliance assessment by auditors, insurance carriers, or regulatory frameworks. It is a monitoring tool, not an evaluation. Formal CIS Benchmark assessments — conducted by an independent third party against the full control set — are the accepted standard for compliance evidence.
Should MSPs stop using Secure Score?
No. Secure Score is a useful free tool for monitoring configuration drift between formal assessments. The mistake is treating it as a replacement for a CIS Benchmark assessment. Use Secure Score for ongoing monitoring. Use formal CIS assessments for the defensible, audit-ready baseline that clients, auditors, and insurers require.