QPC Security - Breakfast Bytes

M365 Secure Score: Unpacking the Hype vs. Reality



Topics Summary

Join CTOs Felicia King and Shimon Magal for a candid, off-the-cuff conversation that pulls back the curtain on Microsoft Secure Score. They explore its strengths and sharp limitations—where it guides security improvements, where it pushes licensing, and why it falls short for real compliance and legal attestation.

Through real-world MSP and enterprise scenarios, they reveal the importance of risk-prioritized, continuous configuration management, explain how compensating controls and human workflows matter, and outline why non-tamperable reporting and the right licensing are critical. Whether you’re an MSP or an in-house security leader, this episode challenges assumptions and offers a practical roadmap to turn Microsoft security metrics into defensible, actionable posture management.

Shimon is the CTO for Optimize365.io https://www.optimize365.io/

Microsoft Secure Score Limitations

Shimon and Felicia discussed the limitations of Microsoft's Secure Score tool, which Felicia described as being Microsoft-centric and not providing comprehensive compliance reports. They agreed that while Secure Score could be useful as a baseline assessment, organizations need more specific controls for compliance with frameworks like CIS, NIST, or HIPAA. Felicia emphasized that the tool's accuracy is crucial for meaningful risk assessment, though she acknowledged that technology assessments must evolve as the tools themselves change.

Challenges with Secure Score Assessment

Shimon and Felicia discussed the limitations and challenges of Secure Score, a Microsoft tool for assessing security posture. They highlighted that Secure Score's scoring system is not equally weighted across all aspects, making it difficult for organizations to improve in specific areas. Felicia emphasized that Secure Score is primarily used to sell more Microsoft licensing rather than providing meaningful insights for improving security. They also discussed the importance of generating legal attestation reports and tracking changes over time, which Secure Score does not support effectively. Felicia suggested the need for a more comprehensive assessment platform that can produce meaningful reports, facilitate workflows, and provide a customer-facing portal for better visibility and control.

Enhancing Risk Assessment Tools

Felicia and Shimon discussed the limitations of Secure Score, noting that it does not account for complementary tools or manual processes, which are crucial for compensating controls. They emphasized the importance of incorporating both technical and human components into risk-prioritized assessments and attestation workflows.

Secure Score Compliance Challenges

Felicia expressed deep concern about MSPs using Secure Score as a fee-based service without generating legally valid attestation reports, emphasizing the importance of non-tamperable documentation for legal proof and compliance. She highlighted the need for automated systems to generate and publish reports to a secure repository, ensuring retention policies align with legal requirements. Shimon agreed on the shortcomings of Secure Score for MSPs and the need for a robust workflow that includes documentation repositories to meet business and legal needs.
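A concrete version of the workflow described in the two sections above (snapshot the score per control, track changes between runs, publish a report to an archive with a tamper-evidence check), written here as an added example and not code from the episode, QPC Security or Optimize365. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Security module, SecurityEvents.Read.All scope) for the live path; the two snapshots it runs against are constructed sample data and the control names in them are illustrative. The archive folder under the temp directory is a placeholder for wherever the real reports live.

```powershell
#Requires -Version 7.0
# Added example, not code from the episode or from QPC Security / Optimize365.
# Snapshot Secure Score per control, diff it against the previous snapshot, and
# archive a JSON report with a detached SHA-256 hash so later edits are detectable.
# Live use needs the Microsoft.Graph.Security module and SecurityEvents.Read.All;
# the two snapshots at the bottom are constructed sample data.

function Get-SecureScoreSnapshot {
    # Live path only: returns the most recent Secure Score as a flat snapshot object.
    Connect-MgGraph -Scopes 'SecurityEvents.Read.All' | Out-Null
    $latest = Get-MgSecuritySecureScore -Top 7 |
        Sort-Object CreatedDateTime -Descending | Select-Object -First 1
    [pscustomobject]@{
        Date     = $latest.CreatedDateTime.ToString('o')
        Current  = [double]$latest.CurrentScore
        Max      = [double]$latest.MaxScore
        Controls = @($latest.ControlScores | ForEach-Object {
            [pscustomobject]@{ Name = $_.ControlName; Category = $_.ControlCategory; Score = [double]$_.Score }
        })
    }
}

function Compare-SecureScoreSnapshot {
    param([Parameter(Mandatory)] $Previous, [Parameter(Mandatory)] $Current)
    $prev = @{}
    foreach ($c in $Previous.Controls) { $prev[$c.Name] = $c.Score }
    $changes = [System.Collections.Generic.List[object]]::new()
    foreach ($c in $Current.Controls) {
        if (-not $prev.ContainsKey($c.Name)) {
            $changes.Add([pscustomobject]@{ Control = $c.Name; Category = $c.Category; Change = 'new'; From = $null; To = $c.Score })
        } elseif ($prev[$c.Name] -ne $c.Score) {
            $kind = if ($c.Score -gt $prev[$c.Name]) { 'improved' } else { 'regressed' }
            $changes.Add([pscustomobject]@{ Control = $c.Name; Category = $c.Category; Change = $kind; From = $prev[$c.Name]; To = $c.Score })
        }
    }
    # Controls Microsoft retires or renames vanish from the score; record them rather than lose the trail.
    foreach ($name in $prev.Keys) {
        if ($name -notin $Current.Controls.Name) {
            $changes.Add([pscustomobject]@{ Control = $name; Category = $null; Change = 'removed'; From = $prev[$name]; To = $null })
        }
    }
    return $changes
}

function Write-AttestationReport {
    param([Parameter(Mandatory)] $Previous, [Parameter(Mandatory)] $Current,
          [Parameter(Mandatory)] [string] $ArchiveFolder)
    $changes = Compare-SecureScoreSnapshot -Previous $Previous -Current $Current
    $report = [ordered]@{
        GeneratedUtc  = (Get-Date).ToUniversalTime().ToString('o')
        SnapshotDate  = $Current.Date
        Score         = "$($Current.Current)/$($Current.Max)"
        PreviousScore = "$($Previous.Current)/$($Previous.Max)"
        Regressions   = @($changes | Where-Object { $_.Change -eq 'regressed' })
        Improvements  = @($changes | Where-Object { $_.Change -eq 'improved' })
        Other         = @($changes | Where-Object { $_.Change -in @('new', 'removed') })
    }
    New-Item -ItemType Directory -Path $ArchiveFolder -Force | Out-Null
    $stamp = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
    $path  = Join-Path $ArchiveFolder "securescore-$stamp.json"
    Set-Content -Path $path -Value ($report | ConvertTo-Json -Depth 5) -Encoding utf8 -NoNewline
    # Detached hash in sha256sum format. Keep a copy somewhere the report author cannot edit
    # (WORM storage, a ticket, a signed mail); a hash sitting beside the file proves nothing on its own.
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    Set-Content -Path "$path.sha256" -Value "$hash  $(Split-Path $path -Leaf)" -Encoding utf8
    [pscustomobject]@{ Path = $path; Sha256 = $hash; Regressions = $report.Regressions.Count }
}

# Constructed sample snapshots (not real tenant data; control names illustrative) standing in
# for two runs a week apart. Replace with Get-SecureScoreSnapshot output against a live tenant.
$lastWeek = [pscustomobject]@{
    Date = '2025-01-06T02:00:00Z'; Current = 61.0; Max = 120.0
    Controls = @(
        [pscustomobject]@{ Name = 'AdminMFAV2';               Category = 'Identity'; Score = 10.0 }
        [pscustomobject]@{ Name = 'BlockLegacyAuthentication'; Category = 'Identity'; Score = 8.0 }
        [pscustomobject]@{ Name = 'SPO_legacy_auth';          Category = 'Data';     Score = 1.0 }
    )
}
$thisWeek = [pscustomobject]@{
    Date = '2025-01-13T02:00:00Z'; Current = 57.0; Max = 121.0
    Controls = @(
        [pscustomobject]@{ Name = 'AdminMFAV2';               Category = 'Identity'; Score = 10.0 }
        [pscustomobject]@{ Name = 'BlockLegacyAuthentication'; Category = 'Identity'; Score = 0.0 }  # legacy auth re-enabled: regression
        [pscustomobject]@{ Name = 'mdo_safeattachments';      Category = 'Apps';     Score = 0.0 }  # new control, not yet configured
    )
}
$archive = Join-Path ([IO.Path]::GetTempPath()) 'securescore-archive'
Write-AttestationReport -Previous $lastWeek -Current $thisWeek -ArchiveFolder $archive | Format-List
```

Run on a schedule, this gives the two things the episode says Secure Score itself does not: a per-control change history (the regression on BlockLegacyAuthentication surfaces even though the headline score only moved a few points) and a report an MSP can hand over. Retention and immutability are properties of the repository, not of the script: the sidecar hash only detects edits if a copy of it is kept where the report's author cannot change it.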

M365 Licensing and Security Management

Felicia discussed the importance of having the right licensing, such as Entra ID P2, to access proactive real-time controls and data from Microsoft 365. She emphasized that alerting and diagnostics tools like Petra Security and Optimize can be beneficial for MSPs, but they should not replace Entra ID P2 licensing. Felicia also stressed the need for consistent, regular proactive secure configuration management as a service, not a one-time project, and advised MSPs to ensure their M365 tenants have this service or have explicitly declined it.

QPC Security - Breakfast Bytes, by qpcsecurity