Back to Blog

5 reasons why MSPs can’t win the Microsoft 365 security game using Secure Score (and what to do about it)

P1. Limited Scope of Security Metrics

Microsoft Secure Score assesses security configurations and behaviors within the Microsoft 365 ecosystem but does not account for external threats. MSPs need a holistic security approach that includes network security, endpoint protection, and third-party integrations, which Secure Score does not cover (S:1). Throw in the multi-tenant M365 scenarios that MSPs typically manage and the workload / volume of logins becomes a serious business overhead - it's not L1 friendly and ties up L3s. It’s also extremely hard for MSPs to achieve a 100% Secure Score leaving the door open for their clients to ask, ‘are we really secure?’


Octiga enables MSPs to set client relevant M365 security postures and metrics with one login across clients and single pane multi-tenant visibility. MSPs save hundreds of hours vs. relying on Secure Score. It becomes possible to ‘turn the board green’ and demonstrate to clients that they are secure. Octiga’s in-built reporting functions arm MSPs with client shareable proof. L1s are empowered, letting costly L3s get on with more complex work / wider security aspects.

‘’Octiga’s security reporting is great. Our boss uses these reports for quarterly business reviews with our clients to demonstrate to them that their business is secure.’’ Samantha M, MSP.

2. Reactive Rather Than Proactive

Secure Score often promotes a reactive security approach, highlighting issues post-identification rather than preventing potential threats proactively. MSPs must implement advanced threat intelligence and predictive analytics to stay ahead of cyber threats (S:2)


Octiga’s templated M365 security baselines enable rapid on-boarding of tenants to proven security postures and instantly highlight potential security threats. These can be triaged and remediated before breaches arise (either manually or automatically).

‘’Octiga’s consolidation of security notifications across clients into one place means we can easily attend to alerts, such as those that are travel related. Octiga gives us one pane of glass for a whole bunch of Microsoft 365 security settings.’’ Marc P, MSP

3. Overemphasis on Compliance Over Security

Secure Score can lead to a compliance-centric approach, where MSPs focus on meeting security standards rather than enhancing overall protection. This compliance-focused view can leave significant security gaps unaddressed (S:3)


Octiga’s focus is tune-able to reflect the security needs of each individual business. It combines secure baseline postures, tuned alerts that create incident tickets in the MSPs chosen PSA, contextual threat detail; empowers L1s to confidently triage and resolve alerts, prevents time wasted by L3s analysing false alarms.

‘’Using Octiga allows us to rapidly onboard new clients to a minimum baseline, immediately picking up security issues such as missing MFA & phishing policies. Having clients on similar baselines saves us a lot of time.’’ Samantha M, MSP.

4. Lack of Contextual Threat Analysis

Secure Score provides a numerical value reflecting security posture but lacks contextual analysis specific to each organisation’s threat landscape. This makes it tricky for L1s to triage and remediate risks. Given MSPs must consider industry-specific risks and targeted attack vectors, which Secure Score may overlook, work falls to expensive L3 resources (S:4)


Octiga provides drill down threat details so that L1s can confidently triage and resolve alerts with clients. This frees L3s for other tasks.

‘’Octiga's cut down support time. What would normally take 3-4 hours work can be accomplished in 10 minutes. M365 is tenant by tenant with too many individual settings portals. Octiga brings everything together, multi-tenant.’’ Michael M, MSP.

5. Dynamic and Evolving Threat Landscape

The cyber security landscape evolves rapidly, with new threats emerging daily. Secure Score, although periodically updated, cannot keep pace with these changes. MSPs need agile and adaptive security measures to respond to real-time threats effectively (S:6 & 7)


Octiga is constantly updated to reflect emerging risks and MSP needs. Its alert, triage, remediate approach means that new threats are resolved in minutes, even automatically while MSPs sleep.  

‘‘I can't justify NOT having Octiga. It makes security alignment of tenants much easier. If something's not set right, Octiga alerts you. Microsoft secure score doesn't help the team manage tenants' security; Octiga's red flag system does.’’ Zack C, MSP.


Microsoft Secure Score is a valuable tool for assessing certain security aspects within Microsoft 365. However, it does not provide MSPs with a comprehensive, proactive, and context-aware security strategy to effectively protect their clients. By understanding the limitations of Secure Score and supplementing it with broader security measures, such as those provided by Octiga, MSPs can enhance their defences against the ever-evolving threat landscape and prove to their clients that they are secure.


1. Microsoft. Microsoft Secure Score.

2. Cybersecurity Ventures. Cybersecurity Ventures.

3. CSO Online. CSO Online.

4. FireEye. FireEye.

5. Krebs on Security. Krebs on Security.

6. Dark Reading. Dark Reading.

More from the Blog

Microsoft 365 Breaches - As preventable as they are common

Sash Vasilevski, Octiga co-founder and cyber security expert, explains why stopping unauthorised access to Microsoft 365 is complex, requiring specialist tools, like Octiga.

Read Story

Octiga Announces Benefit Partnership with The ASCII Group

Members of The ASCII Group gain preferential Octiga terms

Read Story

A Closer Look at the Midnight Blizzard Crew

Russian group the Midnight Blizzard crew (Nobelium, APT29, Cozy Bear, Iron Hemlock, The Dukes) has been targeting personal credentials.

Read Story

Never miss a minute.

Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam, eaque ipsa.
We will never share your email address with third parties.