[{"content":"A confession\nI’ve been doing security work for a while now, and I’ll admit something that took me longer than it should have to sort out: for the first year I was deep into the Microsoft ecosystem, every time someone said “let’s look at this in Defender” I had to quietly think “okay, which Defender do they mean?” before responding.\nIf you’ve felt that too, you’re not alone. Microsoft has put the Defender name on so many distinct products that the confusion is genuinely structural, not something you need to be embarrassed about. Even the Microsoft Defender products and services hub on Microsoft Learn — the canonical place to go — lists eight core products, plus a couple of close cousins in a “related content” section, plus a consumer app that lives entirely outside this world.\nThis post is the friendly walking tour I wish I’d had on day one. We’ll go through the family the way Microsoft itself organises it, with a sentence or two on each, so by the end you can look at any Defender product name and have a rough idea of what it does, who it’s for, and whether it applies to you.\nNo marketing fog. No acronym soup. Just a map.\nThe big umbrella: Microsoft Defender XDR\n📷 Image 1 — The Microsoft Defender family, as Microsoft organises it. A single visual grouping the eight core products into two rings: the inner ring with the four Defender XDR workloads (Endpoint, Office 365, Identity, Cloud Apps), the outer ring with Vulnerability Management, Defender for IoT, Microsoft Sentinel, and the Defender XDR umbrella itself. 
\nWhen someone in an enterprise context says “Defender” without any qualifier, they almost always mean Microsoft Defender XDR. Microsoft Defender XDR is not itself a product that does anything — it’s the umbrella. It’s the name for the unified portal at security.microsoft.com, the single incident queue, and the cross-product correlation engine that stitches signals from the underlying workloads into one attack story.\nThink of it like this: if you imagine a security-operations team as an orchestra, Microsoft Defender XDR is the conductor. The actual music comes from the individual instruments — and those are the four workloads we’ll look at next.\nThe four core XDR workloads\nThese four are Microsoft’s flagship security products. Each one is sold separately (or bundled into Microsoft 365 E5), and each one can exist without the others — but together, under the XDR umbrella, they’re much more than the sum of their parts.\nMicrosoft Defender for Endpoint\nMicrosoft Defender for Endpoint protects your devices. Windows laptops, Macs, Linux servers, iPhones, Androids — if an employee does work on it, this is what’s watching. It does next-generation antivirus, EDR (Endpoint Detection and Response), attack surface reduction, automated investigation and remediation, and it’s the foundation most organisations start their Microsoft security journey with.\nWhen you need it: the moment you realise that endpoint protection in 2026 means more than just antivirus.\n📖 Deep dive: I’ve written a dedicated walkthrough of Microsoft Defender for Endpoint — what Plan 1 and Plan 2 actually differ on, how to deploy it, and what to configure first. 
Read it here: Microsoft Defender for Endpoint, Up Close.\nMicrosoft Defender for Office 365\nMicrosoft Defender for Office 365 protects the productivity surface most of your users spend their day in — email, Microsoft Teams, SharePoint Online, and OneDrive for Business. It rewrites every URL in inbound email so it can be checked at click-time (not just at delivery), detonates suspicious attachments in a sandbox, catches business email compromise attempts, and includes attack simulation training if you want to test your users.\nWhen you need it: the moment someone on the finance team tells you about the “really convincing” email they almost replied to.\n📖 Deep dive: Plan 1 vs Plan 2, the policies that actually matter, Safe Links and Safe Attachments configuration step by step. Read: Microsoft Defender for Office 365, Up Close.\nMicrosoft Defender for Identity\nMicrosoft Defender for Identity watches your identity infrastructure — on-premises Active Directory and Microsoft Entra ID — for the kinds of attacks that happen after a password has been stolen: pass-the-hash, pass-the-ticket, Kerberoasting, golden ticket forgeries, lateral movement, suspicious LDAP reconnaissance. The stuff that doesn’t look like anything unusual from an endpoint or email perspective but is very unusual when you’re the domain controller watching your own authentication traffic.\nWhen you need it: the moment your risk register includes a credible lateral-movement scenario. For most organisations with any on-premises AD footprint, that’s from day one.\n📖 Deep dive: How sensors work, where to install them, what alerts to expect, and how to wire it all up against your on-prem AD. Read: Microsoft Defender for Identity, Up Close.\nMicrosoft Defender for Cloud Apps\nMicrosoft Defender for Cloud Apps is a CASB — a Cloud Access Security Broker. 
That’s a fancy way of saying it sits between your users and the SaaS applications they use, giving you visibility into shadow IT, control over risky OAuth apps, and the ability to extend your information-protection policies into third-party services like Salesforce, Box, or Google Workspace.\nWhen you need it: the moment you realise you have no idea how many SaaS apps your users have actually signed up for. For most mid-market organisations, the real number is roughly four times what IT thinks.\n📖 Deep dive: Shadow IT discovery, OAuth app governance, Conditional Access App Control, and how to actually configure a CASB so it helps rather than annoys your users. Read: Microsoft Defender for Cloud Apps, Up Close.\nThe specialist workloads\nBeyond the four core XDR workloads, Microsoft groups several more products on the same Microsoft Learn hub. They’re equally part of the family — just more targeted.\nMicrosoft Defender Vulnerability Management\nMicrosoft Defender Vulnerability Management tracks known software vulnerabilities across your fleet — which CVEs are present on which devices, which patches are available, which browser extensions users have installed that they shouldn’t have, and which applications have reached end-of-support. A chunk of this capability is bundled into Microsoft Defender for Endpoint Plan 2; the standalone product gives you a fuller experience across a wider asset footprint.\nWhen you need it: the moment your ISO 27001 auditor asks you how you handle vulnerability management and you realise “we patch Tuesday” isn’t really an answer anymore.\nMicrosoft Defender for IoT\nThis one is personal for me. I run security at a manufacturing company with real OT and ICS infrastructure — Siemens PLCs, SCADA systems, HMIs — and Microsoft Defender for IoT is the product in the Defender family that addresses that world. 
It discovers OT devices on the network without requiring agents (which matters because you absolutely cannot install anything on a PLC), builds an asset inventory, identifies vulnerabilities specific to industrial protocols, and detects anomalous behaviour that might indicate an attack on production systems.\nIf you’ve read the Greek news on NIS2 and recognised that the new directive has teeth in manufacturing, chemicals, food, water, and energy, Microsoft Defender for IoT is part of the conversation. I’ll write a dedicated post on this one later in the series — there’s too much to cover in a sentence.\nWhen you need it: the moment you realise your factory floor has more unmanaged devices than your office floor.\nMicrosoft Sentinel\nWorth pausing on. Microsoft Sentinel is Microsoft’s cloud-native SIEM and SOAR — Security Information and Event Management, and Security Orchestration, Automation, and Response. It collects security telemetry from everywhere (Microsoft products, third-party tools, network appliances, custom sources) and gives you a unified place to write detection rules, run investigations, and automate response.\nMicrosoft positions Sentinel as part of the Defender hub now, which is a relatively recent change. In the unified Microsoft Defender portal at security.microsoft.com, Sentinel and Defender XDR have essentially merged into one security operations experience. Microsoft has announced that Sentinel in the Azure portal will be retired entirely — so if you’re still using Sentinel only from Azure, the clock is ticking.\nWhen you need it: the moment you need to correlate security signals that don’t all come from Microsoft products.\nThe close cousins (Microsoft lists them separately, but they belong in your mental model)\nOn the Microsoft Learn hub page, two more products appear under a separate “Other content” heading. 
They’re not part of Microsoft Defender XDR strictly speaking, but you absolutely need to know them:\nMicrosoft Security Exposure Management\nMicrosoft Security Exposure Management is where Microsoft Secure Score now lives, alongside broader attack-surface and exposure analytics. It’s the posture layer of the Microsoft security story — the answer to “how exposed are we?” rather than “are we under attack right now?”.\nIf you’re curious about turning this into a full compliance programme, I’ve written about that elsewhere: How We Built a Gold-Winning GRC Programme on Microsoft Secure Score.\nMicrosoft Defender for Cloud\nMicrosoft Defender for Cloud is the big one most people confuse with the rest of the Defender family. It protects cloud workloads — Azure VMs, storage, containers, databases, Kubernetes clusters — and extends to AWS and Google Cloud. Completely separate portal (it lives in the Azure portal, not security.microsoft.com), completely separate licensing model (per resource, not per user).\nWe’ll cover this properly in Part 3 of the series.\nThe consumer app (brief mention for completeness)\nIf you’re a subscriber to Microsoft 365 Personal or Family, you’ve probably seen a phone app simply called Microsoft Defender. It’s a cross-device security app for your family’s phones and laptops — identity-theft monitoring, VPN, basic device security. It’s real, it’s useful, and it’s completely unrelated to everything else we’ve talked about. No overlap in licensing, portals, or audience. 
If someone in your family asks you “is Microsoft Defender good?”, this is probably what they mean, and the answer is yes: for personal use, it’s fine.\nThe sanity check\nSo the next time someone says “let’s look at this in Defender”, you now have a mental map to ask the right follow-up question:\nWhich part of the estate? — tells you the workload (Endpoint, Office 365, Identity, Cloud Apps, IoT)\nCloud workloads or user devices? — tells you whether we’re in Defender XDR or Defender for Cloud\nLooking at posture, or at an active incident? — tells you whether we’re in Exposure Management or Incidents\nIs it a Microsoft-only view, or does it include third-party tools? — tells you whether Sentinel is in play\nThat’s it. That’s the whole family. Eight core products, two close cousins, and one consumer app. You won’t need all of them, but you should know they exist.\nOne more thing — where does EMS fit?\nIf you’ve been around Microsoft licensing long enough, you’ve seen the phrase Enterprise Mobility + Security (EMS) in proposals, quotes, or old contracts. 
EMS is the identity + management + protection bundle that predates Microsoft 365 E3/E5 and is still actively sold — especially to organisations that don’t need the full Microsoft 365 stack but do need the security and management layer on top of their existing productivity suite.\nI’ve written a separate post on EMS E3 and EMS E5, what’s actually in each, and when it’s the right buy instead of (or alongside) Microsoft 365: Enterprise Mobility + Security Explained.\nWhat’s next\nIn Part 2 we zoom into the four XDR workloads and look at how they actually correlate signals — with a real multi-stage attack example that walks through all four in sequence.\n🔗 Related deep-dive series: If you’re already comfortable with the Microsoft Defender landscape and want to see what’s possible on top of it, start here: How We Built a Gold-Winning GRC Programme on Microsoft Secure Score.\nFollow me on LinkedIn for new-post notifications, or subscribe via RSS at the top of the page.\nMicrosoft Learn resources\nMicrosoft Defender products and services hub\nMicrosoft Defender XDR overview\nMicrosoft Defender for Endpoint overview\nMicrosoft Defender for Office 365 overview\nMicrosoft Defender for Identity overview\nMicrosoft Defender for Cloud Apps overview\nMicrosoft Defender Vulnerability Management overview\nMicrosoft Defender for IoT overview\nMicrosoft Sentinel overview\nMicrosoft Security Exposure Management overview\nMicrosoft Defender for Cloud overview","permalink":"https://thecybersec.gr/posts/defender-demystified-series/defender-demystified-part-1-what-is-microsoft-defender/","summary":"Series introduction. The Microsoft Defender family explained the way Microsoft itself organises it on Microsoft Learn — eight core products, plus a few close cousins, plus one consumer app. 
Written for IT pros who want the full picture without the marketing fog.","title":"Microsoft Defender Demystified — Part 1: How Many Defenders Are There, Really?"},{"content":"📌 TL;DR\nMicrosoft Secure Score is a quantitative indicator of security posture. It reads configuration data from across the Microsoft Defender stack (Entra ID, Defender for Endpoint, Office 365, Cloud Apps, Purview) and produces a single unified number. For the Greek Υ.Α.Σ.Π.Ε. (Information and Communication Systems Security Officer) under Law 5160/2024 (NIS2), it is the fastest bridge from compliance “on paper” to a measurable reduction of technical risk. It does not replace systematic risk analysis, but it provides a prioritised baseline of technical controls that can be started today.\nMonday morning, lost in the Microsoft Defender portal…\nIt is Monday morning and a junior security engineer opens the Microsoft Defender portal for the first time. They are faced with hundreds of settings scattered across Entra ID, Exchange Online, SharePoint, Intune and Defender for Endpoint. Where to start? How will they know that what they do today has a real impact on the organisation’s security level? What are the Secure Score best practices, and which Secure Score actions are required?\nThe answer is often hidden in a tool that is underrated: Microsoft Secure Score, with its countless Microsoft Secure Score recommendations.\nWhy now: NIS2 and Law 5160/2024\nIn Greece, Law 5160/2024 transposed the NIS2 directive and dramatically expanded the number of organisations with cybersecurity obligations, including hundreds of small and medium-sized enterprises that are facing, for the first time, requirements for risk management, incident reporting and documented security measures.\nAt the same time, the law requires the appointment of an Information and Communication Systems Security Officer (Υ.Α.Σ.Π.Ε.), a role that in many SMEs is assigned to IT staff without a dedicated security specialisation, or to external partners with limited time to go into depth. 
The result is a familiar pattern: compliance is treated as a “paperwork exercise”, while the technical measures, the ones that actually reduce risk, are left behind.\nThis is exactly where Microsoft Secure Score can act as a quick first line of defence: for a Υ.Α.Σ.Π.Ε. who manages a Microsoft 365 tenant with a Business Premium or E3/E5 licence, it offers a ready-made, prioritised list of technical controls that align naturally with the core requirements of NIS2: MFA, access control, endpoint protection, email security, data protection, audit logging.\nIt does not replace the systematic risk analysis the law requires, but it gives the Υ.Α.Σ.Π.Ε. something equally valuable: a measurable baseline that can be improved gradually, documented for audits and presented to management as concrete progress, instead of vague assurances. In a landscape where the bar has been raised abruptly and resources remain limited, this quick transition from confusion to action can make the difference between an organisation that merely exists in the registers and one that actually defends itself.\nWhat Microsoft Secure Score really is\nMicrosoft Secure Score is a quantitative measure of an organisation’s security posture within Microsoft 365 and, more broadly, the Defender ecosystem. It is found at security.microsoft.com/securescore, as an integrated part of the Microsoft Defender portal.\nIn plain language: it analyses the current settings of our tenant, compares them with Microsoft’s best practices and gives us a number. The higher the percentage, the more of the recommended actions we have implemented.\nIt is not, however, a guarantee that we will not be breached… and that is crucial for every junior engineer to internalise. The score reflects how much we use the available controls, not the actual probability of a breach.\n📷 Image 1 — The Microsoft Secure Score overview page. 
Microsoft Defender portal → Exposure management → Microsoft Secure Score.\nHow Microsoft Secure Score works mechanically\nEach recommended action has a point value, based on how much it reduces risk. Enabling MFA for all users, for example, is worth significantly more points than a minor SharePoint setting, precisely because it closes a larger attack surface.\nTwo things are worth keeping in mind:\nThere is partial credit. If we protect 50 of our 100 users with MFA, we get half the points. It is not all-or-nothing, so we start somewhere, however small it seems.\nEach recommendation has a status we can set: To address, Planned, Risk accepted, Resolved through third party, Resolved through alternate mitigation, Completed. This is valuable when we use a control that Microsoft does not “see” directly, e.g. a third-party MFA solution. We declare the equivalent mitigation manually and earn the points without distorting the picture of our posture.\n📷 Image 2 — Status dropdown on a recommendation. The status options. “Resolved through alternate mitigation” is the one we use when a third-party tool covers the control.\nPoint updates happen roughly every 24 hours, so we should not expect to see the change we made immediately after a toggle.\nThe link with Microsoft Defender: why Secure Score does not work in a vacuum\nThis is where Secure Score acquires its real value. It is not a standalone tool; it is the common indicator that unifies signals from the whole Defender stack. We should think of it as the central dashboard that gathers what each of the following tools sees:\nMicrosoft Defender for Endpoint: provides the data for the Devices category (also known as Microsoft Secure Score for Devices). It evaluates misconfigurations, vulnerabilities and security baselines on endpoints. 
Microsoft Defender for Office 365: feeds the recommendations for email & collaboration: Safe Links, Safe Attachments, anti-phishing policies, impersonation protection.\nMicrosoft Entra ID & Defender for Identity: responsible for the Identity pillar. This is where MFA, conditional access, moving away from legacy authentication and privileged identity management come in.\nMicrosoft Defender for Cloud Apps: covers visibility and control over cloud applications, OAuth permissions, shadow IT.\nMicrosoft Purview / Information Protection: takes care of the Data pillar: DLP policies, sensitivity labels, audit log retention.\nSo when we change a setting, e.g. in Intune or Entra, we are not “working on Secure Score”; we are working at the source, and the score simply reflects the result. This connection is what turns the score from a number into a prioritisation guide.\nThe four pillars of Microsoft Secure Score\nTo form a true picture, we need to think of the score as four distinct and different fronts:\nIdentity\nThe most critical pillar. Most modern attacks start with credentials, and the actions here carry the highest point values, not by accident. 
Priorities: MFA for everyone, disabling legacy auth (POP3, IMAP, SMTP basic), conditional access policies, just-in-time admin access via PIM.\nDevices\nOnboarding all endpoints into Defender for Endpoint, applying security baselines for Windows, encryption (BitLocker), Intune compliance as a prerequisite for access to corporate data.\nApps\nSafe Links and Safe Attachments in Defender for Office 365, anti-phishing policies with impersonation protection, strict control of OAuth grants in cloud applications.\nData\nSensitivity labels for classification and encryption, DLP policies in Exchange and Teams, enabling audit log search at tenant level.\nWhat Secure Score is NOT: a necessary clarification\nThe compliance manager asks us whether our organisation is GDPR-compliant? Secure Score will not answer that. For that there is Microsoft Purview Compliance Manager, a tool different in purpose and model. Secure Score focuses on configuration & posture, not on regulatory adherence.\nAlso, do not confuse it with the Cloud Secure Score of Microsoft Defender for Cloud; that one evaluates Azure infrastructure (VMs, Storage, SQL) with a different calculation model. It is complementary, not equivalent.\nWhere a junior engineer should start with Microsoft Secure Score\nIf tomorrow we log into the Defender portal for the first time, a sensible sequence of actions is:\n📷 Image 3 — Recommended actions sorted by Score impact. Microsoft Secure Score → Recommended actions tab.\nWe sort the recommended actions by Score impact in descending order.\nWe filter for the Identity category first; this is where the low-hanging fruit with the greatest risk reduction is.\nBefore enabling anything, we read the User impact field. Some actions, such as blocking legacy auth, can break older applications. Always pilot with a small group before wide rollout. 
We use the History tab to track trends and demonstrate progress to stakeholders and management.\nWe compare our score with the benchmark of similar organisations (size, sector); it gives crucial context to the number we have achieved.\nThe big takeaway\nMicrosoft Secure Score is not a gamification game for reaching 80%. It is a practical translation mechanism between Microsoft’s best practices and what we can do today, right now, in our tenant. For the junior engineer who feels lost in front of the breadth of the Defender ecosystem, it is the fastest way to turn chaos into priorities, and priorities into measurable risk reduction across user identities, devices, applications and data.\nMicrosoft Secure Score has no value on its own; its value is created when every point translates into a setting that actually reduces our organisation’s exposure. And that translation is precisely the real work of cybersecurity.\nWant to go deeper?\n🔗 If you want to see how Microsoft Secure Score can become the backbone of a complete GRC programme aligned with ISO 27001:2022 and NIS2, take a look at the series Microsoft Secure Score as a Cyber GRC Instrument:\nSeries Introduction — How We Built a Gold-Winning GRC Programme on Microsoft Secure Score\nPart 1 — Opening Your First Recommendation\nPart 2 — Where It Sits in the Microsoft Defender World\nRead them in order when you are ready. Happy reading! 
📚\nFollow me on LinkedIn for new-post notifications.\nSources & additional material\nMicrosoft Secure Score overview\nHow Microsoft Secure Score is calculated\nMicrosoft Defender XDR overview\nMicrosoft Purview Compliance Manager\nMicrosoft Defender for Cloud — Secure Score\nLaw 5160/2024","permalink":"https://thecybersec.gr/posts/secure-score-defender-praktikos-odigos/","summary":"A practical Microsoft Secure Score guide for the Greek junior engineer and Υ.Α.Σ.Π.Ε.: from the score to real risk reduction, in the context of NIS2 and Law 5160/2024.","title":"Microsoft Secure Score for the Greek ΥΑΣΠΕ (NIS2)"},{"content":"The Mid-Market GRC Problem: NIS2 and ISO 27001 Without a Big Budget\nIf you run security in a mid-market organisation that is in scope for NIS2 or pursuing ISO 27001, you know the squeeze. Regulatory demands are growing fast. Audit cycles are tight. Boards want cyber risk in numbers, not narratives. And the GRC budget, let’s be honest, is never what it should be.\nMost teams answer this by buying a dedicated GRC platform or by hiring more analysts. We took a different route — and that route is called Microsoft Secure Score. This series is the practical playbook for using Microsoft Secure Score as a GRC engine for ISO 27001 and NIS2 compliance, built entirely on tools you already have inside Microsoft 365. The approach is reproducible by almost any organisation running an E3 or E5 tenant — and it’s how we delivered a Gold-Award-winning GRC programme without buying a third-party platform.\n⚡ TL;DR for the impatient: Microsoft Secure Score, paired with Microsoft Purview Compliance Manager, can evidence 60–70% of ISO 27001:2022 Annex A and NIS2 Article 21 technical controls automatically, using only the licensing you already pay for. The remaining 30–40% is covered by Purview tooling and documented procedures. 
Total third-party GRC spend: €0.\nThe Microsoft Secure Score GRC Engine Hidden Inside Microsoft 365\nWe were already licensed for Microsoft 365 E5. We already used Microsoft Defender XDR every day. And right there, in the Microsoft Defender portal, was something most teams treat as a vanity dashboard: Microsoft Secure Score.\n📷 Image 1 — The Microsoft Secure Score dashboard.\nLooking at it with fresh eyes, we realised Microsoft had already done most of the heavy GRC lifting:\nA continuously refreshed assessment of our tenant configuration against a control catalogue Microsoft maintains and updates as the threat landscape shifts.\nA machine-readable dataset, exposed via the Microsoft Graph Security API, that any modern reporting tool can consume.\nNative integration with Microsoft Purview Compliance Manager, Microsoft Sentinel, and Power BI, platforms we already owned.\nThe gap we had to bridge was small: connect Microsoft’s data to our compliance frameworks, build the right reports, and put governance around the risk decisions. Additional third-party spend: essentially nothing.\nThe Gold Award at Cyber Security Awards 2026 (Built on Microsoft Secure Score)\n📷 Image 2 — The Gold Award Logo.\n📷 Image 3 — The Gold Award Plate.\n📷 Image 4 — The Gold Award Ceremony with colleagues.\nThe programme we built on this foundation received the Gold Award in Governance, Risk & Compliance at the Cyber Security Awards 2026 — Honoring Cyber Excellence, under the title “From theory to measurable compliance: Microsoft Secure Score as a Cyber GRC tool”.\nThe principle the panel recognised is the same one that runs through this entire series: Microsoft 365 already contains the GRC engine most organisations are paying separately to acquire. They just need to recognise it for what it is and wire it correctly.\nHow did we do it? 
Four building blocks on top of Microsoft 365\nThe full implementation is unpacked, with screenshots and worked examples, across the rest of this series. Here is the shape, so you can decide whether to follow along.\nBuilding block 1: Microsoft Secure Score as the single source of truth\n📷 Image 5 — A Secure Score recommendation, “Ensure ‘Phishing-resistant MFA strength’ is required for Administrators”, expanded.\n📷 Image 6 — A general recommendation regarding this specific Secure Score action.\n📷 Image 7 — A Secure Score implementation for the specific action.\nWe stopped treating Secure Score as a number to raise. We started treating each recommendation as a continuously tested control. Microsoft tells us, in real time, which controls are configured and which are not, and crucially provides the implementation guidance and user-impact analysis right inside each recommendation. That guidance, written by Microsoft engineering, is gold for any GRC team that previously had to draft remediation plans from scratch.\nBuilding block 2: Bridging Microsoft Compliance Manager with Secure Score for live evidence\nHere is where the Microsoft platform already does an enormous amount of the work, and most teams don’t realise it.\nMicrosoft Purview Compliance Manager ships with pre-built assessments for ISO/IEC 27001:2022, NIS 2 Directive, GDPR, NIST CSF, and over 300 other regulations. 
Microsoft has done the foundational mapping for you: each framework control is linked to one or more Improvement Actions, concrete configuration changes you can make across Microsoft 365, Entra ID, Microsoft Purview, and Azure to satisfy that control.\n📷 Image 8 — Microsoft Purview Compliance Manager, ISO 27001:2022 assessment, Authentication Information, Control ID A.5.17.\nWhat Compliance Manager does not give you out of the box is a live link between an Improvement Action and the corresponding Microsoft Secure Score recommendation that proves the control is currently configured correctly across your tenant. The Improvement Action tells you what to do; Secure Score tells you, in real time, whether it is done.\nThis is exactly the gap we closed. We built a thin mapping layer that, for each Compliance Manager Improvement Action covered by ISO 27001:2022 Annex A and NIS2 Article 21, identifies the matching Microsoft Secure Score recommendation and pulls its current state via the Microsoft Graph API. The result: a live evidence view over Microsoft’s own framework mappings, so a control is not “satisfied” because someone ticked a box; it is satisfied because Microsoft Secure Score confirms today, with a timestamp, that the configuration is in place.\nRoughly 60–70% of the technical controls in ISO 27001:2022 Annex A and NIS2 Article 21 can be evidenced this way directly from Microsoft Secure Score telemetry. The remaining 30–40% are covered either by other Microsoft Purview tooling (Data Loss Prevention, Information Protection, Insider Risk Management) or by documented organisational procedures. 
The mapping self-maintains: when Microsoft adds or revises an Improvement Action or a Secure Score recommendation, we triage the change once and the live evidence pipeline picks it up automatically.\nBuilding block 3: Microsoft Graph API + Power BI for live audit evidence\nUsing the Microsoft Graph Security API, we pull Secure Score telemetry into a Power BI workspace daily. The output is a live evidence dashboard that auditors can be given read-only access to, with full timestamped history. No more screenshot scrambles before the next surveillance audit.\n📷 Image 9 — Microsoft Power BI for live audit evidence.\nThis is pure Microsoft stack: no scripts running outside the tenant, no data leaving Microsoft 365, no extra licensing.\nBuilding block 4: Microsoft Purview Compliance Manager for the board view\nFor board reporting we pair Secure Score data with Microsoft Purview Compliance Manager, which Microsoft pre-populates with assessments aligned to ISO 27001, NIS2, GDPR, and dozens of other frameworks. The combination gives the board both a security-configuration view (Secure Score) and a regulatory-conformance view (Compliance Manager) in a single quarterly slide.\nThe business results: from weeks of audit prep to live evidence\nWithin the first year of running the programme:\nAudit preparation time for ISO 27001 surveillance dropped from weeks to days.\nBoard cyber-risk reporting moved from qualitative narratives to live, defensible numbers backed by Microsoft telemetry.\nMicrosoft Secure Score itself improved by 30%, and every remaining gap is a documented, board-approved risk decision.\nTotal external GRC tooling cost: €0. Everything was delivered on the existing Microsoft 365 E5 investment.\nAnd, the Gold Award. 
What you will get from this series The goal of the series is simple: help you understand Microsoft Secure Score well enough to turn it into a real governance and compliance instrument for your organisation, the same way we did for ours.\nTo get there without skipping steps, the recommended reading path is:\nFoundation first: The Microsoft Defender family\nIf the names Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, or Microsoft Defender for Cloud Apps don\u0026rsquo;t mean much to you yet, start with the companion series that covers the whole Microsoft Defender ecosystem end to end:\nMicrosoft Defender Demystified, Part 1: How Many Defenders Are There, Really? (coming soon): the whole family map in one post.\nMicrosoft Defender Demystified, Part 2: The Four Core XDR Workloads, Up Close (coming soon): what each workload protects.\nMicrosoft Defender Demystified, Part 3: Microsoft Defender for Cloud (coming soon): the Azure and multicloud story.\nMicrosoft Defender Demystified, Part 4: Which Defender Do You Actually Need? (coming soon): licensing across Microsoft 365 and Enterprise Mobility + Security.\nMicrosoft Defender Demystified, Part 5: A Walk Through the Microsoft Defender Portal (coming soon): where everything lives.\nEnterprise Mobility + Security Explained (coming soon): the security bundle many organisations already own and don\u0026rsquo;t fully use.\nWant to go deeper into any single workload? The Microsoft Defender Up Close series has hands-on, configuration-level walkthroughs of Microsoft Defender for Endpoint, Office 365, Identity, and Cloud Apps.\nThen, the Secure Score series itself\nOnce the Microsoft Defender landscape feels familiar, come back here. You\u0026rsquo;ll now have the context to follow what Microsoft Secure Score is actually measuring.\nOpening Your First Recommendation: every field on a Microsoft Secure Score recommendation, explained the way a friendly colleague would.
Written for people opening the score for the first time. Where Microsoft Secure Score Sits in the Microsoft Defender World how the scoreboard actually works, which Microsoft products feed it, and how to trace one score point back to its source. Why read Parts 1 and 2 first\nSecure Score is the destination of this series — the daily dashboard that will show you where your organization stands regarding secure maturity, regardless of the organization\u0026rsquo;s size, geographic location, and presence, and help you decide what to tackle first and what can wait, across applications, data, devices, and user identity. But for it to be genuinely useful and not just another number you stare at without knowing what it means, you first need to understand how it is built (Part 1: Anatomy) and the ecosystem it lives in (Part 2: Ecosystem). Once these two parts are clear, the Defender Secure Score stops being a \u0026ldquo;magic number\u0026rdquo; and becomes a decision-making tool. So read Parts 1 and 2 in order. After that, everything we cover in the Defender chapters will carry a concrete meaning within your own environment.\nYou don\u0026rsquo;t need to be a developer. You don\u0026rsquo;t need a third-party GRC platform. You need a Microsoft 365 tenant, a few focused hours per week, and the willingness to look at Microsoft Secure Score with fresh eyes.\nIf you already know the Microsoft Defender landscape well, feel free to skip the foundation section and dive straight into the Secure Score posts.\nReady to start? Part 1 — Opening Your First Recommendation is already published and available, you can read it whenever you\u0026rsquo;re ready. Enjoy!\n[Part 2 — Where It Sits in the Microsoft Defender World] is already published and available, you can read it whenever you\u0026rsquo;re ready. 
Enjoy!\nMore parts coming in the following weeks, so check the series page for the latest.\nFollow me on LinkedIn for new-post notifications.\n","permalink":"https://thecybersec.gr/posts/secure-score-grc-part-0-intro/","summary":"Series introduction. The business problem, what Microsoft 365 already gives you for free, the four building blocks of the programme that won Gold, and what the next 7 posts will teach you to replicate.","title":"How We Built a Gold-Winning GRC Programme on Microsoft Secure Score — Series Introduction"},{"content":"Before we start — What is Microsoft Secure Score, in one paragraph Microsoft Secure Score is a measurement tool within the Microsoft Defender portal that evaluates an organization\u0026rsquo;s security posture across identity, devices, apps, and data. It produces a single percentage score and a prioritised list of recommendations to improve it.\nIf you\u0026rsquo;ve just started a role as a Microsoft 365 Junior Administrator, a Tier 1 SOC Analyst, or an entry-level Cloud Security Engineer, chances are someone has already said the words \u0026ldquo;check our Microsoft Secure Score\u0026rdquo; at you. Maybe your manager. Maybe an auditor. Maybe a colleague asking if you can \u0026ldquo;just pull the number for the quarterly review\u0026rdquo;.\nAnd chances are you opened the Microsoft Defender portal, found the Microsoft Secure Score page, looked at a bunch of cards and lists and numbers, and thought, okay, but what am I actually looking at, and how does Microsoft Secure Score actually work?\nYou’re not the only one; I was in the same boat, and it wasn’t easy. Nobody looks at Microsoft Secure Score for the first time and immediately understands all of it (like Microsoft Secure Score recommendations or Microsoft Secure Score calculation). It\u0026rsquo;s one of those Microsoft surfaces that\u0026rsquo;s genuinely simple once you know what each piece means, but completely confusing the first time.
This post is a friendly guide that I wish someone had given me on my first day.\nTogether, we’ll open up a specific configuration, examine every field on the screen, and by the end, you’ll know exactly what you’re seeing and what deserves your attention. No philosophy, no discussion of the GRC framework just yet—just the screen in front of you.\n📌 This post is Part 1 of a series that builds up to something bigger, using Microsoft Secure Score as the engine of a compliance programme. If you\u0026rsquo;re curious about the bigger picture, the How We Built a Gold-Winning GRC Programme on Microsoft Secure Score — Series Introduction covers it. But you don\u0026rsquo;t need to read that first. Start here.\nGetting to Microsoft Secure Score in 30 seconds First, regarding navigation: since the page was recently moved, links in older blog posts may direct you to the wrong address, so please follow the instructions below:\nOpen https://security.microsoft.com (this is the Microsoft Defender portal) In the left navigation, expand Exposure management Click Microsoft Secure Score 📷 Image 1 — The Microsoft Secure Score overview page.\nWhat you\u0026rsquo;ll see on the overview page, from left to right:\nA big circular number: your current Secure Score as a percentage A historical trend graph: how the score has moved over time A Top actions to review list: the recommendations Microsoft thinks would improve your score the most Comparison cards: how your score compares to tenants of similar size Don\u0026rsquo;t worry about the overall number yet. We\u0026rsquo;re going to click into a single recommendation.\nOpening your first recommendation Click the Recommended actions tab at the top of the page.
You\u0026rsquo;ll get a list of every Microsoft Secure Score recommendation, usually somewhere between 100 and 250 of them, depending on what products you\u0026rsquo;re licensed for.\n📷 Image 2 — The Recommended actions list.\nFor this walkthrough, pick a recommendation that sounds familiar. Good starting choices:\n\u0026ldquo;Require multifactor authentication for administrative roles\u0026rdquo; \u0026ldquo;Ensure all users can complete multifactor authentication\u0026rdquo; \u0026ldquo;Enable self-service password reset\u0026rdquo; \u0026ldquo;Enable audit log search\u0026rdquo; Click on any one of them. A details pane opens on the right side of the screen. This is where we\u0026rsquo;ll spend the next 10 minutes or maybe more.\nEvery field on the recommendation details pane, explained 📷 Image 3 — A single recommendation details pane, fully expanded.\nLet\u0026rsquo;s go through everything you see, top to bottom.\nThe title Exactly what it sounds like, a short description of the control. Example: \u0026ldquo;Require multifactor authentication for administrative roles.\u0026rdquo;\nWhat matters to notice: Microsoft wrote this title, not your organization. These titles are standardised across every Microsoft 365 tenant in the world. When you search for help on a specific recommendation, search for the exact title, you\u0026rsquo;ll find official Microsoft documentation and community posts that refer to it.\nThe product badge A small icon indicating which of the four Microsoft products the suggestion comes from. Below are all four examples:\nIdentity: from Microsoft Entra ID Data: from Microsoft 365 Defender for Office or Microsoft Purview Device: from Microsoft Defender for Endpoint Apps: from Microsoft Defender for Cloud Apps Why this matters: if you don\u0026rsquo;t have a particular product licensed, you won\u0026rsquo;t see its recommendations. 
If you see very few Device recommendations, for example, it usually means Microsoft Defender for Endpoint isn\u0026rsquo;t deployed to your devices yet, not that you have no device problems.\nThe description A paragraph from Microsoft explaining why this recommendation exists, what attack or risk it addresses, and what happens if it\u0026rsquo;s not configured.\nA small but useful tip: read this paragraph every time, even when the title seems obvious. The description often mentions specific attack techniques or compliance frameworks this control addresses. Understanding why a recommendation exists helps you defend it when someone pushes back on implementing it.\nImplementation status The implementation status values you should pay attention to are as follows:\nTo address: the control isn\u0026rsquo;t configured (or not fully) in your tenant Planned: someone in your organization marked it as \u0026ldquo;we\u0026rsquo;re working on this\u0026rdquo; Risk accepted: someone decided not to implement it, and documented why Resolved through third party: you have a non-Microsoft tool doing this job Completed: Microsoft Secure Score confirms the control is configured This is a field you update, not Microsoft. When Microsoft\u0026rsquo;s automated check confirms you\u0026rsquo;ve implemented the control, the status flips to Completed automatically. But if you plan to implement it later, or decide not to, you set it manually.\nUser impact Microsoft\u0026rsquo;s assessment of how much friction implementing this recommendation will cause for your users. Typically Low, Moderate, or High.\nThis is an important piece of information that is often overlooked; don\u0026rsquo;t overlook it. A recommendation labelled High user impact might still be worth implementing, but you should be prepared for user questions, support tickets, and possibly a communication plan.
A Low user impact recommendation can usually be rolled out quietly.\nImplementation cost Microsoft\u0026rsquo;s rough estimate of how much work implementing this recommendation requires from your team. Again, Low, Moderate, or High. Useful when you\u0026rsquo;re prioritising a long list, start with low-cost, high-score-impact items.\nScore impact How many points your Secure Score will go up when this recommendation is completed. Usually something like +5.3 points or +12.7 points.\nNotice: this is an absolute number, not a percentage. If your current score is 347 out of 600, and this recommendation is worth 10 points, implementing it takes you to 357 out of 600, which translates to a small percentage change.\nCategory Broad groupings Microsoft uses to organise recommendations:\nIdentity Data Device Apps Same as the product badge, essentially. You\u0026rsquo;ll see the categories filtered at the top of the Recommended actions list so you can focus on one area at a time.\nTags Small labels Microsoft applies to the recommendation, things like GDPR, NIST, CIS, ISO 27001. These are useful hints about compliance framework coverage but they\u0026rsquo;re not definitive control mappings. If you need real framework alignment, that lives in Microsoft Purview Compliance Manager, not here.\nThe \u0026ldquo;Implementation\u0026rdquo; tab Below the summary, there\u0026rsquo;s usually a tab with step-by-step implementation instructions. For most recommendations, Microsoft has written a short, numbered guide that tells you exactly where to click to configure the control.\n📷 Image 4 — The Implementation tab contents.\nThis is the single most useful thing in Microsoft Secure Score for someone new to the platform. Microsoft has essentially written the remediation documentation for you. Read it. Follow it. 
In many cases you\u0026rsquo;ll be able to implement the recommendation in 10 minutes without needing any other resource.\nThe \u0026ldquo;Details\u0026rdquo; or \u0026ldquo;Data\u0026rdquo; tab (when it exists) For some recommendations, a second tab shows you the actual current state, how many users are affected, which ones, what specific settings are not configured. This is invaluable when you want to understand what \u0026ldquo;partial credit\u0026rdquo; looks like, sometimes a recommendation shows 60% implemented, and this tab tells you exactly which 40% is missing.\nFour small habits that make this all easier Some of these aren\u0026rsquo;t obvious, but they save you real time as you get comfortable with the platform.\nHabit 1 — Always read the title and the description The title alone is often ambiguous. Two recommendations might have similar-sounding titles but address genuinely different controls. Reading the description (even just the first sentence) is the fastest way to avoid confusion.\nHabit 2 — Filter by category before prioritising Instead of scrolling through 200 recommendations, filter by one category (Identity, for example) and prioritise within that group. Most security improvements cluster by category, fixing three or four Identity recommendations together is more efficient than hopping between areas.\n📷 Image 5 — The category filter applied to the Recommended actions list.\nHabit 3 — Sort by score impact, not by status The default view is usually ranked by Microsoft\u0026rsquo;s own risk prioritisation, which is good, but when you\u0026rsquo;re new and want quick wins, sorting by Score impact (descending) shows you the highest-value recommendations first. 
Implementing two or three of those gives you a visible improvement in the overall number, which helps build confidence and momentum.\nHabit 4 — If a recommendation confuses you, search Microsoft Learn with the exact title Copy the full title of the recommendation and paste it into Google with site:learn.microsoft.com. You\u0026rsquo;ll almost always find official Microsoft documentation explaining the control in more depth than the recommendation pane itself. This is your secret weapon, every recommendation maps to official docs.\nWhat you can extract in under an hour If you\u0026rsquo;re doing this for the first time today, here\u0026rsquo;s a reasonable 60-minute goal:\nMinutes 0–10: Navigate to Microsoft Secure Score, read the overview page, note your overall score. Minutes 10–25: Open five different recommendations from different categories. Read title, description, implementation status, and the Implementation tab for each. Don\u0026rsquo;t change anything. Minutes 25–40: Sort the full list by Score impact. Identify the top three highest-impact items that are currently \u0026ldquo;To address\u0026rdquo;. Minutes 40–55: For one of those three, read the Implementation tab carefully. Estimate whether you could do it safely today, or whether it needs planning. Minutes 55–60: Write down the three recommendations you identified. Ask your manager or senior colleague whether any of them are safe to implement. This is a really useful exercise for the first day and probably for the whole day. You don’t need to implement anything yet. 
Just understanding what the page entails and being able to point out three or maybe four specific elements and say, \u0026ldquo;These three or four elements would boost the score faster if we implemented them,\u0026rdquo; puts you ahead of where most new professionals are on their first day.\nWhat\u0026rsquo;s next In Part 2 we zoom out from the single recommendation and look at where Microsoft Secure Score actually lives inside the Microsoft Defender portal and, more importantly, which Microsoft products feed it. You\u0026rsquo;ll see why your score is really a scoreboard reading configuration data from Microsoft Entra ID, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Purview and you\u0026rsquo;ll learn how to trace a single score point back to the product that generated it.\n🔗 For a ground-up tour of the Microsoft Defender ecosystem, the upcoming Microsoft Defender Demystified series will start there. Subscribe via LinkedIn to be notified when it drops.\nFollow me on LinkedIn for new-post notifications.\nMicrosoft Learn resources Microsoft Secure Score overview How Microsoft Secure Score is calculated Respond to Microsoft Secure Score recommendations Microsoft Security Exposure Management ","permalink":"https://thecybersec.gr/posts/secure-score-grc-part-1-anatomy/","summary":"Part 1 of the Secure Score series. A beginner-friendly walk through a single Microsoft Secure Score recommendation — every field on the screen, what each one means, and the small observations that help new professionals start extracting value in under an hour.","title":"Microsoft Secure Score — Part 1: Opening Your First Recommendation"},{"content":"A small moment most beginners hit In Part 1 we opened a single Microsoft Secure Score recommendation and walked through every field. 
By now you can look at a recommendation and understand what you\u0026rsquo;re seeing.\nBut if you\u0026rsquo;ve been clicking around for a few days, you\u0026rsquo;ve probably hit this moment: you look at your overall score, and you wonder, where does this number actually come from? Who\u0026rsquo;s measuring what? Is Microsoft running some kind of scan on my tenant? And why are there recommendations about products I didn\u0026rsquo;t even know I had?\nThese are good questions. The answers are genuinely useful to know, and once they click, the whole Microsoft Defender portal stops feeling like a random collection of features and starts feeling like a system.\nThis is that post.\nThe honest, short version Microsoft Secure Score isn\u0026rsquo;t a product on its own. It\u0026rsquo;s a scoreboard that reads configuration data from a bunch of other Microsoft products and gives you a single number.\nEach of those other products already knows what it should be configured like. Microsoft Secure Score asks them \u0026ldquo;hey, is this specific thing configured correctly in this tenant?\u0026rdquo;, gets a yes/no back, tallies the results, and shows you the total.\nThat\u0026rsquo;s really it. The rest of this post is just unpacking which products contribute what, and how to trace a score point back to its source.\nThe Microsoft Defender family in one paragraph The short version for now: Microsoft groups its security products into a family called Microsoft Defender, the umbrella brand being Microsoft Defender XDR, as described in the (Microsoft Defender XDR documentation). Inside that umbrella are several workloads, Microsoft Defender for Endpoint (devices), Microsoft Defender for Office 365 (email and Teams), Microsoft Defender for Identity (Active Directory), Microsoft Defender for Cloud Apps (SaaS apps), plus a couple of close cousins like Microsoft Defender for Cloud (Azure workloads). 
A full deep dive into the Microsoft Defender family is on the way in a dedicated companion series, Microsoft Defender Demystified, starting in June 2026.\nMicrosoft Secure Score reads from most of these.\nWhere Microsoft Secure Score physically lives Remember from Part 1, the navigation path is:\nsecurity.microsoft.com → Exposure management → Microsoft Secure Score\nThe important word is Exposure management. Microsoft Secure Score moved into that section a while back, and it lives alongside other posture-related features.\n📷 Image 1 — The Exposure management section in the left navigation.\nMicrosoft Security Exposure Management is a newer Microsoft surface that tries to answer \u0026ldquo;how exposed are we?\u0026rdquo;. It includes:\nYour attack surface (what an attacker could see from outside) Your exposure insights (what risks matter most right now) Microsoft Secure Score (how configured-correctly your tenant is) Other posture signals Microsoft Secure Score is one of several posture instruments that live here. For now you don\u0026rsquo;t need to use the other ones, just notice they exist and they\u0026rsquo;re related.\nThe products that feed your Microsoft Secure Score This is the part that usually surprises new professionals. Your Microsoft Secure Score is calculated from configuration data in many different Microsoft products. Here\u0026rsquo;s the main list:\n📷 Image 2 — The Recommended actions list with the Category column visible.\nMicrosoft Entra ID (identity) Microsoft Entra ID is Microsoft\u0026rsquo;s cloud identity and access management service. 
It provides a big chunk of your Microsoft Secure Score recommendations, things like:\nMultifactor authentication policies Conditional Access policies Password protection Risk-based sign-in policies Self-service password reset Privileged account controls Any recommendation with a badge or category of Identity comes from Microsoft Entra ID.\nMicrosoft Defender for Endpoint (devices) Microsoft Defender for Endpoint protects the devices in your fleet. Its Microsoft Secure Score contribution covers:\nWhether antivirus is enabled and up to date Whether attack surface reduction rules are configured Whether network protection is on Device security baselines and exposure levels Recommendations with the Device category come from here. If you see very few Device recommendations, it usually means Microsoft Defender for Endpoint isn\u0026rsquo;t fully deployed yet.\nMicrosoft Defender for Office 365 (email and Teams) Microsoft Defender for Office 365 protects email and Microsoft Teams. Its Microsoft Secure Score contributions include:\nAnti-phishing policies Safe Links and Safe Attachments policies Anti-spam and anti-malware configurations DKIM, SPF, DMARC email authentication Attack Simulation Training usage (in Plan 2) These show up mostly under the Apps or Data category, depending on the specific recommendation.\nMicrosoft Defender for Cloud Apps (SaaS apps) Microsoft Defender for Cloud Apps watches over your SaaS application usage. Its recommendations include:\nCloud app governance policies OAuth app review status Anomaly detection policy coverage Microsoft Purview (data protection and compliance) Microsoft Purview handles data protection and compliance. 
It contributes recommendations about:\nSensitivity labels being configured Data Loss Prevention (DLP) policies being active Audit log search being enabled Retention policies and records management These show up under the Data category.\nMicrosoft Exchange Online (mail flow) Some foundational email configuration recommendations come directly from Microsoft Exchange Online, things like mailbox auditing settings, modern authentication, and external forwarding restrictions. They usually appear with Apps or Data badges.\nTracing one score point back to its source Here\u0026rsquo;s a concrete exercise that makes all this click. Open your Microsoft Secure Score, pick any recommendation that\u0026rsquo;s currently To address, and we\u0026rsquo;ll trace it back to its source together.\nExample: let\u0026rsquo;s say the recommendation is \u0026ldquo;Ensure internal phishing protection for Forms is enabled\u0026rdquo;.\n📷 Image 3 — A recommendation\u0026rsquo;s Implementation tab showing which Microsoft product configures it.\nThe Implementation tab tells you to go to Microsoft 365 admin center → Settings → Org Settings → Microsoft Forms and enable internal phishing protection. Notice what just happened:\nScoreboard: Microsoft Secure Score (in the Defender portal) Source product: Microsoft Forms (configured in Microsoft 365 admin center) Score answers the question: Is internal phishing protection enabled in Forms? Data collected by: Microsoft Forms, continuously, from tenant settings When you implement the policy in Microsoft 365 admin center, Microsoft Entra ID reports back to Microsoft Secure Score that the configuration has changed. The recommendation\u0026rsquo;s status flips to Completed (usually within a few hours), and your score goes up by the recommendation\u0026rsquo;s point value.\nThe insight: Microsoft Secure Score never did anything in your tenant. It\u0026rsquo;s just asking Microsoft Entra ID a question and reading the answer. 
The same pattern applies to every other source product.\nWhy don\u0026rsquo;t I see all Secure Score recommendations? This is a common beginner moment of confusion. You\u0026rsquo;ve read an article or watched a webinar that mentioned a specific Microsoft Secure Score recommendation, and when you look in your own tenant, it isn\u0026rsquo;t there.\nThe reason is almost always licensing. Microsoft Secure Score only shows you recommendations for products you\u0026rsquo;re licensed for. If your tenant doesn\u0026rsquo;t have Microsoft Defender for Office 365 Plan 2, you won\u0026rsquo;t see the recommendations that are specific to Plan 2 (like the Attack Simulation Training ones). If you don\u0026rsquo;t have Microsoft Defender for Cloud Apps, you won\u0026rsquo;t see any Cloud App recommendations at all.\n📷 Image 4 — The Microsoft 365 admin center licenses page.\nThis is why two people comparing their scores can get confusing numbers. A company with Microsoft 365 E5 might have 180 recommendations; a company with Microsoft 365 E3 might have 120. They\u0026rsquo;re not being scored against the same set of questions.\nFor a deeper walk through what each license includes, an upcoming post, the Microsoft Defender Demystified — Part 4 (licensing decoder) will cover this in plain language.\nHow long does Microsoft Secure Score take to update? Not instantly. When you make a configuration change in Microsoft Entra ID, Microsoft Defender for Endpoint, or any other source product, there\u0026rsquo;s a lag before Microsoft Secure Score picks it up.\nIn practice:\nMost recommendations: refresh within 24 hours Some identity and policy recommendations: can take up to 48 hours to update Certain Microsoft Defender for Endpoint recommendations: depend on device check-in frequency, can be longer If you implement a change and your score hasn\u0026rsquo;t moved by the next day, don\u0026rsquo;t panic, come back the day after. 
If it still hasn\u0026rsquo;t moved after 72 hours, that\u0026rsquo;s when you\u0026rsquo;d start investigating; usually the cause is that the configuration isn\u0026rsquo;t quite what Microsoft Secure Score is checking for, which happens occasionally.\nThe history tab tells a story One last part of the page worth knowing about: History.\n📷 Image 5 — The Microsoft Secure Score History tab.\nThe History tab shows every score event over time: when a recommendation got completed, when a new one was added (which drops the score temporarily), when configuration drifted (which can also drop the score).\nThis is genuinely useful when:\nYour score dropped unexpectedly and you want to find out why You want to see progress over a reporting period (\u0026ldquo;we improved by 12 points last quarter\u0026rdquo;) You want to track which configuration changes actually moved the number As you get more comfortable with Microsoft Secure Score, the History tab becomes your evidence source for \u0026ldquo;yes, we did that work\u0026rdquo; and \u0026ldquo;here\u0026rsquo;s when the drop happened\u0026rdquo; conversations.\nA quick wrap-up Everything we covered in one paragraph: Microsoft Secure Score is a scoreboard inside the Microsoft Defender portal\u0026rsquo;s Exposure management section. It reads configuration data from several Microsoft products (Microsoft Entra ID, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, Microsoft Purview, Microsoft Exchange Online) and gives you a single number. When you implement a recommendation, you\u0026rsquo;re not changing anything in Microsoft Secure Score itself; you\u0026rsquo;re changing configuration in one of those source products, which then reports back. The score refreshes within 24–48 hours of configuration changes. Licensing determines which recommendations you can see. The History tab tells you everything that\u0026rsquo;s happened.\nThat\u0026rsquo;s the whole mental model.
Once you have it, everything else in Microsoft Secure Score, and a surprising amount of the broader Microsoft Defender portal, makes intuitive sense.\nWhat\u0026rsquo;s next In Microsoft Defender Demystified Series we move into actually managing Microsoft Secure Score as part of a compliance programme, how to prioritise recommendations when you have 150 of them, how to document risk decisions for auditors, and how to start thinking about score as evidence rather than as a target.\n🔗 For a ground-up tour of the Microsoft Defender ecosystem, the upcoming Microsoft Defender Demystified series will start there. Subscribe via LinkedIn to be notified when it drops.\nFollow me on LinkedIn for new-post notifications.\nMicrosoft Learn resources Microsoft Secure Score overview How Microsoft Secure Score is calculated Microsoft Security Exposure Management overview Microsoft Defender XDR overview Microsoft Entra ID overview Microsoft Purview overview ","permalink":"https://thecybersec.gr/posts/secure-score-grc-part-2-ecosystem/","summary":"Part 2 of the Secure Score series. Where Microsoft Secure Score physically lives, how it feeds off the Microsoft Defender family, what each source product contributes, and a practical exercise to trace one score point back to the product that generated it.","title":"Microsoft Secure Score — Part 2: Where It Sits in the Microsoft Defender World"},{"content":"If you\u0026rsquo;re here, you probably manage, secure, or architect Microsoft 365 environments and you\u0026rsquo;ve hit the same wall I keep hitting: the official docs tell you the what but rarely the why or the what-if.\nThat\u0026rsquo;s the gap this blog tries to fill.\nWhat you\u0026rsquo;ll get Every post here is built on three rules:\nHands-on. No theory dumps. If I cover a feature, I configure it, break it, and tell you what happened. Production-realistic. I write from the perspective of someone who has to live with the configuration on Monday morning, not just demo it in a lab. 
No vendor cheerleading. Microsoft does some things brilliantly. It also ships features that aren\u0026rsquo;t ready. I\u0026rsquo;ll tell you which is which. What\u0026rsquo;s coming first The first series I\u0026rsquo;m planning for 2026:\nMicrosoft Secure Score as a Cyber GRC Instrument — A 4- to 6-part series on turning Secure Score into a board-level governance tool. (Part 0, Part 1, Part 2 already published.) A note on the format Posts will often be long. Some will run 15–20 minutes of reading time. That\u0026rsquo;s intentional: short posts on these topics tend to leave the most important questions unanswered. There\u0026rsquo;s a table of contents on every long post, and a search box in the menu. Use them.\nIf a post is part of a series, you\u0026rsquo;ll see a Series badge in the header and links to the other parts at the bottom.\nGet in touch If you spot a mistake, have a better way to do something, or want to suggest a topic, ping me on LinkedIn.\nRelated technical notes, implementation details, and supporting references are maintained here: GitHub\nThanks for reading. The next post drops soon. ","permalink":"https://thecybersec.gr/posts/welcome/","summary":"An intro to the blog, the topics I\u0026rsquo;ll cover, and the first series planned for 2026.","title":"Welcome — what this blog is (and isn't)"},{"content":"About me Hi, I\u0026rsquo;m Dimosthenis — a Senior Cloud Architect specialising in Microsoft 365 and Microsoft Security Copilot.\nI work day-to-day with the Microsoft cloud security stack — Defender XDR, Sentinel, Entra ID, Intune, Purview, and the rapidly evolving Security Copilot platform — and I write here to share what works in the real world, what doesn\u0026rsquo;t, and what\u0026rsquo;s worth your attention as a practitioner.\nThis blog is practical, hands-on, and opinionated. It\u0026rsquo;s not a copy of Microsoft Learn.
The goal is to fill the gap between official documentation and what you actually face in production.\nWhat you\u0026rsquo;ll find here Microsoft Security Copilot — prompts, plugins, integration patterns, cost optimisation, and security guardrails. Microsoft 365 hardening — Conditional Access, attack-surface reduction, Defender configuration, baseline architectures. Identity \u0026amp; access — Entra ID, hybrid identity, Kerberos trust, privileged access, and zero-trust building blocks. Detection \u0026amp; response — KQL hunting queries, custom analytics, automation with Logic Apps, incident playbooks. Architecture deep dives — multi-tenant patterns, cross-cloud integrations, and design decisions for regulated industries. Expertise areas Category: Microsoft 365 Expertise area: Microsoft 365, Microsoft Security Copilot Credentials ISC2 Certified in Cybersecurity (CC) ISO/IEC 27001 Lead Auditor Get in touch 🐙 GitHub: dimosatteia (https://github.com/dimosatteia) 💼 LinkedIn: dimosthenisatteia (https://www.linkedin.com/in/dimosthenisatteia/) ✉️ Email: dimosatteia@gmail.com Disclaimer: All views expressed here are my own and do not represent the views of my employer or any organisation I work with. Code samples and guidance are provided as-is — always validate in a non-production environment before applying to live systems.\n","permalink":"https://thecybersec.gr/about/","summary":"About the author","title":"About"}]