
How To Generate MSP-friendly Compliance Reports From Microsoft Secure Score

by Lauren Ballejos, IT Editorial Expert

Key Points

  • Microsoft Secure Score Quantifies Security Posture: Microsoft Secure Score provides a measurable view of an organization’s security risk.
  • MSPs Use Secure Score for Reporting and Compliance: MSPs leverage Secure Score for transparent client reporting, standardized compliance tracking, and continuous security improvement.
  • Automate Secure Score Collection and Reporting: MSPs can automate Secure Score exports, schedule recurring updates, and integrate results into NinjaOne dashboards using PowerShell and Microsoft Graph API.
  • Enhance and Enrich Reports with NinjaOne Integration: Combine Secure Score data with endpoint validation and NinjaOne automation to produce comprehensive security reports.

Microsoft Secure Score, an essential security analytics tool integrated with Microsoft 365, provides organizations with a quantifiable measure of their current security posture along with specific, actionable recommendations for improvement. For Managed Service Providers (MSPs), Secure Score acts as more than just an internal dashboard — it becomes a foundation for transparent, data-driven client reporting and standardized compliance tracking across multiple tenants.

Presenting Secure Score data in a clear, branded, and actionable format enables MSPs to tangibly demonstrate the value they deliver. Clients can see improvements over time, get ahead of security risks long before audit or breach events, and confidently align their organization with leading frameworks such as CIS, NIST, and ISO 27001. Efficient and repeatable Secure Score reporting also helps MSPs streamline their internal processes, proactively identify priorities for remediation, and document security maturity.

What is the Microsoft Secure Score report?

The Microsoft Secure Score report is a security analytics feature within Microsoft 365 that evaluates an organization’s security posture by assessing current configurations, user behaviors, and adopted controls across the Microsoft cloud environment. The generated score shows how closely the tenant aligns with Microsoft’s recommended security practices, and provides detailed improvement actions to help reduce risk.

What is the difference between compliance score and secure score?

The difference between “Compliance Score” and “Secure Score” in Microsoft 365 lies in what each metric measures and reports:

Microsoft Secure Score focuses on an organization’s technical security posture. It evaluates current security settings, configurations, and behaviors within Microsoft 365, offering a numerical score and actionable recommendations for strengthening protections against threats. Its primary goal is to help IT teams and MSPs quantify, benchmark, and continually improve security controls to reduce risk.

Microsoft Compliance Score, on the other hand, assesses your organization’s alignment with regulatory and industry compliance requirements (such as GDPR, HIPAA, or ISO 27001). Compliance Score reflects both technical settings and organizational actions, including documented policies, user training, and audit procedures, to provide a broader, governance-focused perspective.

Prerequisites for MS Secure Score reporting

Before extracting and reporting on Secure Score data, ensure the following prerequisites are in place:

  • Licensing: Microsoft 365 Business Premium or an Enterprise subscription is required for full Secure Score access.
  • Portal Access: You must log in via Microsoft Secure Score in the 365 Security Center.
  • PowerShell and SDK: The Microsoft Graph PowerShell SDK must be installed on any automation or reporting workstation.
  • Permissions: Assign either the Microsoft Entra Global Reader or the Security Reader role to the administrative account used for data collection.
  • Visualizations: Optionally, set up Power BI for more advanced data transformation, analysis, and report presentation.
  • RMM/Endpoint: Leverage NinjaOne or a similar remote monitoring and management (RMM) platform to enrich Secure Score data with endpoint-specific context for a deeper compliance report.

Access Secure Score via Microsoft 365 Security Center

The most direct way to review Secure Score data is in the Microsoft 365 Security Center. After authenticating with proper permissions, navigate to the Secure Score dashboard where you’ll find a comprehensive view of your tenant’s security landscape.

Here, you can view:

  • Overall security score: Presented as both a raw point value and achievement percentage versus Microsoft’s best practice baseline.
  • Category breakdowns: See how your organization scores across Identity, Devices, Apps, Data, and Infrastructure, allowing you to identify gaps in specific areas.
  • Export capabilities: Use the Export function to download a CSV file containing your current score, the full list of improvement actions, and the status of each (Implemented, Not Scored, Not Implemented).

Once exported, filter and transform this CSV data with Excel or Power BI for presentation. Organize it by importance, recent improvement, or area of risk to prepare client-friendly summaries that make your MSP’s proactive work tangible and track progress toward security goals.

Use PowerShell and Microsoft Graph to export Secure Score

For repeatability, scale, and automation, MSPs should leverage PowerShell in conjunction with the Microsoft Graph API. This approach enables secure, programmatic extraction of Secure Score data across multiple clients and tenants.

Sample workflow:

1. Connect to Microsoft Graph:

Connect-MgGraph -Scopes "SecurityEvents.Read.All", "Reports.Read.All"

2. Query the current Secure Score:

Get-MgSecuritySecureScore

3. Query improvement actions and control profiles:

Get-MgSecuritySecureScoreControlProfile

4. Export the full report:

Get-MgSecuritySecureScore | Export-Csv -Path "C:\Reports\SecureScore.csv" -NoTypeInformation

By using stored credentials and secure app registration, you can schedule these scripts to run across multiple tenants on a recurring basis. Automating Secure Score data collection ensures that MSPs always have access to the latest risk assessments for reporting and remediation.
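The four steps above, put together into one script that runs unattended against several tenants. This is an added example and not code from the NinjaOne post; it assumes a multi-tenant app registration (placeholder $AppId) with a certificate on the reporting workstation and SecurityEvents.Read.All admin-consented in each tenant, a constructed tenant list, and a C:\Reports output folder. The Export-TenantSecureScore function name, the CSV column layout and the reading of implementationStatus from AdditionalProperties are my own choices.

```powershell
# Added example (not from the post): app-only Secure Score export for several tenants.
# Assumes one multi-tenant app registration (placeholder $AppId) whose certificate is
# installed locally and which has admin-consented SecurityEvents.Read.All per tenant.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Security

param(
    [string]$AppId = '00000000-0000-0000-0000-000000000000',    # placeholder client id
    [string]$CertificateThumbprint = 'REPLACE-WITH-THUMBPRINT',  # placeholder
    [string]$OutputRoot = 'C:\Reports'
)

# Constructed tenant list; in practice load it from a CSV or your RMM's customer records.
$Tenants = @(
    @{ Name = 'Contoso';  TenantId = '11111111-1111-1111-1111-111111111111' }
    @{ Name = 'Fabrikam'; TenantId = '22222222-2222-2222-2222-222222222222' }
)

function Export-TenantSecureScore {
    param([string]$Name, [string]$TenantId)

    Connect-MgGraph -TenantId $TenantId -ClientId $AppId `
                    -CertificateThumbprint $CertificateThumbprint -NoWelcome | Out-Null
    try {
        # Secure Score keeps a daily history; take the most recent snapshot.
        $latest = Get-MgSecuritySecureScore -All |
                  Sort-Object CreatedDateTime -Descending |
                  Select-Object -First 1

        # Control profiles carry the title, max points and remediation text that the
        # per-control scores lack, so key them by Id for a lookup.
        $profiles = @{}
        Get-MgSecuritySecureScoreControlProfile -All | ForEach-Object { $profiles[$_.Id] = $_ }

        $rows = foreach ($c in $latest.ControlScores) {
            $p = $profiles[$c.ControlName]
            [pscustomobject]@{
                Tenant               = $Name
                SnapshotDate         = $latest.CreatedDateTime.ToString('yyyy-MM-dd')
                Control              = $c.ControlName
                Title                = $p.Title
                Category             = $c.ControlCategory
                Score                = $c.Score
                MaxScore             = $p.MaxScore
                # Assumption: implementationStatus is undeclared in the SDK type and
                # therefore lands in AdditionalProperties.
                ImplementationStatus = $c.AdditionalProperties['implementationStatus']
                Remediation          = $p.Remediation
            }
        }

        $dir = Join-Path $OutputRoot $Name
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
        $file = Join-Path $dir ("SecureScore-{0}.csv" -f (Get-Date -Format 'yyyyMMdd'))
        # Biggest point gap first, so the report leads with the highest-impact actions.
        $rows | Sort-Object { $_.MaxScore - $_.Score } -Descending |
                Export-Csv -Path $file -NoTypeInformation

        [pscustomobject]@{
            Tenant       = $Name
            CurrentScore = $latest.CurrentScore
            MaxScore     = $latest.MaxScore
            Percent      = [math]::Round(100 * $latest.CurrentScore / $latest.MaxScore, 1)
            File         = $file
        }
    }
    finally {
        Disconnect-MgGraph | Out-Null
    }
}

$summary = foreach ($t in $Tenants) { Export-TenantSecureScore @t }
$summary | Format-Table -AutoSize
$summary | Export-Csv -Path (Join-Path $OutputRoot 'SecureScore-Summary.csv') -NoTypeInformation
```

Certificate-based app-only authentication is used instead of stored user credentials so that the scheduled task holds no password and the app's permissions stay limited to read-only Secure Score access. Each tenant gets its own dated CSV, and the summary file gives the per-tenant percentage you would put on an executive page.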

Build branded MSP reports for clients

Raw security data is most effective when transformed into clear, actionable reports customized for each client. Aggregate the Secure Score results into:

  • Executive summaries: Give a big-picture overview of the organization’s current security trend, with concise narrative and easy-to-read visuals.
  • Category breakdowns: Highlight performance in key areas (Identities, Devices, Apps, etc.), identifying both strengths and weaknesses.
  • Actionable next steps: Present top unimplemented controls or recommendations, along with their potential impact on the overall score.
  • Historical graphs: Visualize Secure Score progression over time to validate continuous improvement and sustained MSP value.

Brand each report with the client’s name and logo as well as your MSP’s branding and personalized recommendations. Use tools like customizable Excel templates, Word mail merges, or Power BI dashboards to keep reports visually engaging and consistent. Archive individual reports in secure, shared locations such as SharePoint or NinjaOne Documents for streamlined client access and compliance documentation.

Enrich Secure Score with endpoint registry values

One limitation of Secure Score is that it may not always reflect real-time device configurations, especially regarding settings managed outside Microsoft 365. To address this, incorporate endpoint context by validating key security controls via registry entries on client devices.

For example:

BitLocker status:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BitLockerStatus
  • Value: ProtectionStatus (DWORD) = 1 indicates BitLocker is active.

Firewall status:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
  • Value: EnableFirewall (DWORD) = 1 confirms the Windows Firewall is enabled.

By remotely collecting and merging these registry values with Secure Score reports, MSPs can provide a more complete compliance assessment, bridging the gap between Microsoft 365 telemetry and actual device configuration.

Use Group Policy to enforce score-impacting settings

Secure Score rewards tenants for enforcing baseline controls through Group Policy Objects (GPO). By centrally managing these settings, MSPs can maximize scores while hardening all endpoints:

  • BitLocker policies:
    Navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption

    • Enable “Require BitLocker”
    • Disallow standard users from turning off BitLocker
  • Antivirus and Defender AV policies:
    Computer Configuration > Windows Defender Antivirus

    • Enable real-time protection
    • Require cloud-based protection
    • Block end-user exclusion policies

Applying these GPOs ensures all devices meet Secure Score criteria and provides validated, measurable improvement over decentralized management. Regularly reviewing and updating group policy settings further standardizes security across diverse SMB client bases.

Use CMD to validate device-specific security settings

To corroborate Microsoft Secure Score findings and confirm configuration at the endpoint level, use built-in Command Prompt tools:

  • Check BitLocker status: manage-bde -status
  • Review Windows Defender service: sc query Windefend
  • Verify firewall status: netsh advfirewall show allprofiles

Document the output of these commands or use scripts to collect results across your entire managed device fleet. Including this endpoint verification in compliance reports helps substantiate Secure Score data and proves controls are truly enforced at the ground level—not just reported in the cloud.
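A way to collect the three command outputs above, together with the firewall registry values from the "Enrich Secure Score with endpoint registry values" section, into one record per device. This is an added example, not a script from the post or from NinjaOne; the function name and output columns are mine, it checks BitLocker through manage-bde rather than a registry key, and it reads EnableFirewall from the per-profile subkeys (DomainProfile, StandardProfile, PublicProfile) under FirewallPolicy, which is where the value sits on the systems I have checked. It expects an elevated Windows session and English-language command output; the output share path is a placeholder.

```powershell
# Added example (not from the post): gather the endpoint checks the article lists into
# one record that can be merged with the Secure Score export on the Hostname column.
# Run elevated on the endpoint, e.g. as a scheduled RMM script. Output shape is my own.

function Get-EndpointSecurityEvidence {
    $hostname = $env:COMPUTERNAME

    # BitLocker: manage-bde -status prints a "Protection Status:" line per volume.
    $bde = & manage-bde -status C: 2>&1 | Out-String
    $bitlockerOn = $bde -match 'Protection Status:\s+Protection On'

    # Defender service: sc query reports "STATE ... RUNNING" when the engine is up.
    # sc.exe is spelled out because "sc" is a PowerShell alias for Set-Content.
    $svc = & sc.exe query WinDefend 2>&1 | Out-String
    $defenderRunning = $svc -match 'STATE\s+:\s+\d+\s+RUNNING'

    # Firewall: netsh prints one block per profile; all three must report "State ON".
    $fw = & netsh advfirewall show allprofiles 2>&1 | Out-String
    $profileStates = [regex]::Matches($fw, 'State\s+(ON|OFF)') |
                     ForEach-Object { $_.Groups[1].Value }
    $firewallAllOn = ($profileStates.Count -eq 3) -and ($profileStates -notcontains 'OFF')

    # Registry cross-check (assumption: EnableFirewall lives in the per-profile subkeys).
    # DWORD 1 = enabled; a missing value means no policy override and is reported as null.
    $fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    $registryFirewall = foreach ($prof in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
        $v = Get-ItemProperty -Path (Join-Path $fwKey $prof) -Name EnableFirewall `
                              -ErrorAction SilentlyContinue
        [pscustomobject]@{ Profile = $prof; EnableFirewall = $v.EnableFirewall }
    }

    [pscustomobject]@{
        Hostname         = $hostname
        CollectedAt      = (Get-Date).ToString('s')
        BitLockerOn      = $bitlockerOn
        DefenderRunning  = $defenderRunning
        FirewallAllOn    = $firewallAllOn
        FirewallRegistry = ($registryFirewall |
                            ForEach-Object { "$($_.Profile)=$($_.EnableFirewall)" }) -join ';'
        Compliant        = $bitlockerOn -and $defenderRunning -and $firewallAllOn
    }
}

$evidence = Get-EndpointSecurityEvidence
$evidence | Format-List
# Append to a fleet-wide CSV on a share (placeholder path); merge it with the tenant's
# Secure Score export in Excel or Power BI to show cloud score next to device state.
$evidence | Export-Csv -Path '\\fileserver\Reports\EndpointEvidence.csv' -Append -NoTypeInformation
```

The Compliant column is deliberately an AND of the three checks: a device with BitLocker on but a disabled public firewall profile should not count as compliant in the report. The regex matching is the fragile part; on non-English builds the netsh and manage-bde strings differ, and PowerShell cmdlets such as Get-BitLockerVolume and Get-NetFirewallProfile return structured objects instead, where available.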

Additional considerations

When using Secure Score for compliance reporting, several points warrant attention:

  • Secure Score vs. Compliance Score: Remember that Secure Score tracks technical security configurations, while Compliance Score addresses regulatory and policy adherence.
  • Scoring gaps with third-party solutions: If using non-Microsoft security tools, some mitigations may not be recognized by Secure Score, resulting in lower scores despite adequate protection. Clearly document these cases to clients.
  • Client education: Always include a short summary in your report explaining Secure Score’s scope and limitations, so clients know what is — and isn’t — measured.
  • Process automation: Schedule Secure Score reviews and use score deltas (changes over time) to initiate recurring remediation processes. This proactive approach both satisfies clients and simplifies ongoing security management.

Troubleshooting

Running into obstacles is inevitable; here’s how to address common Secure Score reporting hiccups:

  • Score not updating: Note that Secure Score can take up to 24 hours to reflect recent configuration changes or completed improvement actions.
  • Empty API queries: If the Microsoft Graph API returns empty results, check that all required permissions are granted, and that the authentication token remains valid.
  • Export missing controls: Use Get-MgSecuritySecureScoreControlProfile to ensure a complete improvement action list is queried and exported.
  • GPO not applying: If GPO changes aren’t reflected, run gpresult /h gpresult.html on the affected device and review the resulting HTML report to diagnose scope, filtering, or OU targeting issues, ensuring policy application across all required devices.

NinjaOne services

NinjaOne integrates seamlessly with Microsoft Secure Score, enabling MSPs to drive even more efficient and scalable compliance management:

  • Scheduled script execution: Automate extraction of Secure Score data from Microsoft Graph, storing per-client results for continuous tracking.
  • Registry scanning: Use NinjaOne’s endpoint management to automatically verify that critical registry settings (such as BitLocker or firewall status) align with Secure Score requirements.
  • Policy automation: Trigger remediation scripts whenever Secure Score deltas indicate potential regressions, keeping tenants on track with recommended best practices.
  • Custom dashboards: Display Secure Score data alongside other key metrics — backup status, patching, endpoint health — to present a holistic view of security and compliance.
  • Cross-tenant aggregation: Roll up Secure Score reporting across all managed tenants, making it easy to benchmark, export, and communicate tiered risk postures to clients from a single pane of glass.

When paired with NinjaOne, Secure Score evolves from a static number to an actionable metric, fueling smarter automation, lightning-fast reporting, and demonstrable, ongoing MSP value.

In summary

The Microsoft Secure Score report is an indispensable measurement for evaluating and improving the security posture of Microsoft 365 tenants. For MSPs, extracting this data and converting it into actionable, client-focused compliance reports is key to proving value, driving continuous improvement, and maintaining operational transparency. By combining manual exports, API-driven collection, PowerShell automation, endpoint validation, and robust policy enforcement, every MSP can provide clear, branded insights that inspire client confidence.

Integrating these practices with NinjaOne and leveraging advanced tools for registry scanning, scripting, and dashboard creation transforms Secure Score from a back-end diagnostic tool into the centerpiece of a repeatable, evidence-driven compliance service.

FAQs

Microsoft Secure Score is a security analytics tool in Microsoft 365 that measures how your company aligns with Microsoft’s security best practices. It offers a data-driven way to assess client security posture and standardize tenant compliance reporting.

Secure score evaluates your technical security settings (user behavior, device protection, etc.) to help reduce risk. Meanwhile, compliance score measures your organization’s compliance with regulatory standards (HIPAA, ISO 27001, etc.).

MSPs can generate reports using PowerShell scripts and the Microsoft Graph API and export the results to NinjaOne for cross-tenant monitoring.

Boost your Secure Score by enforcing security baselines, such as enabling BitLocker, Windows Defender, and firewall protection through GPOs. Review and implement Microsoft’s improvement actions, automate score tracking, and validate endpoint configurations to improve your Secure Score continuously.

NinjaOne enhances Microsoft Secure Score management by automating data extraction, validating endpoint security settings, and triggering remediation scripts based on score changes. It also enables custom dashboards, cross-tenant reporting, and unified visibility.
