Several platform behaviors in Defender for Cloud explain why secure score can drop even when individual recommendation max scores and some health ratios appear stable or improving.
- Causes of a consistent secure score drop
From the classic secure score model in the Azure portal:
- Secure score is calculated per security control, not per individual recommendation in isolation. Each control has:
  - A fixed Max score for the control.
  - A Score per resource = Max score ÷ total number of resources the control applies to (healthy plus unhealthy).
  - A Current score = Score per resource × Number of healthy resources.
  - A Potential score increase = Score per resource × Number of unhealthy resources.
- Defender for Cloud recalculates each control every eight hours per subscription or cloud connector. Recommendations inside a control are updated more frequently than the control itself, so the resource counts shown for a recommendation can temporarily disagree with the control's score. Across 120 subscriptions, these asynchronous refreshes can manifest as visible daily swings.
- Score is impacted only by built‑in recommendations from the Microsoft cloud security benchmark (MCSB); custom recommendations never contribute points. If recommendations are:
  - newly added to MCSB,
  - moved between controls (for example, from a scoring control into Implement security best practices, which is worth 0 points), or
  - deprecated,
  the distribution of points across controls changes. Release notes show examples where recommendations were moved between controls or removed from scoring, which changed scores even though resource configuration did not change.
- Recommendations marked as Preview do not affect secure score. If items move into or out of Preview, or if new Preview recommendations appear, the visible recommendation list can change without directly explaining the score movement.
- When recommendations move between controls with different Max score values, the overall score can go up or down even though the recommendation itself and its resource health look unchanged in the UI (in the classic model the points belong to the control, not the recommendation). For example, release notes show recommendations moving from a 6‑point control to a 4‑point control, reducing their impact on secure score.
Across 120 subscriptions, small posture changes, new resources, or control/recommendation reclassification can aggregate into a noticeable drop from 60 → 54 → 52 → 48 even if one specific recommendation (like “System cumulative update”) improved.
- Strategy to improve secure score across all subscriptions
Defender for Cloud guidance for the classic secure score model:
- Focus on security controls, not individual recommendations. Each control is a logical group of related recommendations representing an attack surface (for example, “Remediate vulnerabilities”).
- To get the full points for a control, all resources must comply with all recommendations in that control. Partial remediation (for example, fixing only some recommendations or only some resources) yields only partial score.
- Recommended approach at scale:
  - Identify the controls with the highest Max score and largest Potential score increase; these represent the biggest posture and score gains.
  - Use the Fix option where available to remediate a recommendation on multiple resources at once.
  - Use Enforce (automatic remediation of non‑compliant resources as they are created or updated, through a DeployIfNotExists or Modify policy effect) or Deny (blocking creation of non‑compliant resources) across subscriptions. Assign at management group scope where possible so one assignment covers all subscriptions. This is the primary way to drive consistent posture across a large environment.
This control‑first, policy‑driven approach scales better than treating each subscription independently.
- Relation to the updated Secure Score model in the XDR (Defender) portal
- There are two different secure score models:
  - Cloud Secure Score (risk‑based) in the Microsoft Defender portal (XDR experience).
  - Classic Secure Score in the Azure portal.
- These models are completely different, with different calculations and values. Changes in the new Cloud Secure Score model do not change the classic secure score calculation itself.
- If comparing or mixing numbers from the Defender portal and Azure portal, they will not match by design. Ensure that the observed drop (60 → 48) is being tracked consistently within the same model (classic secure score in Azure portal) when analyzing fluctuations.
- What to verify
Within the constraints of the classic secure score model and the provided documentation, the following should be checked:
- Control‑level scores:
  - For each high‑impact control (high Max score), compare Current score and Potential score increase over time.
  - Look for controls where the Current score has dropped or Potential score increase has grown; these are the sources of the overall decline.
- Recommendation classification and movement:
  - Confirm whether any recommendations have moved into Implement security best practices (worth 0 points) or have been deprecated. Release notes show that such moves directly affect secure score.
  - Check whether any recommendations have become Preview (no score impact) or moved out of Preview.
- Resource posture changes:
  - New resources onboarded without required configurations increase the number of unhealthy resources in a control. Because Score per resource is the control's Max score divided by all of its resources, this also lowers the value of every healthy resource in that control, so the control's score can fall even if existing resources improved.
- Assessment timing:
  - Because recommendations and controls refresh on different schedules, verify whether the apparent drop aligns with control recalculation cycles across subscriptions.
- Tracing which change caused a score decrease or increase
- Defender for Cloud exposes the secure score at the control level, with:
  - Max score
  - Current score
  - Potential score increase
- By reviewing these fields per control over time, it is possible to identify which controls contributed to a score change. The same fields are queryable in Azure Resource Graph (securityresources table, type microsoft.security/securescores/securescorecontrols), so periodic snapshots can be exported and compared across all subscriptions.
- Within a control, the UI shows the underlying recommendations and their healthy/unhealthy resource counts. Comparing these over time highlights which recommendations and resources changed posture.
- The documentation does not describe a dedicated “secure score change log” that pinpoints a single recommendation as the cause of a specific score delta. Instead, the supported method is to:
  - Track control‑level scores and potential score increases.
  - Drill into recommendations within those controls to see which ones have changed health or classification.
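The control arithmetic from the causes section, the prioritization step from the strategy section, and the control-by-control comparison described here, as one added worked example (not Microsoft code, and not output from a real tenant). Control names and Max score values follow the classic model; the healthy/unhealthy counts, the two snapshots, and the overall aggregation rule (sum of Current scores over sum of Max scores, shown as a percentage, with controls that apply to no resources left out) are constructed assumptions for illustration:

```python
"""Classic Defender for Cloud secure score arithmetic on two constructed snapshots.

Added example; not Microsoft code. Every resource count below is invented.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlSnapshot:
    """One security control as shown on the classic secure score page at one point in time."""
    name: str
    max_score: float
    healthy: int
    unhealthy: int

    @property
    def total(self) -> int:
        return self.healthy + self.unhealthy

    @property
    def score_per_resource(self) -> float:
        # The control's Max score is spread evenly over every resource it applies to,
        # so onboarding unhealthy resources dilutes the value of each healthy one.
        return self.max_score / self.total if self.total else 0.0

    @property
    def current_score(self) -> float:
        # Current score = Score per resource x Number of healthy resources
        return self.score_per_resource * self.healthy

    @property
    def potential_increase(self) -> float:
        # Potential score increase = Score per resource x Number of unhealthy resources
        return self.score_per_resource * self.unhealthy


def secure_score(controls) -> float:
    """Overall score as a percentage: sum of Current scores over sum of Max scores.

    Assumption for this example: a control with no applicable resources is left out
    of both sums, so it neither adds nor removes points.
    """
    applicable = [c for c in controls if c.total]
    max_total = sum(c.max_score for c in applicable)
    if not max_total:
        return 0.0
    return 100.0 * sum(c.current_score for c in applicable) / max_total


def prioritize(controls):
    """Controls ordered by Potential score increase, largest first (ties: higher Max score, then name)."""
    return sorted(controls, key=lambda c: (-c.potential_increase, -c.max_score, c.name))


def _max_total(controls) -> float:
    return sum(c.max_score for c in controls if c.total)


def attribute_change(before, after) -> dict:
    """Explain an overall move between two snapshots control by control.

    Returns the per-control change in Current score (points), the change in the
    Max score denominator, and controls that appeared or disappeared (newly
    applicable or deprecated controls move the denominator without any
    resource changing state).
    """
    b = {c.name: c for c in before}
    a = {c.name: c for c in after}
    deltas = {
        name: (a[name].current_score if name in a else 0.0)
        - (b[name].current_score if name in b else 0.0)
        for name in sorted(set(a) | set(b))
    }
    return {
        "before_pct": secure_score(before),
        "after_pct": secure_score(after),
        "current_delta": deltas,
        "max_total_delta": _max_total(after) - _max_total(before),
        "added_controls": sorted(set(a) - set(b)),
        "removed_controls": sorted(set(b) - set(a)),
    }


# Constructed snapshots of one subscription, one recalculation cycle apart.
BEFORE = [
    ControlSnapshot("Enable MFA", 10, healthy=8, unhealthy=2),                # 1.0/resource -> 8.0
    ControlSnapshot("Apply system updates", 6, healthy=50, unhealthy=50),     # 0.06/resource -> 3.0
    ControlSnapshot("Secure management ports", 8, healthy=20, unhealthy=20),  # 0.2/resource -> 4.0
    ControlSnapshot("Implement security best practices", 0, healthy=10, unhealthy=30),  # always 0
]
AFTER = [
    ControlSnapshot("Enable MFA", 10, healthy=8, unhealthy=2),                # unchanged
    ControlSnapshot("Apply system updates", 6, healthy=60, unhealthy=40),     # ten VMs patched -> 3.6
    ControlSnapshot("Secure management ports", 8, healthy=20, unhealthy=60),  # 40 new VMs, ports open -> 2.0
    ControlSnapshot("Implement security best practices", 0, healthy=10, unhealthy=30),
    ControlSnapshot("Protect applications against DDoS attacks", 2, healthy=0, unhealthy=4),  # newly applicable
]

if __name__ == "__main__":
    report = attribute_change(BEFORE, AFTER)
    print(f"secure score {report['before_pct']:.1f}% -> {report['after_pct']:.1f}%")
    for name, delta in report["current_delta"].items():
        print(f"  {name:45s} {delta:+.2f} points")
    print(f"  Max score denominator changed by {report['max_total_delta']:+.1f}")
    print("next controls to remediate, by Potential score increase:")
    for c in prioritize(AFTER):
        print(f"  {c.name:45s} +{c.potential_increase:.2f} possible")
```

On real data the inputs would be the per-control healthy/unhealthy counts exported on two dates (for example from Azure Resource Graph) for each of the 120 subscriptions. The constructed sample reproduces the pattern in the question: Apply system updates improves by 0.6 points, yet the overall figure falls from 62.5% to about 52.3%, because the 40 newly onboarded VMs with open management ports halve the Score per resource of Secure management ports (a 2.0‑point loss) and a newly applicable control adds 2 points of Max score to the denominator without adding any Current score. The prioritized list then puts Secure management ports first, where Deny or Enforce on the management-port recommendation would stop the same drop recurring.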
Stabilizing and improving secure score across 120 subscriptions therefore relies on:
- Prioritizing high‑impact controls and fully remediating all recommendations within them.
- Using Fix, Enforce, and Deny to apply and maintain posture consistently.
- Monitoring control‑level scores and release‑note changes (such as recommendation moves or deprecations) that affect how points are allocated.