Microsoft is expanding how Microsoft Secure Score surfaces identity hygiene recommendations by adding new improvement actions tied to Microsoft Defender for Identity — a move that folds on‑premises Active Directory posture checks directly into the Secure Score experience and gives security teams clearer, prioritized actions for reducing identity risk. The change adds posture assessments such as identifying privileged or inactive service accounts, flagging discovered passwords in AD attributes, and surfacing configuration items like Entra Seamless SSO that increase attack surface; Microsoft’s product pages and message‑center updates already list several of these assessments and the Defender for Identity console now ingests Entra risk data to improve detection context.
Background: Secure Score, Defender for Identity, and why this matters now
Microsoft Secure Score is the unified, numerical metric in Microsoft 365 that tracks how well an organization has implemented recommended security controls across services — from Entra ID and Exchange Online to Defender product lines. Secure Score’s value is in converting defensive posture into prioritized improvement actions that administrators can implement to raise their score and, importantly, reduce real-world risk. Microsoft has been steadily broadening which controls feed into Secure Score, and the latest Defender for Identity additions bring on‑premises identity hygiene firmly into that prioritization engine.

Microsoft Defender for Identity (formerly Azure ATP) monitors Active Directory traffic, analyzes identity behavior, and detects lateral‑movement and credential abuse on hybrid estates. Integrating Defender for Identity posture checks as Secure Score improvement actions closes an operational loop: detection and threat telemetry on one hand, prescriptive posture remediation on the other. That alignment matters because identity compromise is consistently the top root cause of enterprise breaches — attackers target stale service accounts, weak or leaked credentials, and misconfigured SSO paths to escalate and move laterally. Microsoft has also begun exposing Microsoft Entra ID risk level data in Defender for Identity to improve correlation and investigation context.
What’s being added to Secure Score via Defender for Identity
Microsoft’s service updates and message‑center notices show Defender for Identity posture recommendations are being surfaced as Secure Score improvement actions when a Defender for Identity sensor is deployed. Key items listed in official product updates and message summaries include:
- Remove inactive (stale) service accounts — listings of AD service accounts with no activity in the last 90 days to help reduce unused credentials.
- Remove discovered passwords in Active Directory account attributes — detection of plaintext or discovered passwords stored in attributes that can be abused.
- Identify privileged service accounts and accounts with elevated AD permissions (replication rights that allow DCSync, membership in AdminSDHolder‑protected groups, local admin on identity servers) for targeted remediation.
- Sensor posture checks — improvement actions to install Defender for Identity sensors on critical identity infrastructure (AD CS, Entra Connect, AD FS) and to rotate service‑account passwords where they are not rotated automatically. Standalone and group Managed Service Accounts (sMSA/gMSA) already have their passwords rotated by the domain; the accounts to watch are conventional user accounts used as service or connector accounts, whose passwords change only when someone changes them.
- Configuration items such as Entra Seamless SSO — surfacing Seamless SSO as a potential posture risk and recommending disabling it where it increases exposure. (This appears in vendor messaging summarizing posture coverage.) Before disabling it, check what the finding actually asks for: Microsoft’s standing guidance for Seamless SSO is to roll over the Kerberos decryption key of the AZUREADSSOACC computer account at least every 30 days, and a stale key is the more common exposure. A key rollover does not break sign‑in the way removing Seamless SSO does.
- Operational APIs and automation — a new Graph‑based API in preview to execute response actions from Defender for Identity (useful for automating remediation tied to Secure Score actions).
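As an added, read‑only worked example (not code from Microsoft or from the Petri article), the following PowerShell reproduces the first two findings locally so an admin can see what the Secure Score actions will surface before they reach the tenant: enabled SPN‑bearing accounts that have not logged on within the threshold, and free‑text attributes that contain password‑looking strings. It assumes the RSAT ActiveDirectory module on a domain‑joined host with read access, and that "has an SPN" is an acceptable proxy for "service account" (Microsoft's own classifier is not published in the article). The 90‑day threshold is the article's figure, exposed as a parameter.

```powershell
# Added example: read-only triage for the two Defender for Identity findings above.
# Assumes RSAT ActiveDirectory; "service account" == enabled user with an SPN (an assumption).
Import-Module ActiveDirectory

function Get-StaleServiceAccount {
    [CmdletBinding()]
    param(
        [int]$InactiveDays = 90,                                   # threshold from the article
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    $privileged = '^CN=(Domain Admins|Enterprise Admins|Administrators|Account Operators|Backup Operators|Server Operators),'
    # Enabled users with at least one SPN: reachable via Kerberos, therefore Kerberoastable
    Get-ADUser -SearchBase $SearchBase -Properties servicePrincipalName, lastLogonTimestamp, pwdLastSet, memberOf `
        -LDAPFilter '(&(servicePrincipalName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' |
    ForEach-Object {
        # lastLogonTimestamp replicates with up to 14 days of slack, so it is fine for "stale"
        # but not for "exact last use"; a missing value means the account has never logged on.
        $lastLogon = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { $null }
        if ($null -eq $lastLogon -or $lastLogon -lt $cutoff) {
            [pscustomobject]@{
                SamAccountName   = $_.SamAccountName
                LastLogon        = $lastLogon
                PasswordLastSet  = [DateTime]::FromFileTime($_.pwdLastSet)
                SpnCount         = @($_.servicePrincipalName).Count
                PrivilegedGroups = @($_.memberOf | Where-Object { $_ -match $privileged })
            }
        }
    }
}

function Find-CredentialInAdAttribute {
    [CmdletBinding()]
    param(
        [string[]]$Attribute = @('description', 'info', 'comment'),   # free-text fields people misuse
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    # Matches "password: hunter2", "pwd=...", "Secret is ..."; tune to local conventions
    $pattern = '(?i)\b(pass(word|wd|phrase)?|pwd|secret|credentials?)\b\s*(is|[:=])\s*\S{4,}'
    Get-ADObject -SearchBase $SearchBase -LDAPFilter '(|(objectClass=user)(objectClass=group))' -Properties $Attribute |
    ForEach-Object {
        $obj = $_
        foreach ($name in $Attribute) {
            $value = [string](@($obj.$name) -join ' ')
            if ($value -and $value -match $pattern) {
                [pscustomobject]@{
                    DistinguishedName = $obj.DistinguishedName
                    Attribute         = $name
                    # Never write the secret itself into the report or the ticket
                    Redacted          = [regex]::Replace($value, $pattern, '$1 [redacted]')
                }
            }
        }
    }
}

# Usage (read-only):
# Get-StaleServiceAccount -InactiveDays 90 | Sort-Object LastLogon | Export-Csv .\stale-svc.csv -NoTypeInformation
# Find-CredentialInAdAttribute | Format-Table -AutoSize
```

The inventory deliberately keeps `PrivilegedGroups` next to `LastLogon`: a stale account that is also in Domain Admins is the one to remediate first, which is the same prioritization the Secure Score action is meant to give you. The attribute scan redacts the matched value in its output because the report itself tends to end up in tickets and chat.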
Timeline and rollout: confirmed items versus one‑off reports
Several Microsoft Learn pages and Message Center summaries published earlier in 2025 already document the new Defender for Identity posture assessments (for example, the “Remove inactive service accounts” assessment and Entra ID risk integration), and some Message Center entries showed staged rollouts earlier in the year tied to sensor‑dependent features.

Independent industry trackers and Microsoft Tech Community posts also recorded phased rollouts of posture recommendations throughout 2025. However, some secondary reports and third‑party writeups have quoted different timelines for when the recommendations will appear as Secure Score improvement actions — ranges in public reporting vary from spring 2025 rollouts to late‑Q3/early‑Q4 deployment windows. Where timelines differ, Microsoft’s product pages and Message Center remain the authoritative source. At the time of this article’s publication, the specific claim that the new Secure Score actions will enter public preview “mid‑November 2025” and reach general availability “late November 2025” was not corroborated by Microsoft’s currently published documentation; those calendar specifics should be treated as unconfirmed until Microsoft issues a Message Center post or an update to the Defender for Identity “What’s new” notice.
(Short version: the features and posture assessments are real and in Microsoft’s rollout plan; exact calendar dates reported by some outlets differ from Microsoft’s official guidance and must be validated in the Microsoft 365 admin center or Message Center for each tenant.)
Why this change is meaningful for security teams
Bringing Defender for Identity posture checks into Secure Score delivers three practical benefits for enterprise defenders:
- Action prioritization with identity context. Secure Score turns raw observations into a ranked list of improvement tasks; adding identity hygiene items means teams can prioritize stale‑account removals or service‑account hardening alongside cloud controls. This helps reduce attack surface where attackers are most likely to gain persistence.
- Cross‑product alignment. When detection telemetry (Defender for Identity alerts and Entra risk signals) and posture remediation live in the same scoring and reporting surface, SOCs and admin teams share a common playbook and can reduce the time between detection and closure. Microsoft’s Defender for Identity now includes near‑real‑time Entra ID risk data to improve correlation.
- Operational automation potential. The Graph‑based API for response actions allows organizations to build automation against Secure Score items (for example, flagging an inactive account and invoking a remediation runbook), bringing measurable, repeatable improvement into the control cycle.
Critical analysis: strengths and operational risks
Strengths (what to like)
- Tangible, prioritized identity hygiene: Rather than alert fatigue, admins get prescriptive, graded tasks — remove inactive service accounts, rotate gMSA passwords, or remediate discovered AD passwords — all of which map directly to attacker techniques. This makes planning remediation cycles practical and measurable.
- Hybrid‑aware posture management: Defender for Identity looks at on‑prem AD signals; surfacing these as Secure Score actions closes the visibility gap between cloud identity best practices and on‑prem identity hygiene.
- Investments in automation and telemetry: Graph APIs for response actions and the exposure of Entra risk levels to Defender for Identity improve the fidelity of automated playbooks and hunting use cases.
Risks and limitations (what to watch)
- False positives and business disruption risk: Automated or blanket remediations (for example, disabling Seamless SSO or removing accounts marked “inactive”) can break legacy automation, service integrations, or vendor tooling that relies on older authentication flows. Any recommendation that disables a capability should be staged and validated in a test tenant or pilot.
- Administrative overhead and alert churn: Introducing new improvement actions can increase the backlog of items for infosec and IT teams. Without clear ownership and runbooks, recommended actions may be ignored, or worse, executed incorrectly. Secure operational processes are needed to coordinate remediation.
- Overreliance on a single vendor metric: Secure Score is a valuable prioritization tool, but it is not a substitute for risk‑based decisioning that factors business criticality, access patterns, and compensating controls. Treat Secure Score actions as recommended inputs — not an absolute mandate.
- Timing ambiguity in public reporting: As demonstrated by differing publication dates across vendors and tech blogs, calendar claims (e.g., “preview mid‑November 2025”) must be validated in each tenant’s Message Center. Admins should not assume a universal tenant‑wide date without confirming via Microsoft 365 admin notifications.
How to prepare your organization — a practical checklist
Security leaders and identity teams should take the following steps to ensure a safe, low‑friction adoption of Secure Score improvement actions from Defender for Identity:
- Inventory and map
  - Inventory all service accounts, gMSAs and sMSAs, and map which applications and automation pipelines rely on them.
  - Tag service accounts used by CI/CD, backup systems, or third‑party apps to avoid accidental removal.
- Stage and pilot
  - Create a staging tenant or pilot boundary where the Defender for Identity Secure Score actions can be observed without changing production configurations.
  - Test remediation steps end‑to‑end (for example, rotate a staging gMSA password and validate dependent services).
- Harden and migrate
  - Migrate user‑run automation to managed identities or service principals where possible.
  - Replace legacy authentication flows with modern authentication (MSAL / Microsoft Graph): legacy protocols cannot complete MFA and are the usual gap in Conditional Access coverage.
- Tune detection and SIEM
  - Forward Defender for Identity and Entra logs to your SIEM and add hunts for service‑account activity, secret discovery indicators, and suspicious admin writes. Microsoft exposes Entra ID risk level to Defender for Identity for correlation — use that in your hunts.
- Update runbooks, not just the score
  - Author remediation runbooks with rollback steps and test them. Include business owners in the approval flow for any account change that could impact services.
- Communicate and train
  - Notify identity owners and application teams about potential changes. Provide a 30/60/90‑day timeline for staged remediation and support windows.
- Monitor Secure Score but prioritize risk
  - Use Secure Score as a tracker, but apply risk‑based weighting: remediation that removes a high‑privilege exposure in a production core system should take precedence over low‑impact housekeeping tasks.
Operational playbook (30/60/90 days)
- First 30 days
  - Deploy or validate Defender for Identity sensors on identity infrastructure components (Domain Controllers, ADFS, Entra Connect, ADCS where applicable) in a pilot scope.
  - Run an inventory of service accounts and mark “known good” vs “unknown” for each account.
  - Configure log forwarding so Defender for Identity telemetry is available in your SIEM.
- Next 30 days (days 31–60)
  - Execute a pilot removal/rotation for non‑critical inactive service accounts and verify application resilience.
  - Start remediating discovered AD‑attribute passwords in test environments.
  - Build automation for routine remediations via the Graph response actions preview where available.
- Days 61–90
  - Roll out validated remediations to production in staged waves with rollback playbooks.
  - Retire legacy authentication protocols where feasible and migrate scripts/automation to managed identities or Microsoft Graph.
  - Review Secure Score trends to measure effectiveness and adapt policy priorities.
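The "stage and pilot", "update runbooks" and "roll out in staged waves with rollback playbooks" items above all reduce to the same mechanic, so here is one added example (not Microsoft's or the article's code) that implements it: disable inactive service accounts in small waves, record each account's prior state in a JSON rollback file before touching it, and restore from that file if a dependent service breaks. Disabling first and deleting only after a quarantine period is the safe reading of "remove" here, because a disabled account can be re‑enabled in seconds while a deleted one cannot. It assumes the RSAT ActiveDirectory module and a hypothetical AD group named `SvcAccount-KnownGood` that carries the "known good" tag from the inventory step; both the group name and the ticket identifier format are placeholders.

```powershell
# Added example: staged "disable first, delete later" remediation with an exact rollback
# record. Not Microsoft's or the article's code. Assumptions: RSAT ActiveDirectory, and a
# hypothetical AD group 'SvcAccount-KnownGood' holding accounts automation must never touch.
Import-Module ActiveDirectory

function Disable-StaleServiceAccountWave {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string[]]$SamAccountName,
        [int]$WaveSize = 10,                                  # small waves: bounded blast radius per change window
        [string]$ExclusionGroup = 'SvcAccount-KnownGood',     # hypothetical name
        [string]$TicketId = 'CHG-0000',                       # change record stamped on the account
        [string]$RollbackPath = ".\stale-svc-wave-$(Get-Date -Format yyyyMMdd-HHmmss).json"
    )
    begin {
        $excluded = @(Get-ADGroupMember -Identity $ExclusionGroup -Recursive | Select-Object -ExpandProperty SamAccountName)
        $queue = @()
    }
    process { $queue += $SamAccountName }
    end {
        $wave = $queue | Where-Object { $_ -notin $excluded } | Select-Object -Unique | Select-Object -First $WaveSize
        $record = foreach ($sam in $wave) {
            $u = Get-ADUser -Identity $sam -Properties Description, MemberOf
            if (-not $u.Enabled) { continue }                 # already off; nothing to record
            if ($PSCmdlet.ShouldProcess($sam, "Disable stale service account ($TicketId)")) {
                # Capture state BEFORE the change so the rollback is exact
                [pscustomobject]@{
                    SamAccountName = $u.SamAccountName
                    Description    = $u.Description
                    MemberOf       = @($u.MemberOf)          # kept for the later delete step, which would need it
                    DisabledAt     = (Get-Date).ToString('o')
                    TicketId       = $TicketId
                }
                Set-ADUser -Identity $sam -Enabled $false `
                    -Description "DISABLED $TicketId $(Get-Date -Format yyyy-MM-dd); prior: $($u.Description)"
            }
        }
        if ($record) {
            ConvertTo-Json -InputObject @($record) -Depth 4 | Set-Content -Path $RollbackPath -Encoding UTF8
            Write-Verbose "Rollback record for $(@($record).Count) account(s) written to $RollbackPath"
        }
        $record
    }
}

function Restore-StaleServiceAccountWave {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$RollbackPath)
    foreach ($entry in @(Get-Content -Path $RollbackPath -Raw | ConvertFrom-Json)) {
        if ($PSCmdlet.ShouldProcess($entry.SamAccountName, "Re-enable from $RollbackPath")) {
            # The disable wave never changed group membership, so only state and description return
            Set-ADUser -Identity $entry.SamAccountName -Enabled $true -Description $entry.Description
        }
    }
}

# Usage: dry run, then a five-account wave, then roll back if a dependent service breaks
# Import-Csv .\stale-svc.csv | Disable-StaleServiceAccountWave -WhatIf
# Import-Csv .\stale-svc.csv | Disable-StaleServiceAccountWave -WaveSize 5 -TicketId CHG-1234 -Confirm:$false
# Restore-StaleServiceAccountWave -RollbackPath .\stale-svc-wave-20250101-090000.json
```

Two design points carry over to whatever tooling you actually use: the rollback record is written from the state read before the change, not reconstructed afterwards, and the exclusion list is checked inside the function rather than trusted from the input file, so a stale export cannot disable an account that was tagged "known good" after the export was taken.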
Detection and hunting guidance for SOC teams
Defender for Identity’s integration of Entra risk level and the IdentityInfo table in Advanced Hunting provides SOCs with immediate benefits for hunting and triage. Practical SOC steps include:
- Use the IdentityInfo table and the exposed Entra ID risk level as correlation fields for high‑value accounts; prioritize investigation when Entra risk and Defender for Identity detections co‑occur.
- Hunt for administrative changes initiated by service principals or unusual service‑originated actions (these often precede persistence or privilege escalation). Create SIEM rules to escalate any write operations that add a Global Admin, create new app credentials, or rotate service principal secrets.
- Monitor for signs of credential discovery and exfiltration: discovered passwords in AD attributes are a specific indicator that should generate high‑priority alerts. Remediate and rotate any affected credentials immediately.
- Where possible, automate containment steps (e.g., temporarily disable a compromised service account) but ensure that automation requires human approval for high‑impact identities.
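As an added example (not Microsoft's or the article's code), the following PowerShell implements two of the hunts above: Defender for Identity alerts joined to IdentityInfo through the Advanced Hunting API (`POST /security/runHuntingQuery`), and privileged Entra writes pulled from the directory audit log with service‑principal‑initiated changes flagged for escalation. It assumes the Microsoft.Graph PowerShell SDK and a signed‑in identity holding `ThreatHunting.Read.All`, `AuditLog.Read.All` and `Directory.Read.All`. The IdentityInfo column that carries the Entra risk level is deliberately not named here, because the article does not state it; add it from your tenant's schema reference at the marked line.

```powershell
# Added example: two SOC hunts on the signals discussed above. Not Microsoft's or the article's code.
# Assumptions: Microsoft.Graph SDK; ThreatHunting.Read.All + AuditLog.Read.All + Directory.Read.All.
# Connect-MgGraph -Scopes 'ThreatHunting.Read.All','AuditLog.Read.All','Directory.Read.All'
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Reports

function Invoke-XdrHuntingQuery {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Query)
    # Response shape: { schema: [...], results: [ { column: value, ... }, ... ] }
    $resp = Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
                -Body @{ Query = $Query } -ContentType 'application/json'
    foreach ($row in $resp.results) { [pscustomobject]$row }   # rows arrive as hashtables
}

function Get-MdiAlertedIdentity {
    [CmdletBinding()]
    param([int]$LookbackDays = 7)
    $kql = @"
AlertInfo
| where Timestamp > ago(${LookbackDays}d) and ServiceSource == "Microsoft Defender for Identity"
| join kind=inner (AlertEvidence | where EntityType == "User" and isnotempty(AccountObjectId)) on AlertId
| summarize Alerts = dcount(AlertId), Titles = make_set(Title, 10), LastSeen = max(Timestamp)
    by AccountObjectId, AccountUpn
| join kind=leftouter (IdentityInfo
    | summarize arg_max(Timestamp, *) by AccountObjectId
    | project AccountObjectId, AssignedRoles, Tags, CriticalityLevel
    // add the Entra risk-level column here once confirmed in your tenant's schema reference
  ) on AccountObjectId
| extend Priority = case(array_length(AssignedRoles) > 0, "P1", Alerts >= 2, "P2", "P3")
| project Priority, AccountUpn, Alerts, Titles, AssignedRoles, Tags, CriticalityLevel, LastSeen
| order by Priority asc, LastSeen desc
"@
    Invoke-XdrHuntingQuery -Query $kql
}

function Get-PrivilegedDirectoryWrite {
    [CmdletBinding()]
    param([int]$Hours = 24)
    $since = (Get-Date).ToUniversalTime().AddHours(-$Hours).ToString('yyyy-MM-ddTHH:mm:ssZ')
    # Activity names exactly as Entra writes them to the directory audit log
    $watch = @('Add member to role', 'Add service principal credentials',
               'Update application – Certificates and secrets management')
    $filter = "activityDateTime ge $since and (" +
              (($watch | ForEach-Object { "activityDisplayName eq '$_'" }) -join ' or ') + ')'
    Get-MgAuditLogDirectoryAudit -Filter $filter -All | ForEach-Object {
        $e = $_
        # Role.DisplayName is stored JSON-encoded, e.g. "\"Global Administrator\""
        $roleAdded = ($e.TargetResources.ModifiedProperties |
                      Where-Object { $_.DisplayName -eq 'Role.DisplayName' }).NewValue -replace '"'
        $byApp = [bool]$e.InitiatedBy.App.DisplayName
        $initiator = if ($byApp) { "app:$($e.InitiatedBy.App.DisplayName)" } else { $e.InitiatedBy.User.UserPrincipalName }
        [pscustomobject]@{
            When        = $e.ActivityDateTime
            Activity    = $e.ActivityDisplayName
            InitiatedBy = $initiator
            Target      = ($e.TargetResources | Select-Object -First 1).DisplayName
            RoleAdded   = $roleAdded
            # Escalate Global Admin grants and any privileged write a service principal made on its own
            Escalate    = ($roleAdded -eq 'Global Administrator') -or $byApp
            Result      = $e.Result
        }
    }
}

# Usage:
# Get-MdiAlertedIdentity -LookbackDays 7 | Format-Table Priority, AccountUpn, Alerts, AssignedRoles
# Get-PrivilegedDirectoryWrite -Hours 24 | Where-Object Escalate | Format-Table When, Activity, InitiatedBy, Target, RoleAdded
```

The hunting query ranks an alerted account "P1" on the strength of its assigned Entra roles alone; once the risk‑level column is in place, the same `case()` is where "Entra risk and Defender for Identity detections co‑occur" becomes a one‑line condition. The audit‑log function treats any app‑initiated write in the watched set as escalation‑worthy, which is the operational form of "changes initiated by service principals often precede persistence".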
Compliance and governance implications
- Document all remediation actions tied to Secure Score improvements. Keep an auditable trail of who removed or rotated which account and why.
- For regulated environments, coordinate identity‑hygiene remediation with legal, compliance, and business units before sweeping changes (especially when disabling Seamless SSO or changing gMSA passwords).
- Incorporate Secure Score improvement actions into periodic audits and risk reviews; show measurable score improvements alongside evidence of reduced attack surface.
Final judgment: practical benefits with operational caveats
The extension of Microsoft Secure Score to include Defender for Identity posture recommendations is a practical and overdue enhancement: it aligns on‑premises identity hygiene with cloud posture management, provides tangible, prioritized remediation tasks, and enables SOCs to close the loop between detection and remediation. Microsoft’s product pages already show concrete items like the “Remove inactive service accounts” assessment and the exposure of Entra risk level in Defender for Identity, while Message Center summaries and community posts provide rollout context.

At the same time, organizations must treat these recommendations as operational inputs rather than unilateral mandates. Staged pilots, clear ownership, robust runbooks, and stakeholder communication are essential to avoid accidental outages or broken automation when remediations are applied at scale. Finally, any public reporting of specific GA or preview calendar dates that fall outside Microsoft’s Message Center notifications should be validated in the admin center before planning enforcement schedules.
Microsoft’s move makes it materially easier for organizations to find and prioritize identity risks that often underpin large breaches. The technical capability is already present in Defender for Identity and Secure Score; the next step for enterprises is to operationalize remediation responsibly — stage, test, automate, and measure — so identity hardening actually reduces risk without disrupting the business.
Source: Petri IT Knowledgebase Microsoft Defender for Identity to Get New Secure Score Recommendations