![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(243.2, 1%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENK%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 69%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVD%3C/text%3E%3C/svg%3E)
Thank you for reaching out Please find steps below:
Why Are Apps, Data, and Identity Scores Always 0.0 in Microsoft Graph Secure Scores API
If you're seeing only a Device score while Apps, Data, and Identity scores are 0.0, it's usually due to licensing, configuration, or how the API works.
1. Only Device Services Are Licensed
- The Device score comes from Microsoft Defender for Endpoint, which is commonly used.
- Other categories require separate licenses:
- Identity: Azure AD Premium or Defender for Identity
- Apps: Defender for Cloud Apps
- Data: Microsoft Purview or DLP/Sensitivity Labels
Without these, scores stay at 0.0.
2. Scores Must Be Calculated Manually
The API doesn’t return category scores directly. What you see in averageComparativeScores is just benchmark data.
To get actual scores:
- Sum
scoreandmaxScorefromcontrolScoresby category - Use this formula:\
category_score = (total_score / total_max_score) * 100
If maxScore is missing, fetch it using:
GET /beta/security/secureScoreControlProfiles
3. No Data = No Score
Even with licenses, if no policies or activity exist (e.g., no DLP, no identity protection), the system can't generate scores.
4. Check API Permissions
Ensure your app has:
-
SecurityScore.Read.All -
Security.Read.All(with admin consent)
Also, use the beta endpoint:
https://graph.microsoft.com/beta/security/secureScores
5. Compare with Defender Portal
Check the Microsoft 365 Defender portal to confirm whether scores are visible there. If they are, the API should eventually reflect them.
6. Use secureScoreControlProfiles for More Context
This endpoint provides detailed descriptions of each control, including category, implementation status, and maxScore.
Python Script to Calculate Category Scores
import requests
from collections import defaultdict
# Replace with your actual token
access_token = "YOUR_ACCESS_TOKEN"
headers = {
"Authorization": f"Bearer {access_token}",
"Content-Type": "application/json"
}
# Fetch secure scores
secure_scores_url = "https://graph.microsoft.com/beta/security/secureScores"
response = requests.get(secure_scores_url, headers=headers)
data = response.json()
# Aggregate scores by category
category_scores = defaultdict(lambda: {"score": 0, "maxScore": 0})
for score_entry in data.get("value", []):
for control in score_entry.get("controlScores", []):
category = control.get("controlCategory")
category_scores[category]["score"] += control.get("score", 0)
category_scores[category]["maxScore"] += control.get("maxScore", 0)
# Calculate percentage scores
for category, values in category_scores.items():
score = values["score"]
max_score = values["maxScore"]
percent = (score / max_score * 100) if max_score else 0
print(f"{category}: {percent:.2f}%")
Let us know if the issue persists after following these steps. We’ll be happy to assist further if needed.