The quarterly security review has one slide everybody dreads. Secure Score: 62%. Same as last quarter. Same as the quarter before that. Below the number sits the reason nobody wants to click into: hundreds of Defender for Cloud recommendations spread across a dozen subscriptions, none of them owned by anyone in the room.
The score is not stuck because people are ignoring security. It is stuck because the recommendations arrive as an undifferentiated wall, and a wall is not a workflow.
The Problem: A Score Without a Story
Secure Score compresses your entire posture into one number, which makes it great for slides and poor for decisions. The number tells you where you stand. It cannot tell you whether you are moving, and movement is what reviews actually ask about. The friction is structural:
- Everything is per subscription. Each subscription gets its own score and its own recommendation list. Leadership wants one answer for the environment; producing it means manual aggregation.
- Findings are a snapshot. Defender shows what is unhealthy right now. It does not distinguish the regression that appeared last Tuesday from the finding that has been sitting untouched for a year, and those deserve very different responses.
- Volume defeats triage. A few hundred assessments, mixed across severities and resource types, all rendered with equal urgency. Picking the ten that matter is left to you.
Querying Score and Findings Across Subscriptions
Azure Resource Graph is the honest first step, because it fixes the worst part of the portal experience: it queries every subscription at once. The securityresources table exposes both the scores and the underlying assessments.
Secure Score per subscription:
securityresources
| where type =~ 'microsoft.security/securescores'
| extend current = todouble(properties.score.current),
         maxScore = todouble(properties.score.max)
| project subscriptionId, current, maxScore
| order by current asc
Unhealthy assessments, grouped by severity:
securityresources
| where type =~ 'microsoft.security/assessments'
| extend status = tostring(properties.status.code),
         severity = tostring(properties.metadata.severity),
         displayName = tostring(properties.displayName)
| where status =~ 'Unhealthy'
| summarize findings = count() by severity
Swap the summarize for a project and you have the full worklist, cross-subscription, in one query. That alone beats clicking through Defender's portal blades per subscription.
These queries deserve a place in your toolkit. Now look at what they still leave open:
- It is still a snapshot. Run the query today and next month, and the delta between them is a diff you maintain by hand, in saved CSVs.
- New and stale look identical. Nothing in the result says which findings appeared since the last review and which have been rotting in the list all year.
- The trend line is a spreadsheet. Proving to leadership that remediation work is landing means keeping historical exports and charting them yourself.
- Triage is unassisted. Severity counts do not tell you which subscription regressed this month or which finding keeps reappearing after every deployment.
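The hand-maintained diff this list describes, as an added example that is not part of the original article or of StratoLens. It assumes each review's worklist was saved as CSV from the assessments query with `project id, subscriptionId, severity, displayName` (an assumed column set); every row, id and date below is constructed. It goes one step past a two-file diff by keeping every snapshot, which is what separates a finding open all year from one that keeps coming back.

```python
import csv
import io

# Constructed sample exports (date, CSV text) of the unhealthy-assessment worklist.
# Assumed columns: id, subscriptionId, severity, displayName; ids are shortened stand-ins.
SNAPSHOTS = [
    ("2024-01-15", """id,subscriptionId,severity,displayName
sub-a/st1/assess-01,sub-a,High,Secure transfer to storage accounts should be enabled
sub-a/vm1/assess-02,sub-a,Medium,Management ports should be closed on your virtual machines
"""),
    ("2024-04-15", """id,subscriptionId,severity,displayName
sub-a/st1/assess-01,sub-a,High,Secure transfer to storage accounts should be enabled
sub-b/kv1/assess-03,sub-b,Medium,Key vaults should have purge protection enabled
"""),
    ("2024-07-15", """id,subscriptionId,severity,displayName
sub-a/st1/assess-01,sub-a,High,Secure transfer to storage accounts should be enabled
sub-a/vm1/assess-02,sub-a,Medium,Management ports should be closed on your virtual machines
sub-b/sql1/assess-04,sub-b,High,Auditing on SQL server should be enabled
"""),
]


def load(text):
    """Index one export by assessment id, lower-cased so casing drift does not fake a change."""
    return {row["id"].lower(): row for row in csv.DictReader(io.StringIO(text))}


def track(snapshots):
    """Return (new, resolved, history) for the latest snapshot against the ones before it."""
    parsed = [(date, load(text)) for date, text in sorted(snapshots)]
    history = {}  # finding id -> dates on which it was unhealthy
    for date, rows in parsed:
        for key in rows:
            history.setdefault(key, []).append(date)
    (_, prev), (_, cur) = parsed[-2], parsed[-1]
    new = sorted(cur.keys() - prev.keys())
    resolved = sorted(prev.keys() - cur.keys())
    return new, resolved, history


def stale_and_recurring(snapshots):
    """Split the current worklist into findings open in every snapshot and ones that came back."""
    dates = sorted(date for date, _ in snapshots)
    _, _, history = track(snapshots)
    current = {k: seen for k, seen in history.items() if seen[-1] == dates[-1]}
    stale = sorted(k for k, seen in current.items() if seen == dates)
    recurring = sorted(k for k, seen in current.items()
                       if dates[dates.index(seen[0]):] != seen)
    return stale, recurring
```

In the sample data, assess-02 lands in `new` against the previous export even though it was already open two reviews earlier; only the full history marks it as recurring. A finding also counts as resolved when its resource was deleted, so check `resolved` before crediting it to remediation.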
Tracking Posture Instead of Rerunning Queries
StratoLens ingests your Defender for Cloud findings on its scheduled scans and treats them the way it treats the rest of your infrastructure: as history, not just current state. Against the gaps above:
- One view across every subscription, so the environment-wide answer exists without manual aggregation.
- Change tracking on findings: each scan identifies new alerts and resolved issues, so "what appeared since the last review" is a list, not an investigation.
- Historical trend analysis shows how your posture moves over time, which turns the dreaded flat slide into an actual measurement of whether remediation is working.
- Filter and prioritize by severity, category, or subscription, so the wall of findings becomes a sortable worklist.
All of it runs from within your own Azure tenant. The findings, and the history StratoLens builds from them, stay inside your subscription.
Bring a Trend Line to the Next Review
A stuck score changes the conversation when you can show its trajectory and name what moved it. Start with the Resource Graph queries above and save the results somewhere durable between reviews. If you would rather have the aggregation, the new-versus-resolved delta, and the trend line maintained for you continuously, take a look at Microsoft Defender Integration in StratoLens.