
Secure Future Initiative reveals Microsoft staff focus | Computer Weekly

By Computer Weekly
April 22, 2025


Every Microsoft employee now has a metric dubbed “Security Core Priority” tied directly to performance reviews. This is among the changes the software giant has put in place to enforce security internally. 

In a blog post outlining the steps the company has taken to harden internal security, Charles Bell, executive vice-president of Microsoft Security, wrote: “We want every person at Microsoft to understand their role in keeping our customers safe and to have the tools to act on that responsibility.”

He said 50,000 employees have participated in the Microsoft Security Academy to improve their security skills and that 99% of employees have completed the company’s Security Foundations and Trust Code courses.

In May 2024, Microsoft introduced a governance structure to improve risk visibility and accountability. Since then, Bell said Microsoft has appointed a deputy chief information security officer (CISO) for business applications and consolidated responsibility across its Microsoft 365 and Experiences and Devices divisions. “All 14 Deputy CISOs across Microsoft have completed a risk inventory and prioritisation,” he said, adding that this creates a shared view of enterprise-wide security risk.

Bell said new policies, behavioural-based detection models and investigation methods have helped to thwart $4bn in fraud attempts.

One use of modelling is to prevent an attacker who has gained access to one system from moving on to other systems inside the company network. Microsoft said that modelling IT assets as a graph reveals unknown vulnerabilities and classes of known issues that need to be mitigated to reduce what it describes as “lateral movement vectors”.
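To make the graph idea concrete, here is an added example (not Microsoft's tooling and not from its report) that models assets as a directed graph, lists which entry points can still reach high-value systems, and ranks the intermediate assets whose isolation cuts the most paths. The asset names, edges, and the `ENTRY_POINTS` and `CROWN_JEWELS` lists are constructed for illustration.

```python
from collections import deque

# Constructed sample data: edge (a, b) means a foothold on a can reach b
# (cached admin credential, open management port, shared service account).
EDGES = [("laptop-17", "file-srv"), ("laptop-17", "jump-host"),
         ("kiosk-03", "file-srv"), ("file-srv", "jump-host"),
         ("jump-host", "build-srv"), ("jump-host", "db-prod"),
         ("build-srv", "signing-svc")]
ENTRY_POINTS = ["kiosk-03", "laptop-17"]
CROWN_JEWELS = ["db-prod", "signing-svc"]

def build_graph(edges, removed=None):
    """Adjacency map, optionally with one asset and its edges taken out."""
    graph = {}
    for src, dst in edges:
        if removed not in (src, dst):
            graph.setdefault(src, set()).add(dst)
            graph.setdefault(dst, set())
    return graph

def shortest_path(graph, start, goal):
    """Breadth-first search; returns the hop list, or None if unreachable."""
    seen, queue = {start}, deque([[start]])
    while queue:
        path = queue.popleft()
        if path[-1] == goal:
            return path
        for nxt in sorted(graph.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def exposed_pairs(edges, removed=None):
    """Each (entry, crown jewel) pair that is still connected, with its path."""
    graph = build_graph(edges, removed)
    paths = {(e, t): shortest_path(graph, e, t)
             for e in ENTRY_POINTS for t in CROWN_JEWELS}
    return {pair: p for pair, p in paths.items() if p}

def choke_points(edges):
    """Rank intermediate assets by how many exposed pairs isolating them cuts."""
    baseline = len(exposed_pairs(edges))
    middle = build_graph(edges).keys() - set(ENTRY_POINTS) - set(CROWN_JEWELS)
    scores = [(baseline - len(exposed_pairs(edges, a)), a) for a in middle]
    return sorted(scores, key=lambda s: (-s[0], s[1]))

if __name__ == "__main__":
    print(exposed_pairs(EDGES))
    print(choke_points(EDGES))
```

On this sample, `jump-host` sits on every path to a high-value system, so it is the first candidate for segmentation or tighter access control.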

According to its April 2025 progress report, Microsoft has made “significant” steps in adopting a standard software development kit (SDK) for identity and ensuring 100% of user accounts are resistant to multi-factor authentication (MFA) phishing attacks. However, among the areas it’s still working on is protection of cryptographic signing keys and quantum-safe public key infrastructure (PKI).

To protect high-risk production systems, Microsoft said that in November 2024, it moved 28,000 high-risk users, working on sensitive workflows, to a locked-down Azure Virtual Desktop infrastructure, and is working to improve the user experience for these endpoints.

Regarding network protection, the report shows that the company is working on implementing network micro-segmentation by reimplementing access control lists.

“Currently, 20% of first-party IPs [internet protocol addresses] are tagged and 93% of first-party services have established plans for allocating IPs from tagged ranges and provisioning IP capacity,” Microsoft said.

It added that it’s also introducing new capabilities to help customers isolate and secure their network resources. These include Network Security Perimeter, DNS Security Extensions and Azure Bastion Premium private-only mode.

In terms of its internal software development practices, Microsoft said it’s been driving four standards to help ensure open source software (OSS) used in its production environments is sourced from governed internal feeds and free of known critical and high-severity public vulnerabilities.

In the report, Microsoft said Component Governance, a software composition analysis tool that tracks OSS usage and vulnerabilities in OSS, has achieved broad adoption and is enabled by default. It also has an offering called Centralized Feed Service, which provides governed feeds for consuming open-source software. According to Microsoft, this has reached broad adoption.


