This is the Trace Id: 9a4268e5af5e3fb8eb662fa51b0bb121
Secure Future Initiative

November 2025 SFI Progress Report

The Microsoft Secure Future Initiative (SFI) is a continuous commitment to revolutionize the way we design, build, test, and operate our products and services, to achieve the highest security standards.
Download report Download Executive Summary
In our third progress report, we share updates for every area and engineering pillar, introduce mapping to the NIST Cybersecurity Framework to help customers understand progress made using a recognized industry framework, and highlight new security capabilities delivered to customers. We also share best practices and implementation guidance, aligned to Zero Trust principles, to help customers reduce their risk.
We continue to foster a culture that puts security first across the organization.
  • 95% of employees have already completed the latest security training assigned in July 2025 on Guarding Against AI-Powered Attacks, which remains one of our highest-rated courses.
     
  • Engineering sentiment around security has increased by 9 points since February 2024.
     
  • To reinforce a security-first mindset at work and at home, we developed resources for employees and made them available to customers for the first time to improve security awareness.
     
Get actionable guidance and read more about how security is embedded in how we work, how we lead, and how we measure impact in the full report.
"We have made security a core priority for every single employee at Microsoft, not just the security team.”
Vasu Jakkal
CVP, Microsoft Security
We continue to scale our governance model to address the evolving threat landscape and increased regulatory complexity.
  • Expanded the scope of the Cybersecurity Governance Council to include 3 additional Deputy CISO functions:
    • Supply Chain and Third-Party 
    • Business Functions, Marketing, and Finance 
    • Compliance with EU cybersecurity legislation

  • Created the Microsoft European Security Program to deepen partnerships and better inform European governments about the threat landscape. Continued active engagement in the European Union Cyber Resilience Act Expert Group.

  • Actively collaborated with industry partners to better align existing and future cybersecurity regulations and build cybersecurity capacity through the Advancing Regional Cybersecurity Initiative in the Global South.
Get actionable guidance and read more about how we continue to scale our governance model to address the evolving threat landscape and increased regulatory complexity in the full report.
"We truly believe that you can’t have a sustainable program if your culture isn’t aligned, and you certainly can’t have a measurable program if your governance isn’t aligned.”
Ann Johnson
CVP & Deputy CISO, Customer Security Management Office
Security principles

Secure by Design, Secure by Default, and Secure Operations

Guided by three security principles – Secure by Design, Secure by Default, and Secure Operations – teams across Microsoft continue to deliver innovations to help protect customers and Microsoft.
  • Introduced mandatory secure defaults, expanded hardware-based trust, and updated security benchmarks to help improve cloud security.
    • MFA is now mandatory for all Azure users, reducing the risk of password-related attacks. Additionally, Azure Bastion Developer now offers secure-by-default connectivity to virtual machines in 35 regions.
    • Version 2 of the Microsoft Cloud Security Benchmark (MCSB) provides customers with updated security baseline guidance, which can be implemented using Microsoft Defender for Cloud.
    • Azure Local increased the number of security default settings by 25% (400 settings). This further simplifies customers’ ability to comply with industry standards and better protects Azure Local nodes from additional threats such as fileless malware.
  • We provide best practices and implementation guidance, aligned to Zero Trust principles, to help customers reduce their risk.
Back to tabs
Engineering Pillars

The six SFI pillars include goals and actions that define our approach to security

Out of 28 objectives, 5 are nearing completion, 12 have made significant progress, and we continue to make progress against the rest. As a result of SFI we have improved security in our platform and services, as well as our ability to detect and respond to threats.
  • We have improved identity security for Microsoft services and customers.
    • Migrated 95% of Microsoft Entra ID signing VMs to Azure Confidential Compute.
    • Moved 94.3% of Microsoft Entra ID security token validation to our standard identity Software Development Kit (SDK).
    • Enforced phishing-resistant MFA for 99.6% of Microsoft employees and devices.

    Read more, including links to actionable guidance, in the full report.
  • We continue to increase isolation and reduce the risk of lateral movement.
    • Discontinued the use of Active Directory Federation Services (ADFS) in our productivity environment.
    • Migrated 98% of cloud assets managed by Azure Service Manager (ASM) to Azure Resource Manager (ARM).
    • Decommissioned 560,000 additional unused and aged tenants and 83,000 unused Entra ID apps across Microsoft production and productivity environments.

    Read more, including links to actionable guidance, in the full report.
  • Progress made has improved network security and delivered new capabilities for customers.
    • Achieved complete network device inventory and mature asset lifecycle management.
    • Strengthened security through enhanced isolation and protective controls.
    • Accelerated adoption of Network Security Perimeter (NSP) with more than 1.1 million resources in learning mode and approximately 500,000 in enforced mode.

    Read more, including links to actionable guidance, in the full report.
  • We have improved the security of systems we use to build, test, and deploy code.

    • Code signing is now almost entirely locked to production identities, and secrets detected in code are continuously remediated.
    • Near complete software asset inventory enables rapid incident response and universal policy enforcement.
    • Expanded secure-by-default pipelines and network isolation, with nearly all production builds and 94% of release pipelines using governed templates.

    Read more, including links to actionable guidance, in the full report.
  • We are advancing threat hunting, rapid incident response, and unified security controls.
    • 98% of production infrastructure is centrally tracked, with logs retained for 2 years.
    • 50+ new detections deployed across Microsoft infrastructure, targeting high-priority tactics, techniques, and procedures (TTPs) – applicable detections will be integrated into Microsoft Defender.
    • AI integration is accelerating detection lifecycle improvements – from identification to efficacy validation.

    Read more, including links to actionable guidance, in the full report.
  • We are increasing the speed of identification, triage, and resolution of vulnerabilities.
    • AI-based vulnerability triage contributed to a 72% success rate addressing vulnerabilities within our reduced time to mitigate, despite continued increase in volume and scope.
    • Expedited deployment processes have accelerated vulnerability mitigation.
    • Microsoft published 1,096 CVEs, including 53 no-action cloud CVEs, and paid out USD $17 million in bounties, demonstrating increased transparency and external engagement.

    Read more, including links to actionable guidance, in the full report.
ACTIONABLE GUIDANCE

Put what we learned into practice

In this report we highlight 10 patterns and practices customers can follow to reduce their risk in prioritized areas and share additional best practices and guidance for each area and pillar.
Download the report for more guidance
Resources

Explore Secure Future Initiative resources

  1.
SFI progress report

Hear from our leadership

Read what Charlie Bell has to say about the November 2025 SFI progress report.
Read the blog
A women stands infront of building.
Patterns and practices

Microsoft Secure Future Initiative patterns and practices

Strengthen your organization's security with guidance using proven security architectures and best practices.
Learn more
A man sitting with white hairs and weared a shirt.
Secure Future Initiative

Join in Microsoft’s commitment to security above all else

Mature your organization’s technology and operations to the highest standards of security.
Read more about SFI
SFI progress report

April 2025: Explore our progress

Read the April 2025 SFI report to read where we were and how far we've come.
Read the April 2025 report
Back to carousel navigation controls

Follow Microsoft