The Secure Future Initiative (SFI) is Microsoft’s long-term program to reimagine how security is built into every stage of its products and services. Instead of treating security as an add-on, SFI embeds it into culture, engineering, and operations.

SFI is organized around three core security principles:

• Secure by Design – Security comes first when designing any product or service.
• Secure by Default – Protections are enabled and enforced out of the box, with no extra effort required.
• Secure Operations – Controls, monitoring, and response are continuously improved to keep pace with current and future threats.

To make this concrete, Microsoft has defined 6 engineering pillars and 28 objectives that guide its work. As of the November 2025 progress report:

• 5 objectives are nearing completion.
• 12 objectives have made significant progress.

Examples of what SFI has delivered so far include:

• Identity and access: 99.6% adoption of phishing-resistant MFA for Microsoft users and devices, and 95% of Microsoft Entra ID signing VMs migrated to Azure Confidential Compute.
• Network and tenant protection: Complete network device inventory and lifecycle management, and decommissioning of 560,000 unused tenants and 83,000 unused Entra ID apps.
• Engineering systems: 99.5% detection and remediation of live secrets in code, and nearly all production builds using governed, secure-by-default pipelines.
• Threat detection and response: 50 new detections deployed across Microsoft infrastructure, with applicable ones being integrated into Microsoft Defender.

Behind this work is the equivalent of 35,000 full-time engineers dedicated to security. SFI is also mapped to the NIST Cybersecurity Framework, helping customers understand how Microsoft’s progress aligns with a widely recognized industry standard.

Microsoft is using SFI to reshape its internal culture and governance so that security becomes part of everyday decision-making, not just a technical concern.

Culture and training

• 95% of employees completed the latest security training on Guarding Against AI-Powered Attacks, assigned in July 2025.
• Engineering sentiment around security has increased by 9 points since February 2024.
• Security resources originally built for employees are now being shared with customers to help raise security awareness more broadly.

Governance and accountability

• Security is explicitly prioritized at the top level: when there is a trade-off, security is chosen first.
• Microsoft expanded its Cybersecurity Governance Council to include three additional Deputy CISO functions: Supply Chain and Third-Party Business Functions, Marketing, and Finance.
• Additional governance structures have been put in place to manage cybersecurity risk and compliance across the company.

Global and regional engagement

• Launched the Microsoft European Security Program to deepen collaboration with European governments and improve understanding of the threat landscape.
• Continued active participation in the EU Cyber Resilience Act Expert Group.
• Worked with partners through the Advancing Regional Cybersecurity Initiative in the Global South to help build cybersecurity capacity and align regulations.

These efforts are designed to align internal practices, regulatory expectations, and customer needs, so that security decisions are consistent from engineering teams all the way to regional policy discussions.

Under SFI, Microsoft is not only changing its own environment but also delivering practical capabilities and patterns that customers can adopt.

Key product and platform improvements

• Microsoft Azure
  • Mandatory MFA for all Azure service users, reducing password-related attack risk.
  • Azure Bastion Developer provides secure-by-default VM connectivity in 35 regions, shrinking the exposed attack surface.
  • Azure Local increased security default settings by 25% (400 additional settings), simplifying compliance and protection against threats like fileless malware.
• Microsoft 365 and AI
  • New AI Administrator role to enforce least-privilege for Copilot and other AI capabilities.
  • Centralized controls for agent lifecycle governance to approve, restrict, and audit AI agents.
• Windows and Surface
  • Quick Machine Recovery to automatically detect and remediate boot failures via a secure, cloud-connected environment.
  • Expanded passwordless sign-in with more Windows Hello and passkey support.
  • Surface firmware and drivers increasingly written in memory-safe languages (including Rust) to reduce entire classes of vulnerabilities.
• Security and compliance tools
  • Microsoft Purview DSPM for AI to centrally manage and monitor AI data security across Copilots, agents, and third-party LLM-based apps, including prompt-level auditing of web search behavior.
  • Microsoft Sentinel evolved into an AI-ready SIEM platform with data lake, graph, and MCP capabilities to correlate signals across domains and power AI agents.
  • Security Copilot agents to automate high-volume security and IT tasks, integrated across Microsoft Security and partner solutions.

Actionable patterns and practices for customers

Microsoft has distilled its internal experience into SFI patterns and practices—repeatable approaches you can apply in your own environment. Examples include:

• Phishing-resistant MFA – Adopt cryptographic, phishing-resistant methods such as passkeys, FIDO2 security keys, and certificate-based authentication across users and tenants to reduce credential-based attacks.
• Eliminate identity lateral movement – Segment access, enforce Conditional Access policies, and restrict risky guest authentication so attackers cannot easily pivot across tenants or roles.
• Secure all tenants and resources – Identify and remove shadow tenants, and apply baseline policies (like MFA and Conditional Access) consistently to every tenant.

On the vulnerability side, Microsoft is using AI-based triage to improve remediation speed, achieving a 72% success rate in addressing vulnerabilities within its reduced time-to-mitigate targets. In the last reporting period, Microsoft:

• Published 1,096 CVEs, including 53 no-action cloud CVEs.
• Paid out USD 17 million in security bounties to encourage responsible vulnerability disclosure.

Customers can use these data points and patterns as a roadmap: prioritize phishing-resistant MFA, tenant hygiene, least-privilege access, secure defaults, and AI-assisted detection and response as foundational steps in their own security programs.