AZ-500 | Chapter 31 of 103 | Objective 4.3

Regulatory Compliance Dashboard in Defender

This chapter covers the Regulatory Compliance Dashboard in Microsoft Defender for Cloud, the tool an Azure Security Engineer uses to monitor and demonstrate compliance with industry standards and regulations. For the AZ-500 exam this topic sits in the Security Operations domain (Objective 4.3) and comes up regularly. You must understand how to configure, interpret, and troubleshoot the dashboard, including custom standards, compliance scores, exemptions, and the Azure Policy engine underneath it. We'll dive into the mechanics, configuration steps, and exam traps.

25 min read
Intermediate
Updated May 31, 2026

Regulatory Compliance Like a Building Inspector

Imagine you own a large office building that must comply with fire safety codes, occupancy limits, and accessibility laws. You hire a team of inspectors who constantly walk the halls with clipboards, checking every floor for violations. They don't fix anything themselves, but they note every broken sprinkler, blocked exit, or missing wheelchair ramp. Each violation is recorded with a severity level (critical, high, medium, low) and the exact location. The inspectors produce a daily report that maps each violation to a specific regulation (e.g., NFPA 101, ADA Title III). As you fix issues, the inspectors verify and update the report. If you ignore critical violations, the city can fine you or shut down the building. The inspectors also compare your building to industry standards (e.g., BOMA 2019) and show gaps. This is exactly how Microsoft Defender for Cloud's Regulatory Compliance Dashboard works: it continuously scans your Azure resources against built-in or custom compliance standards (e.g., SOC 2, PCI DSS, Azure CIS), assigns controls and assessments, reports compliance state per standard, and alerts you to non-compliant resources. Just like the building inspector, it does not auto-remediate but provides the data and recommendations to fix issues. The dashboard aggregates all findings across subscriptions, maps them to regulatory controls, and shows a compliance score. You can also assign custom initiatives to enforce specific policies. The key difference: the inspector never sleeps, runs 24/7, and covers every Azure resource in scope.

How It Actually Works

What is the Regulatory Compliance Dashboard?

The Regulatory Compliance Dashboard in Microsoft Defender for Cloud provides a unified view of your Azure environment's compliance posture against various regulatory standards (e.g., SOC 2, PCI DSS, ISO 27001, Azure CIS, NIST SP 800-53) and custom compliance initiatives. It is not a separate service but a feature of Defender for Cloud that leverages Azure Policy to continuously assess resources and map results to regulatory controls. The dashboard shows a compliance score (percentage) per standard, a breakdown of passed/failed controls, and recommendations for remediation.

Why it Exists

Organizations must prove compliance to auditors, customers, and regulators. Manual evidence collection is error-prone and time-consuming. The dashboard automates continuous monitoring, provides evidence of controls, and generates reports. For the exam, know that the dashboard is part of Defender for Cloud (formerly Azure Security Center and Azure Defender). The free tier (foundational CSPM) is on for every subscription and shows compliance against the Microsoft cloud security benchmark (MCSB, formerly the Azure Security Benchmark) only; adding other built-in or custom standards requires a paid plan (Defender CSPM in the current plan lineup; older material calls the paid tier 'Azure Defender' or 'enhanced security features').

How it Works Internally

The Regulatory Compliance Dashboard operates through a multi-step pipeline:

1. Policy Assignment: You assign Azure Policy initiatives (built-in or custom) that define controls for a specific standard. Each initiative contains multiple policy definitions that audit resource configurations (or enforce them, when the effect is Deny, DeployIfNotExists, or Modify).

2. Continuous Evaluation: Azure Policy evaluates resources on a new or changed assignment, on resource create or update, on a 24-hour compliance cycle, and on demand when you trigger a scan. Results are stored as compliance states (Compliant, Non-compliant, Exempt, Not started, Unknown).

3. Mapping to Controls: Each policy definition is mapped to one or more regulatory controls (e.g., 'AC-1' in NIST). The dashboard aggregates control-level compliance from the underlying policy results. A control is compliant only if all of its mapped policies are compliant; a control with no resources in scope is skipped (shown as Not applicable).

4. Scoring: The dashboard reports, per standard, the number of passed controls out of the applicable controls, and the corresponding percentage. Controls are weighted equally; there is no per-control weighting to customize, and the number of resources behind a control does not change its weight.

5. Recommendations: Failed controls surface as security recommendations in Defender for Cloud. You remediate by fixing the underlying resource configuration (e.g., enabling encryption) or by exempting resources, which changes the reported state but not the resource.

6. Reporting: You can download a PDF report per standard from the dashboard, export recommendation and assessment data as CSV from the Recommendations page, set up continuous export (Environment settings > Continuous export) of regulatory compliance assessments to a Log Analytics workspace or Event Hubs for SIEM ingestion, and chart history with the 'Compliance over time' workbook.
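The aggregation in steps 3 and 4 is easy to get wrong in your head, so here it is as an added example (not code from the page or from Microsoft). The input mimics the shape of the Microsoft.Security regulatoryComplianceAssessments REST resource (api-version 2019-01-01-preview), where each assessment carries a state plus passed/failed resource counts; the sample data, standard and control names are constructed for this example. It also computes the resource-level pass rate the dashboard does not use, to make the "per control, not per resource" point concrete.

```python
"""Aggregate assessment results into control and standard compliance the way the
Regulatory Compliance dashboard does.

Added example for this page (not Microsoft code). The input mimics the shape of
the Microsoft.Security regulatoryComplianceAssessments REST resource
(api-version 2019-01-01-preview). The sample data below is constructed, not
captured from a real subscription, and the standard/control names are hypothetical.
"""
from collections import Counter

# Constructed sample: three controls of a hypothetical standard. "Skipped" is the
# API's spelling for an assessment with nothing in scope; the portal shows it as
# "Not applicable".
SAMPLE_STANDARD = {
    "name": "Example-Standard",
    "controls": {
        "Req-3": [  # data-at-rest protection: every assessment passes
            {"name": "sql-tde", "properties": {"state": "Passed", "passedResources": 4, "failedResources": 0}},
            {"name": "storage-https", "properties": {"state": "Passed", "passedResources": 12, "failedResources": 0}},
        ],
        "Req-10": [  # audit logging: one assessment fails on 3 of 4 SQL servers
            {"name": "sql-auditing", "properties": {"state": "Failed", "passedResources": 1, "failedResources": 3}},
            {"name": "log-retention", "properties": {"state": "Passed", "passedResources": 1, "failedResources": 0}},
        ],
        "Req-8": [  # no AKS clusters in scope, so nothing to evaluate
            {"name": "aks-rbac", "properties": {"state": "Skipped", "passedResources": 0, "failedResources": 0}},
        ],
    },
}


def control_state(assessments):
    """A control passes only when every applicable assessment under it passed."""
    states = {a["properties"]["state"] for a in assessments}
    if "Failed" in states:
        return "Failed"
    if "Passed" in states:
        return "Passed"
    return "Skipped"  # nothing in scope: excluded from the score, not counted as a pass


def summarize(standard):
    """Per-standard view: control states and the percentage of passed applicable controls."""
    per_control = {name: control_state(a) for name, a in standard["controls"].items()}
    counts = Counter(per_control.values())
    applicable = counts["Passed"] + counts["Failed"]
    score = round(100 * counts["Passed"] / applicable) if applicable else None
    return {
        "controls": per_control,
        "passed": counts["Passed"],
        "failed": counts["Failed"],
        "skipped": counts["Skipped"],
        "score_pct": score,
    }


def resource_pass_rate(standard):
    """What the score would be if it were resource-based (it is not); shown for contrast."""
    passed = failed = 0
    for assessments in standard["controls"].values():
        for a in assessments:
            passed += a["properties"]["passedResources"]
            failed += a["properties"]["failedResources"]
    total = passed + failed
    return round(100 * passed / total) if total else None


def failing_detail(standard):
    """The assessments and failed-resource counts behind each failed control (the remediation queue)."""
    return {
        name: [(a["name"], a["properties"]["failedResources"]) for a in assessments
               if a["properties"]["state"] == "Failed"]
        for name, assessments in standard["controls"].items()
        if control_state(assessments) == "Failed"
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_STANDARD)
    print(f"{s['passed']} of {s['passed'] + s['failed']} applicable controls passed "
          f"({s['score_pct']}%), {s['skipped']} skipped")
    print(f"resource-level pass rate, for contrast: {resource_pass_rate(SAMPLE_STANDARD)}%")
    for control, items in failing_detail(SAMPLE_STANDARD).items():
        for assessment, n in items:
            print(f"  {control}: {assessment} failing on {n} resource(s)")
```

Three failing SQL servers drag Req-10 to Failed, so the standard shows 1 of 2 applicable controls passed (50%) even though 18 of 21 evaluated resources are healthy; Req-8 is skipped and neither helps nor hurts. That gap between the control score and the resource count is exactly what a question about "per resource" compliance is probing.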

Key Components, Values, Defaults, and Timers

Compliance Standards: Built-in standards include SOC 2 Type 2, PCI DSS (3.2.1 and, since that version was retired, v4.0), ISO 27001:2013, Azure CIS 1.1.0/1.3.0 (later CIS versions have been added), NIST SP 800-53 R4 and R5, FedRAMP Moderate, and more; the list grows as Microsoft adds versions. Each standard is a policy initiative with a specific ID (e.g., /providers/Microsoft.Authorization/policySetDefinitions/...).

Compliance Score: Shown per standard as the percentage (0-100%) of passed controls out of applicable controls, next to the raw passed/failed/skipped counts. Azure Policy's full compliance cycle runs every 24 hours; you can trigger an on-demand scan from the Azure CLI, PowerShell, or the REST API.

Controls: A control is a group of policies. For example, 'PCI DSS 3.2.1 Requirement 10' maps to policies about audit logging.

Assessment: A resource-level evaluation of a policy. Results are 'Healthy', 'Unhealthy', or 'Not applicable'.

Default Policy Assignment: When Defender for Cloud is enabled, it assigns the Microsoft cloud security benchmark (MCSB) initiative by default; older material and some exam questions still call it the Azure Security Benchmark (ASB). This is the baseline for compliance.

Custom Initiatives: You can create custom policy initiatives and assign them to management groups, subscriptions, or resource groups. They appear in the dashboard under 'Custom' standards, with the initiative's policy definition groups (policyDefinitionGroups) shown as the controls.

Exemptions: You can exempt a resource or scope from a policy evaluation (e.g., for non-production) by creating an Azure Policy exemption; the exempted resources then show as Exempt rather than Non-compliant. Creating and deleting exemptions is recorded in the Activity Log. Give every exemption an expiry date and a written justification; an open-ended exemption keeps a control green indefinitely.

Compliance Refresh Interval: Azure Policy evaluates on resource change and also runs a full compliance scan every 24 hours. The dashboard reflects the latest state.

Configuration and Verification Commands

To view the Regulatory Compliance Dashboard in Azure Portal: Go to Defender for Cloud > Regulatory compliance. You can also use Azure CLI and PowerShell.

Azure CLI:

# List all regulatory compliance standards assigned to a subscription
az security regulatory-compliance-standards list --subscription <sub-id>

# Get compliance state for a specific standard
az security regulatory-compliance-standards show --name <standard-name> --subscription <sub-id>

# List controls for a standard
az security regulatory-compliance-controls list --standard-name <standard-name> --subscription <sub-id>

# List assessments for a control
az security regulatory-compliance-assessments list --standard-name <standard-name> --control-name <control-name> --subscription <sub-id>

PowerShell:

# Select the subscription first; the Az.Security cmdlets read it from the current context
Set-AzContext -SubscriptionId <sub-id>

# Get regulatory compliance standards
Get-AzRegulatoryComplianceStandard

# Get compliance state for a standard
Get-AzRegulatoryComplianceStandard -Name <standard-name>

# Get controls
Get-AzRegulatoryComplianceControl -StandardName <standard-name>

# Get assessments for a control
Get-AzRegulatoryComplianceAssessment -StandardName <standard-name> -ControlName <control-name>

REST API:

GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Security/regulatoryComplianceStandards?api-version=2019-01-01-preview

Interaction with Related Technologies

Azure Policy: The foundation. Without policy assignments, the dashboard has no data. Custom standards are essentially custom policy initiatives.

Defender for Cloud: Provides the dashboard UI and security recommendations. The 'Security posture' page shows overall security score; regulatory compliance is a subset.

Azure Blueprints: Blueprints could bundle policy assignments for deployment at scale, but the service is deprecated (retirement announced for July 2026) and Microsoft points to Template Specs and Deployment Stacks instead. Older exam material still mentions it.

Azure Monitor: Compliance data can be sent to Log Analytics for custom queries and alerts.

Microsoft Purview compliance portal (formerly Microsoft 365 Compliance Center) and Compliance Manager: For Microsoft 365 workloads; Azure-specific compliance is in Defender for Cloud.

Step-by-Step: Enabling a New Compliance Standard

1. Go to Defender for Cloud > Regulatory compliance.

2. Click 'Manage compliance policies'.

3. Select the management group or subscription.

4. Click 'Add more standards' and choose from the list (e.g., PCI DSS 3.2.1).

5. The standard is assigned as a policy initiative. It may take up to 24 hours to populate.

6. You can also create a custom standard by creating a custom initiative in Azure Policy and assigning it.
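Step 6 above, and the ISO 27001 scenario later in this chapter, both come down to one artifact: a custom initiative whose policy definition groups become the dashboard's controls. Here is an added example (not code from the page or from Microsoft) that builds that initiative body and checks the mistake that bites in practice, a policy that names no declared group or a control with no policies. Assumptions: the two built-in policy definition GUIDs are the ones this editor believes correspond to "Require a tag on resources" and "Auditing on SQL server should be enabled", so verify each with `az policy definition show --name <guid>` before use; the control IDs and display text are hypothetical.

```python
"""Build an Azure Policy initiative (policySetDefinition) whose policyDefinitionGroups
become the controls of a custom standard in the Regulatory Compliance dashboard.

Added example for this page, not Microsoft's code. The two built-in definition GUIDs
are assumptions to verify with `az policy definition show --name <guid>`; control
names and display text are hypothetical.
"""
import json

POLICY_PREFIX = "/providers/Microsoft.Authorization/policyDefinitions/"
# Assumed built-in definition IDs; verify before use.
REQUIRE_TAG = POLICY_PREFIX + "871b6d14-10aa-478d-b590-94f262ecfa99"   # "Require a tag on resources"
SQL_AUDITING = POLICY_PREFIX + "a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9"  # "Auditing on SQL server should be enabled"


def build_initiative(name, display_name, controls):
    """controls maps a control id (the dashboard's control name) to its display text and a
    list of (policy definition id, parameter values) pairs. Each policy is tagged with its
    control through groupNames; the dashboard groups assessments by that."""
    groups, definitions = [], []
    for control_id, ctrl in controls.items():
        groups.append({
            "name": control_id,
            "displayName": ctrl["display"],
            "category": ctrl.get("category", "Custom"),
        })
        for i, (policy_id, params) in enumerate(ctrl["policies"], start=1):
            definitions.append({
                "policyDefinitionReferenceId": f"{control_id}-{i}",
                "policyDefinitionId": policy_id,
                "parameters": {k: {"value": v} for k, v in params.items()},
                "groupNames": [control_id],
            })
    return {
        "name": name,
        "properties": {
            "displayName": display_name,
            "policyType": "Custom",
            "metadata": {"category": "Regulatory Compliance"},
            "policyDefinitionGroups": groups,
            "policyDefinitions": definitions,
        },
    }


def validate_groups(initiative):
    """Return problems that would leave a policy outside any control, or a control with
    nothing to assess (it would show as skipped in the dashboard, never as failed)."""
    props = initiative["properties"]
    declared = {g["name"] for g in props["policyDefinitionGroups"]}
    used, problems = set(), []
    for d in props["policyDefinitions"]:
        names = d.get("groupNames", [])
        if not names:
            problems.append(f"{d['policyDefinitionReferenceId']}: no groupNames")
        for g in names:
            if g not in declared:
                problems.append(f"{d['policyDefinitionReferenceId']}: undeclared group {g}")
            used.add(g)
    for g in sorted(declared - used):
        problems.append(f"{g}: declared control has no policies")
    return problems


# Hypothetical internal controls: classification tagging and database audit logging.
EXAMPLE_CONTROLS = {
    "INT-CLS-1": {"display": "Information classification tag on every resource",
                  "policies": [(REQUIRE_TAG, {"tagName": "Classification"})]},
    "INT-LOG-1": {"display": "Audit logging on database servers",
                  "policies": [(SQL_AUDITING, {})]},
}

if __name__ == "__main__":
    init = build_initiative("internal-controls", "Internal security controls", EXAMPLE_CONTROLS)
    assert not validate_groups(init)
    print(json.dumps(init, indent=2))
```

To use it, write `init["properties"]["policyDefinitions"]` and `init["properties"]["policyDefinitionGroups"]` to two JSON files and pass them to `az policy set-definition create --name internal-controls --definitions defs.json --definition-groups groups.json`, then assign the initiative at the subscription or management group; it appears under the Custom standards in the dashboard with INT-CLS-1 and INT-LOG-1 as controls.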

Exam Tip: The dashboard shows compliance per standard, not per resource. Questions often ask 'Which blade shows compliance against SOC 2?' Answer: Regulatory compliance dashboard in Defender for Cloud.

Walk-Through

1. Enable Defender for Cloud

Ensure Microsoft Defender for Cloud is enabled on the subscription. Without it, the Regulatory Compliance Dashboard is not available. The free foundational CSPM tier is turned on automatically for every subscription and is enough to see the MCSB baseline in the dashboard; the paid plans (including Defender CSPM, which unlocks additional standards) are off by default and must be enabled explicitly under Defender for Cloud > Environment settings. The exam expects you to know that the dashboard is part of Defender for Cloud, not a standalone service.

2. Assign Compliance Standards

Navigate to Defender for Cloud > Regulatory compliance > Manage compliance policies. Select the scope (management group or subscription). Under 'Security policy', you see the currently assigned initiatives. Click 'Add more standards' to assign built-in standards like SOC 2, PCI DSS, etc. Each standard is a policy initiative. You can assign multiple standards. The assignment triggers Azure Policy to start evaluating resources. The exam may ask: 'How do you add a new compliance standard?' Answer: Via 'Manage compliance policies' in the Regulatory compliance dashboard.

3. Review Compliance State

After assignment, the dashboard shows a tile for each standard with a compliance score. Click a standard to see controls and their compliance state (Passed, Failed, Not applicable). Each control has a list of assessments (policy evaluations). The dashboard updates every 24 hours or on resource change. You can filter by subscription, resource group, or resource type. The exam may present a scenario where a control shows 'Failed' and ask what to do: review the underlying policy recommendations and remediate.

4. Remediate Non-Compliant Resources

For each failed control, there is a 'View recommendations' link that opens the Defender for Cloud recommendations page. You can fix issues manually (e.g., enable encryption) or use the 'Fix' button where a quick fix is available. Some policies have a Deny effect that prevents creation of non-compliant resources, and DeployIfNotExists/Modify policies can correct existing resources once you create a remediation task. After remediation, the compliance state updates on the next scan. The exam may test that remediation does not happen automatically; you must take action.

5. Export Compliance Reports

You can export compliance data for auditing. In the dashboard, select a standard and click 'Download report' for a PDF snapshot; the Recommendations page offers a CSV download. For continuous export, use Defender for Cloud's Environment settings > Continuous export to stream regulatory compliance assessments to a Log Analytics workspace or Event Hubs, and use the 'Compliance over time' workbook to visualize history. The exam may ask about exporting to Excel or SIEM: answer with the CSV/PDF download or Event Hubs continuous export.
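Step 4 gives you two ways to make a failed control go green, and only one of them changes anything. Because an exemption silently holds the score up, a practitioner wants two checks around it: a gate on new exemptions (specific policies only, a justification, a category, an expiry) and a periodic sweep for exemptions that never expire or already have. Here is an added example of both (not code from the page or from Microsoft). The body shape follows the Microsoft.Authorization/policyExemptions resource (api-version 2022-07-01); the assignment ID, reference IDs, the 90-day limit and the exemption list are constructed for this example.

```python
"""Gate new policy exemptions and sweep existing ones for the failure mode the
dashboard hides: an exemption that never expires keeps a control green long after
its justification is stale.

Added example for this page, not Microsoft's code. The body shape follows the
Microsoft.Authorization/policyExemptions resource (api-version 2022-07-01); the
assignment id, reference ids, MAX_WAIVER_DAYS and the sample list are constructed.
"""
from datetime import datetime, timedelta, timezone

MAX_WAIVER_DAYS = 90                      # hypothetical rule: re-approve quarterly
CATEGORIES = {"Waiver", "Mitigated"}      # the two exemptionCategory values Azure Policy accepts
SAMPLE_NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)   # fixed clock for the demo


def exemption_problems(reference_ids, category, justification, days):
    """Reasons a requested exemption should be refused; empty list means acceptable."""
    problems = []
    if category not in CATEGORIES:
        problems.append(f"exemptionCategory must be one of {sorted(CATEGORIES)}")
    if not reference_ids:
        problems.append("exempt specific policyDefinitionReferenceIds, not the whole initiative")
    if len(justification.strip()) < 20:
        problems.append("justification too short to satisfy an auditor")
    if not 0 < days <= MAX_WAIVER_DAYS:
        problems.append(f"expiry must be between 1 and {MAX_WAIVER_DAYS} days")
    return problems


def build_exemption(assignment_id, reference_ids, category, justification, days, now=None):
    """Return the properties body for a policyExemptions PUT, or raise if the request is unacceptable."""
    now = now or datetime.now(timezone.utc)
    problems = exemption_problems(reference_ids, category, justification, days)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "policyAssignmentId": assignment_id,
        "policyDefinitionReferenceIds": list(reference_ids),
        "exemptionCategory": category,
        "expiresOn": (now + timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "description": justification,
        "metadata": {"requestedOn": now.strftime("%Y-%m-%d")},
    }


def _parse_utc(ts):
    """Accept the 'Z' and '+00:00' spellings ARM returns for expiresOn."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def stale_exemptions(exemptions, now=None):
    """Flag exemptions with no expiry (the real risk) or already past it (clutter to delete),
    from a list shaped like `az policy exemption list` output (name + properties)."""
    now = now or datetime.now(timezone.utc)
    flagged = []
    for ex in exemptions:
        expires = ex["properties"].get("expiresOn")
        if not expires:
            flagged.append((ex["name"], "no expiresOn"))
        elif _parse_utc(expires) <= now:
            flagged.append((ex["name"], f"expired {expires}"))
    return flagged


# Constructed sample, as `az policy exemption list` might return it.
SAMPLE_EXEMPTIONS = [
    {"name": "sandbox-tag-waiver", "properties": {"exemptionCategory": "Waiver", "expiresOn": "2025-03-31T00:00:00Z"}},
    {"name": "legacy-sql-no-expiry", "properties": {"exemptionCategory": "Mitigated"}},
    {"name": "sandbox-old", "properties": {"exemptionCategory": "Waiver", "expiresOn": "2024-06-30T00:00:00+00:00"}},
]

if __name__ == "__main__":
    body = build_exemption(
        "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/pci-dss",
        ["sqlAuditing"], "Waiver", "Legacy billing SQL server, decommission tracked in CHG-1234", 30, now=SAMPLE_NOW)
    print("exemption expires", body["expiresOn"])
    for name, why in stale_exemptions(SAMPLE_EXEMPTIONS, now=SAMPLE_NOW):
        print(f"review {name}: {why}")
```

The sweep is the part worth scheduling: run it over `az policy exemption list --output json` and treat every "no expiresOn" hit as a control whose green tile you cannot currently justify to an auditor.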

What This Looks Like on the Job

Enterprise Scenario 1: PCI DSS Compliance for a Payment Processing Company

A company processes credit card transactions and must comply with PCI DSS v3.2.1. They have hundreds of Azure resources across multiple subscriptions. The compliance team uses the Regulatory Compliance Dashboard to monitor Requirement 10 (audit logging) and Requirement 3 (encrypted cardholder data). They assign the PCI DSS 3.2.1 initiative to their production subscription. The dashboard shows a 68% compliance score. They drill into Requirement 10 and see that several SQL servers have auditing disabled. They assign a policy that enables auditing on SQL servers (DeployIfNotExists effect) and create a remediation task, because DeployIfNotExists only touches existing resources when a remediation task runs. After remediation, the score rises to 92%. The remaining failures are due to legacy resources that cannot be modified; they apply time-limited exemptions with a written justification. The auditor accepts the exemption evidence alongside the standard's downloaded report. Key lesson: The dashboard provides a single pane of glass for auditor evidence, but you must actively remediate or exempt.

Scenario 2: ISO 27001 for a SaaS Provider

A SaaS company needs ISO 27001 certification. They use the Microsoft cloud security benchmark as a baseline and add the ISO 27001 initiative. The dashboard shows a control 'A.8.2.1' about information classification. They have no policy for tagging resources with a classification. They create a custom policy that requires a 'Classification' tag on all resources, put it in a custom initiative grouped under a control named for A.8.2.1, and assign it; the custom standard appears alongside the built-in one (the built-in ISO initiative itself cannot be edited). Over time, they achieve 95% compliance. The remaining 5% are resources in a sandbox subscription that they exempt. The exam may test that custom standards require custom policy initiatives.

Scenario 3: FedRAMP Moderate for a Government Contractor

A contractor must comply with FedRAMP Moderate. They assign the FedRAMP Moderate initiative. The dashboard shows a critical failure for 'AC-2' (account management) because they have unused accounts. They use Microsoft Entra ID access reviews (formerly Azure AD Access Reviews) to automate account reviews. The dashboard reflects the improvement. They also set up continuous export to a SIEM for ongoing monitoring. When misconfigured (e.g., wrong scope), the dashboard shows no data. Common mistake: assigning the standard to a management group while the resources sit in a subscription under a different management group. Always verify scope.

How AZ-500 Actually Tests This

What AZ-500 Tests on Regulatory Compliance Dashboard

Objective 4.3: 'Configure and manage regulatory compliance in Defender for Cloud.' The exam focuses on:

Understanding the dashboard's location and purpose.

Assigning built-in vs custom standards.

Interpreting compliance scores and controls.

Remediation and exemptions.

Integration with Azure Policy.

Common Wrong Answers and Why

1. 'Compliance Dashboard is in Azure Policy' - Wrong. It's in Defender for Cloud. Azure Policy provides the engine, but the dashboard is a Defender for Cloud feature.

2. 'Compliance score is calculated per resource' - Wrong. It's per standard/control. The score is the percentage of passed controls.

3. 'You can auto-remediate from the dashboard' - Wrong. The dashboard shows recommendations; remediation is done via Azure Policy (DeployIfNotExists with a remediation task) or manual action.

4. 'Custom standards are created in Defender for Cloud' - Wrong for exam purposes. Custom standards are policy initiatives in Azure Policy, assigned so that Defender for Cloud displays them; the newer Security policies page can create one for you, but it is still stored as an Azure Policy initiative.

Specific Numbers and Terms

Default refresh: 24 hours.

Built-in standards: SOC 2, PCI DSS 3.2.1, ISO 27001, Azure CIS 1.1.0/1.3.0, NIST SP 800-53, FedRAMP Moderate.

Compliance score range: 0-100%.

Control states: Passed, Failed, Not applicable.

Assessment states: Healthy, Unhealthy, Not applicable.

Edge Cases and Exceptions

If no policy initiative is assigned, the dashboard shows 'No data'.

If a subscription is not covered by Defender for Cloud, the dashboard is unavailable.

Exemptions do not change the underlying resource; they only affect compliance reporting.

The Microsoft cloud security benchmark (formerly 'Azure Security Benchmark') is assigned by default when Defender for Cloud is enabled.

How to Eliminate Wrong Answers

If the question mentions 'compliance score' and 'standard', think of the Regulatory Compliance Dashboard.

If the answer says 'Azure Policy' alone, it's incomplete; the dashboard is in Defender for Cloud.

If the answer says 'automatic remediation', it's wrong; remediation is manual or via policy.

If the answer says 'per resource compliance', it's wrong; it's per control/standard.

Key Takeaways

The Regulatory Compliance Dashboard is in Defender for Cloud, not Azure Policy.

Compliance score = percentage of passed controls, not resources.

Default compliance refresh interval is 24 hours.

Custom standards are created as policy initiatives in Azure Policy.

Exemptions do not fix resources; they only exclude from compliance reporting.

The Microsoft cloud security benchmark (formerly Azure Security Benchmark) is assigned by default when Defender for Cloud is enabled.

Remediation requires manual action or DeployIfNotExists policy, not automatic.

Export compliance data via CSV or Event Hubs for SIEM integration.

The dashboard supports multiple standards per subscription.

Control states: Passed, Failed, Not applicable.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Built-in Compliance Standards

Provided by Microsoft, e.g., SOC 2, PCI DSS.

Cannot be modified; you can only assign or remove.

Updated by Microsoft to reflect regulation changes.

Includes default policy mappings to controls.

Quick to assign, no custom policy creation needed.

Custom Compliance Standards

Created by you as custom policy initiatives in Azure Policy.

Fully customizable: choose policies and map to controls.

You must maintain and update them.

Requires deep knowledge of both regulations and Azure Policy.

Flexible for niche or internal compliance requirements.

Watch Out for These

Mistake

The Regulatory Compliance Dashboard automatically fixes non-compliant resources.

Correct

The dashboard only reports compliance state. Remediation requires either manual action or a policy with a DeployIfNotExists/Modify effect, and for resources that already exist a remediation task must be created. The dashboard itself does not auto-remediate.

Mistake

Compliance score is based on the number of compliant resources.

Correct

The score is the percentage of passed controls (each control can contain multiple policies). It is not resource-count-based.

Mistake

You can create custom compliance standards directly in Defender for Cloud.

Correct

Custom standards are custom policy initiatives in Azure Policy and appear in Defender for Cloud after assignment. The newer Security policies page in Defender for Cloud can create one for you, but the result is still an Azure Policy initiative, which is the answer the exam wants.

Mistake

The dashboard updates in real-time.

Correct

Compliance data is refreshed every 24 hours by default, or on resource change. It is not real-time; you can trigger a manual scan via API.

Mistake

Regulatory compliance is a separate service from Defender for Cloud.

Correct

It is a feature within Defender for Cloud. You must have Defender for Cloud enabled to access it.


Frequently Asked Questions

How do I enable the Regulatory Compliance Dashboard?

First, enable Microsoft Defender for Cloud on your subscription. Then navigate to Defender for Cloud > Regulatory compliance. If no data appears, assign a compliance standard via 'Manage compliance policies'. The dashboard will populate within 24 hours.

Can I use the Regulatory Compliance Dashboard for custom internal policies?

Yes, create a custom policy initiative in Azure Policy that maps your internal controls to policy definitions. Assign it to your subscription/management group, and it will appear under 'Custom' standards in the dashboard.

What is the difference between compliance score and security score?

Security score in Defender for Cloud measures overall security posture based on recommendations. Compliance score measures adherence to specific regulatory standards. They are separate metrics.

How often does compliance data refresh?

By default, every 24 hours. However, Azure Policy also evaluates on resource configuration changes and on new assignments. You can trigger an on-demand compliance scan with `az policy state trigger-scan`, `Start-AzPolicyComplianceScan`, or the Azure Policy REST API.

What does 'Not applicable' mean for a control?

It means the control's policies do not apply to any resources in scope. For example, a control about SQL auditing is 'Not applicable' if there are no SQL servers.

Can I exempt a resource from compliance evaluation?

Yes, you can create an exemption in Azure Policy for a specific resource or scope. Exemptions are recorded in audit logs and can be used for resources that are intentionally non-compliant (e.g., test environments).

How do I export compliance data for an auditor?

In the dashboard, select a standard and click 'Download report' for a PDF snapshot, or download the CSV from the Recommendations page. For continuous export, use Defender for Cloud's Environment settings > Continuous export to send regulatory compliance data to a Log Analytics workspace or Event Hubs.
