AZ-900 · Chapter 108 of 127 · Objective 3.2

Microsoft Compliance Manager

This chapter covers Microsoft Compliance Manager, a key tool within the Microsoft Purview compliance portal for managing regulatory compliance in Azure. For the AZ-900 exam, you need to understand what Compliance Manager does, its key components (assessments, templates, actions), and how it helps organizations meet compliance obligations. This objective falls under Domain 3: Azure Management and Governance, which carries approximately 20-25% of exam weight. Mastering Compliance Manager will help you answer questions about compliance management tools and the shared responsibility model.

25 min read
Intermediate
Updated May 31, 2026

The Compliance Inspector-in-a-Box

Imagine your company is a restaurant that must pass health inspections from multiple authorities: the local health department, the fire marshal, and a corporate head office. Each inspector has a different checklist — some overlap, some are unique. You have a binder of policies, but keeping track of which checklist items are done, who signed off, and what evidence is needed is a nightmare. Microsoft Compliance Manager is like hiring a single, tireless inspector-in-a-box. You give it your restaurant’s layout (your Azure subscriptions and workloads). It automatically pulls the latest checklists from every relevant authority (regulatory standards like GDPR, ISO 27001). It then walks through each checklist item, asks you for proof (e.g., ‘Show me the firewall rule that blocks port 23’), and scores you from 0 to 100 on how well you’re complying. It even suggests actions to improve your score and tracks your progress over time. The key mechanism: it doesn’t enforce rules — it assesses and guides. Just like a real inspector, it points out gaps but doesn’t close them for you. The restaurant manager (you) must still implement the fixes. The box remembers every inspection history, so you can show auditors a log of continuous improvement.

How It Actually Works

What is Microsoft Compliance Manager?

Microsoft Compliance Manager is a cloud-based service within the Microsoft Purview compliance portal that helps organizations manage their compliance posture. It provides a centralized dashboard to assess, track, and improve compliance with regulatory standards and certifications (e.g., GDPR, ISO 27001, SOC 2, NIST). Think of it as a compliance scorecard that continuously evaluates your Azure environment against chosen standards and provides actionable recommendations.

The business problem it solves: Organizations must comply with multiple, often overlapping regulations. Manually preparing for audits is time-consuming, error-prone, and lacks continuous visibility. Compliance Manager automates the assessment process, provides a unified score, and offers step-by-step guidance to close compliance gaps.

How It Works – Step by Step

1. Select a Template: Choose from over 350 pre-built assessment templates for global, regional, and industry-specific regulations. Each template maps to a specific standard (e.g., ISO 27001:2013).

2. Create an Assessment: Assign the template to a specific Azure subscription or workload. This creates an assessment instance that will evaluate that scope.

3. Automatic Data Ingestion: Compliance Manager automatically pulls configuration data from Microsoft 365 and Azure via the Microsoft Graph and Azure Policy. For example, it checks if MFA is enabled, if audit logs are retained, or if encryption is in place.

4. Scoring: Each control in the template is scored based on implementation status. Actions are categorized as:

- Microsoft-managed actions: Controls implemented by Microsoft (e.g., physical security at datacenters). These are automatically marked as completed.

- Customer-managed actions: Controls you must implement (e.g., configure MFA). You provide evidence (screenshots, policy documents) to mark them as implemented.

5. Continuous Monitoring: As your environment changes, Compliance Manager re-evaluates controls. You receive alerts when your score drops or when new actions are needed.

6. Audit Reporting: Generate reports that show your compliance score, action status, and evidence for auditors.

Key Components

Assessments: A container for a set of controls from a specific template applied to a specific scope (e.g., subscription, resource group).

Templates: Pre-defined mappings of regulatory controls to Azure services. You can also create custom templates.

Actions: The individual steps you or Microsoft must take to satisfy a control. Each action has a status (Passed, Failed, Not Started) and a point value.

Score: A percentage from 0-100 that reflects how many points you’ve earned out of the total possible. The score is calculated per assessment and aggregated across all assessments.

Evidence: Documents, screenshots, or configuration exports you upload to prove a control is implemented.

Tiers and Licensing

Compliance Manager is available in two tiers:

- Microsoft 365 E3/A3: Includes basic compliance management features with limited templates.

- Microsoft 365 E5/A5: Includes advanced capabilities, all templates, and automated data ingestion.

For Azure-only environments, you typically need an E5 license or a standalone Compliance Manager license.

Comparison to On-Premises Compliance Management

In an on-premises environment, compliance management is often manual: spreadsheets, shared drives with evidence, and periodic audits. There is no automated scoring or continuous monitoring. Azure Compliance Manager provides:

Automated evidence collection from cloud services.

Real-time score updates.

Centralized dashboards.

Integration with Azure Policy and Microsoft Defender for Cloud.

Azure Portal Touchpoints

Access Compliance Manager via the Microsoft Purview compliance portal (https://compliance.microsoft.com). From the left navigation, select Compliance Manager. You can also use the Microsoft Graph API to programmatically manage assessments. There is no direct Azure CLI or PowerShell module for Compliance Manager; management is through the portal or Graph API.

Example Graph API call to list assessments:

GET https://graph.microsoft.com/v1.0/compliance/assessments

Concrete Business Scenario

A financial services company must comply with SOC 2. They create a SOC 2 assessment in Compliance Manager and assign it to their production subscription. The tool automatically checks for required controls like encryption at rest and in transit, logging, and access reviews. It scores them at 65/100. The company then implements missing controls (e.g., enabling Azure SQL transparent data encryption) and uploads evidence. Their score rises to 92. During the annual audit, they generate a report from Compliance Manager showing continuous compliance over the past year, reducing audit effort by 80%.

Walk-Through

1

Access the Purview Compliance Portal

Navigate to https://compliance.microsoft.com and sign in with an account that has the Compliance Manager Admin role (e.g., Compliance Administrator, Compliance Data Administrator). The portal provides access to all compliance tools. From the left menu, select 'Compliance Manager' to open the dashboard. This is the central hub where you can view your overall compliance score, create new assessments, and review actions.

2

Monitor Score and Generate Reports

What This Looks Like on the Job

Scenario 1: Healthcare Provider Achieving HIPAA Compliance

A mid-sized hospital moves patient records to Azure. They must comply with HIPAA. The compliance team creates an assessment using the HIPAA template in Compliance Manager. They assign it to their Azure subscription containing the Azure SQL Database and Blob Storage. The assessment automatically identifies 45 customer-managed actions, including enabling audit logging, encrypting PHI at rest, and configuring role-based access control. The team implements these actions and uploads evidence (e.g., screenshots of encryption settings). Their score goes from 30 to 88. During an external audit, they generate a report showing continuous monitoring, which satisfies the auditor. Common mistake: they initially forgot to assign the assessment to the correct subscription, resulting in a false high score. They had to reassign and re-evaluate.

Scenario 2: E-Commerce Company Managing Multiple Standards

A global e-commerce company must comply with GDPR in Europe, PCI DSS for payment data, and ISO 27001 for overall security. They create three separate assessments in Compliance Manager, each with the appropriate template. The dashboard shows an aggregated score of 72. The compliance officer notices that the PCI DSS score is low (45) due to missing controls on their payment gateway. They prioritize those actions and improve the score to 85. The company uses the Graph API to pull assessment data into their internal reporting dashboard. What went wrong initially: they used a single assessment for all standards, which mixed controls and confused the team. They had to delete and recreate separate assessments.

Scenario 3: Startup Using Free Tier

A small startup with Microsoft 365 E3 licenses uses Compliance Manager for basic GDPR compliance. They have limited templates (only 10) and no automated data ingestion. They manually evaluate controls and upload evidence. Their score is 60. As they grow, they upgrade to E5 to get the full template library and automation, which reduces manual effort by 70%.

How AZ-900 Actually Tests This

AZ-900 Objective Code: 3.2 Describe the tools for managing compliance (e.g., Compliance Manager, Azure Policy, Blueprints). The exam specifically tests your ability to differentiate Compliance Manager from other compliance tools.

Common Wrong Answers and Why Candidates Choose Them:

1. 'Compliance Manager enforces compliance policies automatically.' – Wrong. Compliance Manager only assesses and recommends; it does not enforce. Azure Policy enforces. Candidates confuse assessment with enforcement.

2. 'Compliance Manager is part of Azure Security Center.' – Wrong. It is part of Microsoft Purview (formerly Microsoft 365 Compliance Center). Security Center focuses on security posture, not regulatory compliance.

3. 'Compliance Manager can create custom policies to block non-compliant resources.' – Wrong. That is Azure Policy's job. Compliance Manager cannot block resources.

4. 'Compliance Manager is free with any Azure subscription.' – Wrong. It requires a Microsoft 365 E3 or E5 license. Azure-only subscriptions do not include it.

Specific Terms and Values:

Compliance score range: 0-100.

Templates: over 350 pre-built.

Actions: Microsoft-managed vs. customer-managed.

Evidence upload is manual for customer-managed actions.

Compliance Manager is accessed via compliance.microsoft.com, not portal.azure.com.

Edge Cases:

You can create custom templates for non-standard regulations.

Compliance Manager integrates with Azure Policy: you can import Azure Policy results as evidence.

The score is weighted; critical controls have higher point values.

Memory Trick: 'Compliance Manager = Scorecard + Checklist. Azure Policy = Cops. Blueprints = Blueprint templates.' For exam questions asking 'Which tool assesses compliance?', pick Compliance Manager. For 'Which tool enforces compliance?', pick Azure Policy. For 'Which tool provides pre-built environments?', pick Blueprints.

Key Takeaways

Microsoft Compliance Manager is a compliance assessment tool, not an enforcement tool.

It provides a weighted compliance score from 0 to 100 based on implemented controls.

There are over 350 pre-built templates for regulations like GDPR, ISO 27001, and SOC 2.

Actions are divided into Microsoft-managed and customer-managed; customer-managed actions require manual evidence upload.

Compliance Manager is accessed via the Microsoft Purview compliance portal (compliance.microsoft.com).

It requires a Microsoft 365 E3 or E5 license; not included with Azure subscriptions alone.

Custom templates can be created for non-standard regulations.

Compliance Manager integrates with Azure Policy to import policy compliance data as evidence.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Microsoft Compliance Manager

Assesses compliance against regulatory standards (GDPR, ISO).

Provides a weighted score (0-100).

Does not enforce; only recommends and tracks.

Part of Microsoft Purview compliance portal.

Requires Microsoft 365 E3/E5 license.

Azure Policy

Enforces compliance by applying rules to resources.

Does not provide a score; only shows compliance state (compliant/non-compliant).

Can automatically remediate non-compliant resources (e.g., deployIfNotExists).

Part of Azure portal (Azure Policy service).

Included with Azure subscription (no additional license).

Watch Out for These

Mistake

Compliance Manager automatically fixes non-compliant resources.

Correct

Compliance Manager only assesses and recommends; it does not enforce or fix anything. You must manually implement actions or use Azure Policy for enforcement.

Mistake

Compliance Manager is available in all Azure subscriptions without extra cost.

Correct

Compliance Manager requires a Microsoft 365 E3 or E5 license. Azure subscriptions alone do not include it. Some features require E5.

Mistake

Compliance Manager and Azure Security Center are the same tool.

Correct

Azure Security Center focuses on security posture (vulnerabilities, threats). Compliance Manager focuses on regulatory compliance (GDPR, ISO). They are separate services within different portals.

Mistake

Compliance Manager can only use Microsoft-provided templates.

Correct

You can create custom templates for regulations not in the library. This allows flexibility for industry-specific or internal standards.

Mistake

The compliance score is a simple percentage of controls passed.

Correct

The score is weighted based on control criticality. Passing a critical control gives more points than passing a low-priority control. The score reflects the overall compliance posture, not just a pass/fail count.

Frequently Asked Questions

Do I need a separate license for Compliance Manager?

Yes. Compliance Manager is part of Microsoft 365 compliance offerings. It requires at least a Microsoft 365 E3 license for basic features, and E5 for advanced capabilities like automated data ingestion and all templates. Azure-only subscriptions do not include Compliance Manager.

Can Compliance Manager enforce policies like Azure Policy?

No. Compliance Manager is an assessment and recommendation tool. It does not enforce anything. For enforcement, use Azure Policy. However, you can import Azure Policy results into Compliance Manager as evidence for controls.

What is the difference between Compliance Manager and Microsoft Purview Compliance Portal?

The Microsoft Purview compliance portal is the overarching portal that hosts multiple compliance tools, including Compliance Manager, Data Loss Prevention, eDiscovery, and more. Compliance Manager is a specific tool within that portal focused on regulatory compliance assessments.

How does Compliance Manager calculate the compliance score?

Each control in an assessment has a point value based on its criticality. Microsoft-managed actions automatically earn points. Customer-managed actions earn points when you mark them as implemented and upload evidence. The score is the sum of earned points divided by total possible points, expressed as a percentage.
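The scoring rules above (weighted points, Microsoft-managed actions counted automatically, customer-managed actions earning points only once implemented and evidenced, per-assessment scores rolled up into one overall number) are easier to see in a small model. The following Python is an added example written for this chapter, not code from Compliance Manager or Microsoft. The control names, point weights (27/9/3), the "Failed = implemented but no evidence" status mapping, and the pooled-points aggregation are all constructed assumptions chosen to illustrate the mechanism; the product's actual point values and roll-up formula are not stated on this page. It also shows why the "simple percentage of controls passed" answer from the Watch Out section is wrong: the same assessment yields a weighted score of 84 but an unweighted pass rate of 50.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed model of Compliance Manager scoring (example only; point values,
# status mapping and aggregation are assumptions, not the product's formula).


@dataclass
class Action:
    name: str
    owner: str                      # "microsoft" or "customer"
    points: int                     # weight: critical controls carry more points
    implemented: bool = False       # customer has marked the action implemented
    evidence: List[str] = field(default_factory=list)  # uploaded proof files

    def status(self) -> str:
        if self.owner == "microsoft":
            return "Passed"        # Microsoft-managed actions complete automatically
        if self.implemented and self.evidence:
            return "Passed"        # implemented and backed by uploaded evidence
        if self.implemented:
            return "Failed"        # marked implemented but no evidence uploaded
        return "Not Started"

    def earned(self) -> int:
        return self.points if self.status() == "Passed" else 0


@dataclass
class Assessment:
    name: str
    actions: List[Action]

    def total_points(self) -> int:
        return sum(a.points for a in self.actions)

    def earned_points(self) -> int:
        return sum(a.earned() for a in self.actions)

    def score(self) -> int:
        """Weighted score: earned points over possible points, as 0-100."""
        total = self.total_points()
        return round(100 * self.earned_points() / total) if total else 0

    def simple_pass_rate(self) -> int:
        """Unweighted share of passed actions, shown only for contrast."""
        if not self.actions:
            return 0
        passed = sum(1 for a in self.actions if a.status() == "Passed")
        return round(100 * passed / len(self.actions))

    def open_actions(self) -> List[str]:
        """Actions still costing points, highest weight first (what to fix next)."""
        pending = [a for a in self.actions if a.status() != "Passed"]
        pending.sort(key=lambda a: a.points, reverse=True)
        return [f"{a.name} ({a.points} pts, {a.status()})" for a in pending]


def aggregate_score(assessments: List[Assessment]) -> int:
    """Roll-up across assessments by pooling points (this example's choice)."""
    total = sum(a.total_points() for a in assessments)
    earned = sum(a.earned_points() for a in assessments)
    return round(100 * earned / total) if total else 0


def build_sample_assessments() -> List[Assessment]:
    """Constructed sample data; control names and weights are illustrative."""
    soc2 = Assessment("SOC 2 (constructed)", [
        Action("Datacenter physical security", "microsoft", 27),
        Action("Encrypt data at rest", "customer", 27, True, ["tde-settings.png"]),
        Action("Encrypt data in transit", "customer", 27, True, ["tls-policy.pdf"]),
        Action("Retain audit logs", "customer", 9, True),   # implemented, no evidence
        Action("Quarterly access reviews", "customer", 3),
        Action("Security awareness training", "customer", 3),
    ])
    gdpr = Assessment("GDPR (constructed)", [
        Action("Maintain processing records", "customer", 27, True, ["ropa.xlsx"]),
        Action("Breach notification procedure", "customer", 9),
        Action("Appoint a data protection officer", "customer", 3, True, ["dpo-letter.pdf"]),
    ])
    return [soc2, gdpr]


if __name__ == "__main__":
    assessments = build_sample_assessments()
    for asm in assessments:
        print(f"{asm.name}: score {asm.score()}, simple pass rate {asm.simple_pass_rate()}")
        for item in asm.open_actions():
            print("  open:", item)
    print("Aggregated score:", aggregate_score(assessments))
```

Two details worth noticing when you run it: the audit-log action is marked implemented but earns nothing because no evidence was uploaded, which is the behaviour the chapter describes for customer-managed actions; and the open-actions list is sorted by weight, which is the order in which closing gaps moves the score fastest.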

Can I use Compliance Manager for non-Microsoft cloud services?

Compliance Manager primarily assesses Microsoft cloud services (Azure, Microsoft 365). For non-Microsoft services, you can create custom controls and manually upload evidence, but automated data ingestion is limited to Microsoft services.

What happens if I delete an assessment?

Deleting an assessment removes all its data, including evidence and scores. It cannot be recovered. It is recommended to export reports before deletion.

Is Compliance Manager available in government clouds?

Yes, Compliance Manager is available in GCC, GCC High, and DoD environments, but with some template limitations. Check Microsoft documentation for specific availability.
