MS-102 | Chapter 102 of 104 | Objective 3.3

Compliance Score and Improvement Actions

This chapter covers Compliance Score and improvement actions in Microsoft 365, the scoring component of Microsoft Purview Compliance Manager that helps organizations measure and improve their compliance posture. For the MS-102 exam this topic falls under Objective 3.3 ('Implement and manage compliance solutions for Microsoft 365') and typically appears in 5–10% of questions, often in scenario-based formats. Understanding how the score is calculated, how improvement actions are tested and prioritized, and how to interpret the results is critical for passing the exam and for real-world compliance management.

25 min read
Intermediate
Updated May 31, 2026

Compliance Score as a Home Inspection Report

Imagine you own a house and want to sell it. A home inspector walks through, checking every system: electrical, plumbing, roofing, HVAC, and safety features. Each item is worth a fixed number of points, and critical systems like wiring and structural integrity are worth far more than cosmetic items like paint. The inspector also hands you a list of improvement actions: specific repairs or upgrades, each worth a known number of points and each with an estimated effort. Some items the inspector can verify by looking (the wiring is either up to code or it is not); others you have to document yourself, such as the service records for the furnace. As you complete each action and the inspector re-checks it, your score rises. Compliance Score in Microsoft 365 works the same way: it evaluates your tenant against data protection and regulatory standards, assigns each improvement action a fixed point value based on how important it is, expresses the result as a percentage of points achieved, and lists improvement actions with their point values and implementation effort. Just as a buyer uses the inspection score to gauge a property's condition, auditors and compliance officers use Compliance Score to gauge an organization's compliance posture. The report is dynamic: as you fix issues and the inspector re-tests them, the score improves, mirroring how Compliance Manager re-scores actions as their test status changes.

How It Actually Works

What is Compliance Score and Why It Exists

Compliance Score is the score displayed by Compliance Manager in the Microsoft Purview portal (formerly the Microsoft 365 compliance center). It is a quantitative measure of your organization's progress toward the data protection controls and regulatory standards you have chosen to assess. It draws on configuration signals from Microsoft 365 services (Microsoft Entra ID, Exchange Online, SharePoint, Teams, and the Purview solutions) for technical controls, and on your own attestations and evidence for non-technical controls, and expresses the result as a percentage from 0 to 100. The primary purpose is to help organizations identify gaps in their controls, prioritize remediation, and demonstrate progress over time. The MS-102 exam tests your understanding of how this score is calculated, what influences it, and how improvement actions raise it.

How Compliance Score Works Internally

Compliance Score is produced by Microsoft Purview Compliance Manager; it is not a separate product. The system works by:

1. Building assessments from regulatory templates: Microsoft publishes templates mapped to regulations and standards (for example ISO 27001, NIST 800-53, GDPR, HIPAA) and a default Data Protection Baseline assessment. An assessment groups the controls of one template, and each control maps to one or more improvement actions.

2. Classifying improvement actions: every action is either technical (implemented by changing a tenant setting, such as requiring multi-factor authentication through Conditional Access) or non-technical (an operational or documentation practice, such as an annual access review). Actions are also classified as mandatory or discretionary and as preventative, detective, or corrective; these two labels determine the action's point value.

3. Testing actions: technical actions can be tested automatically. Compliance Manager takes test results from Microsoft Secure Score and other Microsoft 365 signals, so a technical action flips to Passed or Failed without anyone editing it (automatic testing can be turned on or off per action or for the whole tenant). Non-technical actions, and any action you switch to manual testing, are tested by you: you record the implementation status, upload evidence, and set the test status. Signals that feed automatic testing include:

- Microsoft Entra ID (MFA registration, Conditional Access)
- Exchange Online (mail flow rules, retention policies)
- SharePoint Online (external sharing settings)
- Teams (guest access settings)
- Microsoft Defender for Cloud Apps (app permissions)
- Microsoft Purview Data Loss Prevention (DLP policies)

4. Scoring each action: an action earns its full point value when its test status is Passed and nothing otherwise. Point values are fixed by type: mandatory preventative 27, discretionary preventative 9, mandatory detective or corrective 3, discretionary detective or corrective 1. An action that is shared by several assessments is implemented and tested once and counts toward each of them.

5. Aggregating to an overall score: an assessment's score is the points achieved divided by the points possible for its actions. The overall Compliance Score is the same ratio taken over all actions of the assessments you include, with shared actions counted only once, plus the points for Microsoft-managed actions (controls Microsoft implements for the service itself), which is why a new tenant starts with a score well above zero. You choose which assessments contribute to the overall score.

Key Components, Values, Defaults, and Timers

- Compliance Score scale: 0 to 100 percent, where 100 means every action in the included assessments has passed testing.
- Improvement actions: specific tasks that, when implemented and tested, earn points. Each action has:
  - Points: fixed by type (mandatory preventative 27, discretionary preventative 9, mandatory detective or corrective 3, discretionary detective or corrective 1).
  - Testing source: Automatic (result imported from Secure Score or another Microsoft signal) or Manual (you test it and record the result).
  - Implementation status: values such as Not started, In progress, Implemented, Alternative implementation, Planned, and Risk accepted.
  - Test status: values such as Not assessed, Passed, and Failed; only Passed earns points.
  - Solution and category: the Microsoft 365 solution used to implement it and the control family it belongs to (access control, data protection, and so on).
- Refresh: automatically tested actions and the score are updated within 24 hours of a change; a setting change is therefore not reflected immediately.
- Default assessment: the Data Protection Baseline is present in every tenant. Templates for GDPR, HIPAA, ISO 27001, NIST, and many other regulations can be added as assessments, and you can build custom templates.
- Evidence: each action has a place to upload documents that an auditor can later be shown.

Configuration and Verification Commands

Compliance Score is managed in Compliance Manager in the Microsoft Purview portal at https://purview.microsoft.com (the older https://compliance.microsoft.com address redirects there). There is no PowerShell cmdlet or Graph API that returns the Compliance Score itself, but you can verify the tenant state behind its technical actions. The MSOnline and AzureAD modules used in older guides are retired; use Microsoft Graph PowerShell for identity checks and Security & Compliance PowerShell for DLP:

# Microsoft Graph PowerShell (replaces the retired MSOnline/AzureAD modules)
Connect-MgGraph -Scopes "AuditLog.Read.All","UserAuthenticationMethod.Read.All","Policy.Read.All","SecurityEvents.Read.All"

# Per-user MFA registration state, the signal behind identity-related technical actions
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Select-Object UserPrincipalName, IsAdmin, IsMfaRegistered, IsMfaCapable

# Conditional Access policies, e.g. the ones enforcing MFA or blocking legacy authentication
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State

# Latest Secure Score snapshot; Compliance Manager imports these results for automatically tested actions
Get-MgSecuritySecureScore -Top 1 | Select-Object CreatedDateTime, CurrentScore, MaxScore

# DLP policies live in Security & Compliance PowerShell, not the Exchange Online session
Connect-IPPSSession
Get-DlpCompliancePolicy | Format-Table Name, Mode, Enabled

When a technical action shows as Failed, open Microsoft Secure Score in the Microsoft Defender portal: the corresponding recommended action there shows which settings the automated test found missing.

Interaction with Related Technologies

Compliance Score integrates deeply with:

Microsoft Purview Compliance Manager: the solution that hosts assessments, improvement actions, evidence, and the score itself.

Microsoft Defender XDR and Microsoft Secure Score: the source of automated test results for technical actions (for example anti-phishing and MFA recommendations).

Microsoft Entra ID (formerly Azure Active Directory): identity and access management controls (MFA, Conditional Access).

Microsoft Purview Information Protection and Data Loss Prevention: sensitivity labels and DLP policies.

Microsoft Service Trust Portal: audit reports and certification documents for the Microsoft-managed side of the shared responsibility model, which support your own compliance claims.

Exam-Relevant Details

The exam will test that you know Compliance Score is a measurement of controls implemented and tested, not a guarantee of compliance.

You must understand that improvement actions are the only way to raise the score, and that an action earns points when its test status is Passed.

Know that the score is not real-time; automatically tested actions and the score refresh within 24 hours.

Be aware that you can exclude certain assessments from the overall score calculation, and that technical actions are tested automatically (through Secure Score) while non-technical actions are tested manually with evidence.

The exam may present a scenario where a company has a low score and ask which improvement action to prioritize. The correct answer is usually the one with the highest point value for the least effort; mandatory preventative actions (27 points) outweigh everything else.

Common Calculations

A score, whether for one assessment or overall, is:

Score = (Sum of points achieved) / (Sum of points possible) * 100

where every action earns its full point value if its test status is Passed and zero otherwise, and an action shared by several assessments is counted once in the overall score. Point values by type: mandatory preventative 27, discretionary preventative 9, mandatory detective or corrective 3, discretionary detective or corrective 1.

For example, if an assessment has three of your actions plus one Microsoft-managed action:

Action A: mandatory preventative, 27 points, Passed

Action B: mandatory detective, 3 points, Failed

Action C: discretionary preventative, 9 points, Passed

Action M (Microsoft-managed): mandatory preventative, 27 points, Passed

Then:

Points achieved = 27 + 0 + 9 + 27 = 63

Points possible = 27 + 3 + 9 + 27 = 66

Assessment Score = (63/66)*100 ≈ 95.5

Passing Action B would add only 3 points, while a single failed mandatory preventative action would leave 27 points on the table. This is why the exam answer for 'which action to prioritize' is almost always a mandatory preventative one, and why a tenant that has done nothing yet still shows a non-zero score from Microsoft-managed actions.
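The scoring rules above and the five-step flow in 'How Compliance Score Works Internally' are easy to state and easy to get wrong in a scenario question, so here is the model as runnable code. This is an added example written for this chapter, not Microsoft code; the point values are the ones Microsoft publishes, while the action names, assessment membership, test results and the Microsoft-managed flag on one action are constructed sample data.

```python
"""Compliance Manager scoring model (added example, not Microsoft code).

Implements the published per-action point values, the pass/fail rule, the
"count a shared action once" rule, and the split between your points and
Microsoft-managed points. SAMPLE is constructed data, not tenant output.
"""
from dataclasses import dataclass

# Points Microsoft assigns by action category and function.
POINTS = {
    ("mandatory", "preventative"): 27,
    ("mandatory", "detective"): 3,
    ("mandatory", "corrective"): 3,
    ("discretionary", "preventative"): 9,
    ("discretionary", "detective"): 1,
    ("discretionary", "corrective"): 1,
}


@dataclass(frozen=True)
class Action:
    name: str
    category: str               # "mandatory" or "discretionary"
    function: str               # "preventative", "detective" or "corrective"
    assessments: frozenset      # assessments this action is shared across
    test_status: str            # only "passed" earns points
    managed_by: str = "customer"  # "microsoft" for Microsoft-managed actions

    @property
    def points_possible(self) -> int:
        return POINTS[(self.category, self.function)]

    @property
    def points_achieved(self) -> int:
        return self.points_possible if self.test_status == "passed" else 0


# Constructed sample tenant; assessment and action names are illustrative.
DPB, ISO, HIPAA = "Data Protection Baseline", "ISO 27001", "HIPAA"
SAMPLE = [
    Action("Datacenter physical security", "mandatory", "preventative",
           frozenset({DPB, ISO, HIPAA}), "passed", managed_by="microsoft"),
    Action("Require MFA for admins", "mandatory", "preventative",
           frozenset({DPB, ISO}), "passed"),
    Action("Block legacy authentication", "mandatory", "preventative",
           frozenset({ISO}), "failed"),
    Action("Enable unified audit logging", "mandatory", "detective",
           frozenset({DPB, ISO, HIPAA}), "passed"),
    Action("DLP policy for PHI", "discretionary", "preventative",
           frozenset({HIPAA}), "not tested"),
    Action("Annual access review (non-technical)", "discretionary", "detective",
           frozenset({ISO, HIPAA}), "passed"),
]


def _pool(actions, assessments):
    """Actions belonging to at least one of the given assessments, each once."""
    return {a.name: a for a in actions if a.assessments & assessments}.values()


def _percent(actions) -> float:
    possible = sum(a.points_possible for a in actions)
    achieved = sum(a.points_achieved for a in actions)
    return round(100 * achieved / possible, 1) if possible else 0.0


def assessment_score(actions, assessment: str) -> float:
    """Score of one assessment: achieved / possible points of its own actions."""
    return _percent(_pool(actions, {assessment}))


def overall_score(actions, included: set) -> float:
    """Overall score over the included assessments.

    The pool is the union of their actions, so an action shared by three
    assessments is counted once; this is not an average of the percentages.
    """
    return _percent(_pool(actions, included))


def score_breakdown(actions, included: set) -> dict:
    """(achieved, possible) points split into your points and Microsoft's."""
    out = {}
    for owner in ("customer", "microsoft"):
        subset = [a for a in _pool(actions, included) if a.managed_by == owner]
        out[owner] = (sum(a.points_achieved for a in subset),
                      sum(a.points_possible for a in subset))
    return out


def ranked_gains(actions, included: set) -> list:
    """Open actions ordered by the points gained if their test status became Passed."""
    todo = [a for a in _pool(actions, included) if a.test_status != "passed"]
    return sorted(((a.points_possible, a.name) for a in todo), reverse=True)


if __name__ == "__main__":
    everything = {DPB, ISO, HIPAA}
    for name in sorted(everything):
        print(f"{name}: {assessment_score(SAMPLE, name)}%")
    print("overall:", overall_score(SAMPLE, everything), score_breakdown(SAMPLE, everything))
    print("next actions:", ranked_gains(SAMPLE, everything))
```

Running it prints 100.0% for the baseline, 68.2% for ISO 27001, 77.5% for HIPAA and an overall 61.7%, although the mean of the three percentages would be 81.9%; the gap comes from shared actions being counted once and from the failed 27-point action weighing on the pooled total. ranked_gains puts the 27-point legacy-authentication block ahead of the 9-point DLP action, which is the prioritization logic the exam expects, and score_breakdown shows 27 of the 58 achieved points coming from the Microsoft-managed action.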

Walk-Through

1. Access the Compliance Manager dashboard

Navigate to the Microsoft Purview portal at https://purview.microsoft.com (https://compliance.microsoft.com redirects there). Under 'Solutions', select 'Compliance Manager'. The overview displays your overall Compliance Score, the split between your points and Microsoft-managed points, a breakdown by assessment (e.g., Data Protection Baseline, GDPR, HIPAA), and key improvement actions. Automatically tested actions refresh within 24 hours, so recent changes may not be reflected yet. The exam expects you to know this location and the refresh cycle.

2. Review improvement actions

Open 'Improvement actions' to see the full list. Each action shows its implementation status, test status, testing source (Automatic or Manual), points, solution, and the assessments it belongs to. You can filter by status, assessment, solution, or action type. The exam may ask you to identify which action would have the greatest impact on a specific assessment; look for mandatory preventative actions (27 points) with low effort.

3. Implement an improvement action

Select an action to view its details. The details pane explains how to implement it and links to the relevant configuration page (e.g., Microsoft Entra Conditional Access for MFA, the Purview DLP page for DLP policies). What happens next depends on the testing source. For an automatically tested technical action, Compliance Manager picks up the new setting from Secure Score and sets the test status to Passed on its own; you do not mark it. For a manually tested action (all non-technical actions, and any action whose testing you switched to manual) you set the implementation status, upload evidence, and set the test status to Passed yourself. This is a key exam point: automatic for technical actions, manual with evidence for non-technical ones.

4. Monitor score changes

The score recalculates as test statuses change; for automatically tested actions that means within 24 hours of the setting change, not immediately. To see the impact, check the overview after the next refresh. The exam may test that the score is not updated in real time; expect up to a 24-hour delay.

5. Customize assessments

Go to 'Assessments' to add assessments from Microsoft's regulatory templates and to review which assessments contribute to your overall score. You can also create custom templates, or modify a copy of a Microsoft template, to track internal controls. Each assessment is assigned to a group (a logical grouping you define, such as a business unit or region). The exam may ask about custom assessments: their custom actions are tested manually, so you provide the evidence and set the status yourself; nothing verifies them automatically.

What This Looks Like on the Job

Enterprise Scenario 1: Healthcare Organization Achieving HIPAA Compliance

A large hospital network uses Microsoft 365 for email, document storage, and telehealth and needs to demonstrate HIPAA compliance. The compliance officer adds the HIPAA assessment in Compliance Manager and sees an overall score of 65. The top improvement actions include 'Enable encryption for email communications' (27 points), 'Implement data loss prevention policies for patient data' (9 points), and 'Configure audit logging for all user activities' (3 points); these names and values are this chapter's illustration, not Microsoft's catalog. The team takes the mandatory preventative action first because it carries the most points, then the DLP action, creating DLP rules to detect and protect Protected Health Information (PHI) in Exchange and SharePoint. Both are technical actions tested automatically, so within a day the test status flips to Passed and the score rises to 85 without anyone editing the actions. The same feed works in reverse: if someone later disables the DLP policy, the next automatic test fails the action and the points disappear. The assessment also contains non-technical actions, such as workforce training, that nothing can test automatically; for those the team records the implementation status, uploads the policy documents as evidence, and sets the test status to Passed. The organization also uses a custom assessment to track internal controls not covered by Microsoft templates. Common misconfiguration: switching technical actions to manual testing and attesting them as Passed, so the score stops reflecting the tenant's real state.

Enterprise Scenario 2: Financial Services Firm Preparing for ISO 27001 Audit

A bank uses Microsoft 365 and needs to achieve ISO 27001 certification. They add the ISO 27001 assessment in Compliance Manager; the overall score is 72. They focus on improvement actions like 'Enable multi-factor authentication for all administrators' and 'Implement Conditional Access policies to block legacy authentication', both mandatory preventative actions worth 27 points each. The IT team enforces MFA for admin accounts and creates a Conditional Access policy that blocks legacy authentication. Both actions are tested automatically, so the next daily refresh marks them Passed and the score rises to 82. The audit then makes clear that the score does not prove compliance; it only indicates that certain controls are in place. The bank must still provide evidence (Conditional Access policy exports, sign-in logs, written procedures) to the auditor, which is exactly what the evidence area of each action is for. A common pitfall is relying solely on the Compliance Score as proof, which the exam will highlight as incorrect. The score is a monitoring tool, not an audit certificate.

Performance Considerations

Compliance Manager does not re-test on demand. Automatically tested actions are refreshed on a roughly daily cycle, so in a large tenant it is advisable to implement changes in batches and check the score after each refresh rather than expecting instant movement. The bigger risk is not latency but accuracy: if actions are switched to manual testing and attested as Passed without being implemented, or if evidence is never uploaded for non-technical actions, the score rises while the tenant does not change, leading to false confidence. The exam may present a scenario where the score is high but the organization fails an audit; this illustrates the danger of self-reporting without verification.
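The false-confidence case above can be caught mechanically, because the tenant signals that automatic testing relies on are readable through the Graph API. The following is an added example written for this chapter, not Microsoft code: it reconciles an export of improvement actions against a Secure Score snapshot. Both inputs are constructed here and only mimic the field names of the Graph secureScore and secureScoreControlProfiles resources; the control names, the action export format and the action-to-control mapping are assumptions for illustration.

```python
"""Reconcile self-reported Compliance Manager statuses with Secure Score signals
(added example, not Microsoft code).

Flags three failure modes: an action attested as Passed whose Secure Score
control the tenant does not meet, a control that is met but never claimed,
and a manually tested action attested without any evidence.
"""
import csv
import io
import json

# Constructed sample shaped like the Graph secureScore resource (values assumed).
SECURE_SCORE_JSON = """{
  "currentScore": 19.0,
  "maxScore": 27.0,
  "controlScores": [
    {"controlName": "AdminMFAV2", "score": 10.0},
    {"controlName": "BlockLegacyAuthentication", "score": 0.0},
    {"controlName": "AuditLogSearch", "score": 1.0},
    {"controlName": "DLPEnabled", "score": 8.0}
  ]
}"""

# Constructed sample shaped like secureScoreControlProfiles (id, maxScore).
CONTROL_PROFILES_JSON = """[
  {"id": "AdminMFAV2", "maxScore": 10.0},
  {"id": "BlockLegacyAuthentication", "maxScore": 8.0},
  {"id": "AuditLogSearch", "maxScore": 1.0},
  {"id": "DLPEnabled", "maxScore": 8.0}
]"""

# Constructed export of improvement actions with the statuses an admin recorded.
ACTIONS_CSV = """action,testing_source,implementation_status,test_status,evidence_files
Require MFA for admins,automatic,Implemented,Passed,0
Block legacy authentication,manual,Implemented,Passed,0
Enable unified audit logging,automatic,Implemented,Passed,1
DLP policy for PHI,manual,Not started,Not assessed,0
Annual access review,manual,Implemented,Passed,0
"""

# Assumed mapping from improvement actions to the Secure Score control that tests them.
# Non-technical actions (no entry here) can only be judged by their evidence.
ACTION_TO_CONTROL = {
    "Require MFA for admins": "AdminMFAV2",
    "Block legacy authentication": "BlockLegacyAuthentication",
    "Enable unified audit logging": "AuditLogSearch",
    "DLP policy for PHI": "DLPEnabled",
}


def control_states(secure_score_json: str, profiles_json: str) -> dict:
    """Map control id -> True when the tenant earns the control's full score."""
    max_score = {p["id"]: p["maxScore"] for p in json.loads(profiles_json)}
    scores = json.loads(secure_score_json)["controlScores"]
    return {c["controlName"]: c["score"] >= max_score[c["controlName"]] for c in scores}


def reconcile(secure_score_json: str, profiles_json: str, actions_csv: str) -> list:
    """Return (action, finding) pairs where attestation and tenant signals disagree."""
    met = control_states(secure_score_json, profiles_json)
    findings = []
    for row in csv.DictReader(io.StringIO(actions_csv)):
        name, passed = row["action"], row["test_status"] == "Passed"
        control = ACTION_TO_CONTROL.get(name)
        if control is not None:
            if passed and not met[control]:
                findings.append((name, "claimed_not_met"))   # false confidence
            elif met[control] and not passed:
                findings.append((name, "met_unreported"))    # points left unclaimed
        elif passed and int(row["evidence_files"]) == 0:
            findings.append((name, "no_evidence"))           # an auditor will ask for proof
    return findings


if __name__ == "__main__":
    for action, finding in reconcile(SECURE_SCORE_JSON, CONTROL_PROFILES_JSON, ACTIONS_CSV):
        print(f"{finding:16} {action}")
```

In a real run the two JSON strings would come from Get-MgSecuritySecureScore -Top 1 and Get-MgSecuritySecureScoreControlProfile (or the equivalent Graph calls) and the action list from a Compliance Manager export. On the sample data it returns exactly the three cases described above: the legacy-authentication action that someone switched to manual testing and attested as Passed while the control scores zero, the DLP control that is fully met but still sits at Not started, and the access review attested without a single evidence file.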

How MS-102 Actually Tests This

The MS-102 exam tests Compliance Score and Improvement Actions under Objective 3.3: 'Implement and manage compliance solutions for Microsoft 365'. Specifically, you need to:

Understand the purpose of Compliance Score: it measures implementation of controls, not regulatory compliance.

Know how to navigate the Compliance Manager dashboard.

Identify the refresh cycle (24 hours) and the fact that score updates are not real-time.

Recognize that technical actions are tested automatically through Secure Score, while non-technical and custom actions are tested manually and need evidence.

Distinguish between built-in assessments and custom assessments.

Common Wrong Answers and Why Candidates Choose Them

1. 'Compliance Score is a real-time measurement.' Candidates often assume that because the portal looks dynamic, the score updates instantly. The correct answer is that automatically tested actions and the score refresh within 24 hours. The exam will explicitly ask about the refresh interval.

2. 'You must manually mark every improvement action as completed.' Older guides say this, and it is true only for manually tested actions. Technical actions such as enabling MFA are tested automatically from Secure Score; Compliance Manager sets their test status itself, within 24 hours. Non-technical actions (policies, training, reviews) are the ones you attest to, with evidence. The exam tests this split.

3. 'A high Compliance Score guarantees compliance with regulations.' This is a trap. The score only indicates that certain controls are configured or attested; it does not prove compliance because the organization must also have evidence and processes. The exam may present a scenario where the score is 95 but an audit fails, and ask why.

4. 'Custom assessments automatically verify controls.' Custom actions are tested manually; they do not check configurations. Candidates might assume they work like the automatically tested actions in built-in assessments.

Specific Numbers and Terms on the Exam

The refresh interval: within 24 hours.

The score range: 0 to 100.

The name of the feature: Compliance Score (not 'Security Score' or 'Secure Score').

The location: Microsoft Purview portal > Solutions > Compliance Manager.

The term Improvement Actions (not 'Recommendations' or 'Remediation steps').

Edge Cases and Exceptions

If you have multiple assessments, the overall score pools their actions (each shared action counted once) and divides points achieved by points possible; it is neither a simple nor a weighted average of the per-assessment percentages, and it includes Microsoft-managed points.

You can exclude assessments from the overall score. This is useful if an assessment is not relevant.

Implementation statuses such as 'Risk accepted' record a decision not to implement an action; they earn no points, because points are awarded only when the test status is Passed. 'Alternative implementation' is for a control you met by different means than Microsoft's guidance; it earns points once you have tested it and set the test status to Passed.

How to Eliminate Wrong Answers

If an answer says 'real-time' or 'immediately', it is wrong.

If an answer says 'guarantees compliance', it is wrong.

If an answer says custom or non-technical actions are 'automatically detected', it is wrong; only technical actions with automatic testing are.

Look for answers that mention 'tested automatically through Secure Score', 'evidence for non-technical actions', or '24-hour refresh'; these are correct.

Key Takeaways

Compliance Score is a measurement of control implementation, not a guarantee of compliance.

The score refreshes every 24 hours; it is not real-time.

Technical actions are tested automatically (results imported from Secure Score within 24 hours); non-technical and custom actions are tested manually and need evidence.

The overall score is points achieved over points possible across all included assessments, with shared actions counted once and Microsoft-managed points included.

You can exclude irrelevant assessments from the overall score calculation.

Custom assessments are self-reported and do not automatically verify configurations.

The exam often tests the difference between Compliance Score and Secure Score.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Compliance Score

Measures compliance with regulatory standards (GDPR, HIPAA, etc.)

Located in Microsoft Purview portal > Compliance Manager

Score range 0-100 based on fixed point values per improvement action (27/9/3/1 by type)

Improvement actions are specific to compliance controls

Refresh cycle: within 24 hours

Secure Score

Measures security posture against best practices (e.g., enabling MFA, reducing attack surface)

Located in Microsoft 365 Defender portal > Secure Score

Score range 0-100 based on security recommendations

Improvement actions are security recommendations

Refresh cycle: also roughly daily, so the interval does not distinguish the two; Compliance Manager reads Secure Score results to test its technical actions

Watch Out for These

Mistake

Compliance Score updates in real time as soon as you change a setting.

Correct

Compliance Score refreshes within 24 hours. A setting change is not reflected until the next automated test picks it up, and manually tested actions change only when you update their test status.

Mistake

A high Compliance Score means you are fully compliant with regulations.

Correct

Compliance Score only measures the implementation of controls; it does not guarantee compliance. You still need to have proper processes, evidence, and audits to prove compliance.

Mistake

Every improvement action is automatically detected and marked as completed by Microsoft (or, the opposite trap, none of them is).

Correct

Only technical actions with automatic testing are detected, via Secure Score, within 24 hours. Non-technical actions, custom actions, and any action switched to manual testing must be updated by you, with evidence. Both 'everything is automatic' and 'nothing is automatic' are exam traps.

Mistake

Custom assessments automatically verify your configurations like built-in assessments.

Correct

Custom assessments are self-reported. You define the controls and point values, and you test and attest each action yourself; there is no automatic verification.

Mistake

Compliance Score and Secure Score are the same thing.

Correct

Compliance Score focuses on regulatory compliance (e.g., GDPR, HIPAA), while Secure Score measures security posture (e.g., vulnerability management, threat protection). They are separate features in different portals, and the data flows one way: Compliance Manager imports Secure Score results to test its technical actions.


Frequently Asked Questions

How often does Compliance Score refresh?

Compliance Score refreshes within 24 hours; it is not real-time. If you change a setting behind an automatically tested action, wait for the next automated test to see the score move. For manually tested actions the score moves when you set the test status to Passed. The exam frequently tests this refresh interval.

Do I need to manually mark improvement actions as completed?

Only for manually tested actions. Technical actions such as enabling MFA are tested automatically: Compliance Manager imports the result from Secure Score and sets the test status within 24 hours. Non-technical actions (policies, training, reviews) and custom actions require you to set the implementation status, upload evidence, and set the test status to Passed. Attesting by hand to an action that could be tested automatically is a common real-world mistake, because the score then stops tracking the tenant.

Can I create my own assessments?

Yes, you can create custom assessments by copying Microsoft templates or starting from scratch. Custom assessments allow you to add your own controls and point values. However, they are self-reported; you must manually mark controls as completed. The exam may ask about custom assessments as a way to track internal policies.

What is the difference between Compliance Score and Secure Score?

Compliance Score focuses on regulatory compliance (e.g., GDPR, HIPAA) and is found in Compliance Manager in the Microsoft Purview portal. Secure Score focuses on security posture (e.g., enabling MFA, reducing attack surface) and is found in the Microsoft Defender portal. Both refresh on a daily cycle, and Compliance Manager imports Secure Score results to test its technical actions. The exam may test this distinction.

Can I exclude certain assessments from my overall Compliance Score?

Yes. In Compliance Manager, under 'Assessments', you can choose which assessments contribute to the overall score. This is useful if an assessment is not relevant to your organization. The overall score is then recalculated based only on the selected assessments.

Does a high Compliance Score guarantee I will pass an audit?

No. Compliance Score only indicates that certain controls are configured. It does not provide evidence of compliance (e.g., logs, policies). Auditors require documentation and proof, not just a score. The exam may present a scenario where a high score does not prevent audit findings.

What happens if I set an improvement action to 'Risk accepted'?

'Risk accepted' is an implementation status for actions your organization has decided not to implement. It records the decision for auditors and reviewers but does not earn points, because points are awarded only when the test status is Passed. Use it to document deliberate choices, not to tidy the list.

