MS-900 | Chapter 68 of 104 | Objective 3.2

Microsoft Compliance Manager and Score

This chapter covers Microsoft Compliance Manager and the compliance score, a core component of Microsoft 365 security and compliance. For the MS-900 exam, expect 5–10% of questions to touch this topic, primarily focusing on what Compliance Manager is, how the score is calculated, and how to interpret the dashboard. You need to understand the relationship between controls, assessments, and actions, and how the score improves. We will dissect the mechanism, step through the workflow, and highlight exam traps.

25 min read
Intermediate
Updated May 31, 2026

Home Renovation Inspection Checklist

Imagine you're renovating a house to meet strict building codes. You hire an inspector who gives you a detailed checklist with hundreds of items—fire alarms, electrical grounding, window egress, etc. Each item has a point value based on risk: missing a fire alarm costs you 10 points, while a minor paint crack costs 1 point. Your total score starts at 0 and increases as you complete items. The inspector also suggests remediation steps for each item, like 'install smoke detector in hallway.' You can assign the task to an electrician and track progress. Some items are required by law (mandatory), others are best practices (discretionary). Your overall score reflects your compliance level. In Microsoft Compliance Manager, your tenant is the house, the controls are checklist items, the score is your compliance percentage, and the inspector is Microsoft's built-in assessment templates based on regulations like GDPR or ISO 27001.

How It Actually Works

What is Microsoft Compliance Manager?

Microsoft Compliance Manager is a tool within the Microsoft 365 compliance center (compliance.microsoft.com) that helps organizations manage their compliance posture. It provides a centralized dashboard showing a compliance score, which is a percentage from 0 to 100 indicating how many controls you have implemented. The score is based on assessments that map to regulatory standards (e.g., GDPR, HIPAA, ISO 27001, NIST 800-53) and Microsoft's own Data Protection Baseline (a default set of controls).

Why it exists

Regulatory compliance is complex and costly. Organizations must map controls to multiple regulations, track implementation, and provide evidence. Compliance Manager automates this by providing pre-built assessment templates, continuous monitoring (with Microsoft 365 Defender signals), and actionable improvement suggestions. It reduces manual effort and provides a single pane of glass.

How it works internally

Compliance Manager uses three main components: controls, assessments, and actions.

- Controls: A control is a specific requirement from a regulation, e.g., 'Access to customer data must be logged.' Each control has a potential score (e.g., 10 points) and a status (Passed, Failed, Not tested, etc.). The score is weighted by risk: high-risk controls have higher point values.

- Assessments: An assessment groups controls for a specific regulation (e.g., GDPR). An assessment can be assigned to a specific scope (e.g., all users, a subset). Each assessment has its own score, and the overall compliance score is the weighted average of all assessments.

- Actions: Actions are steps you can take to implement a control. There are two types: Microsoft-managed actions (already implemented by Microsoft, e.g., data encryption at rest) and customer-managed actions (you must implement, e.g., enable audit logging). Customer-managed actions can be mapped to a technical implementation (e.g., a policy in Microsoft 365) or a procedural one (e.g., a training program).

Score calculation

Your compliance score is not a simple pass/fail. It is calculated as:

Score = (Sum of points for implemented controls) / (Total possible points) * 100

But there's nuance:

Points are awarded only for controls that are 'Passed' (i.e., fully implemented). 'Failed' or 'Not tested' controls contribute 0 points.

Microsoft-managed controls are automatically considered passed and contribute to the score. You cannot change them.

Customer-managed controls require you to mark them as implemented and provide evidence (e.g., a screenshot or a link to a policy). Compliance Manager does not automatically verify customer controls unless you use integration with Microsoft 365 Defender or other signals.

The total possible points exclude controls that are not applicable to your tenant (e.g., some GDPR controls may not apply if you process only employee data). You can mark controls as 'Not applicable' to exclude them.
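As an added worked example (not part of this chapter and not Microsoft's own code), here is the scoring model described above in Python: passed and Microsoft-managed controls earn their risk-weighted points, Failed and Not tested controls earn nothing, 'Not applicable' controls leave the denominator, and the overall score pools points across assessments (an assumption about how the weighted average is taken). It also shows how marking a failed control 'Not applicable' inflates the score, the misuse the chapter warns about later; control names and point values are constructed.

```python
from dataclasses import dataclass, replace
from enum import Enum
class Status(Enum):
    PASSED = "Passed"
    FAILED = "Failed"
    NOT_TESTED = "Not tested"
    NOT_APPLICABLE = "Not applicable"

@dataclass(frozen=True)
class Control:
    name: str
    points: int              # risk-weighted point value: higher risk, more points
    microsoft_managed: bool  # True: Microsoft implements it, so it always counts as passed
    status: Status

def assessment_points(controls):
    """Return (earned, possible) for one assessment."""
    earned = possible = 0
    for c in controls:
        if c.status is Status.NOT_APPLICABLE:
            continue                      # leaves the denominator entirely
        possible += c.points
        if c.microsoft_managed or c.status is Status.PASSED:
            earned += c.points            # Failed / Not tested customer controls earn 0
    return earned, possible

def percent(earned, possible):
    """Score = earned / possible * 100 (one decimal); 0.0 when nothing is in scope."""
    return round(100 * earned / possible, 1) if possible else 0.0

def overall_score(assessments):
    """Pool points over all assessments; assumption: this is the chapter's 'weighted
    average', so an assessment with more points at stake carries more weight."""
    earned = possible = 0
    for controls in assessments.values():
        e, p = assessment_points(controls)
        earned, possible = earned + e, possible + p
    return percent(earned, possible)

def mark_not_applicable(controls, name):
    """Copy of the control list with one control switched to Not applicable."""
    return [replace(c, status=Status.NOT_APPLICABLE) if c.name == name else c
            for c in controls]

# Constructed sample data; names and point values are illustrative, not template content.
GDPR = [
    Control("Encryption at rest", 10, True, Status.NOT_TESTED),   # Microsoft-managed: counts anyway
    Control("Audit logging enabled", 8, False, Status.PASSED),
    Control("DPIA process documented", 6, False, Status.FAILED),
    Control("Breach notification procedure", 6, False, Status.NOT_TESTED),
    Control("Consent for children's data", 4, False, Status.NOT_APPLICABLE),
]
BASELINE = [
    Control("Physical datacenter security", 10, True, Status.PASSED),
    Control("MFA for admin accounts", 10, False, Status.NOT_TESTED),
]
ASSESSMENTS = {"GDPR": GDPR, "Data Protection Baseline": BASELINE}

if __name__ == "__main__":
    for name, controls in ASSESSMENTS.items():
        print(f"{name}: {percent(*assessment_points(controls))}%")  # GDPR 60.0, Baseline 50.0
    print(f"Overall: {overall_score(ASSESSMENTS)}%")                 # 56.0, not the plain mean 55.0
    inflated = mark_not_applicable(GDPR, "DPIA process documented")  # N/A abuse: failed control hidden
    print(f"GDPR with a failed control hidden: {percent(*assessment_points(inflated))}%")  # 75.0
```

The jump from 60.0% to 75.0% comes from no implementation work at all, which is why auditors look at 'Not applicable' justifications.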

Default values and timers

The default assessment template for all tenants is the 'Data Protection Baseline' which includes about 90 controls.

New tenants start with a base score of around 20–30% from Microsoft-managed controls.

Compliance Manager updates the score every 24 hours (or on demand via the 'Recalculate score' button).

Actions have a due date; if you miss the due date, the control is marked as 'Failed' and the score drops.

Evidence must be uploaded; there is no automatic pass for customer controls.

Configuration and verification

To access Compliance Manager, navigate to compliance.microsoft.com > Compliance Manager. You can create custom assessments from templates. To verify your score, click the 'Overview' tab. To see which controls are affecting your score, go to 'Assessments' > select an assessment > 'Controls' tab. You can filter by status. To improve the score, go to the 'Improvement actions' tab. Each action shows the potential point gain, status, and guidance.

Interaction with related technologies

Microsoft 365 Defender: Compliance Manager can ingest signals from Defender for Cloud Apps, Defender for Identity, etc., to automatically detect if certain controls are implemented. For example, if you enable Conditional Access, Compliance Manager may automatically mark that control as passed.

Microsoft Purview Information Protection: Controls related to data classification and labeling are linked to Purview policies.

Microsoft Entra ID: Controls for identity and access management (e.g., MFA) are linked to Entra ID settings.

Microsoft Priva: For privacy regulations (e.g., GDPR), Priva provides subject rights requests and data inventory, which feed into Compliance Manager.

Key exam points

Compliance Manager is a tool for managing compliance, not for enforcing it. It does not block non-compliant actions.

The compliance score is a snapshot based on self-assessment and Microsoft signals. It is not an official certification.

You can create custom assessments for regulations not in the built-in templates.

The 'Data Protection Baseline' is the default assessment for all tenants.

There are two types of actions: Microsoft-managed (automatic) and Customer-managed (manual).

The score is calculated as a percentage of implemented controls by weight.

You can export assessment reports for auditors.

Trap patterns

Trap: 'Compliance Manager automatically enforces compliance.' Reality: It only reports and suggests actions. You must implement them.

Trap: 'The score is based on all controls in Microsoft 365.' Reality: Only controls included in your assessments matter.

Trap: 'Customer-managed controls are automatically verified.' Reality: You must mark them as implemented and provide evidence.

Trap: 'The score is real-time.' Reality: It updates every 24 hours or on demand.

Summary of commands (PowerShell for Compliance Manager)

While most actions are via GUI, you can use the Compliance Center PowerShell module (ExchangeOnlineManagement) to retrieve compliance score data:

Connect-ExchangeOnline
Get-ComplianceManagerAssessment
Get-ComplianceManagerControl
Get-ComplianceManagerImprovementAction

These return objects with properties like Score, Status, and ImplementationStatus.

Walk-Through

1. Access Compliance Manager Dashboard

Navigate to compliance.microsoft.com and sign in with a Global admin or Compliance admin role. Click 'Compliance Manager' in the left navigation. The dashboard displays the overall compliance score (percentage), the number of assessments, and improvement actions. The score is shown as a gauge with a color indicator (red < 50%, yellow 50–80%, green > 80%). Underneath, you see a breakdown by assessment (e.g., Data Protection Baseline, GDPR). This is the starting point for all compliance management activities.

2. Review Assessments and Controls

Click the 'Assessments' tab to see all assessments. Each assessment corresponds to a regulation or framework. Click an assessment name to open it. Under the 'Controls' tab, you see a list of controls grouped by control family (e.g., 'Access Control'). Each control has a status: Passed, Failed, Not tested, or Not applicable. The 'Score impact' column shows the points at stake. You can filter by status to find failing controls. This step identifies where you need to take action.

3. Examine Improvement Actions

Go to the 'Improvement actions' tab. This lists all customer-managed actions that can increase your score. Each action has a 'Potential score increase' (e.g., +5 points), a status (Not started, In progress, Completed), and a due date. Click an action to see detailed implementation guidance, including step-by-step instructions, links to relevant settings, and evidence upload. You can assign the action to a person in your organization and set a due date. This is where you plan and track remediation.

4. Implement and Verify Controls

For a customer-managed action, you must implement the required configuration in Microsoft 365. For example, if the action is 'Enable audit logging', you go to the Microsoft Purview compliance portal and enable the audit log. After implementation, return to Compliance Manager, open the action, and change the status to 'Completed'. You should upload evidence (e.g., a screenshot of the enabled setting). Optionally, you can link to a policy document. Compliance Manager does not verify this automatically; you must mark it done.

5. Recalculate and Monitor Score

After marking actions as completed, click the 'Recalculate score' button on the dashboard (or it recalculates automatically every 24 hours). The score updates. You can also schedule recurring assessments to track progress over time. Monitor the score regularly to ensure it stays above your target threshold. Export assessment reports for internal audits or to share with regulators. The 'History' tab shows score changes over time.

What This Looks Like on the Job

Enterprise Scenario 1: Global Financial Institution

A multinational bank must comply with GDPR for EU customer data, SOX for financial reporting, and local banking regulations. They use Compliance Manager to create three separate assessments: GDPR, SOX, and a custom assessment for their country's central bank. They assign a compliance officer to each assessment. The GDPR assessment includes controls like 'Data Protection Impact Assessment' and 'Breach Notification.' The bank uses Microsoft 365 Defender signals to automatically mark some controls as passed (e.g., 'Malware protection'). For customer-managed controls, they upload evidence from their internal GRC system via API. Their score started at 35% (mostly Microsoft-managed) and improved to 82% over six months. Misconfiguration: They initially marked many controls as 'Not applicable' incorrectly, artificially inflating their score. After audit, they had to re-evaluate and adjust.

Enterprise Scenario 2: Healthcare Provider

A hospital uses Microsoft 365 for email and document storage. They must comply with HIPAA. They use the built-in HIPAA assessment template. The assessment includes controls for encryption, access logging, and business associate agreements. The hospital's IT team implements technical controls (e.g., enabling Message Encryption, configuring audit logs). They assign the 'Business Associate Agreement' control to their legal team, who uploads the signed BAA. The hospital's score is 88%. However, they discover that some controls are not applicable because they use third-party email encryption; they mark those as 'Not applicable.' One common mistake: they forgot to update the status of a control after changing a policy, causing the score to drop unexpectedly.

Performance Considerations

Compliance Manager is a SaaS tool; no on-premises infrastructure needed.

For large tenants with thousands of users, the number of assessments and controls can be high. The UI remains responsive, but exporting reports may take a minute.

Evidence storage: Each action can have up to 10 files (each up to 50 MB). For large-scale compliance, consider using a separate document management system.

The score calculation is near-instantaneous on demand, but the automatic update cycle is 24 hours.

What goes wrong when misconfigured

Incorrect status: Marking controls as 'Passed' without actual implementation leads to a false sense of security. During an audit, this can result in fines.

Not applicable abuse: Overusing 'Not applicable' to exclude difficult controls inflates the score and hides real risks.

Ignoring Microsoft-managed controls: Some organizations think they don't need to do anything for those, but they still need to verify that Microsoft's implementation meets their requirements (e.g., encryption key location).

How MS-900 Actually Tests This

What MS-900 tests

MS-900 objective 3.2 covers 'Describe the compliance management capabilities of Microsoft 365.' Specifically, you need to know:

The purpose of Compliance Manager (to assess and improve compliance posture)

The compliance score (percentage of implemented controls)

The difference between Microsoft-managed and customer-managed controls

The concept of assessments (pre-built templates for regulations)

The Data Protection Baseline as the default assessment

How to use improvement actions to increase score

That Compliance Manager is a tool for reporting, not enforcing

Top wrong answers

1. 'Compliance Manager automatically enforces compliance policies.' Many candidates confuse it with Microsoft Purview Compliance Portal policies (e.g., DLP). Compliance Manager only suggests and tracks.

2. 'The compliance score is the percentage of Microsoft 365 security features enabled.' No, it's specific to controls in assessments.

3. 'Customer-managed controls are automatically marked as passed when the corresponding feature is enabled.' Not true; you must manually mark them and provide evidence.

4. 'Compliance Manager can be used to achieve official certification.' It is a tool to help, but certification requires an external audit.

Specific numbers and terms

Default assessment: Data Protection Baseline (about 90 controls)

Score range: 0–100%

Update cycle: Every 24 hours or on demand

Actions: Microsoft-managed vs. Customer-managed

Evidence: Required for customer-managed controls

Roles needed: Global admin or Compliance admin (or Compliance Manager role)

Edge cases

If you have multiple assessments, the overall score is a weighted average based on the number of controls in each assessment. The exam may ask about how the overall score is calculated.

If you mark a control as 'Not applicable,' it is excluded from the total possible points, so it does not hurt your score.

If you delete an assessment, the controls in it no longer affect your score.

How to eliminate wrong answers

If an answer says 'Compliance Manager enforces' or 'blocks non-compliant actions,' it is wrong.

If an answer says 'score is based on all Microsoft 365 security features,' it is wrong.

If an answer says 'customer-managed controls are automatically verified,' it is wrong.

Look for keywords: 'assess,' 'track,' 'improve,' 'report.'

Key Takeaways

Compliance Manager is a tool to assess and improve compliance posture, not enforce it.

The compliance score is a percentage of implemented controls weighted by risk.

Default assessment is the Data Protection Baseline (about 90 controls).

Score updates every 24 hours or on demand via 'Recalculate score'.

Customer-managed controls require manual status change and evidence.

Microsoft-managed controls are automatically passed and count toward score.

Assessments map to regulations like GDPR, HIPAA, ISO 27001.

You can create custom assessments for any regulation.

Compliance Manager does not grant official certifications.

Roles needed: Global admin or Compliance admin (or Compliance Manager role).

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Microsoft-managed controls

Automatically marked as passed by Microsoft

Cannot be changed by customer

No evidence required

Contribute to score automatically

Examples: Data encryption at rest, Physical security of datacenters

Customer-managed controls

Must be manually implemented and verified

Customer controls the status (Passed/Failed/Not tested)

Evidence must be uploaded

Requires action to contribute to score

Examples: Enable MFA, Conduct employee training

Watch Out for These

Mistake

Compliance Manager automatically enforces compliance policies.

Correct

Compliance Manager is a reporting and assessment tool. It does not enforce any policies. Enforcement is done through Microsoft 365 compliance policies (e.g., DLP, retention) configured separately.

Mistake

The compliance score reflects the security of your tenant.

Correct

The score reflects compliance with specific regulatory controls, not overall security. A high score does not mean your tenant is secure; it means you have implemented the controls tracked in your assessments.

Mistake

You can achieve compliance certification directly from Compliance Manager.

Correct

Compliance Manager helps you prepare for audits, but certification (e.g., ISO 27001) requires an independent third-party auditor. Compliance Manager provides reports and evidence but does not certify.

Mistake

Customer-managed controls are automatically marked as passed when you enable the corresponding Microsoft 365 feature.

Correct

You must manually change the status to 'Completed' and upload evidence. Compliance Manager does not automatically detect feature enablement unless integrated with specific signals like Microsoft 365 Defender.

Mistake

The compliance score is calculated in real-time.

Correct

The score is recalculated every 24 hours or on demand when you click 'Recalculate score.' It is not real-time.


Frequently Asked Questions

How does Compliance Manager calculate the compliance score?

The compliance score is calculated as (points from implemented controls) / (total possible points) * 100. Implemented controls include Microsoft-managed controls (always passed) and customer-managed controls that you have marked as 'Passed' with evidence. Controls marked 'Not applicable' are excluded from total points. The points are weighted based on control risk (high-risk controls have more points). The score updates every 24 hours or on demand.

What is the difference between Microsoft-managed and customer-managed controls?

Microsoft-managed controls are implemented by Microsoft (e.g., physical security, infrastructure encryption). They are automatically considered passed and require no action from you. Customer-managed controls are your responsibility (e.g., enabling MFA, training). You must manually implement them, change the status to 'Completed,' and upload evidence. Only customer-managed controls appear in the 'Improvement actions' list.

Can I use Compliance Manager to become compliant with GDPR?

Compliance Manager helps you track and implement controls required by GDPR, but achieving compliance requires implementing all applicable controls and often a third-party audit. Compliance Manager provides the assessment template (controls), improvement actions, and evidence management, but it does not automatically make you compliant. It is a tool to manage the process.

Who can access Compliance Manager?

Users with the Global Admin role or Compliance Admin role (or specific Compliance Manager roles like Compliance Manager Assessment Admin) can access Compliance Manager. The Compliance Manager role can be assigned via the Microsoft 365 admin center. Users without these roles cannot see the Compliance Manager section in the compliance center.

What happens to my score if I mark a control as 'Not applicable'?

If you mark a control as 'Not applicable,' it is excluded from the total possible points in the assessment. Therefore, it does not negatively impact your score. However, you must have a valid reason for marking it as not applicable, and you may need to provide justification during an audit. Overusing this can artificially inflate your score.

How often does the compliance score update?

The compliance score updates automatically every 24 hours. You can also manually recalculate the score at any time by clicking the 'Recalculate score' button on the Compliance Manager dashboard. The manual recalculation is instant.

Can I create a custom assessment for my own company policy?

Yes, you can create a custom assessment by selecting 'Create assessment' and choosing 'Custom assessment.' You can then add controls from existing templates or create your own controls. This allows you to track compliance with internal policies or regulations not covered by Microsoft's built-in templates.

