This chapter covers regulatory compliance assessment using Microsoft Purview Compliance Manager and related tools, a critical topic for the SC-200 exam. You will learn how to assess, monitor, and report compliance posture against standards like GDPR, HIPAA, ISO 27001, and NIST. Approximately 10–15% of exam questions touch on compliance assessment, often integrated with Microsoft Defender for Cloud and Microsoft Sentinel. Mastery of this topic is essential for the 'Manage a security operations environment' domain.
Imagine a large office building that must pass a fire safety inspection from the city. The building has fire alarms, sprinklers, extinguishers, and emergency exits. The inspector doesn't just check that these exist; they test each component: they pull an alarm to see if it triggers the fire department, they check the sprinkler pressure gauges are within 100–150 psi, they verify extinguishers have current inspection tags (monthly visual checks, annual professional service), and they time how long it takes to evacuate a floor (target under 2 minutes). The inspector also reviews logs: the building's fire drill records, maintenance schedules, and any past incidents. If a fire extinguisher is missing a tag, the building fails that item. If the evacuation time exceeds 2 minutes, they must redesign exit routes. The building's compliance is a continuous process—not just a one-time pass. Similarly, regulatory compliance in the cloud involves continuously proving that controls are in place and effective. Microsoft Purview Compliance Manager acts as the inspector, checking your security controls (like fire extinguishers) against regulatory standards (like the fire code). It runs continuous assessments, tests control effectiveness (technical and manual), and generates evidence reports. Just as the building must remediate any deficiencies to maintain its occupancy permit, your organization must remediate compliance gaps to meet regulatory requirements like GDPR, HIPAA, or SOC 2. The analogy holds: both require documented policies, regular testing, and evidence of corrective actions.
What is Regulatory Compliance Assessment?
Regulatory compliance assessment is the process of evaluating an organization's adherence to legal, regulatory, and industry standards. In the context of Microsoft 365 and Azure, this involves using tools like Microsoft Purview Compliance Manager, Microsoft Defender for Cloud, and Microsoft Sentinel to continuously monitor and report on compliance posture. The SC-200 exam focuses on how a Security Operations Analyst uses these tools to assess compliance, identify gaps, and generate evidence for auditors.
Why It Exists
Organizations must comply with numerous regulations such as GDPR (General Data Protection Regulation), HIPAA (Health Insurance Portability and Accountability Act), PCI DSS (Payment Card Industry Data Security Standard), and SOC 2 (Service Organization Control 2). Non-compliance can result in fines, legal action, and reputational damage. Compliance assessment provides a systematic way to measure and improve adherence, automate evidence collection, and reduce the manual effort of audits.
How It Works Internally
Microsoft Purview Compliance Manager uses a risk-based scoring model. It assigns a compliance score (0–100%) based on the implementation status of control actions. Each control action is mapped to one or more regulatory standards. The score is calculated as:
- Implemented controls: Fully implemented and tested controls contribute full points.
- Tested controls: Controls that have been tested (via automated or manual testing) receive additional weight.
- Partially implemented or not implemented: These reduce the score.
The tool integrates with Microsoft Defender for Cloud to assess Azure resources, Microsoft 365 Defender for workloads, and Microsoft Entra ID for identity controls. It also ingests signals from Microsoft Sentinel for continuous monitoring.
Key Components
- Compliance Manager: The central dashboard for managing compliance assessments. It provides:
  - Assessments: Templates based on regulations (e.g., GDPR, HIPAA). Each assessment contains controls and actions.
  - Controls: Specific requirements (e.g., 'Encrypt data at rest').
  - Actions: Steps to implement a control (e.g., 'Enable Azure Storage encryption').
  - Evidence: Documents, screenshots, or logs proving implementation.
- Microsoft Defender for Cloud: Provides the regulatory compliance dashboard for Azure and hybrid workloads. It uses built-in policies (e.g., Azure Policy initiatives) to evaluate resources against standards like CIS, NIST SP 800-53, and Azure Security Benchmark.
- Microsoft Sentinel: Can ingest compliance logs from various sources and create custom workbooks for monitoring compliance KPIs.
Configuration and Verification
To set up a compliance assessment in Microsoft Purview Compliance Manager:
1. Navigate to Microsoft Purview compliance portal > Compliance Manager.
2. Select 'Assessments' > 'Add assessment'.
3. Choose a template (e.g., GDPR).
4. Assign a name and select the scope (e.g., all users or specific groups).
5. The assessment will populate with controls and actions.
To verify compliance posture:
Use the 'Compliance Score' dashboard to view overall score and trend.
Drill into specific controls to see implementation status and evidence.
Use 'Improvement actions' to identify steps to increase score.
In Microsoft Defender for Cloud:
Go to 'Regulatory compliance' blade.
Select a standard (e.g., Azure CIS 1.3.0).
View compliance status per control (Pass/Fail) and download reports.
Interaction with Related Technologies
Compliance Manager integrates with:
- Microsoft 365 Defender: For security controls related to threat protection.
- Microsoft Entra ID: For identity and access management controls.
- Microsoft Intune: For device compliance policies.
- Microsoft Purview Data Lifecycle Management: For data retention and deletion.
- Microsoft Purview Information Protection: For data classification and labeling.
In an SOC, the Security Operations Analyst may use Compliance Manager to track remediation of security controls that are also compliance requirements. For example, enabling multi-factor authentication (MFA) is both a security best practice and a control in many regulations.
Specific Values, Defaults, and Timers
Compliance score update frequency: Every 24 hours.
Assessment templates: Over 300 available, including regional and industry-specific.
Control maturity levels: Not implemented, Partially implemented, Implemented, Tested.
Action types: Technical, Operational, Documentation, Legal.
Evidence retention: By default, evidence is kept for the duration of the assessment.
Common Exam Scenarios
The SC-200 exam may present a scenario where you need to:
Identify which regulatory standard applies to a given data type (e.g., GDPR for EU personal data).
Determine the compliance score based on given implementation statuses.
Recommend improvement actions to meet a specific control.
Interpret a regulatory compliance dashboard in Defender for Cloud.
Trap Patterns
Candidates often confuse Compliance Manager with Defender for Cloud's regulatory compliance dashboard. Remember:
- Compliance Manager is for Microsoft 365 and broader organizational compliance (including non-Azure resources).
- Defender for Cloud is for Azure and hybrid cloud infrastructure compliance.
Another trap: Assuming that a 100% compliance score means no risk. The score is based on implemented controls, but some controls may have gaps not yet assessed. Always verify control testing status.
Conclusion
Regulatory compliance assessment is a continuous process requiring integration of multiple Microsoft tools. For the SC-200 exam, focus on understanding the roles of Compliance Manager and Defender for Cloud, how scores are calculated, and how to interpret compliance reports.
Identify Applicable Regulations
First, determine which regulations apply to your organization based on geography, industry, and data types. For example, if you process EU personal data, GDPR applies. If you handle healthcare data in the US, HIPAA applies. In Microsoft Purview Compliance Manager, you select the appropriate assessment template. This step is critical because the wrong template will produce irrelevant controls and scores. The exam may present a scenario where you must choose the correct regulation for a given data type.
Create Compliance Assessment
In Compliance Manager, create a new assessment using the chosen template. Assign a name, scope (e.g., all users, specific groups), and version. The assessment will automatically populate with controls mapped to the regulation. Each control has associated improvement actions. You can also customize the assessment by adding or removing controls. Note that assessments are independent; you can have multiple assessments for the same regulation with different scopes.
Implement and Test Controls
For each control, implement the required actions. These can be technical (e.g., enable MFA), operational (e.g., conduct user training), or documentation (e.g., create a data retention policy). After implementation, test the control to verify effectiveness. Testing can be automated (e.g., via Defender for Cloud policies) or manual (e.g., upload screenshots). In Compliance Manager, mark the control as 'Tested' and attach evidence. The compliance score updates after testing.
Monitor Compliance Score
Regularly review the compliance score dashboard. The score is updated every 24 hours. Monitor trends to ensure the score is improving over time. The dashboard also shows the distribution of controls by implementation status. Use the 'Improvement actions' view to prioritize tasks that will most increase the score. In Defender for Cloud, the regulatory compliance dashboard shows pass/fail status per control and provides recommendations.
Generate and Review Reports
For audits, generate compliance reports from Compliance Manager or Defender for Cloud. Reports include evidence of control implementation, test results, and overall score. You can export reports as PDF or Excel. In Compliance Manager, use the 'Reports' tab to create scheduled reports. In Defender for Cloud, use 'Download report' for a specific standard. Ensure reports are reviewed by the compliance team and any gaps are remediated.
Scenario 1: Healthcare Organization Implementing HIPAA
A large hospital system uses Microsoft 365 and Azure to store patient records. They must comply with HIPAA. The compliance team uses Microsoft Purview Compliance Manager with the HIPAA assessment template. They configure controls for data encryption, access controls, and audit logging. The technical team enables Azure Storage encryption (SSE) and implements Azure Policy to enforce encryption. They also configure Microsoft Sentinel to ingest audit logs from EHR systems. The compliance score initially is 45%. Over six months, they implement 80% of controls, raising the score to 85%. The remaining 15% involves administrative controls like annual security training. The hospital uses Compliance Manager's evidence feature to upload training completion records. During an audit, they generate a report showing all implemented controls and test results, satisfying the auditor.
Scenario 2: Financial Services Firm Meeting SOC 2
A fintech startup needs SOC 2 Type II certification. They use Azure for infrastructure and Microsoft 365 for productivity. They create a custom assessment in Compliance Manager based on SOC 2 criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy). They map controls to Azure Security Benchmark and use Microsoft Defender for Cloud to continuously assess Azure resources. For example, the 'Availability' criterion requires redundancy; they deploy Azure Availability Zones and configure auto-scaling. The compliance team sets up automated testing using Azure Policy. The startup also uses Microsoft Sentinel to monitor for security incidents that could affect compliance. The compliance score is tracked weekly. After three months of monitoring, they achieve a score of 92% and pass the audit.
Scenario 3: Multinational Corporation Complying with GDPR
A global corporation processes EU citizens' data. They use Microsoft 365 and Azure across regions. They create multiple GDPR assessments in Compliance Manager for different business units. Each assessment has controls for data subject rights (DSRs), breach notification, and data protection impact assessments (DPIAs). They integrate with Microsoft Purview Data Lifecycle Management to automate data retention and deletion. The security operations team uses Microsoft Sentinel to detect and respond to personal data breaches. They configure a playbook to automatically notify the DPO and log the incident. The compliance score is monitored regionally. A common challenge is managing cross-region data transfers; they use Microsoft's Standard Contractual Clauses (SCCs) and document them in Compliance Manager. The corporation passes annual GDPR audits with a score above 90%.
Common Pitfalls
Misconfiguring scope: If the assessment scope is too narrow, some resources may be excluded, leading to false compliance. Always verify scope includes all relevant data and users.
Relying solely on automated testing: Some controls require manual evidence (e.g., policies). Failing to provide evidence can lower the score.
Not updating assessments: Regulations change. Compliance Manager templates are updated, but you must apply updates to existing assessments.
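The Defender for Cloud dashboard described under 'Monitor Compliance Score' rolls per-resource assessment results up to one pass/fail status per control, and the 'Misconfiguring scope' pitfall above is easiest to see when that roll-up is run twice with different scopes. The following is an added Python example, not Microsoft's code and not the dashboard's actual implementation: the roll-up rule (any failing resource fails the control, skipped controls are not counted in the percentage), the control names, resource IDs and results are all constructed for illustration. Only the standard name 'Azure CIS 1.3.0' comes from the page.

```python
from collections import defaultdict

# Constructed sample in the shape of per-resource assessment results behind a
# Defender for Cloud regulatory compliance standard. Control names and resource
# IDs are made up; two subscriptions (sub-a, sub-b) are used to show a scope gap.
SAMPLE_RESULTS = [
    # (standard, control, assessed resource ID, state)
    ("Azure CIS 1.3.0", "Control A: Disk encryption on VMs",
     "/subscriptions/sub-a/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1", "Passed"),
    ("Azure CIS 1.3.0", "Control A: Disk encryption on VMs",
     "/subscriptions/sub-b/resourceGroups/rg2/providers/Microsoft.Compute/virtualMachines/vm2", "Passed"),
    ("Azure CIS 1.3.0", "Control B: Secure transfer on storage accounts",
     "/subscriptions/sub-a/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/st1", "Passed"),
    ("Azure CIS 1.3.0", "Control B: Secure transfer on storage accounts",
     "/subscriptions/sub-b/resourceGroups/rg2/providers/Microsoft.Storage/storageAccounts/st2", "Failed"),
    ("Azure CIS 1.3.0", "Control C: SQL auditing",
     "/subscriptions/sub-a/resourceGroups/rg1/providers/Microsoft.Sql/servers/sql1", "Skipped"),
]


def subscription_of(resource_id: str) -> str:
    """Extract the subscription ID from an Azure resource ID (/subscriptions/<id>/...)."""
    parts = resource_id.strip("/").split("/")
    if len(parts) < 2 or parts[0].lower() != "subscriptions":
        raise ValueError(f"not an Azure resource ID: {resource_id}")
    return parts[1]


def control_state(states) -> str:
    """Roll per-resource states up to one control state (assumed rule: any failure fails the control)."""
    if "Failed" in states:
        return "Failed"
    if "Passed" in states:
        return "Passed"
    return "Skipped"  # nothing assessed, or every resource was skipped/unsupported


def roll_up(results, subscriptions_in_scope=None):
    """Return {(standard, control): state}, counting only resources in scope (None = everything).

    A control whose every resource is out of scope disappears from the result entirely,
    which is exactly how a too-narrow scope produces a falsely clean dashboard.
    """
    per_control = defaultdict(list)
    for standard, control, resource_id, state in results:
        if subscriptions_in_scope is not None and subscription_of(resource_id) not in subscriptions_in_scope:
            continue
        per_control[(standard, control)].append(state)
    return {key: control_state(states) for key, states in per_control.items()}


def compliance_percent(rollup, standard: str) -> float:
    """Passed controls as a percentage of passed plus failed controls; skipped controls are not counted."""
    states = [s for (std, _), s in rollup.items() if std == standard]
    counted = [s for s in states if s in ("Passed", "Failed")]
    if not counted:
        return 0.0
    return round(100.0 * counted.count("Passed") / len(counted), 1)


def failing_controls(rollup):
    """Controls an analyst would open first: those with at least one failing resource."""
    return sorted(control for (_, control), state in rollup.items() if state == "Failed")


if __name__ == "__main__":
    for label, scope in (("all subscriptions", None), ("sub-a only", {"sub-a"})):
        rollup = roll_up(SAMPLE_RESULTS, scope)
        print(f"Scope {label}: {compliance_percent(rollup, 'Azure CIS 1.3.0')}% compliant, "
              f"failing controls: {failing_controls(rollup)}")
```

Run as a script, the full scope reports 50% with Control B failing, while a scope limited to sub-a reports 100% with no failing controls, because the storage account that fails secure transfer lives in sub-b and was never assessed. Before trusting a dashboard percentage, compare the set of subscriptions and resource groups it covers against the inventory of everything that holds in-scope data.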
What SC-200 Tests
The SC-200 exam objective 'Manage a security operations environment' includes 'Assess compliance posture' (subobjective 3.2). The exam tests your ability to:
Use Microsoft Purview Compliance Manager to assess compliance against regulatory standards.
Interpret compliance scores and improvement actions.
Use Microsoft Defender for Cloud's regulatory compliance dashboard for Azure resources.
Integrate compliance monitoring with Microsoft Sentinel.
Common Wrong Answers
Choosing 'Microsoft 365 Defender' for compliance assessment: While M365 Defender provides security insights, compliance assessment is done in Compliance Manager or Defender for Cloud. Candidates often confuse security with compliance.
Assuming a 100% compliance score means no risk: The score only reflects implemented and tested controls. Some risks may not be covered by the assessment template.
Selecting 'Azure Policy' as the primary compliance tool: Azure Policy enforces rules but does not provide a compliance score against regulations. It is a component of Defender for Cloud's compliance dashboard.
Ignoring manual evidence: The exam may present a scenario where a control requires manual testing. Candidates might think automated testing is always sufficient.
Specific Numbers and Terms
Compliance score range: 0–100%.
Update frequency: Every 24 hours.
Control maturity levels: Not implemented, Partially implemented, Implemented, Tested.
Assessment templates: Over 300.
Key regulations: GDPR, HIPAA, PCI DSS, SOC 2, ISO 27001, NIST SP 800-53, FedRAMP.
Terms: 'Improvement actions', 'Evidence', 'Control', 'Assessment', 'Compliance score'.
Edge Cases
Multiple regulations: A company may need to comply with both GDPR and HIPAA. The exam may ask how to handle overlapping controls. Answer: Create separate assessments for each regulation, but you can reuse evidence across assessments.
Custom assessments: For regulations not in the template library, you can create a custom assessment by manually adding controls.
Scoring nuances: Partially implemented controls contribute partial points. Tested controls get a bonus over implemented-only.
How to Eliminate Wrong Answers
Read the scenario carefully: Is it about Microsoft 365 or Azure? If Microsoft 365, think Compliance Manager. If Azure, think Defender for Cloud.
Look for keywords like 'compliance score', 'assessment template', 'improvement actions' – these point to Compliance Manager.
If the question mentions 'audit evidence' or 'control testing', consider Compliance Manager's evidence feature.
For questions about Azure resources (VMs, storage), Defender for Cloud's regulatory compliance dashboard is the tool.
Regulatory compliance assessment uses Microsoft Purview Compliance Manager for Microsoft 365 and Defender for Cloud for Azure resources.
Compliance score is calculated based on control implementation status (Not implemented, Partially, Implemented, Tested) and updated every 24 hours.
Over 300 assessment templates are available, including GDPR, HIPAA, PCI DSS, SOC 2, and ISO 27001.
Improvement actions are specific steps to increase compliance score; prioritize based on impact.
Evidence can be automated (via integration with Defender for Cloud) or manual (upload documents).
Compliance Manager supports custom assessments for regulations not in the template library.
Common exam mistake: confusing Compliance Manager with Defender for Cloud's compliance dashboard.
A 100% compliance score does not guarantee full compliance; it only assesses implemented controls.
Continuous monitoring is required; compliance is not a one-time project.
SC-200 objective 3.2 focuses on assessing compliance posture using these tools.
These come up on the exam all the time. Here's how to tell them apart.
Microsoft Purview Compliance Manager
Focuses on Microsoft 365 and broader organizational compliance.
Provides a compliance score (0–100%) based on control implementation.
Supports over 300 assessment templates (GDPR, HIPAA, etc.).
Allows manual evidence upload and testing.
Integrates with other Microsoft Purview solutions.
Microsoft Defender for Cloud Regulatory Compliance
Focuses on Azure and hybrid cloud infrastructure.
Provides pass/fail status per control against built-in standards (CIS, NIST, etc.).
Uses Azure Policy initiatives to evaluate resources.
Automated assessment for technical controls only.
Part of Microsoft Defender for Cloud (formerly Azure Security Center).
Mistake
Compliance Manager and Microsoft Defender for Cloud are the same tool.
Correct
Compliance Manager focuses on Microsoft 365 and organizational compliance, while Defender for Cloud focuses on Azure and hybrid cloud infrastructure compliance. They serve different scopes but can be integrated.
Mistake
A 100% compliance score means the organization is fully compliant.
Correct
The score reflects only the controls defined in the assessment template. It does not account for controls not yet assessed or gaps in implementation. Continuous monitoring is required.
Mistake
Regulatory compliance is a one-time project.
Correct
Compliance is continuous. Regulations change, controls degrade, and new resources are added. Regular assessments and updates are necessary.
Mistake
All compliance assessments are automated and require no manual effort.
Correct
Many controls require manual evidence, such as policy documents or training records. Automated testing covers only technical controls.
Mistake
Compliance Manager only works with built-in templates.
Correct
You can create custom assessments by manually adding controls from scratch or by modifying existing templates.
Compliance Manager is part of Microsoft Purview and focuses on Microsoft 365 and organizational compliance, including non-technical controls like policies and training. It provides a compliance score and supports manual evidence. Defender for Cloud's regulatory compliance is for Azure and hybrid cloud infrastructure, using Azure Policy to automatically assess resources against standards like CIS and NIST. It provides pass/fail status per control. For SC-200, know that Compliance Manager is for broader compliance, while Defender for Cloud is for Azure-specific infrastructure compliance.
The score is calculated based on the implementation status of each control action. Each action has a weight. Implemented and tested actions contribute full points; partially implemented contribute partial points; not implemented contribute zero. The total points achieved divided by total possible points gives the percentage. Testing adds a bonus. The score updates every 24 hours. For example, if you have 10 controls each worth 10 points, and you implement 8 fully (80 points) and test 5 (bonus), your score might be 85%.
Compliance Manager can include Azure resources if you create an assessment that includes controls related to Azure. However, the primary tool for Azure-specific compliance is Microsoft Defender for Cloud. Compliance Manager integrates with Defender for Cloud to import assessment data for Azure resources, but it is not a replacement. For SC-200, know that Defender for Cloud is the go-to for Azure infrastructure compliance.
Evidence can be technical (e.g., automated test results from Defender for Cloud), operational (e.g., logs showing MFA usage), or documentation (e.g., policies, training records). In Compliance Manager, you can upload files, link to external sources, or rely on automated signals. The type of evidence depends on the control. For example, a control requiring 'Data encryption at rest' can be evidenced by enabling Azure Storage encryption and showing a Policy compliance result.
Microsoft recommends reviewing compliance posture continuously, but at least quarterly. Compliance Manager updates scores every 24 hours, but the controls themselves may change as regulations evolve. You should also review when there are significant changes to your environment (e.g., new services, data types). For the exam, remember that compliance is continuous and not a one-time event.
Templates are updated by Microsoft when regulations change. If you don't apply the update, your assessment may become outdated and not reflect current requirements. Compliance Manager notifies you when updates are available. You can choose to apply the update to an existing assessment or create a new one. For the exam, know that you should apply updates to maintain accuracy.
Yes. In Compliance Manager, you can create a custom assessment by selecting 'Custom' as the template type and manually adding controls. This is useful for regulations not in the built-in library or for internal policies. You define the control names, descriptions, actions, and scoring. The exam may test this capability in a scenario where a specific regulation is not available.