This chapter covers Microsoft Compliance Manager, a key tool in the Microsoft Purview compliance portal for managing regulatory compliance. Compliance Manager is a frequent topic on the SC-900 exam, appearing in roughly 10-15% of questions related to compliance solutions. Understanding its components, scoring, and actions is essential for the exam.
Imagine you are renovating your house to meet strict building codes. You hire an inspector who doesn't fix anything themselves but provides a detailed list of every code requirement, checks each room, and gives a score. For each missing item (e.g., no smoke detector in the basement), the inspector notes the gap, its severity (safety hazard), and recommends specific fixes (install a particular model). The inspector also tracks who is responsible for each fix and sets deadlines. As you complete tasks, the inspector updates the score and shows progress. If the city updates the code (e.g., requiring carbon monoxide detectors), the inspector automatically adds that new requirement and recalculates your score. This is exactly how Compliance Manager works: it provides a pre-built assessment of your cloud environment against regulations (like GDPR or NIST), assigns actions to owners, tracks implementation, and updates automatically when regulations change.
What is Compliance Manager?
Compliance Manager is a feature in the Microsoft Purview compliance portal that helps organizations manage their compliance posture. It provides a dashboard of compliance scores, assessments based on regulations (e.g., GDPR, ISO 27001, NIST), and actionable recommendations. Compliance Manager automates the process of tracking compliance activities, assigning tasks, and generating reports.
Why Compliance Manager Exists
Organizations face increasing regulatory requirements and manual compliance tracking is error-prone and time-consuming. Compliance Manager centralizes compliance management, provides continuous monitoring, and integrates with Microsoft 365 services to detect non-compliant configurations. It reduces the burden on compliance officers and auditors.
How Compliance Manager Works Internally
Compliance Manager uses a scoring methodology based on Microsoft's Control Framework. Each assessment is built from controls, which are grouped into actions. Actions are tasks that must be performed to meet a control requirement. Actions are categorized as:
- Technical actions – implemented in Microsoft 365 (e.g., enable MFA, configure DLP policies).
- Operational actions – organizational processes (e.g., conduct security awareness training).
- Legal/Compliance actions – policy documentation (e.g., define data retention policy).
Each action has a potential score. The total possible score for an assessment is the sum of all actions' scores. Your compliance score is the percentage of achieved points out of the total possible.
Key Components
Assessments: A template based on a regulation (e.g., GDPR). You can create multiple assessments (e.g., one per subscription).
Controls: Requirements from the regulation. Each control has one or more actions.
Actions: The tasks to implement. They can be assigned to individuals with a due date.
Compliance Score: A percentage between 0 and 100. It reflects the implementation status of actions.
Improvement Actions: Actions that are not yet completed. This is the primary list for tracking work.
Microsoft Actions: Actions that Microsoft implements on your behalf as the cloud service provider (e.g., data center security). These are automatically marked as completed and contribute to your score.
Scoring Details
Compliance Manager scoring is based on the following:
Each action has a weight (points) based on its importance and the control's criticality.
Actions can be in states: Not Started, In Progress, Completed, or Not Applicable.
Completed actions earn full points; In Progress earns partial (usually 50% but configurable).
Not Applicable actions are excluded from the total possible.
The score is calculated as:
Score = (Earned Points / Total Possible Points) × 100
Where Earned Points = sum of points from Completed actions + partial points from In Progress actions, and Total Possible Points = sum of the points of all actions that are not Not Applicable.
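The scoring rules above (weighted points, partial credit for In Progress, Not Applicable excluded from the denominator, Microsoft actions auto-completed) worked through in code. This is an added illustration, not Compliance Manager's own implementation; the action names, weights and the deduplication-by-name rule for overlapping actions across assessments are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    NOT_STARTED = "Not Started"
    IN_PROGRESS = "In Progress"
    COMPLETED = "Completed"
    NOT_APPLICABLE = "Not Applicable"


@dataclass(frozen=True)
class Action:
    name: str
    points: int                     # weight reflecting importance/criticality
    status: Status
    microsoft_action: bool = False  # Microsoft actions are auto-completed


def earned_points(action: Action, partial_credit: float = 0.5) -> float:
    """Full points when Completed (or Microsoft-managed), a configurable
    fraction when In Progress, nothing otherwise."""
    if action.status is Status.NOT_APPLICABLE:
        return 0.0
    if action.microsoft_action or action.status is Status.COMPLETED:
        return float(action.points)
    if action.status is Status.IN_PROGRESS:
        return action.points * partial_credit
    return 0.0


def compliance_score(actions, partial_credit: float = 0.5) -> float:
    """Score = Earned / Total Possible x 100; Not Applicable actions are
    excluded from Total Possible."""
    total = sum(a.points for a in actions if a.status is not Status.NOT_APPLICABLE)
    if total == 0:                # nothing scoreable (e.g. every action N/A)
        return 0.0
    earned = sum(earned_points(a, partial_credit) for a in actions)
    return round(earned / total * 100, 1)


def consolidated_score(assessments: dict, partial_credit: float = 0.5) -> float:
    """Consolidated view: an action shared by several assessments (assumed to
    be identified by name) is counted once, so completing it counts for all."""
    unique = {a.name: a for acts in assessments.values() for a in acts}
    return compliance_score(unique.values(), partial_credit)


# Constructed sample assessments with hypothetical action names and weights.
GDPR = [
    Action("Enable unified audit logging", 10, Status.COMPLETED),
    Action("Configure DLP policies", 15, Status.IN_PROGRESS),          # 7.5 pts
    Action("Conduct Data Protection Impact Assessment", 20, Status.NOT_STARTED),
    Action("Data center physical security", 25, Status.COMPLETED, microsoft_action=True),
    Action("Appoint EU representative", 10, Status.NOT_APPLICABLE),    # excluded
]
HIPAA = [
    Action("Enable unified audit logging", 10, Status.COMPLETED),      # overlaps GDPR
    Action("Encrypt PHI at rest", 20, Status.COMPLETED),
]
```

For the GDPR sample, Total Possible is 70 and Earned is 42.5, so the score is 60.7; the consolidated GDPR plus HIPAA view counts the shared audit-logging action once (62.5 of 90, or 69.4).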
Default Values and Timers
Compliance Manager assessments are updated automatically when Microsoft updates the control framework (typically quarterly).
There is no timer for actions; they are manually updated.
The default refresh interval for the dashboard is 24 hours, but you can manually refresh.
Configuration and Verification
To access Compliance Manager, navigate to the Microsoft Purview compliance portal (compliance.microsoft.com) and select Compliance Manager under Solutions.
To create an assessment:
1. Go to the Assessments tab.
2. Click + Add assessment.
3. Select a template (e.g., GDPR, NIST 800-53).
4. Name the assessment and select the scope (e.g., all subscriptions).
5. Assign owners.
To view improvement actions:
Under Improvement actions, you can filter by assessment, action type, or status.
Each action shows the due date, owner, and score impact.
To generate a report:
Use Reports to export a PDF or Excel report of your compliance score.
Interaction with Related Technologies
Microsoft Secure Score: Compliance Manager uses a similar scoring methodology but focuses on compliance, not security.
Microsoft Purview Information Protection: Compliance Manager can detect if DLP policies are configured and include them in assessments.
Microsoft 365 Defender: Compliance Manager can ingest signals from Defender to track security controls.
Azure Policy: For Azure resources, Compliance Manager can integrate with Azure Policy to assess compliance of infrastructure.
Step-by-Step Workflow
Identify Regulations: Determine which regulations apply to your organization (e.g., GDPR, HIPAA).
Create Assessments: For each regulation, create an assessment in Compliance Manager.
Assign Actions: For each improvement action, assign an owner and set a due date.
Implement Actions: Owners complete the required tasks (e.g., enable MFA).
Update Status: Owners mark actions as Completed or In Progress.
Monitor Score: The compliance score updates automatically.
Generate Reports: Export reports for auditors or management.
Identify Applicable Regulations
First, you determine which regulatory frameworks apply to your organization. For example, if you handle EU citizen data, GDPR is mandatory. If you are a US healthcare provider, HIPAA applies. Compliance Manager offers pre-built templates for over 300 regulations. You select the appropriate template when creating an assessment. This step is crucial because it determines the controls and actions that will be evaluated.
Create an Assessment
In the Compliance Manager dashboard, navigate to the Assessments tab and click '+ Add assessment'. You will be prompted to choose a template (e.g., ISO 27001:2013). Then you name the assessment (e.g., 'ISO 27001 - Production') and define the scope (e.g., select specific Microsoft 365 subscriptions or Azure subscriptions). You can also assign a group for organizational purposes. After creation, the assessment loads all controls and actions from the template.
Assign Improvement Actions
Once the assessment is created, go to the 'Improvement actions' tab. You will see a list of all actions that are not yet completed. For each action, you can assign an owner (a person or team) and set a due date. This step ensures accountability. The action details include the expected implementation steps and the potential score impact if completed. You can also mark actions as 'Not Applicable' if they do not apply to your environment.
Implement and Update Actions
Owners perform the required tasks. For technical actions, this might involve enabling settings in Microsoft 365, such as configuring Conditional Access policies or enabling audit logging. For operational actions, it could be creating a security awareness program. After implementation, the owner logs into Compliance Manager and updates the action status to 'Completed' or 'In Progress'. Some actions can be automatically detected by Microsoft (e.g., if you enable MFA, Compliance Manager may detect it and auto-mark the action).
Monitor Compliance Score and Generate Reports
As actions are completed, the compliance score updates. You can view the overall score on the dashboard, which shows a percentage. You can also drill down to see scores per assessment. For auditing, you can generate reports (PDF or Excel) that show the score, completed actions, and remaining gaps. These reports can be shared with auditors or regulators. The dashboard also shows trends over time.
Scenario 1: GDPR Compliance for a European SaaS Company
A SaaS company based in Germany must comply with GDPR. They use Microsoft 365 and Azure. They create a GDPR assessment in Compliance Manager. The assessment includes actions like 'Data Protection Impact Assessment (DPIA)', 'Consent Management', and 'Data Retention Policies'. The compliance officer assigns actions to the legal team (for the DPIA) and the IT team (for technical controls). The initial score is 30%. Over three months, they implement actions: enable audit logging, classify data with sensitivity labels, and configure data retention. The score rises to 85%. They generate a report for the supervisory authority. The challenge is that many actions are manual (e.g., the DPIA), so tracking progress requires discipline. Misconfiguration: if they mark an action as 'Completed' without actually implementing it, the score is inflated and the organization may fail an audit.
Scenario 2: ISO 27001 Certification for a Financial Services Firm
A financial firm wants to achieve ISO 27001 certification. They use Compliance Manager with the ISO 27001:2013 template. The assessment includes hundreds of controls. The IT team focuses on technical actions: implementing access controls, encryption, and vulnerability management. The compliance team handles policy documentation. The score is used as a readiness gauge. They aim for 100% before scheduling the certification audit. During the audit, the external auditor reviews the Compliance Manager report as evidence. The firm's score is 95% because some actions are still 'In Progress'. They finalize the remaining actions and achieve certification. Common issue: The firm might forget to assign owners to all actions, leading to stalled progress.
Scenario 3: Multi-Regulation Compliance for a Global Enterprise
A multinational corporation must comply with GDPR, HIPAA, and SOC 2. They create separate assessments for each regulation. Compliance Manager allows them to see a consolidated score across all assessments. The compliance officer uses the 'Compliance Score' dashboard to monitor overall posture. They assign different teams to each regulation. The challenge is that some actions overlap (e.g., access control appears in multiple assessments). Compliance Manager automatically deduplicates these actions, so completing such an action once counts for all assessments that include it. However, if the organization misconfigures the scope (e.g., includes a non-HIPAA subscription in the HIPAA assessment), the score may be inaccurate. They must carefully select the scope when creating assessments.
SC-900 Exam Focus for Compliance Manager
The SC-900 exam tests your understanding of Compliance Manager under objective 4.2 Describe the compliance management capabilities in Microsoft Purview. Specifically, you need to know:
The purpose of Compliance Manager.
The components: assessments, controls, actions, improvement actions, compliance score.
The difference between Microsoft actions and improvement actions.
How the compliance score is calculated (points-based, percentage).
That Compliance Manager is accessed via the Microsoft Purview compliance portal.
Most Common Wrong Answers
'Compliance Manager is part of Microsoft 365 Defender' – Wrong. It is in the Purview compliance portal.
'Compliance Manager automatically implements actions' – Wrong. It only tracks and recommends; implementation is manual (except Microsoft actions which are auto-completed).
'The compliance score is based on number of controls completed' – Wrong. It is based on points (weighted), not count.
'Compliance Manager can only be used for Microsoft 365' – Wrong. It also covers Azure and other cloud services.
Specific Numbers and Terms
Compliance Score: Percentage 0-100.
Assessment templates: Over 300 pre-built.
Action types: Technical, Operational, Legal/Compliance.
Microsoft Actions: Automatically marked as completed.
Edge Cases
If an action is marked 'Not Applicable', it is excluded from total possible points.
The score can be manually refreshed, but the default is 24-hour refresh.
Compliance Manager does NOT replace an audit; it is a tool to prepare for audits.
How to Eliminate Wrong Answers
If the question mentions 'automatic remediation', it's likely wrong because Compliance Manager only tracks.
If the question says 'compliance score is based on number of controls', look for 'points' or 'weighted' in the correct answer.
If the question confuses Compliance Manager with Secure Score, remember Secure Score is for security, Compliance Manager is for regulatory compliance.
Compliance Manager is a tool in the Microsoft Purview compliance portal for managing regulatory compliance.
It provides a compliance score (0-100) based on weighted points from completed actions.
Components include assessments, controls, improvement actions, and Microsoft actions.
Microsoft actions are automatically marked as completed; improvement actions require manual implementation.
There are over 300 pre-built assessment templates for various regulations.
Compliance Manager does not enforce policies; it only tracks and recommends.
The score is refreshed every 24 hours by default, but manual refresh is possible.
Actions can be technical, operational, or legal/compliance.
These come up on the exam all the time. Here's how to tell them apart.
Compliance Manager
Focuses on regulatory compliance (GDPR, HIPAA, etc.).
Located in Microsoft Purview compliance portal.
Scoring based on weighted points from actions.
Includes Microsoft actions (auto-completed).
Assessments are based on regulation templates.
Microsoft Secure Score
Focuses on security posture (e.g., MFA, threat protection).
Located in Microsoft 365 Defender portal.
Scoring based on points from security recommendations.
Does not include Microsoft actions; all actions are customer-managed.
Recommendations are based on best practices, not regulations.
Mistake
Compliance Manager automatically enforces compliance policies.
Correct
Compliance Manager does not enforce policies; it only provides recommendations and tracks progress. Enforcement must be done manually or via other tools like Conditional Access.
Mistake
The compliance score is a simple percentage of completed controls.
Correct
The score is weighted based on the point value of each action. Completing a high-weight action increases the score more than a low-weight action.
Mistake
Compliance Manager only works for Microsoft 365.
Correct
Compliance Manager supports Microsoft 365, Azure, and other Microsoft cloud services. It can also include on-premises resources if you configure them.
Mistake
You can achieve a 100% compliance score easily.
Correct
A 100% score is possible only if all actions are completed and none are marked 'Not Applicable'. Some actions may be impossible to implement due to organizational constraints, so 100% is rare.
Mistake
Compliance Manager is the same as Microsoft Secure Score.
Correct
Secure Score focuses on security configurations (e.g., enabling MFA), while Compliance Manager focuses on regulatory compliance (e.g., GDPR). They use different scoring methodologies and are in different portals.
Compliance Manager is accessed through the Microsoft Purview compliance portal at compliance.microsoft.com. Once there, select 'Compliance Manager' under Solutions. You need appropriate permissions (Compliance Administrator, Compliance Data Administrator, or Security Administrator) to view or manage assessments.
Improvement actions are tasks that your organization must perform to meet a control requirement, such as enabling audit logging. Microsoft actions are tasks that Microsoft performs on your behalf as the cloud service provider, such as securing data centers. Microsoft actions are automatically marked as completed and contribute to your score. Improvement actions require manual tracking and completion.
Compliance Manager is a tool to help you prepare for an audit by identifying gaps and tracking remediation. However, it does not replace an actual audit. You still need to provide evidence to auditors. Compliance Manager can generate reports that serve as evidence of your compliance activities.
The compliance score is calculated as (Earned Points / Total Possible Points) × 100. Earned Points come from completed and in-progress actions (in-progress actions earn partial points, typically 50%). Total possible points exclude actions marked as 'Not Applicable'. Each action has a weight based on its importance.
To view Compliance Manager, you need at least the Compliance Administrator role. To create or modify assessments, you need Compliance Data Administrator or Security Administrator. The global admin role also has full access. Specific roles can be assigned in the Microsoft 365 admin center.
Compliance Manager is available in Microsoft 365 E3 and E5 plans, as well as standalone plans like Microsoft 365 Compliance E5. Some advanced features may require E5. Check your licensing to confirm access.
Yes, you can create custom assessments by using the 'Custom' template option. You can add your own controls and actions. This is useful for regulations not covered by pre-built templates or for internal policies.