SC-900 · Chapter 69 of 103 · Objective 4.2

Microsoft Compliance Manager Score

This chapter dives deep into the Microsoft Compliance Manager Score, a key component of the Microsoft Purview compliance portal. You'll learn not just what the score is, but how it's calculated, what affects it, and how to interpret it. For the SC-900 exam, this topic appears in roughly 5-10% of questions, often testing your understanding of the difference between the Compliance Score and Microsoft Secure Score, the components that contribute to the score, and the actions you can take to improve it. Mastering this topic will help you answer scenario-based questions about compliance posture management.

25 min read
Intermediate
Updated May 31, 2026

The Home Renovation Inspector's Checklist

Imagine you own an old house and want to sell it. You hire a home inspector who walks through with a 100-item checklist: foundation, roof, plumbing, electrical, etc. Each item on the checklist represents a control (like 'smoke detectors present' or 'GFCI outlets near water'). The inspector doesn't fix anything; he just checks whether each item is compliant (pass/fail/not applicable). After the inspection, you get a score: 85 out of 100 possible points. But some items are weighted more heavily (e.g., structural issues count more than cosmetic ones). The inspector also gives you improvement actions: 'Install smoke detectors in bedrooms' with a step-by-step guide. Over time, as you complete actions, your score improves. In this analogy, the inspector is Microsoft Compliance Manager, the checklist is the control set for a regulation (like GDPR or ISO 27001), each item is a control, the pass/fail is the implementation status, the improvement actions are Microsoft's recommended steps to become compliant, and the weighted score is the Compliance Score. The inspector's license (authority) comes from the regulation itself, just as Compliance Manager uses Microsoft's knowledge of regulations to create the controls. The inspector doesn't enforce compliance; he only reports on it, and you decide to act.

How It Actually Works

What is the Microsoft Compliance Manager Score?

The Microsoft Compliance Manager Score (usually just "compliance score") is a percentage (0-100%) that expresses how far your organization has progressed on the improvement actions inside a set of controls. It is calculated by Compliance Manager, a solution in the Microsoft Purview compliance portal. It is not one number: you can view it per assessment (your GDPR assessment, your HIPAA assessment) or as the overall score across all assessments on the Compliance Manager dashboard. The exam tests your understanding that the score reflects the recorded implementation and test status of improvement actions, not an independent measurement of how effective the underlying controls are.

Why does the Compliance Score exist?

Organizations face complex regulatory landscapes (GDPR, HIPAA, ISO 27001, NIST CSF, etc.). Manually tracking compliance across hundreds of controls is error-prone and time-consuming. Compliance Manager automates this with pre-built assessment templates for many regulations and standards, and every tenant starts with the Microsoft Data Protection Baseline assessment, so there is a score before you create anything. The score gives a quick, at-a-glance view of how well your organization is meeting those requirements. However, the score is a starting point for improvement, not a guarantee of compliance.

How is the Compliance Score calculated?

The score is calculated per assessment. Points are attached to improvement actions, not to controls directly: each control in an assessment groups one or more improvement actions, and controls are in turn grouped into control families (for example Access Control, Audit and Accountability). The maximum score for an assessment is the sum of the points of all its in-scope actions. The achieved score is the sum of the points of actions recorded as implemented and tested successfully. Credit is all or nothing per action: an action that is 'Not implemented', 'Planned', or implemented but failing its test contributes 0 points.

- Implementation status (set per improvement action):
  - Not implemented: 0 points.
  - Planned: 0 points; records intent and a target date only.
  - Implemented: eligible for full points once the test status is 'Passed'.
  - Alternative implementation: you meet the requirement another way (for example with a third-party tool); also eligible for full points once tested, and the place to attach evidence of that alternative.
  - Risk accepted: 0 points; documents a deliberate decision not to implement.
  - Out of scope: the action is excluded from the calculation entirely (its points leave the denominator).
- Test status (a separate field, not a sub-status of implementation):
  - Not assessed: no credit yet.
  - Passed: full points, provided the implementation status is 'Implemented' or 'Alternative implementation'.
  - Failed: 0 points, even if the implementation status says 'Implemented'.
  - Out of scope: excluded from the calculation.

Weighting: Each improvement action has a fixed point value that Microsoft derives from two properties of the action: whether it is mandatory or discretionary for the regulation, and whether it is preventative, detective, or corrective. Mandatory preventative actions are worth 27 points, discretionary preventative 9, mandatory detective or corrective 3, and discretionary detective or corrective 1. You cannot change these values; the points and the controls an action maps to come from the assessment template.

- Score calculation example:
  - Assessment has 3 actions: A (mandatory preventative, 27 points), B (discretionary preventative, 9 points), C (mandatory detective, 3 points). Total possible = 39.
  - Action A: Implemented, test Passed → 27 points.
  - Action B: Implemented, test Failed → 0 points (implementation status alone earns nothing).
  - Action C: Not implemented → 0 points.
  - Achieved score = 27 + 0 + 0 = 27 out of 39 = 69.2%.
  - If C were later set to Out of scope, the denominator would drop to 36 and the score would rise to 75% with no implementation work, which is why out-of-scope decisions need a written justification and periodic review.

Overall score: The dashboard's overall compliance score is calculated across the Data Protection Baseline and every assessment you have added. Because the same improvement action can belong to several assessments (requiring MFA, for instance, satisfies controls in many regulations), each action's points are counted once in the overall score, and completing it once gives credit in every assessment that includes it. The overall score is therefore not a simple average of the per-assessment percentages; assessments with more, and heavier, actions have more influence.
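The arithmetic above goes wrong in three predictable places: an action that is 'Implemented' but has failed its test, an action set to 'Out of scope', and an action shared between two assessments. The following Python model works all three through. It is an added example written for this chapter, not Microsoft's code and not a Compliance Manager API; the point values are the ones Compliance Manager assigns by action type, the credit and out-of-scope rules are the ones described above, and the action names, statuses and evidence file names are constructed sample data.

```python
"""Worked model of how Compliance Manager turns improvement-action status
into a compliance score. Added example for this chapter, not Microsoft code.
Point values follow Compliance Manager's scale per action type; the credit
rule (Implemented or Alternative implementation AND test Passed) and the
count-once rule for shared actions are the ones the chapter describes.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Points per improvement action, keyed by (mandatory?, category).
POINTS: Dict[Tuple[bool, str], int] = {
    (True, "preventative"): 27,
    (False, "preventative"): 9,
    (True, "detective"): 3,
    (False, "detective"): 1,
    (True, "corrective"): 3,
    (False, "corrective"): 1,
}

# Implementation statuses that are eligible for points once tested.
CREDITED = {"implemented", "alternative implementation"}
OUT_OF_SCOPE = "out of scope"


@dataclass(frozen=True)
class Action:
    """One improvement action as recorded in an assessment."""
    action_id: str
    mandatory: bool
    category: str                       # preventative | detective | corrective
    implementation: str = "not implemented"
    test: str = "not assessed"
    evidence: Tuple[str, ...] = ()      # attached files (constructed names)

    @property
    def max_points(self) -> int:
        return POINTS[(self.mandatory, self.category)]

    @property
    def in_scope(self) -> bool:
        # Out of scope removes the action from the denominator entirely.
        return OUT_OF_SCOPE not in (self.implementation, self.test)

    @property
    def achieved(self) -> int:
        # Credit is all or nothing: status alone earns nothing without a pass.
        if self.in_scope and self.implementation in CREDITED and self.test == "passed":
            return self.max_points
        return 0


def _unique(actions: Iterable[Action]) -> List[Action]:
    """Keep the first record of each action_id; an action shared by several
    assessments must be counted once."""
    seen: Dict[str, Action] = {}
    for a in actions:
        seen.setdefault(a.action_id, a)
    return list(seen.values())


def score(actions: Iterable[Action]) -> Tuple[int, int, float]:
    """Return (achieved, possible, percent) for a set of actions."""
    in_scope = [a for a in _unique(actions) if a.in_scope]
    possible = sum(a.max_points for a in in_scope)
    achieved = sum(a.achieved for a in in_scope)
    percent = round(100 * achieved / possible, 1) if possible else 0.0
    return achieved, possible, percent


def credited_without_evidence(actions: Iterable[Action]) -> List[str]:
    """Actions earning points with nothing attached: the self-report gap an
    auditor will probe first."""
    return sorted(a.action_id for a in _unique(actions)
                  if a.achieved > 0 and not a.evidence)


# Constructed sample data: two assessments that share the MFA action.
MFA = Action("mfa-all-users", True, "preventative",
             "implemented", "passed", ("ca-policy-mfa.png",))
GDPR = [
    MFA,
    Action("dlp-policies", True, "preventative", "implemented", "failed"),
    Action("retention-labels", False, "preventative", "planned"),
    Action("audit-log-review", True, "detective", "implemented", "passed"),
    Action("datacenter-physical-access", True, "preventative",
           OUT_OF_SCOPE, OUT_OF_SCOPE),
]
HIPAA = [
    MFA,
    Action("risk-assessment", True, "corrective",
           "alternative implementation", "passed", ("risk-report-2024.pdf",)),
    Action("access-reviews", False, "detective", "not implemented"),
]

if __name__ == "__main__":
    for name, acts in (("GDPR", GDPR), ("HIPAA", HIPAA), ("Overall", GDPR + HIPAA)):
        print(name, score(acts))
    print("credited without evidence:", credited_without_evidence(GDPR + HIPAA))
```

Running it gives GDPR 30/66 = 45.5%, HIPAA 30/31 = 96.8%, and an overall 33/70 = 47.1% rather than the 61.9% a pooled 60/97 would give, because the shared MFA action is counted once. The failed DLP test earns nothing despite 'Implemented', the out-of-scope datacenter action never enters the denominator, and the last line lists the one action that earns points with no evidence attached, which is the review an auditor (and Scenario 3 below) will insist on.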

Key Components

Assessments: A container for a set of controls based on a specific regulation (e.g., GDPR, HIPAA). You can create multiple assessments for the same regulation (e.g., one per business unit).

Controls: Individual requirements from the regulation (e.g., 'Encrypt data at rest'). Each control has a description, implementation status, test status, and supporting evidence.

Improvement actions: Step-by-step instructions provided by Microsoft to help you implement a control. Each improvement action is linked to one or more controls, often across several assessments. Updating an action's implementation status and test result is what awards (or withholds) its points for every control it maps to.

Microsoft actions: Actions for Microsoft-managed controls, which Microsoft implements for its cloud services (e.g., 'Microsoft encrypts data at rest in Azure'). Microsoft tracks and updates their status itself; you cannot edit them, and they contribute to your score without any action from you.

Customer actions: Controls that you must implement yourself (e.g., 'Configure MFA for all users').

Shared actions: Controls that are partially implemented by Microsoft and partially by the customer (e.g., 'Manage access to administrative accounts'). Both parties must complete their part.

How to view and interpret the score

In the Microsoft Purview compliance portal, navigate to Compliance Manager. You'll see a dashboard with:
- Overall compliance score (0-100%).
- Score breakdown by regulation (e.g., GDPR 85%, HIPAA 72%).
- Top improvement actions that will have the most impact on your score.
- Assessment list with individual scores.

Clicking into an assessment shows a detailed view of each control, its implementation status, and the associated improvement actions.

How to improve the score

1. Review improvement actions: For each control that is not fully implemented, there is an improvement action with detailed steps. These actions often involve configuring Microsoft 365 services (e.g., enabling auditing, setting retention policies).

2. Assign actions: You can assign improvement actions to people in your organization. They will receive notifications and can update the status.

3. Implement and test: After implementing the action, set its implementation status to 'Implemented' (or 'Alternative implementation' if you meet the requirement another way) and then test it. Set the test status to 'Passed' to earn the points; 'Implemented' on its own earns nothing.

4. Upload evidence: Attach screenshots, policy documents, or logs as evidence of implementation. Evidence is what an auditor will ask for; the score itself is not evidence.

5. Let automated testing do the work where it can: Technical actions that map to Microsoft Secure Score are tested automatically. Compliance Manager rescans the tenant roughly every 24 hours and updates those actions' implementation and test status itself, so configuring the setting in Microsoft 365 is enough.

Interaction with Microsoft Secure Score

Microsoft Secure Score measures your security posture against Microsoft's security recommendations (e.g., requiring MFA, blocking legacy authentication). It is separate from the compliance score, but there is overlap.

Some improvement actions in Compliance Manager are linked to Secure Score actions. Completing them in Secure Score may automatically update Compliance Manager.

Key difference: Secure Score focuses on security recommendations (e.g., 'Enable MFA'), while Compliance Score focuses on regulatory compliance (e.g., 'Ensure MFA is enabled per GDPR Article 32'). The same action (enable MFA) can appear in both, but the context differs.

Default values and timers

Score refresh: Automatically tested actions are re-evaluated when Compliance Manager scans the tenant, roughly every 24 hours, so a setting you change in Microsoft 365 can take up to a day to show in the score. Status changes you record manually on an action take effect when you save them.

Implementation status default: Improvement actions start as 'Not implemented' with test status 'Not assessed', except actions already tracked in another assessment (their existing status carries over, because actions are shared across assessments) and Microsoft actions (tracked by Microsoft from the start).

Partial credit: There is none. An action earns its full points or zero; 'Planned' and 'Risk accepted' both score zero.

Microsoft actions: These are updated by Microsoft and cannot be changed.

Exam Trap: Score vs. Compliance

The exam loves to test that a high Compliance Score does NOT mean you are compliant. The score is a self-assessment based on your declared implementation status. It is possible to have a 100% score but still be non-compliant if your implementation is flawed or if you haven't tested properly. The score is a tool for improvement, not a certification.

Configuration and verification commands

Compliance Manager is managed in the Microsoft Purview compliance portal. As of this writing there is no documented PowerShell cmdlet or Microsoft Graph endpoint that reads the compliance score or writes an improvement action's status; the bulk interfaces are the Excel-based import of custom assessment templates and the report export in the portal. The request shapes below are illustrative only, showing what such an API would look like; they are not real Graph endpoints and must not be used in automation:

# Illustrative only; this endpoint does not exist in Microsoft Graph
GET https://graph.microsoft.com/v1.0/compliance/assessments

# Illustrative only
PATCH https://graph.microsoft.com/v1.0/compliance/assessments/{id}/controls/{id}
{
  "implementationStatus": "implemented",
  "testResult": "passed"
}

The practical automation path is indirect: technical actions linked to Microsoft Secure Score are updated by Compliance Manager's daily scan, and Secure Score itself is exposed in Microsoft Graph (the secureScores and secureScoreControlProfiles resources under /security). The SC-900 exam does not test API usage; it focuses on the portal interface and concepts.

Walk-Through

1. Access Compliance Manager

Navigate to the Microsoft Purview compliance portal (https://compliance.microsoft.com) and select 'Compliance Manager' in the left navigation. This opens the dashboard showing your overall compliance score, assessments, and top improvement actions. You need a role that grants access: a Microsoft Entra ID (formerly Azure AD) role such as Global Administrator, Compliance Administrator, or Security Administrator, or one of the Compliance Manager roles assigned in the portal (Compliance Manager Administration, Assessment, Contribution, or Reader). Reader is enough to view the score; changing statuses and uploading evidence needs Contribution or higher.

2. Create a new assessment

Click 'Create assessment' to start a new assessment based on a regulation (e.g., GDPR, HIPAA, ISO 27001). You can also use a custom template. You'll name the assessment and assign it to a group (e.g., a business unit). The assessment is populated with the template's controls and their improvement actions; each action carries its fixed point value.

3. Review controls and improvement actions

Within the assessment, review each control's description and implementation status. For actions not yet implemented, open the improvement action to see detailed steps. Improvement actions often include configuring Microsoft 365 settings (e.g., enable audit logging, set retention labels). Some actions are 'Microsoft actions' that Microsoft tracks itself. Note the points each action carries; the dashboard sorts the top actions by that value.

4. Assign and implement improvement actions

Assign improvement actions to individuals in your organization by clicking 'Assign' and selecting a person. They will receive email notifications. After implementing the steps (e.g., requiring MFA), return to Compliance Manager and update the action's implementation status to 'Implemented' (or 'Alternative implementation' if a different control meets the requirement). Attach evidence (e.g., a screenshot of the Conditional Access policy) at the same time.

5. Test and verify controls

After marking an action as 'Implemented', test it to confirm it works as expected and set the 'Test status' to 'Passed' or 'Failed'. Only 'Passed' earns points; 'Implemented' with 'Failed' or 'Not assessed' earns nothing. Add testing notes and evidence. If the action does not apply to your environment, set it to 'Out of scope' to remove it from the denominator, and record why, because that justification is what an auditor will question.

6. Monitor the score

Automatically tested actions are refreshed by the tenant scan roughly every 24 hours; manually recorded status changes count as soon as they are saved. Monitor the score over time to track improvement. Use the score breakdown to see which assessments are dragging down your overall score. Review template updates when Microsoft revises a regulation, since new actions arrive as 'Not implemented' and lower the score until addressed.

What This Looks Like on the Job

Scenario 1: Financial Services Company Achieving GDPR Compliance

A financial services company based in the UK must comply with GDPR. They use Microsoft 365 E5 and have sensitive customer data in Exchange Online and SharePoint Online. The compliance team creates a GDPR assessment in Compliance Manager. Initially, the score is 15%: the Microsoft-managed actions provide that baseline and nearly all customer actions are 'Not implemented'. The top improvement actions, sorted by points, include:
- 'Enable data loss prevention (DLP) policies'
- 'Configure retention labels for personal data'
- 'Require MFA for all users'

The team assigns these actions to IT administrators. Over three months, they implement DLP, configure retention policies, and enforce MFA, recording each as 'Implemented' with test status 'Passed' and evidence attached. The score rises to 72%. They then find that some actions are satisfied by third-party tools (e.g., an external key management service). They record those as 'Alternative implementation' with evidence of the third-party control, and the few that genuinely do not apply as 'Out of scope' with a written justification. The final score reaches 88%. The compliance officer presents this score to the board as evidence of progress, but they also hire an external auditor to validate actual compliance. This scenario highlights that the score is a management tool, not a substitute for audit.

Scenario 2: Healthcare Provider Using Shared Responsibility

A hospital uses Microsoft 365 and Azure to store patient records (HIPAA). They create a HIPAA assessment. Many controls are Microsoft-managed (e.g., 'Microsoft encrypts data at rest in Azure'), and their actions already carry points, giving a baseline score of 40%. The remaining customer actions include 'Conduct risk assessments', 'Manage business associate agreements', and 'Implement access reviews'. The hospital's compliance officer assigns these actions. They struggle with 'Conduct risk assessments' because it requires manual effort, and leave it at 'Planned' for months, which earns nothing and caps their score at 65%. Eventually they hire a consultant to complete the risk assessment, set the action to 'Implemented' with test status 'Passed', and attach the report as evidence, raising the score to 85%.

Scenario 3: Misconfiguration Leading to Score Inflation

A small business creates a GDPR assessment and marks every action as 'Implemented' with test status 'Passed' without actually implementing anything or attaching evidence. Their score immediately jumps to 100%. This is a common mistake. The exam tests that the score is based on self-reported status, not actual compliance. An auditor would find them non-compliant. To prevent this, organizations should restrict who can change statuses: keep most users as Compliance Manager Readers, grant the editing roles (Contribution and above) only to designated owners and testers, and periodically review actions that earn points but have no evidence attached. Compliance Manager does not enforce separation between implementer and tester; it relies on role-based access control (RBAC) and organizational discipline.

How SC-900 Actually Tests This

Exam Focus for SC-900 Objective 4.2

What the Exam Tests

- Objective 4.2: Describe compliance management capabilities in Microsoft Purview. This includes Compliance Manager, Compliance Score, and assessments.
- Specific sub-topics:
  - Identify the purpose of Compliance Manager.
  - Understand how the Compliance Score is calculated (points, implementation status, test results).
  - Differentiate between Compliance Score and Microsoft Secure Score.
  - Identify the types of actions: Microsoft actions, customer actions, shared actions.
  - Understand the role of assessments and improvement actions.

Common Wrong Answers and Why Candidates Choose Them

1. 'Compliance Score measures actual compliance.' Candidates see 'score' and think it's a pass/fail certification. Reality: It's a self-assessment tool; actual compliance requires independent audit.

2. 'Compliance Score and Secure Score are the same.' Both are percentages, but Secure Score is for security posture, Compliance Score is for regulatory compliance. They overlap but are distinct.

3. 'You can only have one assessment per regulation.' Candidates assume one assessment per regulation. Reality: You can create multiple assessments for the same regulation, e.g., one per department.

4. 'Microsoft actions are optional.' Candidates think they can skip Microsoft actions. Reality: Microsoft actions are tracked by Microsoft and contribute to the score without customer effort.

Specific Numbers and Terms That Appear on the Exam

Score range: 0-100% (not 0-1000).

Refresh interval: Automated testing rescans the tenant roughly every 24 hours; manual status changes apply when saved.

Partial implementation credit: None. An action earns its full points or zero.

Action points: Fixed by Microsoft from the action type (mandatory or discretionary; preventative, detective, or corrective), not adjustable.

Improvement actions: Provide step-by-step guidance.

Evidence: Can be attached to controls.

Permissions needed: A Compliance Manager role (Administration, Assessment, Contribution, or Reader) or a Microsoft Entra ID role such as Global Administrator, Compliance Administrator, or Security Administrator.

Edge Cases and Exceptions

What if a control does not apply? Set its improvement action(s) to 'Out of scope'. The action's points are removed from the denominator, so the assessment's maximum drops and the percentage rises without any work; record the justification in the action's notes, because an auditor will ask why it was excluded.

What if you disagree with an action's point value? You cannot change it; points are fixed by action type. Your options are to implement it, record an 'Alternative implementation' with evidence, document 'Risk accepted' (which still scores zero), or set it to 'Out of scope' with a justification.

Can you get 100% score? Yes, but it doesn't mean you are compliant. The exam loves this distinction.

What happens when Microsoft updates a regulation template? Existing assessments may be updated with new controls. You need to review and implement new controls to maintain your score.

How to Eliminate Wrong Answers Using the Underlying Mechanism

If a question asks about 'a score that reflects regulatory compliance', the answer is Compliance Score, not Secure Score.

If a question mentions 'actions that Microsoft performs automatically', those are Microsoft actions.

If a question says 'a tool that provides step-by-step instructions to implement controls', that's improvement actions.

If a question says 'a container for controls based on a regulation', that's an assessment.

If a question implies that a high score means compliance, that answer is false.

Use the underlying mechanism: The score is a weighted sum of implemented controls. It does not validate actual implementation. Always look for the distinction between 'self-reported' and 'verified'.

Key Takeaways

Compliance Score is the percentage of available improvement-action points you have earned, from 0 to 100%.

Automatically tested actions are refreshed roughly every 24 hours; manual status changes count when saved.

Improvement actions have fixed point values set by Microsoft from the action type; you cannot change them.

There is no partial credit: an action earns its full points only when it is 'Implemented' (or 'Alternative implementation') and its test status is 'Passed'.

Microsoft actions are automatically implemented and contribute to the score without customer effort.

A high Compliance Score does not guarantee actual compliance; it is a self-assessment tool.

Assessments are containers for controls based on a specific regulation; you can have multiple assessments per regulation.

Improvement actions provide step-by-step guidance to implement controls.

Compliance Manager is accessed via the Microsoft Purview compliance portal.

Required permissions: A Compliance Manager role (Administration, Assessment, Contribution, or Reader) or a Microsoft Entra ID role such as Global Administrator, Compliance Administrator, or Security Administrator.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Compliance Score

Measures compliance with regulatory standards (GDPR, HIPAA, etc.)

Based on controls and improvement actions for regulations

Includes Microsoft actions, customer actions, and shared actions

Score range 0-100%

Used to track progress toward regulatory compliance

Microsoft Secure Score

Measures security posture against Microsoft's security recommendations

Based on security configuration actions (e.g., require MFA, block legacy authentication)

Only includes customer actions (no Microsoft actions)

Displayed as points achieved out of points possible, with the equivalent percentage alongside

Used to improve security posture and reduce risk of breach

Watch Out for These

Mistake

Compliance Score is the same as Microsoft Secure Score.

Correct

Compliance Score measures compliance with regulatory standards (e.g., GDPR, HIPAA) using controls and improvement actions. Microsoft Secure Score measures security posture based on security configurations (e.g., enabling MFA, patching). They are separate scores with different purposes, though some improvement actions overlap.

Mistake

A 100% Compliance Score means you are fully compliant with the regulation.

Correct

The score is based on self-reported implementation status. It does not verify the effectiveness of controls. You can have a 100% score and still be non-compliant if your implementation is flawed or if you haven't tested properly. The score is a management tool, not a guarantee of compliance.

Mistake

You can only create one assessment per regulation.

Correct

You can create multiple assessments for the same regulation, for example, one per business unit, department, or region. Each assessment is independent and has its own score.

Mistake

Microsoft actions require customer action to implement.

Correct

Microsoft actions are automatically implemented by Microsoft (e.g., 'Microsoft encrypts data at rest'). They are marked as 'Implemented' and 'Tested Passed' by Microsoft without any customer effort. They contribute to the score automatically.

Mistake

The Compliance Score reflects your Microsoft 365 configuration in real time.

Correct

Automatically tested actions are refreshed only when Compliance Manager scans the tenant, roughly every 24 hours, so a setting changed in Microsoft 365 can take up to a day to show in the score. Only status changes you record manually on an action count as soon as they are saved.


Frequently Asked Questions

How is the Compliance Score calculated?

The Compliance Score is calculated per assessment as the sum of the points of improvement actions that are 'Implemented' (or 'Alternative implementation') with test status 'Passed', divided by the total points of all actions in the assessment (excluding those set to 'Out of scope'), multiplied by 100. Each action has a fixed point value based on its type (mandatory or discretionary; preventative, detective, or corrective). There is no partial credit. The overall score across assessments counts each shared action once, so it is not a plain average of the per-assessment percentages.

What is the difference between Compliance Score and Microsoft Secure Score?

Compliance Score measures compliance with regulatory standards (e.g., GDPR, HIPAA) using controls and improvement actions. Microsoft Secure Score measures security posture based on security configurations (e.g., requiring MFA, blocking legacy authentication). While there is some overlap (e.g., requiring MFA appears in both), they serve different purposes. Compliance Score is about meeting regulatory requirements; Secure Score is about reducing security risk.

Can I create multiple assessments for the same regulation?

Yes, you can create multiple assessments for the same regulation. For example, you might create separate assessments for different business units, departments, or geographic regions. Each assessment is independent and has its own score. This allows you to track compliance at a granular level.

What are Microsoft actions in Compliance Manager?

Microsoft actions are controls that Microsoft implements on behalf of the customer. For example, 'Microsoft encrypts data at rest in Azure'. These actions are automatically marked as 'Implemented' and 'Tested Passed' by Microsoft. They contribute to your Compliance Score without any action required from you. They are part of the shared responsibility model.

How often is the Compliance Score updated?

Automatically tested actions are re-evaluated when Compliance Manager scans the tenant, roughly every 24 hours, so a configuration change in Microsoft 365 may take up to a day to appear in the score. Status changes you record manually on an action are reflected when you save them.

What happens if I mark an action as 'Out of scope'?

If an action does not apply to your organization (e.g., a physical datacenter control when you have no on-premises servers), you can set it to 'Out of scope'. This excludes the action from the score calculation entirely: its points are removed from the assessment's total possible, so the percentage changes even though nothing was implemented. Record the reason in the action's notes, since auditors review out-of-scope decisions closely.

Does a 100% Compliance Score mean I am compliant?

No. A 100% Compliance Score means you have marked all controls as 'Implemented' and 'Tested Passed' in Compliance Manager. However, this is a self-assessment and does not verify the actual effectiveness of your controls. True compliance requires independent auditing and validation. The score is a tool to track progress, not a certification.
