# Compliance Manager

> Source: Courseiva IT Certification Glossary — https://courseiva.com/glossary/compliance-manager

## Quick definition

A Compliance Manager helps companies keep track of rules they have to follow, like data privacy laws or security standards. It checks if they are meeting those requirements and suggests fixes if they are not. Think of it like a checklist that automatically scores your compliance and guides you to improve.

## Simple meaning

Imagine you are running a small restaurant. There are many rules you have to follow: health department regulations about food storage temperature, fire safety codes for the kitchen, labor laws about how many hours your staff can work, and maybe specific rules from the city about outdoor seating. Keeping track of all these rules on paper is hard. You might forget something, or a rule might change and you don't realize it. A Compliance Manager is like having a smart checklist and an inspector combined into one digital tool. It knows all the rules that apply to your type of business, it checks your restaurant against those rules, and it tells you exactly what you need to fix to pass an official inspection.

In the world of Information Technology, companies handle huge amounts of sensitive data, like credit card numbers, medical records, or personal email addresses. There are strict laws about how this data must be protected, such as the General Data Protection Regulation (GDPR) in Europe or the Health Insurance Portability and Accountability Act (HIPAA) in the United States. There are also industry standards like the Payment Card Industry Data Security Standard (PCI DSS) for companies that process credit cards. A Compliance Manager in IT is a software platform that centralizes all of these requirements. It provides a clear dashboard showing which controls you have implemented and which ones are missing or failing. It helps you plan actions, assign tasks to your team, track progress, and generate reports for auditors.

For example, one common requirement is "encrypt data at rest," meaning that data stored on a hard drive should be scrambled so that nobody can read it if they steal the drive. The Compliance Manager will ask if you have encryption turned on for your databases and file storage. If you answer "yes" and provide evidence, the tool marks that control as compliant. If you answer "no," it flags it as a gap and may even give you step-by-step instructions on how to enable encryption. This way, the Compliance Manager acts as a guide, not just a report card. It turns a complex web of legal and technical rules into a manageable list of actions that your IT team can work through one by one.

## Technical definition

A Compliance Manager is a cloud-based or on-premises service that provides automated compliance assessments, policy management, remediation guidance, and audit-readiness reporting across multiple regulatory frameworks and industry standards. It operates as a central control plane that maps technical and organizational controls to specific requirements from frameworks such as SOC 2, ISO 27001, NIST 800-53, FedRAMP, GDPR, HIPAA, PCI DSS, and others. The system typically integrates with an organization's IT infrastructure and cloud environments to collect evidence, monitor configurations, and detect non-compliant states in real time.

At its core, a Compliance Manager uses a control framework library that contains pre-built mappings between common security controls and hundreds of regulatory requirements. For instance, Microsoft Purview Compliance Manager offers over 600 control actions mapped to more than 80 global standards. Each control action is assigned a score based on its risk reduction value. The total score is calculated as a percentage of the maximum possible points, giving a quick compliance posture metric. The scoring model weights controls differently: mandatory controls (like incident response) score higher than recommended controls (like security awareness training) because the risk of non-compliance is greater.

Technically, a Compliance Manager works through several key components. First, the assessment engine ingests data from integrated sources such as cloud security posture management (CSPM) tools, vulnerability scanners, identity and access management (IAM) systems, and configuration management databases (CMDB). For example, in Microsoft Azure, Defender for Cloud assessments feed into Compliance Manager so that a misconfigured storage account appears automatically as a compliance gap. Second, the control library stores the mappings and allows administrators to add custom controls for organization-specific policies. Third, the evidence collection module automatically gathers logs, configuration snapshots, and attestation documents from connected systems. It can also provide a mechanism for manual upload of third-party audit reports. Fourth, the remediation engine generates actionable tasks, often integrated with ticketing systems like ServiceNow or Jira, to assign work to the responsible team. Finally, the reporting module produces auditor-ready reports in standardized formats such as SOC 2 Type II report templates, ISO 27001 Statement of Applicability, or NIST 800-53A assessment plans.

From a protocol and standards perspective, Compliance Manager services often rely on REST APIs to pull data from cloud providers. They use OAuth 2.0 for authentication and authorization, and they export data in JSON or XML for integration with Security Information and Event Management (SIEM) systems. The assessments are typically point-in-time snapshots that can be scheduled to run daily, weekly, or on demand. Many Compliance Managers also support continuous monitoring, where a change in infrastructure (like opening a security group port) immediately triggers a reassessment of the affected controls.

Real IT implementation involves several roles. The compliance officer defines the desired frameworks and sets the risk thresholds. The IT security team configures the integrations and monitors the scores. The operations team executes the remediation tasks. The internal audit team uses the reports for pre-audit readiness checks. Often, a Compliance Manager is part of a larger compliance and governance suite. For example, AWS Audit Manager works alongside AWS Config and AWS Security Hub to provide a unified view. Similarly, Google Cloud's Assured Workloads integrates with Security Command Center for compliance automation.

A critical technical detail is that Compliance Managers do not automatically make a system compliant. They only assess and guide. The actual remediation, patching, reconfiguring, implementing multi-factor authentication, must be done by the organization. Also, the tool's accuracy depends on the quality of the data it ingests. If an organization has incomplete or incorrect mapping of resources (e.g., a database marked as encrypting data when it is not), the Compliance Manager will produce a false sense of security. Therefore, periodic manual validation of a sample of controls is still necessary.

## Real-life example

Think about preparing your home for a visit from your homeowner's insurance inspector. The insurance company has a list of requirements to keep your coverage active. You must have smoke detectors on every floor, a fire extinguisher in the kitchen, deadbolt locks on all exterior doors, no loose electrical wiring, and a secure railing on the stairs. That list is the compliance framework. Now imagine you have a smart home app that connects to your smoke detectors, door locks, and even your electrical panel. This app checks every device and gives you a score out of 100. If your smoke detector on the second floor has a low battery, the app flags it and gives you a step-by-step guide: "Buy a 9V battery from the store, replace the battery in the second floor smoke detector, then test the alarm." It also sends you a notification. That app is your Compliance Manager.

In this analogy, the inspector's requirements are the compliance standards (GDPR, HIPAA, etc.). Your smart home devices are your IT systems, servers, networks, applications, databases. The app's ability to check battery levels and lock statuses represents the automated data collection from your cloud infrastructure. The app's checklist is the control library. The score it gives you is your compliance score. The action items it creates are remediation tasks. And the report it can print for the inspector is the auditor-ready report.

Now, let's add complexity. Your home also uses a different smart lock brand that the app doesn't natively support. You have to manually check that lock and mark it as compliant in the app. That is like a custom control for a legacy system that doesn't integrate with the Compliance Manager. Also, the inspector might require a certificate from your HVAC technician verifying that your furnace is clean. You have to upload that PDF into the app as evidence. That is like uploading a penetration test report or a third-party audit letter. When the actual inspection day comes, you print the compliance report from the app and hand it to the inspector. The inspector trusts the report because the app is from a well-known company and automatically collects data. That is exactly how an external auditor relies on a Compliance Manager's report during a SOC 2 or ISO 27001 audit.

The key point is that the app does not fix the low battery for you, you have to do it. Similarly, a Compliance Manager does not patch your server or enable encryption for you. It tells you what is wrong and how to fix it, but your IT team must do the work. The app also never lies, if you ignore a problem, your score stays low. In the same way, a Compliance Manager gives an honest assessment, which is valuable for internal risk management but also for demonstrating due diligence to regulators.

## Why it matters

In a modern IT environment, organizations are subject to an ever-growing number of regulations and security frameworks. A single company may need to comply with GDPR if it handles EU citizen data, HIPAA if it processes health information, PCI DSS if it accepts credit cards, and SOC 2 if it provides services to other businesses. Manually tracking compliance across all these frameworks is not only time-consuming but error-prone. A Compliance Manager automates the monitoring, assessment, and reporting process, freeing up IT and security teams to focus on actual remediation rather than paperwork.

the consequences of non-compliance can be severe. Regulatory fines for GDPR violations can reach up to 4% of annual global revenue or 20 million euros, whichever is higher. HIPAA penalties range from $100 to $50,000 per violation. Beyond fines, a compliance failure can lead to loss of customer trust, legal liability, and even exclusion from certain markets. A Compliance Manager helps mitigate these risks by providing a continuous view of the compliance posture. It enables organizations to detect issues early, document remediation efforts, and produce evidence for auditors, which can reduce the length and cost of an audit.

as more organizations migrate to the cloud, shared responsibility models become critical. Cloud providers like AWS, Azure, and Google Cloud provide security of the cloud, but customers are responsible for security in the cloud. A Compliance Manager helps customers manage their part of that shared responsibility. It shows exactly which controls are the customer's responsibility and whether those controls are properly implemented. This clarity is essential for passing audits and maintaining security certifications.

From a career perspective, understanding Compliance Manager tools is important for IT professionals working in security, governance, risk, and compliance (GRC) roles. Many certifications now include compliance objectives. The ability to configure and interpret a Compliance Manager dashboard is a practical skill that employers value. In short, a Compliance Manager is not just a nice-to-have tool; it is a core part of an organization's governance strategy and a key factor in maintaining regulatory compliance.

## Why it matters in exams

Compliance Manager appears in several major certification exams, especially those from Microsoft, CompTIA, and AWS. In the Microsoft ecosystem, the SC-900 (Microsoft Security, Compliance, and Identity Fundamentals) exam includes Microsoft Purview Compliance Manager as a core topic. Candidates are expected to know its purpose, how it scores controls, and how it helps organizations meet regulatory requirements. Similarly, the MS-900 (Microsoft 365 Fundamentals) and MS-102 (Microsoft 365 Administrator) exams may cover Compliance Manager as part of the broader compliance and governance capabilities within Microsoft 365. For the AZ-104 (Microsoft Azure Administrator) and Azure Fundamentals (AZ-900) exams, knowledge of Azure Policy and Azure Blueprints, which are related compliance tools, is tested, though Compliance Manager itself is more specific to the Microsoft 365 side. The SC-900 exam in particular has questions that ask about the difference between Compliance Manager, Compliance Center, and Service Trust Portal.

For CompTIA Security+ (SY0-601), the exam includes objectives under domain 3 (Implementation) regarding data privacy and security controls. While Compliance Manager is not a named tool in the objectives, understanding the concept of automated compliance verification is beneficial for scenario-based questions. CompTIA CySA+ (CS0-002) also covers compliance scanning and reporting, where Compliance Manager tools are relevant.

In the AWS ecosystem, the AWS Certified Solutions Architect – Associate (SAA-C03) exam includes AWS Audit Manager, which is an AWS service similar to a Compliance Manager. Candidates should understand how Audit Manager helps with continuous compliance monitoring and evidence collection. The AWS Security Hub also plays a role in compliance checks against standards like CIS Benchmarks and PCI DSS.

For the ISC2 CISSP exam, compliance and regulatory oversight is a major domain (Domain 1: Security and Risk Management). Understanding automated compliance tools, including Compliance Manager systems, is essential for answering questions about auditing, reporting, and continuous compliance. The CISSP exam focuses on the management and governance aspects rather than specific vendor tools, so a conceptual understanding of how such systems work is expected.

Exam questions often present a scenario where an organization must demonstrate compliance with a specific standard, and the candidate must choose the best tool or approach. For instance, a question might describe a company that needs to produce an audit report for ISO 27001 and ask which Microsoft tool to use. The correct answer is Microsoft Purview Compliance Manager. Another question might ask about the scoring system: "What does a control score of 100 mean?" Answer: The control is fully implemented and tested. Understanding these nuances is key to scoring well.

## How it appears in exam questions

Questions about Compliance Manager typically fall into three categories: tool identification, feature understanding, and scenario application.

Tool identification questions are straightforward. They ask: "Which Microsoft service helps you manage compliance across regulatory frameworks?" The answer is Microsoft Purview Compliance Manager. Similarly, for AWS, the equivalent is AWS Audit Manager. These questions are common in foundational exams like SC-900 or Azure Fundamentals. A variant might list several compliance-related terms (Compliance Manager, Compliance Center, Service Trust Portal, Azure Policy) and ask the candidate to pick the one that provides a compliance score and actionable recommendations.

Feature understanding questions go deeper. For example: "What does the Compliance Manager score represent?" The correct answer is a percentage of implemented controls relative to the total possible points for a chosen framework. Another question might be: "How often does Compliance Manager automatically evaluate controls if continuous monitoring is enabled?" The answer is near real-time, triggered by changes in the environment. Another common feature question: "What is a 'control action' in Compliance Manager?" Answer: A specific technical or organizational action that must be taken to satisfy a compliance requirement. Some exams test the difference between Microsoft Compliance Manager and Azure Policy: Compliance Manager is for regulatory compliance assessments, while Azure Policy enforces compliance rules on Azure resources.

Scenario application questions are more complex and appear in higher-level exams like MS-102 or AZ-104. They might describe a company with multiple offices that needs to ensure all employees use multi-factor authentication for regulatory reasons. The question asks which tool can monitor and report on MFA adoption across the organization and generate a compliance report for auditors. The answer is Compliance Manager (with appropriate licensing). Another scenario: A healthcare organization needs to map their controls to HIPAA. The question asks which Compliance Manager feature allows them to see which controls are mapped to HIPAA. Answer: The control library or the assessment template.

Some questions present a situation where the compliance score is lower than expected, and the candidate must infer the reason. For example, the score might be 60% after initial setup. Possible reasons include: not all controls have been assessed, some controls are not implemented, the selected framework has a high number of requirements, or continuous monitoring is not enabled so the data is stale. The exam expects the candidate to understand the factors that influence the score.

Finally, there are integration questions. For instance: "Which Microsoft 365 security feature can feed data into Compliance Manager to automatically detect misconfigurations?" The answer is Microsoft Defender for Cloud Apps or Microsoft Endpoint Manager. Understanding these integrations helps in exams that test end-to-end security architectures.

## Example scenario

A small online retail company, "Gadget World," processes credit card payments and stores customer names, addresses, and purchase histories. They want to get PCI DSS compliant to avoid fines and keep their payment processor happy. The IT manager, Sarah, decides to use Microsoft Purview Compliance Manager to help.

Sarah opens Compliance Manager and sees a list of available assessment templates. She selects the PCI DSS v3.2.1 template. The tool automatically creates an assessment with hundreds of control actions grouped into categories like "Protect Cardholder Data" and "Maintain an Information Security Policy." For each control action, Compliance Manager provides a description, the implementation status (Not started, Implemented, Tested, etc.), and a maximum score.

One control action is "Encrypt all cardholder data stored in databases." Sarah knows that their customer database currently does not have encryption enabled. She marks the control as "Not implemented" and attaches a note: "Database encryption to be enabled by Q4." Compliance Manager calculates the score impact: because encryption is a high-priority control, the overall score drops significantly.

Another control action is "Implement file integrity monitoring on systems that store cardholder data." Sarah's team has already deployed a file integrity monitoring tool on their web servers. She marks this as "Tested" and uploads a screenshot of the tool's alert log as evidence. Compliance Manager assigns the full points for that control.

Sarah also notices that Compliance Manager offers a remediation task feature. For the missing encryption, she generates a task assigned to the database administrator with a due date. The task includes a link to Microsoft documentation on enabling Transparent Data Encryption (TDE) in SQL Server.

After two months, Sarah's team has implemented most controls. Compliance Manager now shows a score of 85%. Sarah generates a PDF report titled "PCI DSS Compliance Assessment" which includes a summary score, a list of failed controls with remediation plans, and the evidence documents. She sends this report to the company's auditor, who uses it as a starting point for the official audit. The auditor still performs independent testing but greatly reduces the time spent because Compliance Manager has already done the mapping and evidence collection. Gadget World successfully passes the audit. Sarah learns that compliance is not a one-time project but an ongoing process, and she schedules monthly reassessments in Compliance Manager to keep the score high.

## Core Concepts of Microsoft Compliance Manager

Microsoft Compliance Manager is a comprehensive compliance management solution within the Microsoft 365 compliance center that helps organizations manage their compliance obligations effectively. The tool provides a centralized dashboard for assessing compliance posture across multiple regulations, standards, and frameworks. It covers key areas such as data protection, data governance, risk management, and regulatory compliance. The system is built on a framework of assessments, controls, and actions that guide organizations from initial compliance evaluation to continuous improvement. Each assessment is mapped to a specific regulation or standard, such as GDPR, HIPAA, ISO 27001, or SOC 2. Within each assessment, there are a series of controls that represent specific requirements from the regulation. For each control, Compliance Manager provides recommended actions to implement the required security and compliance measures. These actions can be technical, which involve configuring Microsoft 365 settings, or operational, which involve documenting procedures and policies. The tool uses a scoring model based on these actions to provide a compliance score. The score is a percentage that represents how many actions have been completed versus the total required actions. For example, if a control has five required actions and three are completed, that contributes 60% to the compliance score for that control. The overall score is aggregated across all assessments. Importantly, the tool also tracks actions taken by the organization and provides evidence of compliance. This evidence can be in the form of configuration details, audit logs, or user attestations. Compliance Manager also integrates with Microsoft 365 compliance features such as data classification, sensitivity labels, and audit logs, making it a central hub for managing compliance in the Microsoft 365 ecosystem. The tool supports role-based access control, allowing compliance officers, auditors, and security administrators to have appropriate levels of access. Compliance Manager provides templates for common regulations and allows organizations to create custom assessments for specific internal policies. The system is continuously updated to reflect changes in regulations and new Microsoft 365 capabilities. Understanding these core concepts is critical for the AZ-104, MS-102, SC-900, and other related exams, as compliance management is a key part of the Microsoft security and compliance ecosystem.

## Scoring and Assessment Management in Compliance Manager

The scoring and assessment management subsystem in Microsoft Compliance Manager is fundamental to how organizations measure and improve their compliance posture. The compliance score is calculated based on the completion of actions within each assessment. Each action has a point value associated with it, and the total score is the percentage of points earned out of the total possible points. For example, if an assessment has 100 possible points and the organization has earned 75, the compliance score is 75%. Points are weighted based on the risk reduction each action provides. Actions that reduce risk significantly, such as enabling multi-factor authentication, are weighted more heavily than lower-risk actions like configuring a retention policy. The tool provides a point value for each action, which is visible in the assessment details. Microsoft provides default point values, but organizations can adjust them to align with their own risk appetite. Once actions are completed, compliance manager allows the administrator to mark the action as completed and optionally attach evidence files, such as documentation or screenshots. Notes can also be added for auditor review. The tool then recalculates the score automatically. Assessment management involves creating, updating, and deleting assessments. Compliance Manager provides pre-built assessment templates for major regulations. For example, the GDPR template includes controls from the GDPR regulation. The administrator can also create custom assessments from scratch or by cloning an existing template. Each assessment is assigned a scope and can be associated with specific Microsoft 365 subscriptions, groups, or geographies. For example, an organization might create a GDPR assessment that applies only to users in the European Union. The assessment also includes the ability to assign actions to responsible individuals, with due dates and status tracking. This helps with accountability and project management. The tool provides a detailed view of all actions, categorized by status: Planned, In Progress, Completed, or Non-applicable. Failed actions are also flagged. Compliance Manager supports the concept of improvement actions, which are actions that can be automated through Microsoft 365 security features. For example, an action to enable Azure AD MFA can be directly connected to the Microsoft Entra configuration, allowing automated validation. The tool can generate automated reports that can be exported to Word or PDF for compliance reporting and audit purposes. Understanding the scoring mechanisms and assessment management is crucial for exam scenarios, particularly in MS-102 and AZ-104 where administrators must demonstrate how to configure and maintain compliance assessments for organizational requirements.

## Actions and Automation in Compliance Manager

Actions and automation in Microsoft Compliance Manager are the building blocks that translate regulatory requirements into measurable technical and operational tasks. Compliance Manager categorizes actions into two main types: improvement actions and standard actions. Improvement actions are those that can be automated directly from within the Compliance Manager interface, leveraging Microsoft 365 capabilities. These actions can be executed by a simple click to apply the required configuration. For example, if a control requires that conditional access policies be enforced, Compliance Manager can list the specific conditional access policy that must be enabled. The administrator can then click an Execute or Enable button to apply the configuration directly from the compliance manager interface, with no need to navigate to the Azure AD tenant. This automation is powered by the Microsoft 365 security and compliance APIs. Standard actions, on the other hand, are operational or non-automated actions. These might include documenting a compliance policy, conducting a user training session, or performing an external audit. The administrator must manually mark these actions as completed and provide evidence. Compliance Manager provides an evidence management feature to upload files, screenshots, or log files to prove that the action was completed. The tool also allows tracking of which users are assigned to each action, with status updates and due date reminders. This is often managed via a Project Plan-like interface within the compliance center. The automation extends to continuous compliance monitoring. Once an improvement action is executed, Compliance Manager can continuously validate that the configuration remains in place. For example, if a conditional access policy is later disabled by an administrator, Compliance Manager will detect the change and mark the action as Not Met, prompting a reassessment. This continuous validation is a key differentiator for maintaining compliance over time rather than just at a point in time. Compliance Manager also integrates with Microsoft 365 compliance scoring, which provides a dynamic dashboard that shows drift in compliance posture over time. For exam preparation, it is important to understand the difference between improvement actions that are automatable and standard actions that require manual effort. Microsoft 365 certification exams, such as MS-102, MD-102, and SC-900, often include questions that test the candidate's ability to identify which actions can be automated and which require manual intervention. Common scenarios involve an administrator being asked to configure a control that can be automated using Compliance Manager, requiring them to select the appropriate action from a list. Knowing how to use the improvement actions feature to simplify compliance management is critical for passing these exams.

## How Compliance Manager Cost and Licensing Works

Understanding the cost and licensing model for Microsoft Compliance Manager is essential for architects and administrators planning a compliance strategy within the Microsoft 365 ecosystem. Compliance Manager is not a standalone product; it is included as part of various Microsoft 365 and Microsoft 365 licensing plans. The level of functionality available depends on the subscription tier. For example, Compliance Manager is available in Microsoft 365 E3, E5, F1, F5, and Business Premium licenses. However, the full set of features, especially improvement actions and automated controls, is generally limited to higher-tier licenses like E5 or F5. Lower-tier licenses may have limited access to certain regulatory templates or fewer assessment slots. Specifically, the basic version of Compliance Manager allows users to view the compliance score and perform manual assessments, but the ability to create unlimited assessments and use automated improvement actions requires an E5 or equivalent license. Additional add-ons, such as Microsoft Purview Compliance Manager for specific regulatory modules, may incur extra costs. For example, if an organization needs to comply with a niche regulation not covered by the default templates, they might need to purchase a third-party template or use a custom assessment, which does not add extra licensing cost but requires manual effort to map controls. There is also the concept of compliance manager templates: Microsoft provides a library of prebuilt templates for common regulations. These templates are included with the license, but organizations may need to purchase additional templates from partners or create custom ones. For government customers, Compliance Manager is available with GCC, GCC High, and DoD environments, but the licensing structure is similar, though pricing may differ. In terms of operational costs, Compliance Manager does not have a per-user or per-assessment fee beyond the licensing cost. However, organizations should be aware of the potential need for additional Microsoft 365 services that are integrated with Compliance Manager, such as Microsoft Entra ID P1 or P2 licenses for conditional access policies, or Microsoft 365 auditing and data classification features, which may require additional licensing. For example, if an improvement action requires enabling audit logging for a specific user, the organization must have the appropriate audit license. For exam relevance, the SC-900 and MS-102 exams often have questions about which features of Compliance Manager are available at different licensing tiers. Candidates are expected to know that E3 licenses provide basic Compliance Manager functionality, while E5 licenses provide the full feature set, including automation and advanced analytics. The AZ-104 exam may also include cost implications for compliance solutions in Azure, where compliance manager is one component of a broader compliance strategy. A common exam scenario involves a company choosing between E3 and E5 licenses and needing to ensure compliance with regulations, and the candidate must recommend the correct license to meet the compliance requirements. Familiarity with these licensing details is crucial for exam success.

## Common mistakes

- **Mistake:** Thinking that a 100% Compliance Manager score means you are fully secure and will pass any audit.
  - Why it is wrong: The score only reflects implementation of controls mapped to the selected framework. It does not account for all security threats, and auditors may find gaps not covered by the template.
  - Fix: Treat the score as a guide, not a guarantee. Always supplement with independent security reviews and penetration testing.
- **Mistake:** Assuming that enabling the Compliance Manager tool automatically makes you compliant.
  - Why it is wrong: Compliance Manager only assesses and recommends actions. You must actually implement the controls and provide evidence of implementation and testing.
  - Fix: Use Compliance Manager to identify gaps, then assign tasks and track progress until each control is marked as 'Tested' with valid evidence.
- **Mistake:** Ignoring the need to update assessments when regulatory frameworks change.
  - Why it is wrong: Frameworks like PCI DSS and GDPR are updated periodically. An assessment based on an outdated version may not cover new requirements, leading to non-compliance.
  - Fix: Regularly check for new assessment templates in Compliance Manager and create a new assessment based on the latest framework version.
- **Mistake:** Only using Compliance Manager for a single framework and ignoring overlapping requirements.
  - Why it is wrong: Many controls are common across frameworks (e.g., access control). Managing them separately leads to duplication of effort and potential inconsistencies.
  - Fix: Use a control library that maps one control to multiple framework requirements. Compliance Manager allows you to group controls and reuse them across assessments.
- **Mistake:** Failing to involve relevant stakeholders beyond IT, such as legal and HR teams.
  - Why it is wrong: Compliance involves policies, training, and organizational measures. IT cannot implement all controls alone (e.g., privacy policies and employee background checks).
  - Fix: Assign responsibility for each control to the appropriate team. Use Compliance Manager's task assignment feature to track ownership across departments.
- **Mistake:** Believing that manual evidence uploads are sufficient and automated data collection is not necessary.
  - Why it is wrong: Manual evidence can be outdated, incomplete, or falsified. Automated collection provides near real-time accuracy and reduces human error.
  - Fix: Enable integrations with Defender for Cloud, Azure Policy, or other security tools to automate evidence collection wherever possible.
- **Mistake:** Setting unrealistic compliance deadlines without understanding the effort required for remediation.
  - Why it is wrong: When the initial score is low, the number of tasks can be overwhelming. Attempting to fix everything at once leads to burnout and errors.
  - Fix: Prioritize high-risk controls first. Use Compliance Manager's scoring to identify the most impactful actions and plan remediation in phases.

## Exam trap

{"trap":"On the SC-900 exam, a question asks: \"Which tool should you use to assess your organization's compliance posture against regulatory standards?\" The options include Microsoft Compliance Center, Service Trust Portal, Microsoft Purview Compliance Manager, and Azure Policy. Many learners pick Azure Policy because they studied it for Azure exams. The trap is that Azure Policy is for enforcing rules on Azure resources, not for managing overall compliance posture across an organization.","why_learners_choose_it":"Learners confuse Azure Policy's compliance dashboard (which shows policy compliance) with Compliance Manager's broader regulatory assessment. They see the word 'compliance' in Azure Policy and assume it is the correct answer.","how_to_avoid_it":"Remember that Azure Policy is Azure-specific and deals with resource configurations. Microsoft Purview Compliance Manager is the organization-wide tool that handles multiple frameworks, scorecards, and audit-ready reports. Associate 'Compliance Manager' with 'score' and 'regulatory frameworks' and 'audit reports'."}

## Commonly confused with

- **Compliance Manager vs Azure Policy:** Azure Policy is a service that creates, assigns, and manages policies to enforce rules on Azure resources. Compliance Manager, on the other hand, assesses an organization's overall compliance posture against regulatory frameworks, including non-Azure systems. Azure Policy can feed data into Compliance Manager, but they are separate tools. (Example: If you want to ensure all Azure virtual machines use managed disks, you use Azure Policy. If you want to check if your organization meets GDPR requirements, you use Compliance Manager.)
- **Compliance Manager vs Microsoft 365 Compliance Center:** The Compliance Center is a broader portal that includes multiple services like data classification, insider risk management, and compliance manager. Compliance Manager is a specific feature within the Compliance Center that focuses on assessments and scoring. Learners often confuse the portal with the tool. (Example: The Compliance Center is like a mall; Compliance Manager is one specific store inside it that sells compliance assessments.)
- **Compliance Manager vs Service Trust Portal:** The Service Trust Portal provides third-party audit reports, compliance certifications, and whitepapers about Microsoft's own security practices. Compliance Manager helps you assess your own organization's compliance. One is about trusting Microsoft, the other is about your own posture. (Example: If you need to see Microsoft's SOC 2 report, go to Service Trust Portal. If you need to generate your own SOC 2 readiness report, use Compliance Manager.)
- **Compliance Manager vs AWS Audit Manager:** AWS Audit Manager is Amazon's equivalent of Microsoft Compliance Manager. It automates evidence collection and assessment for AWS environments. The difference is the cloud provider and integrations. Knowledge of both is useful for multi-cloud or vendor-specific exams. (Example: If your company uses AWS, you would use Audit Manager to prepare for a SOC 2 audit. If your company uses Microsoft 365, you would use Compliance Manager.)
- **Compliance Manager vs Security Information and Event Management (SIEM) tools:** SIEM tools like Azure Sentinel or Splunk focus on real-time threat detection and incident response. Compliance Manager focuses on compliance assessment and reporting. While SIEM logs can be used as evidence in Compliance Manager, their primary purpose is different. (Example: A SIEM alerts you to a potential data breach. Compliance Manager helps you prove that you had controls in place to prevent it.)

## Step-by-step breakdown

1. **Select a regulatory framework** — The first step is to choose which compliance standard you need to assess. Options include GDPR, HIPAA, PCI DSS, ISO 27001, NIST 800-53, and many others. Compliance Manager provides pre-built assessment templates for each framework, which include a set of controls mapped to specific requirements.
2. **Create an assessment** — Using the selected template, you create a new assessment within Compliance Manager. You give it a name (e.g., 'GDPR Readiness 2025'), specify the scope (which systems or departments are included), and assign a score measurement period. The assessment then retrieves the list of controls from the template.
3. **Implement or map controls** — For each control, you determine whether your organization has already implemented it. If yes, you provide evidence (a document, a screenshot, a configuration export, or an automated integration). If not, you mark it as unimplemented and record a planned implementation date. This is where the actual work happens.
4. **Score calculation** — As you implement controls and mark them as 'Tested,' Compliance Manager assigns points based on the control's weight. The total score is the sum of points earned divided by the maximum possible points, expressed as a percentage. The score updates dynamically as you add or remove evidence.
5. **Review and remediate gaps** — The assessment dashboard highlights controls with low scores or missing evidence. You can generate remediation tasks and assign them to team members. These tasks include descriptions, links to documentation, and due dates. Tracking these tasks ensures that gaps are addressed in a timely manner.
6. **Enable continuous monitoring** — If your infrastructure is integrated with Compliance Manager (e.g., through Defender for Cloud or Azure Policy), you can enable continuous monitoring. This automates evidence collection and reassessment every time a configuration changes, keeping your compliance score up to date without manual effort.
7. **Generate audit report** — When the assessment is complete or at a point where you need to prove compliance, you generate an audit-ready report. The report includes a summary score, a list of controls with their status, attached evidence, and any open remediation tasks. This report can be shared with internal auditors or external regulators.
8. **Review and reassess periodically** — Compliance is not a one-time activity. Frameworks are updated, your environment changes, and new risks emerge. Schedule recurring assessments (quarterly, annually) to revisit controls, update evidence, and ensure continuous alignment with regulatory requirements.

## Practical mini-lesson

Let's talk about what happens in a real company when implementing a Compliance Manager. The first practical step is identifying which regulatory frameworks apply to your business. If you are a SaaS company hosting customer data in the US and the EU, you likely need SOC 2 and GDPR alignment. If you handle healthcare data, HIPAA is required. If you sell to the US government, FedRAMP may be needed. A Compliance Manager helps you manage multiple frameworks simultaneously, but you must select the right assessment templates.

Once you have selected a framework, you must decide who will be responsible for each control. In practice, compliance is a cross-functional effort. The IT team handles technical controls like encryption, patching, and access management. The legal team handles privacy policies and data processing agreements. HR handles employee background checks and training. The Compliance Manager tool allows you to assign each control to a specific person or group, which helps distribute the workload.

One common challenge is evidence collection. For example, a control might require that 'access to production databases is logged and logs are retained for at least one year.' To satisfy this, you need to provide a screenshot or a query output showing that logging is enabled and retention is set to 365 days. If you have hundreds of databases, uploading manual evidence for each one is impractical. The practical solution is to use automated evidence collection via scripts or API integrations. Microsoft Purview Compliance Manager, for instance, can pull data from Defender for Cloud, which already checks database logging settings. Enabling this integration is a high-leverage activity.

Another practical issue is maintaining the compliance score over time. When you first implement Compliance Manager, the score might be low (e.g., 20-30%). This can be discouraging, but it is expected because many controls are not yet addressed. The key is to prioritize high-impact controls that give the highest score per effort. For example, implementing multi-factor authentication is a single action that can satisfy multiple controls across different frameworks and significantly boost your score.

What can go wrong? The most common problem is 'score fraud', marking a control as implemented without sufficient evidence. During an audit, the independent auditor will test a sample of controls. If they find that the evidence is missing or incorrect, the auditor may question the entire assessment and require a full re-audit, which is expensive and time-consuming. Therefore, always attach real evidence, not just a checkbox.

Professionals should also know that Compliance Manager is not a replacement for a dedicated GRC platform for very large enterprises. It is excellent for small to medium organizations that use Microsoft 365, but large enterprises with complex hybrid environments may need tools like ServiceNow GRC or RSA Archer. However, for the job market, knowing how to configure Microsoft Purview Compliance Manager is a valuable skill because many organizations already have Microsoft 365 licenses that include it.

Finally, keep in mind that the tool is only as good as the data feeding it. If you do not integrate your on-premises systems, the assessment will be incomplete. Plan to cover all environments, cloud, on-premises, and hybrid, either through integrations or manual evidence uploads.

## Commands

```
Connect-SPOService -Url https://contoso-admin.sharepoint.com
```
This PowerShell command connects to SharePoint Online administration to manage compliance-related settings for SharePoint, which can be referenced in Compliance Manager assessments targeting document retention or sharing controls.

*Exam note: MS-102 and SC-900 exams test the understanding of which PowerShell module connects to which Microsoft 365 service for compliance tasks. This command is often part of automated compliance actions.*

```
Set-MIPNetworkConfig -RegistrationEnabled $false
```
This Disables Microsoft Information Protection for a network to meet specific GDPR or data egress control requirements. In Compliance Manager, this action corresponds to a control that restricts external sharing of sensitive content.

*Exam note: Appears in MD-102 and MS-102 exams as a configuration step for data loss prevention controls aligned with Compliance Manager improvement actions.*

```
Update-MgUser -UserId 'user@contoso.com' -StrongAuthenticationRequirements @(@{RelyingParty='*'; State='enabled';})
```
This Microsoft Graph command enables multi-factor authentication for a user, which is a common improvement action in Compliance Manager assessments for identity controls under NIST, GDPR, and HIPAA.

*Exam note: Crucial for SC-900 and MS-102 exams where automatic enforcement of MFA via PowerShell or Graph is tested as a compliance automation method.*

```
Set-AzureADIdentityProtectionAction -Name 'MFA registration policy' -State 'Enabled' -ActionGroup 'AllUsers'
```
Configures Azure AD Identity Protection policy for MFA registration, directly mapping to an improvement action in Compliance Manager for user reauthentication controls.

*Exam note: Tested in AZ-104 and MS-102 exams to demonstrate how Identity Protection integrates with Compliance Manager to automate compliance controls.*

```
New-ComplianceManagerRoleGroup -Name 'ComplianceManagers' -Roles @('ComplianceManager') -Members @('complianceadmin@contoso.com')
```
Creates a role group for Compliance Manager in Exchange Online PowerShell, granting specific users the permission to manage compliance assessments.

*Exam note: Important for MS-102 and SC-900 exams where Role Based Access Control for Compliance Manager is tested. Candidates must know the correct role name.*

```
Get-ComplianceManagerAssessment -AssessmentId 'GDPR-2025' | Select-Object -Property Score, ActionsCompleted, ActionsTotal
```
Retrieves assessment details including score and action completion status from Compliance Manager using Exchange Online PowerShell.

*Exam note: Tests the ability to monitor compliance progress programmatically. Appears in MS-102 exam questions on PowerShell for compliance automation.*

```
Set-Mailbox -Identity 'user@contoso.com' -RetentionPolicy 'GDPR-Retention'
```
Assigns a retention policy to a mailbox. This action supports retention controls in Compliance Manager assessments for data lifecycle management.

*Exam note: MD-102 and MS-900 exams cover mailbox retention policies as part of compliance controls mapped to Compliance Manager's improvement actions.*

```
Add-DataClassificationConfiguration -Name 'PII Data' -SensitiveInformationType 'EU Credit Card Number'
```
Creates a sensitive data classification configuration that can be referenced by Compliance Manager automation blocks for data protection controls.

*Exam note: Featured in SC-900 and MS-102 exams, testing how data classification actions support Compliance Manager assessments for privacy regulations like GDPR.*

## Troubleshooting clues

- **Compliance Score Not Updating After Actions Completed** — symptom: An administrator marks an improvement action as completed but the compliance score remains unchanged for several hours.. The score update relies on a background processing cycle that can take up to 24 hours. Also, actions that require automated validation may need to be executed via the compliance manager interface rather than manually marked. (Exam clue: Exam questions often present this scenario, asking the candidate to identify that the score refresh is delayed or that the action must be executed properly through the automation pane.)
- **Missing Regulatory Template for a Specific Regulation** — symptom: A compliance officer cannot find a prebuilt assessment template for a less common regulation like FedRAMP Moderate.. Microsoft provides templates only for widely adopted regulations. For FedRAMP or niche regulations, the organization must either purchase a third-party template or create a custom assessment from scratch. (Exam clue: SC-900 and MS-102 exams include questions asking the candidate to recommend creating a custom assessment when a prebuilt template does not exist.)
- **Inability to Assign Improvement Actions with Automation** — symptom: The Execute button for an improvement action is greyed out or missing in Compliance Manager.. This typically occurs because the user does not have the required permissions (e.g., Compliance Administrator role) or the action requires a higher license tier (E5) that is not enabled. (Exam clue: A common exam trick is to ask why the user cannot automate an action. Correct answers involve permissions or licensing limitations.)
- **Evidence Attachments Not Showing in Compliance Reports** — symptom: After uploading evidence files for an action, the files do not appear when generating a compliance report.. Evidence files are stored in the associated Microsoft 365 location but may not be included in the report if the report was generated before the file upload completed. Also, the user must ensure the evidence is properly linked to the specific action, not just uploaded to the assessment. (Exam clue: Exam questions test the understanding that evidence must be explicitly associated with the action, not just uploaded generically.)
- **Assessment Not Appearing Under Assessments Tab** — symptom: An administrator creates a new assessment but it does not appear in the list of assessments in Compliance Manager.. The assessment may be in a Draft state and not yet published. Compliance Manager requires the assessment to be published before it appears in the main list. Alternatively, the user may not have permission to view assessments in that specific subscription or scope. (Exam clue: MS-102 exams often ask why an assessment is not visible. The answer usually involves the Draft state or missing permissions.)
- **Automation Validation Reports Action as 'Not Met' Despite Execution** — symptom: An improvement action was executed via Compliance Manager, but continuous validation still flags it as Not Met or Failed.. The continuous validation checks for the exact configuration state. If the configuration was overridden by another policy, or if the underlying service changed, the validation will fail. For example, a conditional access policy might be disabled by a higher priority policy. (Exam clue: Exam scenarios test the concept that automation does not guarantee permanent compliance if other changes override the setting.)
- **Score Calculation Inconsistencies Between Assessments** — symptom: Two assessments for the same regulation show different compliance scores even though the same actions are completed.. The assessments may have different scopes, such as one applying to users in the EU and another to all users. Different scopes can affect the weight of actions. Also, customizations to point values can cause discrepancies. (Exam clue: Questions test that scoring differences can arise from scoping or weighting customization, not from a bug.)
- **Compliance Manager Page Loading Slowly or Not Loading** — symptom: The Compliance Manager dashboard takes too long to load or fails to load completely, especially with many assessments.. Compliance Manager performance can degrade if the tenant has a large number of assessments, especially custom ones with complex controls. Browser cache issues or connectivity to SharePoint Online (for evidence storage) can also cause delays. (Exam clue: Troubleshooting questions in MS-102 might ask the candidate to clear browser cache or review network connectivity before contacting support.)

## Memory tip

Think of Compliance Manager as your 'Regulatory GPS', it knows where you are, where you need to be (the framework requirements), and gives you turn-by-turn instructions to get there (remediation tasks).

## FAQ

**Do I need a special license to use Microsoft Purview Compliance Manager?**

Yes, a Microsoft 365 E5 or Office 365 E5 license is required for full functionality. Some basic features are available with E3, but advanced assessments and integrations require E5.

**Can Compliance Manager help me with multiple regulations at the same time?**

Absolutely. You can create separate assessments for each framework (e.g., GDPR, HIPAA, PCI DSS) within the same Compliance Manager environment. Many controls can be reused across assessments.

**Is Compliance Manager only for Microsoft 365, or does it also cover Azure?**

Compliance Manager is part of Microsoft 365 and focuses on SaaS and productivity controls. For Azure resource compliance, you use Azure Policy. However, the two can share data if you integrate Defender for Cloud with Compliance Manager.

**How often should I run a compliance assessment?**

It depends on your risk appetite, but a common practice is to run a full assessment quarterly and enable continuous monitoring for real-time updates. Before an external audit, run a final assessment to ensure everything is in order.

**Can an external auditor accept a Compliance Manager report?**

Yes, many auditors accept Compliance Manager reports as evidence of your compliance posture. However, they still perform independent testing on a sample of controls. The report helps them focus their efforts.

**What happens if I don't implement a control?**

The control remains marked as 'Not implemented,' and its score is deducted from your total. Regulatory bodies may issue fines or penalties if an audit finds missing controls. Compliance Manager tracks this so you can prioritize remediation.

**Is Compliance Manager the same as a vulnerability scanner?**

No. A vulnerability scanner (like Nessus or Qualys) finds security weaknesses in your systems. Compliance Manager checks if you have implemented required controls (like having a vulnerability scanner, patching process, etc.). They are complementary.

**Can I create custom controls in Compliance Manager?**

Yes. You can add custom controls for organization-specific policies that are not covered by standard frameworks. This is helpful for internal governance requirements.

## Summary

A Compliance Manager is a vital tool for any organization that must adhere to multiple regulatory standards, industry frameworks, or internal policies. It automates the process of assessing which controls are in place, scoring your compliance posture, providing actionable remediation guidance, and generating auditor-ready reports. For IT professionals, understanding Compliance Manager is not just about passing exams, it directly translates to practical skills that are in high demand. It bridges the gap between technical implementation and governance, making it a key component of a security and compliance career.

On certification exams, especially SC-900, MS-900, and AZ-104, questions test your ability to identify the correct tool, interpret compliance scores, and apply the concept in realistic scenarios. Common pitfalls include confusing Compliance Manager with Azure Policy or the Service Trust Portal. The best way to prepare is to get hands-on experience with the tool, understand the scoring model, and memorize which frameworks are available for assessment.

Remember, Compliance Manager is not a magic bullet. It cannot make you compliant without effort. But it gives you a clear map, a compass, and a way to measure progress. That alone is invaluable in a world where data privacy laws are becoming stricter and auditors are more demanding.

---

Practice questions and the full interactive page: https://courseiva.com/glossary/compliance-manager
