Compliance Manager
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Understanding Microsoft Purview Compliance Manager
Navigating the world of regulatory compliance can often feel like trying to map an ocean while the currents are constantly shifting. For modern organizations, data is no longer just stored in a single filing cabinet or a lone server in the basement. It is spread across clouds, mobile devices, and collaboration platforms. At the same time, governments and industry bodies are introducing stricter rules like GDPR in Europe, CCPA in California, and HIPAA for healthcare. Keeping track of all these requirements, while simultaneously ensuring your technical configurations actually meet them, is a monumental task.
Microsoft Purview Compliance Manager is designed to be the central command center for this effort. It is a feature within the Microsoft Purview portal that helps you manage your organization’s compliance requirements with greater ease and transparency. Instead of relying on scattered spreadsheets and manual checklists, Compliance Manager provides a structured way to track progress, implement controls, and collect evidence for audits. It translates complex regulatory language into actionable steps that IT professionals and compliance officers can actually follow.
In this lesson, we will explore how Compliance Manager functions, how it calculates your compliance posture through a numerical score, and how you can use it to reduce risk across your digital estate. Whether you are preparing for a formal audit or simply trying to improve your data governance, understanding this tool is a critical step in modern IT administration.
The Core Components of Compliance Manager
To effectively use Compliance Manager, you first need to understand the building blocks that make up the platform. It isn't just a dashboard with a score; it is a relational database of regulations, technical controls, and organizational actions.
1. The Compliance Score
The most visible element of Compliance Manager is the Compliance Score. This is a mathematical expression of your organization's progress in completing actions that help reduce risks around data protection and regulatory standards. It provides a quick "at-a-glance" view of your current standing. However, it is important to remember that this score is a risk-based metric, not a guarantee of legal compliance. You could have a high score and still be out of compliance if a specific local law requires something not covered by the templates you are using.
2. Controls
In the context of Purview, a control is a requirement of a regulation, standard, or policy. For example, a regulation might state that "all sensitive data must be encrypted at rest." Compliance Manager breaks these high-level requirements into specific controls. These controls are often grouped into families, such as "Access Control" or "Data Identification."
3. Assessments
An assessment is a grouping of controls from a specific regulatory framework (like ISO 27001) applied to a specific product or service (like Microsoft 365). When you create an assessment, you are essentially saying, "I want to measure our organization's compliance against the GDPR standards specifically for our cloud environment."
4. Improvement Actions
Improvement actions are the "to-do" items for your team. These are the specific tasks recommended to meet the requirements of a control. An improvement action might be "Turn on Multi-Factor Authentication" or "Create a Data Retention Policy." Each action includes detailed implementation guidance and a place to upload evidence that the task has been completed.
5. Templates
Templates are the blueprints used to create assessments. Microsoft provides a wide variety of templates for global, industrial, and regional regulations. Some templates are included with your license, while others (premium templates) may require additional purchases depending on your subscription level.
Callout: Compliance Score vs. Secure Score
It is common to confuse the Compliance Score with the Microsoft Secure Score. While they look similar, they serve different purposes.
- Secure Score focuses on security posture. It looks at your defenses against hackers and breaches (e.g., "Are your administrative accounts protected?").
- Compliance Score focuses on regulatory and legal standing. It looks at how you manage data and whether you meet specific legal obligations (e.g., "Do you have a process for responding to Data Subject Access Requests?").
Improving your Secure Score often raises your Compliance Score, as security is a foundational element of data protection.
How the Compliance Score is Calculated
One of the most frequent questions from administrators is: "How did I get this number?" The Compliance Score is calculated based on the types of actions taken and who is responsible for them.
Mandatory vs. Discretionary Actions
Compliance Manager distinguishes between actions that are "Mandatory" and those that are "Discretionary." Mandatory actions are those that must be implemented to meet a specific standard and cannot be bypassed. Discretionary actions are those that an organization might choose to implement based on their specific risk appetite or business needs. Generally, completing mandatory actions results in a higher point increase than discretionary ones.
Technical vs. Non-Technical Actions
The score also differentiates between technical actions (those configured in software, like setting a DLP policy) and non-technical actions (those involving people and processes, like conducting employee training).
- Technical Actions: These can often be automatically monitored by Microsoft. If you turn on a setting, Compliance Manager can detect it and update your score automatically.
- Non-Technical Actions: These require manual documentation. You must mark them as complete and upload evidence (like a PDF of a signed policy) to receive the points.
Microsoft-Managed vs. Customer-Managed
Because Microsoft 365 is a shared-responsibility cloud environment, the work of compliance is split between Microsoft and your organization.
- Microsoft-Managed Actions: These are tasks that Microsoft performs as the cloud service provider. For example, Microsoft ensures physical security at their data centers. You receive points for these automatically because Microsoft has already completed them and verified them through third-party audits.
- Customer-Managed Actions: These are the tasks your organization is responsible for. This includes how you configure your tenant, who you grant access to, and how you label your data. Your score will only increase here when you take action.
Note: Even if you do nothing, your Compliance Score will never be zero. This is because Microsoft has already implemented hundreds of controls on your behalf at the infrastructure level. You start with a "baseline" score reflecting Microsoft's commitment to security and compliance.
Working with Improvement Actions
Improvement actions are where the "real work" happens. Every action in Compliance Manager follows a specific lifecycle designed to ensure accountability and auditability.
Assigning and Tracking
In a large organization, the person who manages the Compliance Manager dashboard is rarely the same person who configures the technical settings. Compliance Manager allows you to assign specific improvement actions to different users. For example, you might assign the "Enable MFA" action to an IT Administrator, while assigning the "Draft Privacy Statement" action to a Legal Officer.
The assigned user receives an email notification and can jump directly into the action to see the implementation steps. They can update the status to "In Progress," "Completed," or even "Alternative Implementation" if your organization uses a third-party tool to meet the requirement.
Evidence and Documentation
When an auditor asks how you meet a specific regulation, simply saying "we turned it on" isn't enough. You need proof. Compliance Manager provides a dedicated area within each improvement action to upload evidence. This might include:
- Screenshots of configuration settings.
- Log files.
- Policy documents.
- Records of training completion.
By keeping this evidence within Compliance Manager, you create a "single source of truth." When audit season arrives, you don't have to scramble to find files; you can simply export a report that includes all the evidence you've collected throughout the year.
Continuous Assessment
One of the most powerful features of Compliance Manager is its ability to automatically monitor certain technical controls. If you have "Continuous Assessment" turned on, the system periodically checks your Microsoft 365 tenant configurations. If a setting that was previously compliant is changed (for example, someone turns off a required alert), Compliance Manager will detect this, lower your score, and flag the action as "out of compliance." This moves organizations away from "point-in-time" compliance (checking once a year) and toward "continuous" compliance.
Step-by-Step: Creating Your First Assessment
If you are new to Microsoft Purview, the best way to learn is by doing. Follow these steps to set up a basic assessment for your organization.
Step 1: Access the Compliance Manager
Navigate to the Microsoft Purview compliance portal (usually at compliance.microsoft.com). On the left-hand navigation menu, select Compliance Manager. You will be greeted by the Overview page, which shows your current score and a breakdown of points.
Step 2: Explore the Data Protection Baseline
By default, Microsoft provides a "Data Protection Baseline" assessment. This is a great starting point because it includes a set of controls that are generally applicable to almost any organization using cloud services. Review the improvement actions listed here to get a feel for the types of tasks required.
Step 3: Create a New Assessment from a Template
If your organization needs to comply with a specific regulation, like the HIPAA (Health Insurance Portability and Accountability Act), you will need to create a specific assessment:
- Click on the Assessments tab.
- Select + Add assessment.
- Search for the template you need (e.g., "GDPR" or "ISO 27001").
- Give your assessment a name (e.g., "2024 GDPR Cloud Audit").
- Select the product (e.g., Microsoft 365).
- Review and finish.
Step 4: Review and Assign Actions
Once the assessment is created, click into it to see the specific controls and improvement actions. Filter the actions by "Status" to see what still needs work. Select an action, read the implementation guidance, and use the Assign button to send it to the appropriate team member.
Step 5: Upload Evidence and Mark as Complete
Once an action is implemented, go back to the action details. Click on the Evidence tab and upload your documentation. Finally, update the Implementation Status to "Implemented" and set the Implementation Date. You will see your Compliance Score increase shortly after.
Automating Compliance with PowerShell
While the Purview portal is the primary interface, advanced users may want to use PowerShell to audit their environment or pull data for custom reporting. While there isn't a single "Set-ComplianceScore" command (since the score is a result of many factors), you can use the Exchange Online and Microsoft Graph modules to verify the status of settings that impact your score.
For example, many compliance frameworks require that "Audit Logging" is enabled. You can check this across your tenant using the following script:
# Connect to Exchange Online to check Unified Audit Log status
Connect-ExchangeOnline -UserPrincipalName [email protected]
# Check if the Unified Audit Log is enabled
$AuditStatus = Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled
if ($AuditStatus.UnifiedAuditLogIngestionEnabled -eq $true) {
Write-Host "Unified Audit Logging is ENABLED. This supports your Compliance Score." -ForegroundColor Green
} else {
Write-Warning "Unified Audit Logging is DISABLED. This will negatively impact your Compliance Score."
# Command to enable it:
# Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}
# Check for MFA on administrative roles (another common improvement action)
# Note: This requires the Microsoft Graph module
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All"
# This is a simplified logic to find users with Directory Admin roles
$Admins = Get-MgDirectoryRole -Filter "DisplayName eq 'Global Administrator'"
# Further logic would involve checking the MFA status of these specific users
Explanation of the code:
Connect-ExchangeOnline: This is necessary because many compliance settings for data governance are rooted in the Exchange backend.Get-AdminAuditLogConfig: This retrieves the configuration for the entire tenant. TheUnifiedAuditLogIngestionEnabledproperty is a critical "Improvement Action" in almost every compliance template.Connect-MgGraph: This allows us to look at identity-related compliance, such as whether administrators are properly secured, which is a major component of the "Access Control" family in Compliance Manager.
Best Practices for Managing Compliance
Using Compliance Manager effectively requires more than just clicking buttons; it requires a change in organizational culture. Here are several industry best practices to ensure success:
1. Don't Chase the 100% Score
It is tempting to try and get a perfect score, but for most organizations, this is neither practical nor necessary. Compliance is about risk management. Focus on the high-value actions that protect your most sensitive data first. A score of 80% with all "High Risk" items addressed is much better than a score of 95% where you've ignored a critical security flaw.
2. Set a Review Cadence
Compliance is not a "set it and forget it" project. Regulations change, and so does your IT environment. Schedule a monthly or quarterly review of your Compliance Manager dashboard. Check for any "Out of Compliance" flags caused by configuration drift and review any new templates Microsoft may have released.
3. Use the Roles Correctly
Compliance Manager uses Role-Based Access Control (RBAC). Do not give everyone "Compliance Manager Administrator" rights.
- Compliance Manager Reader: For executives or auditors who need to see progress but shouldn't change anything.
- Compliance Manager Contribution: For IT staff who need to upload evidence and mark actions as complete.
- Compliance Manager Assessor: For internal auditors who need to verify that the evidence provided actually meets the requirement.
4. Leverage the "Shared Responsibility" View
When talking to stakeholders, use the Compliance Manager reports to show exactly what Microsoft does for you. This helps justify the cost of cloud services by demonstrating the massive amount of compliance work that is "offloaded" to the provider, allowing your internal team to focus on business-specific risks.
5. Document "Why," Not Just "How"
When uploading evidence or adding notes to an improvement action, explain the reasoning behind your implementation. If you chose an "Alternative Implementation," document why the standard recommendation wasn't feasible. This context is invaluable when an external auditor asks questions two years later.
Common Pitfalls and How to Avoid Them
Even with a powerful tool like Compliance Manager, it is easy to run into trouble. Recognizing these pitfalls early will save you significant time and stress.
Pitfall 1: Treating it as an IT-Only Tool
Compliance is a business requirement, not just an IT task. If the IT department manages Compliance Manager in a vacuum, they may implement technical controls that break business processes, or they may miss non-technical requirements (like physical site security or legal contracts).
- Solution: Create a cross-functional compliance committee including representatives from Legal, HR, IT, and Finance to review improvement actions together.
Pitfall 2: Overlooking Manual Actions
Because Microsoft automates the tracking of many technical settings, users often forget about the "Manual" actions. These manual actions often carry significant point values because they represent fundamental process controls.
- Solution: Use the filtering tool in Compliance Manager to specifically look for "Manual" actions that are still in the "To Do" state. Set deadlines for these just as you would for technical deployments.
Pitfall 3: Ignoring Configuration Drift
You might reach a high score on Monday, but if a junior admin changes a setting on Tuesday, your score will drop. If you aren't looking at the dashboard, you won't know you are now at risk.
- Solution: Enable notifications within the Purview portal so that key stakeholders are alerted when there are significant changes to the compliance score or action status.
Pitfall 4: Relying on the Baseline Only
The "Data Protection Baseline" is a great start, but it isn't enough for specialized industries. A healthcare company relying only on the baseline will miss critical HIPAA requirements regarding patient data privacy.
- Solution: Research which specific regulations apply to your industry and geography. Invest in the appropriate premium templates if necessary to ensure you have a comprehensive view of your obligations.
Comparison: Compliance Manager vs. Traditional Methods
To understand why Compliance Manager is valuable, it helps to compare it to how organizations managed compliance in the past.
| Feature | Traditional Spreadsheets | Microsoft Purview Compliance Manager |
|---|---|---|
| Data Source | Manual entry, often out of date. | Real-time data from your Microsoft 365 tenant. |
| Evidence Storage | Scattered in email folders and file shares. | Centralized and linked to specific controls. |
| Responsibility | Hard to track who is doing what. | Built-in assignment and workflow tracking. |
| Updates | You must manually research law changes. | Microsoft updates templates as regulations evolve. |
| Visibility | Static reports that are old by the time they're read. | Dynamic dashboard with a real-time score. |
| Shared Responsibility | Hard to prove what the vendor is doing. | Clear visibility into Microsoft-managed actions. |
Frequently Asked Questions
Q: Does a high Compliance Score mean we are legally compliant? A: No. The score is a tool to help you measure risk and progress. Legal compliance is a conclusion reached by legal professionals based on a variety of factors, including many that exist outside of your Microsoft 365 environment.
Q: Are the premium templates worth the extra cost? A: For many organizations, yes. The cost of a premium template is usually much lower than the cost of hiring a consultant to manually map a regulation like the NIST Cyber Security Framework to your technical controls.
Q: Can I use Compliance Manager for non-Microsoft 365 assets? A: Yes. While the automated testing only works for Microsoft services, you can create manual assessments for on-premises servers or other cloud providers (like AWS or Google Cloud) and use Compliance Manager to track your manual implementation and evidence for those environments.
Q: How often is the Compliance Score updated? A: For automated actions, the score is typically updated within 24 to 48 hours after a configuration change is made. For manual actions, the score updates immediately after you mark the action as implemented.
Callout: The Power of "Zero Trust"
Compliance Manager is a key pillar of a Zero Trust architecture. Zero Trust relies on the principle of "Verify Explicitly." Compliance Manager provides the framework for that verification. By constantly auditing your controls and requiring evidence, you are moving away from assuming your environment is safe and moving toward a model where you can prove it is safe.
Key Takeaways
To master Compliance Manager, keep these fundamental points in mind:
- Centralized Management: Compliance Manager is the "single pane of glass" for managing regulatory requirements, moving away from fragmented spreadsheets and manual tracking.
- Risk-Based Scoring: The Compliance Score is a metric that helps you prioritize actions based on their impact on data protection and regulatory risk.
- Shared Responsibility: Your total compliance posture is a combination of actions managed by Microsoft and actions managed by your organization. Compliance Manager makes this distinction clear.
- Actionable Guidance: Each improvement action provides step-by-step instructions, reducing the "guesswork" for IT administrators who may not be experts in legal language.
- Continuous Monitoring: Leverage automated testing to detect configuration drift and ensure that your compliance posture doesn't degrade over time due to accidental changes.
- Evidence-Ready Auditing: By storing documentation and logs directly within the improvement actions, you are always prepared for an internal or external audit.
- Collaboration is Key: Use built-in workflow tools to assign tasks to the right people across IT, Legal, and HR, ensuring that compliance is an organizational effort rather than a siloed one.
By integrating Compliance Manager into your regular administrative workflows, you transform compliance from a stressful, once-a-year event into a manageable, continuous process that strengthens your organization's security and builds trust with your customers.
Continue the course
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons