Understanding Compliance Score
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Understanding Microsoft Purview Compliance Score
Managing regulatory requirements in a modern digital environment often feels like trying to hit a moving target while blindfolded. Between regional data privacy laws like GDPR and CCPA, industry-specific standards like HIPAA or PCI-DSS, and the constant evolution of cyber threats, organizations struggle to know exactly where they stand. Microsoft Purview Compliance Manager provides a centralized tool to track these efforts, but the heart of this tool is the Compliance Score.
The Compliance Score is a numerical measure of your organization's progress in implementing recommendations that reduce risks around data protection and regulatory standards. It is not just a "grade" for your IT department; it is a risk-based metric that helps bridge the gap between technical implementation and legal requirements. By understanding how this score is calculated and how to influence it, you can transform compliance from a reactive, stressful annual audit into a proactive, daily management process.
In this lesson, we will break down the mechanics of the Compliance Score, explore the relationship between improvement actions and assessments, and provide a roadmap for using this data to strengthen your organization's security posture.
What is the Compliance Score?
At its simplest, the Compliance Score is a calculation of the total points earned for completing "improvement actions" within Microsoft Purview. These actions are mapped to specific regulatory controls. When you implement a security feature—such as turning on Multi-Factor Authentication (MFA) or setting up a Data Loss Prevention (DLP) policy—the Compliance Manager recognizes this and awards points toward your total score.
However, the score is more nuanced than a simple checklist. It reflects a shared responsibility model. In a cloud environment, you are not responsible for every single security control. Microsoft manages the physical security of the data centers and the underlying infrastructure, while you manage the data, identities, and device access.
Callout: Compliance Score vs. Secure Score
It is common to confuse Compliance Score with Microsoft Secure Score. While they look similar, they serve different purposes:
- Secure Score focuses on security posture. It measures how well you have configured security features to protect against breaches and attacks.
- Compliance Score focuses on data governance and regulatory requirements. It measures how well you are meeting the specific "controls" defined by laws and standards (like ISO 27001).
Improving your Secure Score often improves your Compliance Score, but they are tracked separately because a "secure" configuration isn't always a "compliant" one in the eyes of a specific law.
The Compliance Score provides a "Data Protection Baseline." This is a set of controls that Microsoft recommends for every organization using Microsoft 365. Even if you haven't purchased specific premium regulatory templates (like for the Australian Privacy Act), you will still see a score based on this universal baseline of best practices.
How the Score is Calculated
The Compliance Score uses a weighted point system. Not all actions are created equal. An action that prevents a major data leak is worth more than an action that simply documents a process. Microsoft categorizes actions based on three main criteria:
1. Control Type (Mandatory vs. Discretionary)
- Mandatory Actions: These are configurations that cannot be bypassed or ignored if you want to meet a requirement. For example, requiring a password is a mandatory action.
- Discretionary Actions: These are actions that depend on user behavior or organizational policy. For example, a policy that tells employees not to share passwords is discretionary because it relies on the user following the rule. Mandatory actions generally carry more weight in the score.
2. Control Nature (Preventative, Detective, or Corrective)
- Preventative Controls: These stop a risk from occurring in the first place. Turning on "Block Legacy Authentication" is preventative. These have the highest point value.
- Detective Controls: These monitor the environment to identify when something has gone wrong. An alert that triggers when a large volume of data is deleted is a detective control. These have medium point value.
- Corrective Controls: These help fix a problem after it has been detected. For example, an automated process to revoke access to a compromised account. These have the lowest point value of the three.
3. Point Weighting Example
To give you a practical idea of how points are distributed, consider the following:
- Preventative + Mandatory: 27 points (e.g., MFA for administrative roles).
- Preventative + Discretionary: 9 points (e.g., User training on phishing).
- Detective + Mandatory: 3 points (e.g., Reviewing audit logs).
Note: Points are only awarded once an action is fully implemented. If an action is "In Progress" or "Failed," you receive zero points for that specific item until the status is updated to "Passed."
Components of Compliance Manager
To understand the score, you must understand the building blocks that feed into it. There are four primary components you will interact with:
Improvement Actions
These are the specific tasks you need to perform. Each action includes detailed implementation guidance, links to the relevant administrative portal (like the Entra ID portal or the Purview portal), and a section to upload evidence for auditors.
Controls
A "Control" is a high-level requirement. For example, "Access Control" is a control. One control might be satisfied by multiple improvement actions. If a regulation says you must protect sensitive data, the "Control" is "Data Protection," and the "Improvement Actions" might include "Encrypting email" and "Applying sensitivity labels."
Assessments
An assessment is a grouping of controls from a specific regulatory framework. If your company needs to comply with HIPAA, you would create a "HIPAA Assessment." This assessment pulls in all the relevant controls and improvement actions required by that law. Your Compliance Score is the aggregate of all your active assessments.
Templates
Templates are the blueprints for assessments. Microsoft provides hundreds of templates (some free, some requiring premium licenses) that contain the pre-mapped controls for various global regulations.
| Component | Purpose | Example |
|---|---|---|
| Improvement Action | The actual task to be done. | Enable MFA for all users. |
| Control | The regulatory requirement being met. | Identity and Access Management. |
| Assessment | A specific container for a regulation. | GDPR Assessment for European Division. |
| Template | The pre-built logic for a regulation. | NIST 800-53 Template. |
Practical Steps to Improve Your Score
Improving your score isn't about doing everything at once. It’s about a systematic approach to risk reduction. Follow these steps to manage your score effectively:
Step 1: Review the Data Protection Baseline
When you first open Compliance Manager, you will see a score already calculated. This is based on the Microsoft 365 Data Protection Baseline. Start here. These are universal best practices that apply to almost every organization.
Step 2: Filter by "High Impact"
In the Improvement Actions tab, use the filter tool to sort actions by their point value. Focus on the actions worth 27 points first. These are typically technical configurations that, once set, provide immediate and significant risk reduction.
Step 3: Assign Ownership
Compliance is rarely the job of one person. You can assign specific improvement actions to different people in your organization.
- Select an Improvement Action.
- Click Assign to.
- Choose a user from your directory.
- The user will receive an email notification and can update the status of the action directly.
Step 4: Upload Evidence
This is a critical step for audit readiness. Within an improvement action, there is a "Documents" tab. Here, you should upload screenshots, policy PDFs, or export logs that prove the action has been implemented. Even if the score updates automatically, having the manual evidence stored in one place saves hundreds of hours during a formal audit.
Tip: Use the "Implementation Notes" field to explain why a certain configuration was chosen. This provides context for future admins or auditors who might question the setup two years from now.
Working with Microsoft Managed Actions
One of the most encouraging parts of the Compliance Score is seeing the "Microsoft Managed Actions." Because Microsoft 365 is a Cloud Service Provider (CSP), Microsoft is responsible for a large portion of the compliance burden.
In your Compliance Manager dashboard, you will see a breakdown of points. You will notice that you already have thousands of points earned. These come from Microsoft. For example, Microsoft manages the physical security of the servers where your emails are stored. They have already completed the audits for these physical controls, and you get the "credit" for them in your score.
Callout: The Shared Responsibility Model
Think of compliance like a high-security apartment building.
- Microsoft (The Landlord): Responsible for the front gate, the security cameras in the hallway, and the structural integrity of the building.
- You (The Tenant): Responsible for locking your own front door, choosing who you give a spare key to, and ensuring you don't leave the stove on.
The Compliance Score reflects both: the points the landlord earned for the gate, and the points you earn for locking your door.
Automating Compliance Data with PowerShell
For larger organizations, checking the web portal daily isn't always efficient. You may want to export your compliance data to a custom dashboard (like Power BI) or trigger alerts when a score drops. You can use the Microsoft Graph API and PowerShell to interact with Compliance Manager data.
To use these commands, you will need the Microsoft.Graph module installed and the necessary permissions (RecordsManagement.Read.All or ComplianceManagement.Read.All).
Example: Listing All Improvement Actions
This script helps you quickly see which actions are still "To Do" without clicking through the UI.
# Connect to Microsoft Graph
Connect-MgGraph -Scopes "ComplianceManagement.Read.All"
# Fetch all improvement actions
$Actions = Get-MgComplianceManagementTemplateImprovementAction
# Filter for actions that are not yet completed and have a high point value
$HighPriorityActions = $Actions | Where-Object { $_.Status -ne "Completed" -and $_.MaxScore -gt 20 }
# Display the results
$HighPriorityActions | Select-Object Name, MaxScore, Description | Format-Table -AutoSize
Why use code for this?
Using PowerShell allows you to integrate compliance data into your existing IT workflows. For example, you could write a script that runs every Monday morning, identifies any "High Impact" actions that have moved from "Passed" to "Failed" (due to a configuration change), and automatically creates a ticket in your helpdesk system (like Jira or ServiceNow).
Common Pitfalls and How to Avoid Them
Even with a tool as powerful as Compliance Manager, it is easy to make mistakes that lead to a false sense of security or unnecessary work.
1. "Chasing the Points"
The biggest mistake is treating the Compliance Score like a video game where the only goal is to reach 100%. Some actions might offer many points but could be detrimental to your specific business operations.
- The Fix: Always prioritize business functionality and actual risk over the numerical score. If a 27-point action breaks a critical line-of-business application, find an alternative "compensating control" and document it.
2. Ignoring Manual Actions
Compliance Manager automatically tracks many technical settings (e.g., "Is MFA on?"). However, it cannot automatically track "Manual" actions (e.g., "Do you conduct annual security awareness training?").
- The Fix: Schedule a monthly review to update manual actions. If you don't manually mark these as "Passed" and upload evidence, your score will remain lower than it actually should be.
3. Confusing "Compliant" with "Certified"
A 100% Compliance Score in Microsoft Purview does not mean you are legally certified in GDPR or HIPAA. It means you have implemented the technical and administrative controls within the Microsoft 365 environment that align with those regulations.
- The Fix: Use the score as a readiness tool. When an official auditor arrives, use the reports generated by Compliance Manager as your starting point, but remember that compliance also extends to your on-premises systems, your physical office, and your HR policies.
4. Overlooking Latency
When you change a setting in the Microsoft Entra admin center, the Compliance Score does not always update instantly. It can take anywhere from 24 to 72 hours for the "automated" signals to refresh in the Compliance Manager.
- The Fix: Don't panic if your score doesn't jump immediately after you fix a setting. Check the "Last Scanned" date on the improvement action to see when the tool last checked the status.
Best Practices for Long-Term Success
To get the most value out of your Compliance Score, adopt these industry-standard practices:
Establish a Governance Rhythm
Compliance isn't a project; it's a lifecycle. Set a recurring meeting (monthly or quarterly) involving IT, Legal, and HR. Review the current score, look at any new improvement actions Microsoft has added, and review the status of pending tasks.
Use "Continuous Assessment"
Enable the "Continuous Assessment" feature where available. This allows Microsoft Purview to constantly monitor your tenant configuration. If a Global Admin accidentally turns off a required security setting, your Compliance Score will drop, providing an early warning system that something has changed.
Leverage the "Data Protection Baseline" as Your Foundation
Before buying expensive premium templates, ensure you have reached at least 80-90% on the Data Protection Baseline. This baseline covers the "low-hanging fruit" of security—like MFA, encryption, and basic auditing—which are the foundations of almost every other regulation in the world.
Document "Out of Scope" Actions
Sometimes an improvement action doesn't apply to you. Perhaps the action is for "Mobile Device Management," but your company doesn't issue mobile phones.
- Action: Don't just leave it as "To Do." Mark the action as "Out of Scope" and write a brief explanation. This clears the action from your "pending" list and tells auditors that you haven't ignored the requirement—you've evaluated it and found it inapplicable.
Comparison: Assessment States
When managing your score, you will see various statuses for improvement actions. Understanding these is key to accurate reporting.
| Status | Meaning | Impact on Score |
|---|---|---|
| Passed | The control is implemented and verified. | Full points awarded. |
| Failed | The automated check found the setting is incorrect. | 0 points awarded. |
| In Progress | A user has started the work but hasn't finished. | 0 points awarded. |
| To Do | No work has started on this action. | 0 points awarded. |
| Out of Scope | The action does not apply to your organization. | 0 points (but doesn't count against your percentage). |
| Not Scanned | Usually applies to manual actions that require human input. | 0 points until manually updated. |
Frequently Asked Questions
Q: Does a higher Compliance Score mean I am safer from hackers? A: Generally, yes. While the score is focused on compliance, the actions required for compliance (like encryption and identity management) are the same actions required for strong security. However, no score can guarantee 100% safety.
Q: Why did my score drop suddenly without me changing anything? A: This usually happens for one of two reasons:
- Microsoft updated the regulatory template to include new, more stringent requirements.
- An automated check detected that a configuration in your tenant was changed (e.g., a policy was deleted).
Q: Do I need a special license to see my Compliance Score? A: Basic Compliance Manager functionality and the Data Protection Baseline are available to most Microsoft 365 commercial licenses. However, specific premium templates (like those for niche international laws) require a "Compliance Plus" or Microsoft 365 E5/G5 license.
Q: Can I create my own actions? A: Yes. If you have a custom internal policy (e.g., "All employees must sign a clean-desk policy"), you can create a custom improvement action, assign points to it, and track it alongside the Microsoft-provided actions.
Key Takeaways
- Risk-Based Prioritization: The Compliance Score is not a simple checklist; it uses a weighted system that prioritizes preventative and mandatory controls, giving you a clear roadmap of what to fix first.
- Shared Responsibility: Your total score is a combination of actions managed by Microsoft and actions managed by you. You start with a significant number of points because of Microsoft's built-in infrastructure security.
- Data Protection Baseline: This is the default starting point for all organizations. It provides a universal set of controls that align with general best practices for data security and privacy.
- Beyond Automation: While many actions are tracked automatically, manual actions (like user training and physical security) are vital. You must manually update these and provide evidence to maintain an accurate score.
- Audit Readiness: Compliance Manager is a document repository. By uploading evidence and implementation notes to each improvement action, you are essentially building your audit report in real-time.
- Continuous Monitoring: Compliance is a moving target. Regularly reviewing the score and setting up alerts for score changes helps you stay ahead of regulatory changes and configuration drift.
- Not a Legal Certification: Always remember that the Compliance Score is a management tool. It measures your implementation of controls within Microsoft 365, but official legal compliance requires a holistic view of your entire business operation.
Continue the course
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons