Compliance Manager in Microsoft Purview
Microsoft Purview Compliance Manager is a comprehensive compliance management tool within the Microsoft Purview compliance portal that helps organizations manage their compliance requirements more easily and conveniently. It assists in inventorying data protection risks, managing the complexities of implementing controls, staying current with regulations and certifications, and reporting to auditors.

Compliance Manager provides a risk-based compliance score that measures your progress in completing recommended improvement actions to reduce risks around data protection and regulatory standards. It serves as a centralized dashboard that provides an overall assessment of your organization's current compliance posture against key regulations and standards.

Key features of Compliance Manager include:

1. **Pre-built Assessments**: It offers pre-built assessments based on common industry and regional regulations and standards, such as GDPR, ISO 27001, NIST 800-53, and many more. Organizations can also create custom assessments to meet specific compliance needs.
2. **Improvement Actions**: Compliance Manager provides step-by-step guidance through recommended improvement actions that help organizations comply with relevant standards. Microsoft manages some actions, while others are managed by the organization.
3. **Compliance Score**: The compliance score helps organizations understand their current compliance posture. It is calculated based on the completion of improvement actions, with higher-impact actions contributing more to the overall score.
4. **Workflow Capabilities**: Organizations can assign improvement actions to users, track progress, and manage evidence collection through built-in workflow tools.
5. **Controls Mapping**: It maps controls across multiple regulations, so implementing one control can satisfy requirements across several standards simultaneously, reducing redundant effort.
6. **Continuous Assessment**: Compliance Manager continuously monitors the Microsoft 365 environment and automatically detects system settings for certain improvement actions, helping keep compliance activities up to date.

Compliance Manager simplifies compliance by translating complex regulatory requirements into manageable actions, ultimately helping organizations reduce compliance risks and demonstrate adherence to regulatory frameworks efficiently.
Compliance Manager in Microsoft Purview: A Complete Guide for SC-900
Why Is Compliance Manager Important?
In today's regulatory landscape, organizations face an ever-growing number of compliance obligations — from GDPR and HIPAA to ISO 27001 and NIST frameworks. Managing these requirements manually is nearly impossible at scale. Compliance Manager in Microsoft Purview is Microsoft's answer to this challenge. It provides a centralized, automated, and actionable platform to help organizations assess, monitor, and improve their compliance posture across multiple regulations and standards. For the SC-900 exam, understanding Compliance Manager is critical because it is a core component of Microsoft's compliance solutions and frequently appears in exam questions.
What Is Compliance Manager?
Compliance Manager is a feature within the Microsoft Purview compliance portal that helps organizations manage their compliance requirements with greater ease and convenience. It provides the following key capabilities:
• Compliance Score: A risk-based score that measures your progress toward completing recommended improvement actions to reduce compliance risks. This score is expressed as a percentage and reflects how well you are meeting compliance obligations.
• Pre-built Assessments: Compliance Manager offers pre-built assessment templates that map to common regulatory standards and frameworks such as GDPR, HIPAA, ISO 27001, NIST 800-53, and many more. These templates contain the controls and improvement actions needed for each regulation.
• Improvement Actions: These are specific, recommended steps that help organizations improve their compliance posture. Each improvement action provides detailed implementation guidance, testing information, and links to relevant solutions within Microsoft 365.
• Controls: Controls are requirements from a regulation, standard, or internal policy. Compliance Manager maps both Microsoft-managed controls (actions Microsoft takes on your behalf) and customer-managed controls (actions the organization must take).
• Assessments: An assessment is a grouping of controls from a specific regulation or standard applied to a specific service or product. Each assessment tracks improvement actions and provides a score contribution.
How Does Compliance Manager Work?
Compliance Manager works through a structured workflow that combines automation with manual oversight:
1. Assessments and Templates
When you first access Compliance Manager, a default Data Protection Baseline assessment is already set up. This baseline includes controls for key data protection and general data governance regulations. You can then add assessments by selecting from more than 300 regulatory templates. Some templates are included with your license, while premium templates may require additional licensing.
2. Controls Mapping
Each assessment template maps controls to specific regulatory requirements. Controls are divided into two categories:
• Microsoft-managed controls: These are controls that Microsoft implements and manages as part of its cloud services. Microsoft handles the implementation, testing, and maintenance of these controls. Their status is automatically updated in Compliance Manager.
• Customer-managed controls: These are controls that your organization is responsible for implementing. You must take improvement actions to address these controls.
3. Improvement Actions
Improvement actions are the core of your compliance work. Each action includes:
• Implementation status: Whether the action is implemented, not implemented, alternative implementation, or planned.
• Test status: Whether the action has been tested and the result.
• Points value: Each action contributes a certain number of points to your overall compliance score.
• Action type: Actions can be preventive, detective, or corrective, and they can be mandatory or discretionary.
Some improvement actions are automatically tested and monitored by Compliance Manager through integration with other Microsoft Purview and Microsoft 365 solutions. For example, if you enable multi-factor authentication (MFA) through Azure AD, Compliance Manager can automatically detect this and update the relevant improvement action status.
4. Compliance Score Calculation
The compliance score is calculated based on the completion of improvement actions. Key points about the score:
• Microsoft-managed actions contribute to the score automatically.
• Customer-managed actions contribute when you implement and test them.
• Each action has a point value based on its importance — mandatory actions are worth more than discretionary actions, and preventive actions are worth more than detective or corrective actions.
• The score is NOT a guarantee of compliance but rather a measure of progress toward reducing risk.
5. Continuous Assessment
Compliance Manager continuously monitors your Microsoft 365 environment. As configurations change or new controls are implemented, the compliance score and action statuses update accordingly. Alerts and notifications help administrators stay informed about changes.
Key Features to Remember for the Exam
• Compliance Score reflects your overall compliance posture and is risk-based.
• Assessments group controls from a regulation applied to a specific scope (e.g., Microsoft 365).
• Templates are pre-built frameworks (300+) that provide the structure for assessments.
• Improvement Actions are the actionable steps to improve compliance; some are automatically monitored.
• Microsoft-managed controls vs. Customer-managed controls — understand the shared responsibility model.
• Compliance Manager is found in the Microsoft Purview compliance portal.
• The Data Protection Baseline is the default assessment available out of the box.
• Compliance Manager helps with assessment, monitoring, and improvement — but it does NOT guarantee compliance or provide legal certification.
Exam Tips: Answering Questions on Compliance Manager in Microsoft Purview
Tip 1: Know the Difference Between Compliance Score and Secure Score
The SC-900 exam may try to confuse you between Microsoft Compliance Score (part of Compliance Manager, focused on compliance and regulatory posture) and Microsoft Secure Score (part of Microsoft 365 Defender, focused on security posture). If the question mentions regulatory frameworks, standards, or compliance obligations, the answer is Compliance Manager and Compliance Score.
Tip 2: Understand Shared Responsibility
Questions may ask who is responsible for certain controls. Remember: Microsoft-managed controls are handled by Microsoft, while customer-managed controls require action from your organization. Compliance Manager tracks both.
Tip 3: Remember That Compliance Manager Does NOT Certify Compliance
A common trap question is whether Compliance Manager guarantees or certifies an organization as compliant. The answer is always NO. It provides a measure of progress and recommended actions, but compliance certification requires formal audits by authorized bodies.
Tip 4: Know What the Compliance Score Measures
The compliance score measures progress in completing improvement actions that help reduce risks around data protection and regulatory standards. It is expressed as a percentage. Mandatory and preventive actions carry higher point values.
Tip 5: Understand Improvement Action Types
Be familiar with the classification of improvement actions:
• Preventive — actions that prevent risks from occurring (highest point value)
• Detective — actions that detect when risks occur
• Corrective — actions that remediate risks after they occur
• Mandatory — required actions (higher points)
• Discretionary — recommended but optional actions (lower points)
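To make the scoring rules from the "Compliance Score Calculation" section and from Tips 4 and 5 concrete, here is an added Python model of how a risk-based score is derived from improvement actions. It is example code written for this guide, not Microsoft's own implementation or API. The point values are assumed for illustration (the guide states only the ordering: mandatory above discretionary, preventive above detective and corrective), as is the rule that a customer-managed action earns its points only once it is implemented (directly or via an alternative implementation) and its test has passed, while Microsoft-managed actions are credited automatically. The sample assessment and its action names are constructed.

```python
from dataclasses import dataclass

# ASSUMED point values: the guide states only the ordering
# (mandatory > discretionary, preventive > detective/corrective).
POINTS = {
    ("mandatory", "preventive"): 27,
    ("mandatory", "detective"): 3,
    ("mandatory", "corrective"): 3,
    ("discretionary", "preventive"): 9,
    ("discretionary", "detective"): 1,
    ("discretionary", "corrective"): 1,
}

# Implementation statuses that can earn points (assumed: both a direct and an
# alternative implementation count; "planned" and "not implemented" do not).
EARNING_STATUSES = {"implemented", "alternative implementation"}


@dataclass
class ImprovementAction:
    name: str
    obligation: str            # "mandatory" or "discretionary"
    kind: str                  # "preventive", "detective" or "corrective"
    managed_by: str            # "microsoft" or "customer"
    implementation: str = "not implemented"
    test: str = "none"         # "passed", "failed" or "none"

    @property
    def max_points(self) -> int:
        return POINTS[(self.obligation, self.kind)]

    def earned_points(self) -> int:
        # Microsoft-managed actions are credited automatically.
        if self.managed_by == "microsoft":
            return self.max_points
        # Customer-managed actions count only when implemented AND tested.
        if self.implementation in EARNING_STATUSES and self.test == "passed":
            return self.max_points
        return 0


def compliance_score(actions) -> float:
    """Percentage of available points earned, rounded to one decimal."""
    total = sum(a.max_points for a in actions)
    if total == 0:
        return 0.0
    earned = sum(a.earned_points() for a in actions)
    return round(100 * earned / total, 1)


def pending_actions(actions):
    """Customer-managed actions not yet earning points, highest value first."""
    pending = [a for a in actions
               if a.managed_by == "customer" and a.earned_points() == 0]
    return sorted(pending, key=lambda a: a.max_points, reverse=True)


def sample_actions():
    """Constructed sample assessment (names and statuses are invented)."""
    return [
        ImprovementAction("Require MFA for admin accounts", "mandatory",
                          "preventive", "customer", "implemented", "passed"),
        ImprovementAction("Configure DLP policy", "discretionary",
                          "preventive", "customer", "implemented", "none"),
        ImprovementAction("Review audit logs weekly", "mandatory",
                          "detective", "customer", "planned"),
        ImprovementAction("Encrypt customer data at rest", "mandatory",
                          "preventive", "microsoft"),
        ImprovementAction("Maintain incident response plan", "discretionary",
                          "corrective", "customer", "implemented", "passed"),
    ]


if __name__ == "__main__":
    acts = sample_actions()
    print(f"Compliance score: {compliance_score(acts)}%")
    for a in pending_actions(acts):
        print(f"  next: {a.name} (+{a.max_points} points)")
```

Two things the model makes visible that the prose only states: an action that is implemented but never tested (the DLP policy in the sample) contributes nothing, which is why the score moves when a test result is recorded rather than when a setting is changed; and sorting the pending customer-managed actions by point value gives the same "highest-impact first" ordering the Compliance Manager dashboard uses to prioritise work.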
Tip 6: Know the Default Assessment
The Data Protection Baseline assessment is automatically available in Compliance Manager. If a question asks what is available by default or out of the box, this is the answer.
Tip 7: Recognize Automatic vs. Manual Actions
Some improvement actions are automatically detected and updated by Compliance Manager based on your tenant configuration (e.g., enabling MFA, DLP policies). Others require manual implementation and testing. Questions may test whether you understand which actions can be automated.
Tip 8: Know Where Compliance Manager Lives
Compliance Manager is accessed through the Microsoft Purview compliance portal (compliance.microsoft.com). If a question asks about the portal or location, this is the correct answer. It is NOT in the Azure portal or the Microsoft 365 Defender portal.
Tip 9: Templates and Licensing
Some assessment templates are included with your Microsoft 365 license, while premium templates require additional licensing or add-ons. The exam may reference the availability of templates based on licensing tiers.
Tip 10: Read Questions Carefully for Keywords
Look for keywords like compliance posture, regulatory requirements, compliance score, improvement actions, assessments, and data protection baseline. These keywords strongly indicate that the answer involves Compliance Manager. If the question mentions threat detection, incidents, or security alerts, the answer likely involves a different tool such as Microsoft Defender or Sentinel.
Summary
Compliance Manager in Microsoft Purview is a powerful tool that helps organizations understand, track, and improve their compliance posture across multiple regulations and standards. For the SC-900 exam, focus on understanding the compliance score, the difference between Microsoft-managed and customer-managed controls, improvement action types, and the fact that Compliance Manager provides guidance — not certification. Mastering these concepts will prepare you to confidently answer any Compliance Manager question on the exam.