9.4 Compliance Manager Assessments
Key Takeaways
- Compliance Manager (in Microsoft Purview) helps you assess and manage compliance across your tenant using templates, assessments, controls, and improvement actions.
- An assessment groups controls for a specific regulation or standard (e.g., GDPR, ISO 27001, HIPAA, NIST CSF); every tenant starts with the Microsoft 365 Data Protection Baseline assessment.
- Controls split into Microsoft-managed actions (Microsoft handles them) and your-controls / improvement actions (your responsibility) — the shared responsibility model in action.
- Pre-built assessment templates exist for hundreds of regulations; you assign owners and evidence to improvement actions to track work.
Compliance Manager Building Blocks
Compliance Manager, found in the Microsoft Purview portal, helps your organization assess and manage compliance against regulations and standards. It is the SC-900 answer whenever a scenario describes structured, ongoing compliance work measured by a compliance score. Its building blocks are:
| Element | What it is |
|---|---|
| Template | A pre-built blueprint for a regulation/standard (GDPR, ISO/IEC 27001, HIPAA, NIST CSF, SOC 2, and 300+ more). You use a template to create an assessment. |
| Assessment | A grouping of controls for a specific regulation, scoped to a product or group of products in your tenant. |
| Controls | The specific requirements in a regulation; each maps to one or more actions. |
| Improvement actions | The concrete tasks you complete to satisfy controls and raise your score. Assignable, with evidence and review workflow. |
Every tenant begins with a default Microsoft 365 Data Protection Baseline assessment. This baseline draws its controls primarily from the NIST Cybersecurity Framework (CSF) and ISO, with additional elements from FedRAMP and the EU GDPR. From the moment you open Compliance Manager it is already collecting signals from your Microsoft 365 solutions, so you see your initial standing and suggested actions without any setup.
Because every organization's obligations differ, Compliance Manager relies on you to add and manage further assessments (for instance, creating an ISO 27001 or HIPAA assessment from a template) so risk is covered as comprehensively as your regulatory environment requires.
What Compliance Manager is for
Microsoft summarizes Compliance Manager's value in four jobs you should be able to recite:
- Take inventory of your data-protection risks against a regulation.
- Manage the complexity of implementing controls through built-in, pre-mapped templates.
- Stay current with evolving regulations and certifications as Microsoft updates templates.
- Report to auditors and leadership with a clear, quantifiable compliance score and evidence.
The key SC-900 framing is that Compliance Manager turns an abstract regulation into a tracked backlog of concrete tasks. Instead of reading the GDPR text and guessing what to do, you create the GDPR assessment, get a list of mapped controls and improvement actions, and work through them with owners and evidence attached.
Shared Responsibility Inside Compliance Manager
A critical, frequently tested idea: improvement actions are split by who is responsible, mirroring the cloud shared responsibility model.
- Microsoft-managed actions — controls Microsoft implements and maintains on the platform. You don't act on these; Compliance Manager shows their status and Microsoft's testing details so you can cite them as evidence.
- Your controls (improvement actions managed by your organization) — controls you are responsible for implementing, testing, and documenting. These are the tasks you assign to owners.
This split is why Compliance Manager pairs naturally with the Service Trust Portal: the portal provides Microsoft's audit evidence, while Compliance Manager tracks the controls that fall on your side of the line.
How you work an assessment
- Create an assessment from a template for the regulation you must meet.
- Review the controls and the improvement actions beneath them.
- Assign each of your improvement actions to an owner and gather evidence (you can upload files and store implementation/test notes).
- Mark actions implemented and tested; status updates flow to the dashboard (typically within 24 hours).
- Watch the compliance score reflect your progress (covered in the next section).
Selection cues and traps
| Scenario language | Answer |
|---|---|
| "Assess our GDPR/HIPAA/ISO posture using a template and track tasks" | Compliance Manager |
| "Show Microsoft's certification evidence" | Service Trust Portal |
| "Detect privacy risks / handle subject rights requests" | Microsoft Priva |
| "Search audit logs for an investigation" | Audit (Purview) |
Common trap: Compliance Manager is not a guarantee of compliance. Microsoft is explicit that its recommendations "should not be interpreted as a guarantee of compliance" — you must still validate controls for your regulatory environment. On SC-900, choose Compliance Manager for managing and tracking compliance, never as proof that you are compliant.
Worked assessment scenario
A healthcare provider must demonstrate progress toward HIPAA/HITECH compliance. The compliance lead opens Compliance Manager, creates a HIPAA assessment from the pre-built template, and reviews the resulting controls. Some controls show Microsoft-managed actions already satisfied by the platform (with Microsoft's testing evidence attached for the auditor); others are improvement actions the organization owns — for example, configuring audit logging or restricting access to records.
The lead assigns each of those actions to an owner, attaches implementation evidence, marks them tested, and watches the compliance score climb as high-impact actions are completed.
Distinguish this from neighbors: the auditor's request for Microsoft's SOC report still goes to the Service Trust Portal; handling a patient's request to see their personal data goes to Priva Subject Rights Requests; searching who accessed a record last Tuesday goes to Audit in Purview. Compliance Manager owns the assessment, control-tracking, and scoring layer — and only that layer. Whenever a scenario names a regulation and asks to track structured tasks toward it, Compliance Manager is the answer, even when the broader "Microsoft Purview portal" also appears as an option.
Which Microsoft Purview solution uses templates, assessments, controls, and improvement actions to help you manage compliance with regulations like GDPR and ISO 27001?
In Compliance Manager, what is the difference between Microsoft-managed actions and your improvement actions?
Which assessment does every Microsoft Purview tenant receive by default in Compliance Manager?