9.5 Compliance Score and Improvement Actions
Key Takeaways
- Compliance score measures your progress completing improvement actions; each action is weighted by risk impact, not counted equally.
- Action point values: preventative+mandatory = 27, preventative+discretionary = 9, detective/corrective mandatory = 3, detective/corrective discretionary = 1.
- Mandatory actions can't be bypassed (e.g., enforced password policy); discretionary actions rely on the user (e.g., lock-when-away).
- Compliance score (Purview, regulatory posture) is different from Microsoft Secure Score (Defender, security posture) — a top SC-900 trap.
How the Compliance Score Is Calculated
The compliance score on the Compliance Manager dashboard is a personalized, risk-weighted measure of your progress completing improvement actions within controls. It is not the percentage of actions done — actions are weighted by how much risk they reduce. Points are awarded when you complete an action's implementation; your status updates on the dashboard within about 24 hours.
Microsoft assigns each action a value based on two dimensions:
- Mandatory vs. discretionary — can the control be bypassed?
  - Mandatory: cannot be bypassed intentionally or accidentally (e.g., a centrally enforced password policy). Worth more.
  - Discretionary: relies on the user to comply (e.g., a policy to lock your computer when unattended). Worth less.
- Preventative vs. detective vs. corrective — what does the control do?
  - Preventative: stops a risk from occurring (e.g., encrypting data at rest; separation of duties). Highest value.
  - Detective: monitors to find irregularities (e.g., access auditing, reviewing privileged actions).
  - Corrective: limits damage and restores systems after an incident (e.g., privacy incident response).
The exact point table (memorize)
| Action type | Assigned score |
|---|---|
| Preventative + mandatory | 27 |
| Preventative + discretionary | 9 |
| Detective + mandatory | 3 |
| Detective + discretionary | 1 |
| Corrective + mandatory | 3 |
| Corrective + discretionary | 1 |
So preventative beats detective/corrective, and mandatory beats discretionary — a preventative mandatory control (27 points) is worth 27× a discretionary detective or corrective one (1 point). Points are awarded per action per assessment: an action worth 10 points that appears in two assessments contributes 20 points overall, except that technical actions, which apply tenant-wide, are counted once.
Why the weighting works this way
The weighting is deliberate risk math. Preventative controls stop a problem before it happens, so they reduce risk the most and earn the most points. Detective controls only spot a problem after it starts, and corrective controls only limit damage afterward — valuable, but less risk-reducing, so they earn far fewer points. Layered on top, mandatory controls can't be bypassed, so their protection is reliable; discretionary controls depend on humans remembering to comply, so they're scored lower.
The practical takeaway for both the exam and real life: to raise your compliance score efficiently, prioritize the preventative + mandatory improvement actions worth 27 points each, not a long list of 1-point discretionary detective tasks.
Score levels
A score value is assigned at three levels, and you should know the hierarchy: each improvement action has a point value; each assessment has a score calculated from its actions; and the overall compliance score rolls those up across all assessments (counting each Microsoft action once, each technical action once, and each non-technical action once per group). Because of that counting logic, your overall score may not equal the simple average of your individual assessment scores — a detail Microsoft explicitly calls out.
Improvement Actions, Your Initial Score, and the Secure Score Trap
Improvement actions are the concrete, assignable tasks that raise your score. Each carries the point value above and includes implementation guidance, an owner, status (e.g., not implemented, implemented, tested), and evidence. For actions covering Azure resources supported by Microsoft Defender for Cloud, an action's score is the average across its subscriptions, and each subscription is scored by the status of its relevant resources (e.g., subscription A at 0% and subscription B at 50% average to a 25% action score).
Your initial score comes from the default Microsoft 365 Data Protection Baseline — Compliance Manager starts scoring you against it automatically, so you have a starting posture before configuring anything. As you complete improvement actions (and add assessments for your specific regulations), the score moves.
The single biggest scoring trap on SC-900
Do not confuse these two scores:
| Score | Product | What it measures |
|---|---|---|
| Compliance score | Compliance Manager (Microsoft Purview) | Progress on compliance/regulatory improvement actions |
| Microsoft Secure Score | Microsoft Defender (Defender XDR / Defender for Cloud) | Security posture — how well you're protected against threats |
If the scenario says regulatory, assessment, control, GDPR/HIPAA, improvement action → compliance score. If it says security recommendations, protect against threats, harden resources, secure posture → Secure Score. They share a similar shape (complete recommendations to raise a number) but live in different families.
Other traps: the compliance score is not a guarantee of compliance, and it is not the SC-900 exam passing score (700/1000). Treat it as a prioritization and progress signal: completing preventative mandatory actions raises it fastest because they carry the highest value (27 points each), which in turn reflects how much risk they remove.
Worked scoring example
Suppose your default Data Protection Baseline lists four outstanding improvement actions: encrypt data at rest (preventative mandatory, 27), enforce a centrally managed password policy (preventative mandatory, 27), enable access auditing (detective mandatory, 3), and ask users to lock their screens (discretionary, 1). Completing the two 27-point preventative-mandatory actions adds 54 points to your tenant — far more than the 4 points the other two combine to give. This is why a security architect chasing a higher score in a hurry implements encryption and enforced policy first.
For an Azure action covered by Microsoft Defender for Cloud, remember the per-subscription averaging: if subscription A has 0 of 1 resource compliant (0%) and subscription B has 1 of 2 compliant (50%), the action scores 25% of its point value, not a flat all-or-nothing. Knowing both the point table and this averaging rule lets you answer the calculation-flavored items SC-900 sometimes includes, while the compliance-score-versus-Secure-Score distinction handles the conceptual ones. Keep "compliance = Purview/regulatory" and "Secure Score = Defender/security" locked in, and this section's questions become reliable points.
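The point table, the Defender for Cloud per-subscription averaging, and the count-once roll-up from the Score levels paragraph, modelled in Python as an added example (not Microsoft's code or anything from the exam). The action names, the second "GDPR" assessment and its group, and expressing scores as earned over available points are assumptions.

```python
# Added model of the scoring rules in this section (not Microsoft code); the
# earned / available percentage normalization is an assumption.
from dataclasses import dataclass, field
from statistics import mean
# Point table from the section: (control function, bypassability) -> points
POINTS = {("preventative", "mandatory"): 27, ("preventative", "discretionary"): 9,
          ("detective", "mandatory"): 3, ("detective", "discretionary"): 1,
          ("corrective", "mandatory"): 3, ("corrective", "discretionary"): 1}

@dataclass
class Action:
    name: str
    function: str            # preventative / detective / corrective
    bypass: str              # mandatory / discretionary
    kind: str                # microsoft / technical / non-technical
    implemented: bool = False
    # Defender for Cloud actions: compliant fraction per subscription; overrides `implemented`
    subscription_compliance: list = field(default_factory=list)

    def available(self) -> int:
        return POINTS[(self.function, self.bypass)]
    def earned(self) -> float:
        if self.subscription_compliance:  # average across subscriptions
            return self.available() * mean(self.subscription_compliance)
        return float(self.available()) if self.implemented else 0.0

def score(actions):
    """(earned, available, percent) for a collection of actions."""
    earned = sum(a.earned() for a in actions)
    available = sum(a.available() for a in actions)
    return earned, available, round(100 * earned / available, 2)

def overall_score(assessments):
    """Roll up (group, actions) pairs: Microsoft/technical actions count once
    tenant-wide, non-technical once per group, so this != mean of assessments."""
    counted = {}
    for group, actions in assessments:
        for a in actions:
            key = (a.name,) if a.kind != "non-technical" else (a.name, group)
            counted.setdefault(key, a)
    return score(counted.values())

# Constructed sample: the worked example's four actions (auditing assessed over
# two subscriptions at 0% and 50%) plus a constructed GDPR assessment in group "EU".
ENCRYPT = Action("Encrypt data at rest", "preventative", "mandatory", "technical", True)
PASSWORD = Action("Enforce password policy", "preventative", "mandatory", "technical", True)
AUDIT = Action("Enable access auditing", "detective", "mandatory", "technical",
               subscription_compliance=[0.0, 0.5])
LOCK = Action("Lock screen when unattended", "detective", "discretionary", "non-technical")
BASELINE = ("Default", [ENCRYPT, PASSWORD, AUDIT, LOCK])   # Data Protection Baseline
GDPR = ("EU", [ENCRYPT, LOCK])                              # constructed second assessment
```

Running `score(BASELINE[1])`, `score(GDPR[1])` and `overall_score([BASELINE, GDPR])` shows the tenant-wide percentage (92.8) sitting below the mean of the two assessment percentages (94.4 and 96.43), because the shared technical action is counted once while the non-technical one is counted in both groups.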
Which improvement-action type is assigned the highest point value (27) in Compliance Manager scoring?
A team confuses two scores. Which statement correctly distinguishes compliance score from Microsoft Secure Score?
An action requiring users to lock their computer when they step away relies on the user to comply. How is such an action classified for scoring?