9.6 Scenario Selection for Trust, Privacy, and Compliance Manager
Key Takeaways
- Service Trust Portal = download Microsoft's third-party audit reports (SOC/ISO/PCI/FedRAMP) about Microsoft's cloud.
- Microsoft Priva = privacy operations: detect privacy risk (Risk Management) and handle subject rights requests (SRR).
- Compliance Manager = assess and track YOUR tenant's regulatory posture with templates, improvement actions, and a compliance score.
- Compliance score (Purview) ≠ Secure Score (Defender); Service Trust Portal (Microsoft's evidence) ≠ Compliance Manager (your posture).
A Decision Pattern for Compliance Questions
This chapter's products all live near Microsoft Purview, so answer choices often look interchangeable. They are not. Identify the goal and the action verb, then map to the right tool.
| Scenario action | Best answer | Why |
|---|---|---|
| Download Microsoft's SOC/ISO/PCI/FedRAMP audit reports | Service Trust Portal | Third-party assurance evidence about Microsoft's cloud |
| Detect privacy risks (oversharing, hoarding, transfers) | Priva Privacy Risk Management | Privacy risk detection and remediation |
| Fulfill GDPR/CCPA data-subject requests at scale | Priva Subject Rights Requests | Automated DSR discovery, review, redaction |
| Assess GDPR/ISO/HIPAA posture; track improvement actions and a score | Compliance Manager | Structured, scored compliance work on your tenant |
| Open the unified hub for data security/governance/compliance | Microsoft Purview portal | The workspace family itself |
| Classify, label, prevent sharing, retain, discover, or audit data | A specific Purview data solution | A concrete data-governance task (next chapter) |
Underline the business role for a hint, but let the verb decide. "Provide audit evidence," "manage subject rights requests," and "track improvement actions" all point to different products even though all three sound like "compliance."
One-line memory hooks
Commit these four sentences and most of the domain answers itself:
- Service Trust Portal — Microsoft's audit reports for download (SOC, ISO, PCI, FedRAMP).
- Microsoft Priva — privacy operations: detect privacy risk; fulfill subject rights requests.
- Compliance Manager — assess and score YOUR tenant with templates and improvement actions.
- Microsoft Purview portal — the unified hub hosting all of the above data/compliance solutions.
Notice the ownership boundary between the Service Trust Portal and Compliance Manager: the Service Trust Portal proves Microsoft's compliance, while Compliance Manager tracks yours. That single line resolves the most common pair of distractors on the exam.
Practice reading the role and the verb
The role in a scenario narrows the field; the verb closes it. Walk through these stems:
- "A privacy officer needs to respond to customer deletion requests" → role hints privacy, verb (respond to subject requests) confirms Priva Subject Rights Requests.
- "A compliance lead needs to show progress toward GDPR" → verb (track progress / score) confirms Compliance Manager.
- "An auditor wants Microsoft's ISO certificate" → verb (download Microsoft's certificate) confirms Service Trust Portal.
- "An administrator needs the single console for all data-compliance solutions" → verb (open the unified workspace) confirms Microsoft Purview portal.
If two options survive the verb test (for example "Microsoft Purview portal" and a named solution), pick the more specific one — the named solution almost always wins unless the question is explicitly about the workspace itself.
The Two Traps That Decide Hard Questions
Trap 1 — Service Trust Portal vs. Compliance Manager
Both involve audits and compliance, but they sit on opposite sides of the shared responsibility line:
- Service Trust Portal = evidence Microsoft produces about Microsoft's cloud (their auditors, their certificates). Read-only. It does not score you.
- Compliance Manager = a workspace that scores your tenant and tracks your improvement actions.
If the verb is obtain/download/provide Microsoft's certification or audit report → STP. If it's assess our posture / track our tasks / raise our compliance score → Compliance Manager.
Trap 2 — Compliance score vs. Microsoft Secure Score
Both are "complete recommendations to raise a number," but:
- Compliance score → Compliance Manager (Purview), regulatory/compliance posture.
- Microsoft Secure Score → Defender (Defender XDR / Defender for Cloud), security posture against threats.
The trigger word is compliance/regulatory vs. security/threat.
Quick elimination checklist
- Remove Microsoft Sentinel unless the scenario is SIEM/SOAR, analytics, incidents, hunting, or playbooks.
- Remove Microsoft Defender unless it's threat protection, posture, endpoint, app, identity, or vulnerability work.
- Remove Microsoft Entra unless it's identity, access, authentication, authorization, roles, or governance.
- Remove Azure network controls (Firewall, NSG, DDoS, Bastion, WAF) unless the goal is network traffic, not compliance.
Two worked items
- "Before launching a regulated workload, give the auditor proof Microsoft's platform is ISO 27001 certified." → Service Trust Portal (Microsoft's certificate), not Compliance Manager.
- "The CISO wants to raise the number that reflects how protected we are against attacks." → Microsoft Secure Score in Defender; "protected against attacks" is a security-posture cue, not a cue for the Purview compliance score.
Master these mappings and the entire Microsoft compliance-solutions domain (about a quarter of SC-900) becomes a verb-matching exercise. The next chapter drills into the specific Purview data solutions: classification, sensitivity labels, DLP, retention/records, eDiscovery, insider risk, and audit.
Rebrand and version cautions
Because SC-900 weaves in Microsoft rebrands, watch for outdated names in question stems and answer options. In this domain specifically:
| If you see (old) | Read it as (current) |
|---|---|
| Microsoft Information Protection (MIP) | Microsoft Purview (Information Protection) |
| Microsoft 365 compliance center | Microsoft Purview portal |
| Azure Purview (data catalog) | Microsoft Purview (Unified Catalog / Data Map) |
| Office 365 Trust Center documents | Service Trust Portal |
And from neighboring domains that often appear as distractors: Azure AD → Microsoft Entra ID, Azure Sentinel → Microsoft Sentinel, and Microsoft 365 Defender → Microsoft Defender XDR. A correct fact wrapped in an old brand name is still correct, but a question may also use an old name as a trap to see whether you know it was renamed rather than replaced by a different product.
Finally, never let the two scores blur together: the compliance score lives in Compliance Manager (Purview) and measures regulatory progress, while Microsoft Secure Score lives in Defender and measures security posture. If you can recite the four memory hooks above, keep Microsoft's compliance separate from your own, and tell the two scores apart, you have the recognition skills SC-900 rewards across this quarter of the exam.
A scenario asks you to assess your tenant against GDPR using a template, assign improvement actions, and track a score. Which tool fits?
The CISO wants to raise the number that reflects how well the organization is protected against cyberthreats. Which is the correct answer?
Which clue most strongly points to the Service Trust Portal rather than Compliance Manager?