Complete Guide to Microsoft 365 Compliance Manager

Compliance Manager breaks your environment into controls—discrete requirements or safeguards mapped to a regulation, standard, or internal policy. Each control is then represented by one or more improvement actions.

Each improvement action is assigned a certain number of points that roll up into your total compliance score. Those points depend on:

• Mandatory vs. discretionary
• Mandatory controls are things that must be followed, no exceptions. Example: enforcing a password policy requiring length and complexity.
• Discretionary controls rely more on human behavior. Example: asking users to lock their screen when they leave their desk.

• Type of control
• Preventative controls: stop bad things from happening in the first place (e.g., enforcing encryption on devices).
• Detective controls: monitor and alert on issues (e.g., system and compliance audits, alerting on impossible travel).
• Corrective controls: minimize impact and restore operations after an incident (e.g., privacy incident response procedures).

Controls with higher risk impact (and that are mandatory and preventative) typically carry more weight in your score. So turning on multi-factor authentication will usually move the needle more than, say, tweaking a minor logging setting.

Importantly, the score isn’t a formal certification. It’s a risk-based, configuration-aware indicator of how closely your environment aligns to selected standards and Microsoft’s recommended practices.

One thing Compliance Manager does surprisingly well is visualizing shared responsibility in the cloud.

On the main overview page, you’ll see your compliance score broken down into:

• Customer-managed actions – things your team has to configure or document
• Microsoft-managed actions – controls that Microsoft implements and maintains on the platform side

For many organizations this is a huge relief. You can see that a “large chunk” of your baseline compliance posture is already covered by Microsoft’s built-in controls—encryption at rest, data center security, platform logging, etc.

From a m365 security assessment or m365 security audit perspective, this helps you:

• Answer the classic question: “What does Microsoft do vs. what do we do?”
• Focus your limited time on the customer actions that actually need your attention
• Provide auditors with a clearer explanation of control ownership

So when you’re preparing for a microsoft 365 security audit, don’t ignore that Microsoft‑managed slice. It’s evidence that some CIS Microsoft 365 Foundations and other baseline requirements are inherently satisfied by the platform.

On the overview page, you’ll typically see:

• Overall compliance score – your current and maximum achievable points
• Breakdown by source – Microsoft-managed vs. customer-managed
• Top improvement actions – prioritized list of actions that would most increase your score
• Category breakdown – such as:
• Protect information
• Govern information
• Manage devices
• And potentially more, depending on what’s in scope
• (Optionally) Assessment view – if you have the right role, you’ll see the score broken down by specific standards or regulations (e.g., GDPR, ISO 27001, NIST 800‑53)

Those top improvement actions are worth watching. They give you:

• The expected score increase if implemented
• Links to guidance and often directly to the relevant configuration page
• An easy way to build a remediation backlog for your security or compliance team

In my experience, this is one of the most practical parts of Compliance Manager. Instead of scrolling endlessly through every setting in Microsoft 365, you get a data‑driven “do these five things first” list.

By default, Microsoft guesses which regulations and standards might apply to you. That’s a decent starting point, but for real microsoft 365 compliance work you should:

1. Remove assessments that don’t apply – If you don’t process EU data, maybe GDPR doesn’t belong in your initial score (or at least not yet).
2. Add the assessments you actually need – ISO 27001, SOC 2, HIPAA, PCI DSS, or local privacy laws depending on your industry and region.
3. Align the tool to your real compliance scope – so your score is meaningful to your auditors and leadership.

Your compliance score’s denominator grows as you add more assessments, because you’re effectively saying, “Please measure me against more requirements.” That’s good in the long run—but it can temporarily lower your percentage score. So don’t panic if the number drops after adding assessments; it just means the measurement became more realistic.

From the Assessments area, you can click Add assessment and choose from a library of 150+ templates. These cover things like:

• GDPR
• ISO/IEC 27001
• NIST 800‑53
• HIPAA
• SOC 2–like mappings
• Various national/regional data protection laws

Each assessment template is basically a blueprint. It contains:

• The control set for that framework
• Mappings to improvement actions
• Recommended implementation guidance

Important nuance: a template on its own doesn’t collect evidence or generate a score. You must actually create an assessment from the template to:

• Begin tracking progress
• Assign ownership and due dates
• Produce a measurable compliance score

When you create an assessment from a template, you’ll:

1. Choose the template (e.g., GDPR)
2. Name the assessment – something meaningful like “GDPR 2026 Audit Cycle”
3. Assign it to a group – this is how you organize assessments internally

Groups can be:

• By audit date – “FY25 External Audit,” “Internal Q3 Review,” etc.
• By region – “EU Operations,” “US Healthcare,” “APAC Shared Services”
• By business unit – “Finance,” “HR,” “R&D”

This grouping is really handy when you’re juggling multiple audits or regulatory regimes at once.

Once the assessment is created, you’ll see:

• An overview – high‑level progress and score for that framework
• A controls tab – status of controls grouped by control family, often shown in both graph and list view

From the list, you can click into a specific control family (for example, Organization of Information Security), and then into a concrete requirement such as mobile device policy.

Inside a specific control or action, you’ll typically find:

• Description of the requirement
• Implementation guidance
• Test guidance (how an auditor might validate it)
• Microsoft’s implementation details for the corresponding Microsoft‑managed actions
• Sometimes a Launch now button that jumps you straight to the relevant configuration page in the admin center

Having Microsoft’s notes on how they meet their side of the requirement is particularly useful when you’re explaining controls to an external auditor. For many m365 security audit preparation efforts, that alone saves hours of back‑and‑forth.

Each improvement action has two life cycles:

1. Implementation status – where your operational teams indicate whether the control is:

• Not started
• Planned
• Implemented
• Alternative implementation
• (Sometimes other states depending on updates)

2. Test status – where your internal (or external) auditor marks whether the control has:

• Not been tested
• Failed testing
• Passed testing

Only actions with a passed test status count positively toward your compliance score.

For example, imagine the control Require mobile devices to use a password:

• The system might show it as failed in an automated test (medium risk) because your configuration doesn’t align yet.
• You click into the control, review the guidance, and use the Launch now link to jump to Intune or the relevant admin center.
• After configuring the policy and verifying it’s in effect, you update the implementation status to Implemented.
• Your internal auditor then goes in, performs a sample check, and updates the test status to Passed.

Once saved, you’ll see your compliance score increase to reflect that improvement. This is exactly how you slowly climb toward your target posture for microsoft 365 compliance.

When updating an action, you can:

• Assign it to a colleague – useful for delegating work to the right technical or process owner
• Set implementation dates – to align with audit periods
• Upload evidence – policies, screenshots, configuration exports, change tickets, etc.
• Add implementation notes – describing how you met the control
• Add test notes – describing how you validated it

Over time, this builds a mini repository of:

• Who did what
• When it was implemented
• How it was tested
• What artifacts prove it

That’s gold when an external auditor asks, “Can you show me evidence that mobile device wipe on multiple sign‑in failures is configured and has been validated?”

Instead of scrambling through email threads and SharePoint folders, you just open the control, point to the attached evidence, and walk them through the implementation and test notes.

This kind of workflow discipline is what turns Compliance Manager into a living m365 compliance checklist and not just another pretty dashboard.

One of the more flexible features is the ability to import controls and actions via Excel.

The basic workflow looks like this:

1. Download the sample template file from Compliance Manager.
2. Open it and you’ll see multiple tabs, typically including:

• Template – metadata like title, product, certification, services covered
• Control family – list of control families and control details, including mapping between controls and actions
• Action – definition of new actions and their attributes (implementation score, description, etc.)

3. Add your new controls and map them to actions using the control action title column.
4. Define attributes like:

• Implementation score
• Description
• Category or sorting dimensions

5. Import the Excel back into Compliance Manager.

If there are errors (and honestly, the first time there usually are), Compliance Manager provides inline highlighting to help you fix them. Once everything validates, you can create the template and then see it in the Assessment templates list.

After your custom template is successfully created, the next steps are:

1. Go to the assessment template page and locate your new or extended template.
2. Click Create assessment.
3. Name the assessment and assign it to a group, just like you would with a built‑in template.

Remember: until you actually create an assessment instance from the template, there is no status, no evidence, and no score. The template is just a definition.

Custom templates are especially useful when you want to align Compliance Manager to:

• Internal security policies
• Third‑party requirements not yet in the library
• Your own interpretation of frameworks like SOC 2 or ISO 27001

Combined with other tools, you can align these custom controls with cis benchmark microsoft 365 guidelines, ensuring your internal rules reflect modern best practices for cloud and identity security.

If your organization wants to align tightly with CIS Microsoft 365 Foundations or achieve cis certified microsoft 365 posture, you’ll usually want:

• Automated, scheduled scans of your Microsoft 365 tenant
• Coverage of all 129+ CIS Microsoft 365 Foundations Benchmark controls
• Differentiation between Level 1 (Essential) and Level 2 (Enhanced) profiles
• Detailed technical evidence for each setting
• Alerts when your configuration drifts from the benchmark

Compliance Manager alone doesn’t cover that full spectrum, especially the automated scanning piece. That’s where dedicated microsoft 365 compliance automation tools come in.

One example is ConfigCobra, which focuses specifically on automated CIS assessments for Microsoft 365. It can:

• Continuously check Microsoft 365 against the CIS benchmark Microsoft 365
• Automate assessment of all 129 CIS Microsoft 365 Foundations controls
• Support both Level 1 and Level 2 profiles
• Run scheduled assessments (daily, weekly, monthly) for continuous monitoring
• Detect configuration drift in almost real time
• Generate audit‑ready PDF reports with evidence and remediation guidance

In practice, many teams use a combination:

• ConfigCobra (or similar) for deep, automated automated m365 compliance assessment against CIS and other security benchmarks.
• Compliance Manager to map those results into broader frameworks, maintain documentation, and give leadership a simple, unified view of compliance posture.

Another challenge in real‑world compliance is mapping a technical benchmark like CIS to broader frameworks such as:

• NIS2
• HIPAA
• PCI DSS
• ISO/IEC 27001
• NIST CSF

Doing that mapping manually is tedious and error‑prone.

ConfigCobra helps here by:

• Mapping CIS controls to multiple compliance standards, so one technical change (say, tightening conditional access policies) can be shown to support multiple regulatory requirements.
• Supporting custom rule sets for specific compliance needs: SOC 2, ISO 27001, GDPR, or your internal standards.
• Enabling team collaboration with role-based access control, so security, compliance, and IT teams can all work off the same set of findings.

Combining this kind of automation with Compliance Manager means you can:

• Use automated scans as a primary input to your microsoft 365 audit preparation
• Populate Compliance Manager actions with real, timely evidence
• Treat your compliance score as a near‑real‑time reflection of your environment rather than a once‑a‑year project

If your goal is true automated compliance m365, this layered approach is usually the most sustainable way to get there.