How to Use Compliance Manager for Microsoft 365

Compliance Manager is a feature in Microsoft Purview that helps you:

• Track your organization’s posture against regulations and standards
• See a unified microsoft 365 compliance score
• Manage improvement actions and evidence
• Run and customize assessments based on templates

It’s not a silver bullet. It doesn’t magically make you compliant; rather, it provides structure, guidance, and visibility so you can prove and improve compliance.

You can access it at:

• compliance.microsoft.com

Once you’re there, you’ll land on the Microsoft Purview portal. From the left navigation, select Compliance Manager to get to the overview page. If you don’t see it, you may need your Global Administrator or Compliance Administrator to grant you access.

For many organizations, this is also the starting point for a basic m365 security assessment—you see where you stand and what Microsoft thinks you should fix first.

To be honest, a lot of people see the score and treat it like a magic grade. It isn’t. It’s simply a weighted way to show how many recommended actions you’ve addressed.

Each control (or improvement action) has a value. Controls are classified in a few different ways:

• Mandatory vs discretionary
• Mandatory: must be followed (e.g., password policies with a minimum length and complexity)
• Discretionary: rely on user behavior (e.g., reminding users to lock their screens)

• Preventative, detective, corrective
• Preventative controls: stop an incident from happening (e.g., enforcing encryption)
• Detective controls: help you spot issues, like system logs, alerts, or compliance audits
• Corrective controls: help you recover and reduce impact (e.g., an incident response or privacy breach procedure)

Each control’s impact on your score is based on:

• Its risk level
• Whether it’s mandatory vs discretionary
• Its type (preventative controls often carry more weight)

One thing that surprises people: your score is made up of Microsoft-managed actions and customer-managed actions. Microsoft-managed actions are controls Microsoft implements inside the cloud service—such as encryption at rest or default logging. Those give you a good baseline and show the value of the shared responsibility model.

Customer-managed actions are what you and your team must configure, document, and maintain. That’s where your day-to-day compliance work really lives.

1. Go to compliance.microsoft.com in your browser.
2. Sign in with an account that has appropriate permissions (Compliance Administrator, Security Administrator, Global Administrator, or a delegated role).
3. From the left navigation, select Compliance Manager.

You’ll land on the Compliance Manager overview page.

If you’ve been here before, you might already have a dashboard card pinned. Either way, your starting point is the same: a high-level overview of your microsoft 365 compliance posture.

On the overview page, you’ll see:

• Your Compliance Score front and center
• A breakdown of how much comes from Microsoft-managed vs customer-managed actions
• A prioritized list of key improvement actions with the potential score impact
• A breakdown by category, such as:
• Protect information
• Govern information
• Manage devices

Depending on your role and licensing, you may also see:

• An Assessments view that organizes the score by regulation or standard (e.g., GDPR, ISO 27001)

This is your quick snapshot for m365 security audit preparation. You can already answer high-level questions like:

• “How much of our score is due to Microsoft configuration vs our own?”
• “Which areas (devices, information protection, etc.) are lagging?”
• “What’s the top handful of actions that will move the needle fastest?”

Microsoft provides a large template library—well over 150 out-of-the-box assessment templates. These cover:

• Global standards like ISO/IEC 27001
• Regional regulations like GDPR
• Industry-focused requirements in some cases

A few key points:

• A template is just a blueprint. It contains control definitions, mappings, and recommended actions.
• An assessment is an instance of a template that you actually use to record progress, evidence, and implementation status.

To create an assessment from a template:

1. In Compliance Manager, go to Assessments.
2. Click Add assessment.
3. Browse or search the template catalog (for example, GDPR or ISO 27001).
4. Select your template.
5. Give the assessment a clear name (e.g., “GDPR 2025 Audit – EU Region”).
6. Assign it to a group to organize it.

Groups are surprisingly flexible. Organizations use them to:

• Separate assessments by audit year (e.g., 2024, 2025)
• Separate by region (EU, US, APAC)
• Separate by business unit (Finance, HR, R&D)

Once you click Create, the assessment is added, and it starts to influence both:

• Your compliance score (more assessments = more possible points and more improvement actions)
• Your work queue (you’ll see additional actions you might not have considered before)

Open your new assessment and you’ll typically see:

• An overview of the assessment, status, and total achievable score
• A Controls tab with:
• Graphs summarizing control status
• A list view of controls grouped by control family

For example, in a GDPR assessment you might see families such as:

• Organization of information security
• Mobile device policy
• Access control

From the list view:

1. Click into a specific control family (e.g., Organization of information security).
2. Then select a specific control (e.g., Mobile device policy).

Here you’ll get:

• A breakdown of specific improvement actions tied to that control
• Details of Microsoft’s actions (Microsoft-managed controls)
• Implementation notes and test notes from Microsoft that explain how they meet the requirement

This is useful for microsoft 365 audit preparation because you can show auditors both your actions and what Microsoft covers as part of the service.

To focus your effort, filter for controls that are failing or not yet implemented.

From the Groups or Assessments area:

1. Filter by test status (e.g., Failed, Not assessed).
2. Search for sensitive areas like mobile devices, external sharing, or data retention, depending on your priorities.

Example: you might see a control like “Require mobile devices to use a password” flagged as Failed with medium risk.

Click into the action and you’ll typically see:

• Where this control appears across multiple assessments
• The detailed requirements
• Clear implementation steps
• A Launch now link that takes you directly to the relevant configuration page in the Microsoft 365 admin center or Intune

This cross-linking is underrated. It essentially turns Compliance Manager into a semi-interactive m365 security assessment playbook: see what’s wrong, click straight to where you fix it.

For actions that don’t yet have automated checks, you’ll need to manually track status.

Example: Require mobile devices to wipe on multiple sign‑in failures might be unimplemented and not automatically assessed.

To update it:

1. Open the specific improvement action.
2. Click Edit status (or similar, depending on UI changes).
3. Assign the action to a colleague or owner for collaboration.
4. Set Implementation status (e.g., Implemented, Planned, Not started).

• For now, mark it as Implemented once you’ve configured it.

5. Set the implementation date.
6. When your internal auditor or control owner reviews it, they can set the Test status to Passed once they’ve validated it.
7. Click Save.

Only actions marked as Passed contribute to your compliance score, so it’s important not just to do the technical work but to close the loop in Compliance Manager.

You can also:

• Upload evidence files (screenshots, policy PDFs, exported logs)
• Add implementation details and test notes for auditors

Over time, this becomes a living m365 compliance checklist with proof attached—not just a to-do list.

You’ll notice that when you mark actions as implemented and passed, your overall score on the overview page increases. That makes it easier to demonstrate progress to leadership and auditors alike.

Sometimes you want to stick with a standard like ISO 27001 or GDPR but add a few internal or CIS-specific controls.

Compliance Manager lets you extend an existing template by importing additional controls and actions from an Excel file.

The typical process:

1. From Assessment templates, pick an existing template to extend (for example, ISO 27001).
2. Download the sample Excel file Microsoft provides.
3. Open the file; you’ll usually see:

• A Template tab with metadata (title, product, certifications, covered services)
• A Control family tab where you define control families and map actions to controls (using something like a Control Action Title column)
• An Action tab describing each new action:
• Implementation details
• Score contribution
• Category or sorting dimensions

4. Fill in your controls to reflect internal policies or extra requirements—this is a good place to align with cis benchmark microsoft 365 style controls or other baseline requirements.
5. Import the Excel file back into Compliance Manager.

If there are any formatting or mapping errors, Compliance Manager highlights them inline so you can fix them quickly. That part is honestly nicer than most people expect.

Once the import succeeds:

• Click Create template.
• Your extended template is now ready to be used to create one or more assessments.

After you’ve created or extended a template, the final step is to turn it into an actual assessment you can work with:

1. Go to Assessment templates.
2. Select your new custom template.
3. Click Create assessment.
4. Assign it to the appropriate group.
5. Confirm settings and create.

At this point:

• The assessment shows up alongside your built-in ones.
• You can update control status, attach evidence, and assign owners just like any other assessment.

This is how many teams build an internal automated m365 compliance assessment flow:

• Use Microsoft templates for core regulatory baselines.
• Extend them with mapping to frameworks like SOC 2 or ISO 27001.
• Use custom controls to bring in cis microsoft 365 foundations style hardening rules or internal security standards.

It’s not full automation on its own, but it gives structure and traceability, which is half the battle for any m365 security audit.

You’ll usually feel the need for more automation when:

• You’re preparing for multiple audits per year (SOC 2, ISO 27001, HIPAA, PCI DSS, etc.).
• You need consistent, repeatable m365 security assessments across multiple tenants or business units.
• Your team spends too much time capturing screenshots or manually verifying settings.
• You want tighter alignment to cis benchmark microsoft 365 and other security baselines.

In those scenarios, you want tools that can:

• Continuously scan Microsoft 365 configuration
• Align with CIS Microsoft 365 Foundations
• Generate audit-ready reports with evidence
• Alert you to configuration drift, not just point-in-time issues

A good example in this space is ConfigCobra, which focuses on automated cloud compliance for Microsoft 365.

It can:

• Continuously check Microsoft 365 against CIS Microsoft 365 Foundations Benchmark (129 controls).
• Support Level 1 (essential) and Level 2 (enhanced) profiles, which is handy if you’re gradually tightening security.
• Run scheduled assessments (daily, weekly, monthly) instead of only on-demand checks.
• Generate audit-ready PDF reports with evidence and remediation guidance—ideal for showing external auditors how you’re aligned to CIS.
• Detect configuration drift in real time, which is something Compliance Manager alone doesn’t fully cover.
• Map CIS controls to other frameworks (NIS2, HIPAA, PCI DSS, ISO/IEC 27001, NIST CSF), effectively helping you reuse the same technical controls for multiple certifications.

ConfigCobra also supports custom rule sets, role-based access control, and is available via Microsoft AppSource with different licensing tiers (including a free trial). When you pair something like this with Compliance Manager, you get:

• Continuous, automated checks for CIS and security baselines
• Structured, evidence-rich assessments inside Compliance Manager
• A much smoother process for how to prepare for microsoft 365 security audit cycles every year

If your goal is serious, repeatable microsoft 365 compliance automation, it’s worth looking into. You can read more at:
https://configcobra.com/compliance