How to Use Compliance Manager for Microsoft 365

Robert Kiss

2/17/2026

Learn how to use Microsoft 365 Compliance Manager for Microsoft 365 security audits, CIS controls and automated compliance assessments.

Managing Microsoft 365 compliance can feel overwhelming, especially when you’re juggling multiple regulations, security expectations, and audit requests. Microsoft’s Compliance Manager inside Microsoft Purview is designed to make that a lot more manageable by giving you a centralized way to track your compliance score, run assessments, and document evidence.

In this guide, we’ll walk through how to use Compliance Manager for Microsoft 365 step by step. We’ll look at how to access it, understand the compliance score, set up assessments, manage controls, and keep your Microsoft 365 security audit posture in good shape. I’ll also point out where automation tools and CIS Benchmark-focused Microsoft 365 solutions can take you beyond the basics when you’re ready.

Understand the Compliance Manager basics

Before you start changing settings, it helps to know what Compliance Manager actually does and how it thinks about risk and controls.

What Compliance Manager is (and what it isn’t)

Compliance Manager is a feature in Microsoft Purview that helps you:

  • Track your organization’s posture against regulations and standards
  • See a unified Microsoft 365 compliance score
  • Manage improvement actions and evidence
  • Run and customize assessments based on templates

It’s not a silver bullet. It doesn’t magically make you compliant; rather, it provides structure, guidance, and visibility so you can prove and improve compliance.

You can access it at:

  • compliance.microsoft.com

Once you’re there, you’ll land on the Microsoft Purview portal. From the left navigation, select Compliance Manager to get to the overview page. If you don’t see it, you may need your Global Administrator or Compliance Administrator to grant you access.

For many organizations, this is also the starting point for a basic Microsoft 365 security assessment—you see where you stand and what Microsoft thinks you should fix first.

How the Compliance Score actually works

To be honest, a lot of people see the score and treat it like a magic grade. It isn’t. It’s simply a weighted way to show how many recommended actions you’ve addressed.

Each control (or improvement action) has a value. Controls are classified in a few different ways:

  • Mandatory vs discretionary
      • Mandatory: must be followed (e.g., password policies with a minimum length and complexity)
      • Discretionary: rely on user behavior (e.g., reminding users to lock their screens)
  • Preventative, detective, corrective
      • Preventative controls: stop an incident from happening (e.g., enforcing encryption)
      • Detective controls: help you spot issues, like system logs, alerts, or compliance audits
      • Corrective controls: help you recover and reduce impact (e.g., an incident response or privacy breach procedure)

Each control’s impact on your score is based on:

  • Its risk level
  • Whether it’s mandatory vs discretionary
  • Its type (preventative controls often carry more weight)

One thing that surprises people: your score is made up of Microsoft-managed actions and customer-managed actions. Microsoft-managed actions are controls Microsoft implements inside the cloud service—such as encryption at rest or default logging. Those give you a good baseline and show the value of the shared responsibility model.

Customer-managed actions are what you and your team must configure, document, and maintain. That’s where your day-to-day compliance work really lives.

Access and navigate Compliance Manager

Once you understand the basics, the next step is simply learning where everything lives in the interface so you’re not hunting around every time an auditor asks a question.

Step 1: Access Compliance Manager in Microsoft Purview

1. Go to compliance.microsoft.com in your browser.
2. Sign in with an account that has appropriate permissions (Compliance Administrator, Security Administrator, Global Administrator, or a delegated role).
3. From the left navigation, select Compliance Manager.

You’ll land on the Compliance Manager overview page.

If you’ve been here before, you might already have a dashboard card pinned. Either way, your starting point is the same: a high-level overview of your Microsoft 365 compliance posture.

Step 2: Read the overview dashboard

On the overview page, you’ll see:

  • Your Compliance Score front and center
  • A breakdown of how much comes from Microsoft-managed vs customer-managed actions
  • A prioritized list of key improvement actions with the potential score impact
  • A breakdown by category, such as:
      • Protect information
      • Govern information
      • Manage devices

Depending on your role and licensing, you may also see:

  • An Assessments view that organizes the score by regulation or standard (e.g., GDPR, ISO 27001)

This is your quick snapshot for Microsoft 365 security audit preparation. You can already answer high-level questions like:

  • “How much of our score is due to Microsoft configuration vs our own?”
  • “Which areas (devices, information protection, etc.) are lagging?”
  • “What’s the top handful of actions that will move the needle fastest?”

Set up and customize assessments

Assessments are where Compliance Manager becomes more than a score. They help you structure your work around specific regulations, frameworks, or internal policies—very useful for a serious Microsoft 365 compliance checklist.

Step 3: Use built-in assessment templates

Microsoft provides a large template library—well over 150 out-of-the-box assessment templates. These cover:

  • Global standards like ISO/IEC 27001
  • Regional regulations like GDPR
  • Industry-focused requirements in some cases

A few key points:

  • A template is just a blueprint. It contains control definitions, mappings, and recommended actions.
  • An assessment is an instance of a template that you actually use to record progress, evidence, and implementation status.

To create an assessment from a template:

1. In Compliance Manager, go to Assessments.
2. Click Add assessment.
3. Browse or search the template catalog (for example, GDPR or ISO 27001).
4. Select your template.
5. Give the assessment a clear name (e.g., “GDPR 2025 Audit – EU Region”).
6. Assign it to a group to organize it.

Groups are surprisingly flexible. Organizations use them to:

  • Separate assessments by audit year (e.g., 2024, 2025)
  • Separate by region (EU, US, APAC)
  • Separate by business unit (Finance, HR, R&D)

Once you click Create, the assessment is added, and it starts to influence both:

  • Your compliance score (more assessments = more possible points and more improvement actions)
  • Your work queue (you’ll see additional actions you might not have considered before)

Step 4: Explore assessment controls and families

Open your new assessment and you’ll typically see:

  • An overview of the assessment, status, and total achievable score
  • A Controls tab with:
      • Graphs summarizing control status
      • A list view of controls grouped by control family

For example, in a GDPR assessment you might see families such as:

  • Organization of information security
  • Mobile device policy
  • Access control

From the list view:

1. Click into a specific control family (e.g., Organization of information security).
2. Then select a specific control (e.g., Mobile device policy).

Here you’ll get:

  • A breakdown of specific improvement actions tied to that control
  • Details of Microsoft’s actions (Microsoft-managed controls)
  • Implementation notes and test notes from Microsoft that explain how they meet the requirement

This is useful for Microsoft 365 audit preparation because you can show auditors both your actions and what Microsoft covers as part of the service.

Manage controls, evidence, and collaboration

Once your assessments exist, the ongoing work is all about managing control status, documenting evidence, and collaborating with owners and auditors. This is where a lot of organizations either get organized—or get stuck.

Step 5: Identify failed or high-risk controls

To focus your effort, filter for controls that are failing or not yet implemented.

From the Groups or Assessments area:

1. Filter by test status (e.g., Failed, Not assessed).
2. Search for sensitive areas like mobile devices, external sharing, or data retention, depending on your priorities.

Example: you might see a control like “Require mobile devices to use a password” flagged as Failed with medium risk.

Click into the action and you’ll typically see:

  • Where this control appears across multiple assessments
  • The detailed requirements
  • Clear implementation steps
  • A Launch now link that takes you directly to the relevant configuration page in the Microsoft 365 admin center or Intune

This cross-linking is underrated. It essentially turns Compliance Manager into a semi-interactive Microsoft 365 security assessment playbook: see what’s wrong, click straight to where you fix it.

Step 6: Update implementation and test status

For actions that don’t yet have automated checks, you’ll need to manually track status.

Example: “Require mobile devices to wipe on multiple sign-in failures” might be unimplemented and not automatically assessed.

To update it:

1. Open the specific improvement action.
2. Click Edit status (or similar, depending on UI changes).
3. Assign the action to a colleague or owner for collaboration.
4. Set Implementation status (e.g., Implemented, Planned, Not started). For now, mark it as Implemented once you’ve configured it.
5. Set the implementation date.
6. When your internal auditor or control owner reviews it, they can set the Test status to Passed once they’ve validated it.
7. Click Save.

Only actions marked as Passed contribute to your compliance score, so it’s important not just to do the technical work but to close the loop in Compliance Manager.

You can also:

  • Upload evidence files (screenshots, policy PDFs, exported logs)
  • Add implementation details and test notes for auditors

Over time, this becomes a living Microsoft 365 compliance checklist with proof attached—not just a to-do list.

You’ll notice that when you mark actions as implemented and passed, your overall score on the overview page increases. That makes it easier to demonstrate progress to leadership and auditors alike.
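To make the scoring rules above concrete (weighted actions, a split between Microsoft-managed and customer-managed actions, and the Step 6 rule that only actions tested as Passed count), here is an added Python model of a compliance score. It is example code written for this guide, not Microsoft’s implementation: the point weights in `BASE_POINTS` and `RISK_MULTIPLIER` are assumptions chosen for illustration, the action list is constructed, and the function names are my own.

```python
from collections import defaultdict
from dataclasses import dataclass, replace

# Hypothetical point weights. The guide only says that an action's weight depends
# on whether it is mandatory or discretionary, on its control type and on its risk
# level; these numbers are an assumption for illustration, not Microsoft's published scoring.
BASE_POINTS = {
    ("mandatory", "preventative"): 27,
    ("mandatory", "detective"): 9,
    ("mandatory", "corrective"): 9,
    ("discretionary", "preventative"): 9,
    ("discretionary", "detective"): 3,
    ("discretionary", "corrective"): 3,
}
RISK_MULTIPLIER = {"high": 1.0, "medium": 0.5, "low": 0.25}


@dataclass(frozen=True)
class ImprovementAction:
    title: str
    managed_by: str            # "Microsoft" (baseline from the service) or "Customer"
    category: str              # e.g. "Protect information", "Manage devices"
    obligation: str            # "mandatory" or "discretionary"
    control_type: str          # "preventative", "detective" or "corrective"
    risk: str                  # "high", "medium" or "low"
    implementation_status: str = "Not started"
    test_status: str = "Not assessed"
    implementation_date: str = ""

    def max_points(self) -> float:
        """Points this action is worth once it passes testing."""
        return BASE_POINTS[(self.obligation, self.control_type)] * RISK_MULTIPLIER[self.risk]

    def earned_points(self) -> float:
        """Only actions whose test status is Passed contribute to the score."""
        return self.max_points() if self.test_status == "Passed" else 0.0


def compliance_score(actions):
    """Return (earned, achievable) points, like the headline score on the overview page."""
    return (sum(a.earned_points() for a in actions),
            sum(a.max_points() for a in actions))


def score_by(actions, key):
    """Break the score down by any attribute, e.g. managed_by or category."""
    earned, achievable = defaultdict(float), defaultdict(float)
    for a in actions:
        earned[key(a)] += a.earned_points()
        achievable[key(a)] += a.max_points()
    return {k: (earned[k], achievable[k]) for k in achievable}


def top_improvement_actions(actions, n=3):
    """Open actions ranked by the score they would add: the dashboard's 'key improvement actions'."""
    open_actions = [a for a in actions if a.test_status != "Passed"]
    return sorted(open_actions, key=lambda a: (-a.max_points(), a.title))[:n]


def close_the_loop(actions, title, implemented_on):
    """Record an action as Implemented and Passed (Step 6) and return the updated list."""
    return [replace(a, implementation_status="Implemented", test_status="Passed",
                    implementation_date=implemented_on) if a.title == title else a
            for a in actions]


# Constructed sample of actions; the titles follow the examples used in this guide.
SAMPLE_ACTIONS = [
    ImprovementAction("Encrypt data at rest", "Microsoft", "Protect information",
                      "mandatory", "preventative", "high", "Implemented", "Passed"),
    ImprovementAction("Enable audit logging by default", "Microsoft", "Govern information",
                      "mandatory", "detective", "high", "Implemented", "Passed"),
    ImprovementAction("Require mobile devices to use a password", "Customer", "Manage devices",
                      "mandatory", "preventative", "medium", "Not started", "Failed"),
    ImprovementAction("Require mobile devices to wipe on multiple sign-in failures", "Customer",
                      "Manage devices", "mandatory", "corrective", "medium", "Implemented", "Not assessed"),
    ImprovementAction("Require MFA for all users", "Customer", "Protect information",
                      "mandatory", "preventative", "high", "Implemented", "Passed"),
    ImprovementAction("Remind users to lock their screens", "Customer", "Manage devices",
                      "discretionary", "preventative", "low", "Implemented", "Passed"),
    ImprovementAction("Define a privacy breach procedure", "Customer", "Govern information",
                      "mandatory", "corrective", "high", "Planned", "Not assessed"),
]

if __name__ == "__main__":
    earned, achievable = compliance_score(SAMPLE_ACTIONS)
    print(f"Compliance score: {earned:g} / {achievable:g}")
    for owner, (e, m) in score_by(SAMPLE_ACTIONS, lambda a: a.managed_by).items():
        print(f"  {owner}-managed: {e:g} / {m:g}")
    for cat, (e, m) in score_by(SAMPLE_ACTIONS, lambda a: a.category).items():
        print(f"  {cat}: {e:g} / {m:g}")
    print("Top improvement actions:")
    for a in top_improvement_actions(SAMPLE_ACTIONS):
        print(f"  +{a.max_points():g}  {a.title} ({a.test_status})")
    updated = close_the_loop(SAMPLE_ACTIONS, "Require mobile devices to use a password", "2026-02-17")
    print(f"After closing the loop: {compliance_score(updated)[0]:g} / {achievable:g}")
```

Two things the model makes visible that the dashboard only implies: the mobile-device password action in the sample is already configured in Intune in the story above, yet it adds nothing until its test status is Passed, and the Microsoft-managed rows are what put a non-zero score on the board before you have done any work yourself.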

Create and extend custom assessment templates

Built-in templates are great, but many organizations need to align Microsoft 365 with broader frameworks—SOC 2, ISO 27001, NIS2, HIPAA, or internal security baselines such as the CIS Microsoft 365 Foundations Benchmark. That’s where custom templates help.

Step 7: Extend existing templates with new controls

Sometimes you want to stick with a standard like ISO 27001 or GDPR but add a few internal or CIS-specific controls.

Compliance Manager lets you extend an existing template by importing additional controls and actions from an Excel file.

The typical process:

1. From Assessment templates, pick an existing template to extend (for example, ISO 27001).
2. Download the sample Excel file Microsoft provides.
3. Open the file; you’ll usually see:
      • A Template tab with metadata (title, product, certifications, covered services)
      • A Control family tab where you define control families and map actions to controls (using something like a Control Action Title column)
      • An Action tab describing each new action:
          • Implementation details
          • Score contribution
          • Category or sorting dimensions
4. Fill in your controls to reflect internal policies or extra requirements—this is a good place to align with CIS Microsoft 365 Benchmark-style controls or other baseline requirements.
5. Import the Excel file back into Compliance Manager.

If there are any formatting or mapping errors, Compliance Manager highlights them inline so you can fix them quickly. That part is honestly nicer than most people expect.

Once the import succeeds:

  • Click Create template.
  • Your extended template is now ready to be used to create one or more assessments.
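Compliance Manager flags formatting and mapping errors at import time, but the cycle of fixing the spreadsheet and re-importing is faster if you catch the obvious mistakes first. The following added Python script (written for this guide, not part of Compliance Manager or its sample workbook) checks the same three tabs before import: required metadata on the Template tab, complete rows and numeric score contributions on the Action tab, and that every Control Action Title on the Control family tab refers to an action that is actually defined. The three tabs are represented as CSV text here so the script runs without a workbook library; the column names other than Control Action Title, and the sample rows, are assumptions.

```python
import csv
import io

# Constructed sample of the three tabs as CSV text. Only "Control Action Title"
# is named in the guide; the other column names are assumptions for illustration.
TEMPLATE_TAB = """title,product,certifications,covered services
ISO 27001 + internal baseline,Microsoft 365,ISO/IEC 27001,"Exchange Online, SharePoint Online, Intune"
"""

CONTROL_FAMILY_TAB = """control family,control title,Control Action Title
Access control,Mobile device policy,Require mobile devices to use a password
Access control,Mobile device policy,Require mobile devices to wipe on multiple sign-in failures
Access control,External sharing,Restrict SharePoint external sharing to existing guests
Access control,External sharing,Review guest access quarterly
"""

ACTION_TAB = """action title,implementation details,score contribution,category
Require mobile devices to use a password,Intune compliance policy requiring a device password,9,Manage devices
Require mobile devices to wipe on multiple sign-in failures,Intune compliance policy wiping after repeated failed sign-ins,3,Manage devices
Restrict SharePoint external sharing to existing guests,Set SharePoint sharing level to existing guests only,,Protect information
Log admin role activations,Review privileged role activation audit log weekly,3,Govern information
"""

REQUIRED_TEMPLATE_FIELDS = ("title", "product")
REQUIRED_FAMILY_FIELDS = ("control family", "control title", "Control Action Title")
REQUIRED_ACTION_FIELDS = ("action title", "implementation details", "score contribution")


def read_tab(text):
    """Parse one tab into a list of row dicts (with openpyxl you would read the sheet instead)."""
    return list(csv.DictReader(io.StringIO(text)))


def cell(row, field):
    return (row.get(field) or "").strip()


def validate_template(template_rows, family_rows, action_rows):
    """Return (errors, warnings); errors would make the import fail, warnings are hygiene."""
    errors, warnings = [], []

    # 1. Template tab: exactly one metadata row with the required fields filled in.
    if len(template_rows) != 1:
        errors.append("Template tab: expected exactly one metadata row")
    else:
        for field in REQUIRED_TEMPLATE_FIELDS:
            if not cell(template_rows[0], field):
                errors.append(f"Template tab: '{field}' is empty")

    # 2. Action tab: every action complete, score numeric, titles unique.
    defined = {}                                  # action title -> spreadsheet row
    for row_no, row in enumerate(action_rows, start=2):   # row 1 is the header
        for field in REQUIRED_ACTION_FIELDS:
            if not cell(row, field):
                errors.append(f"Action tab row {row_no}: '{field}' is empty")
        score = cell(row, "score contribution")
        if score and not score.isdigit():
            errors.append(f"Action tab row {row_no}: score contribution '{score}' is not a whole number")
        title = cell(row, "action title")
        if title in defined:
            errors.append(f"Action tab row {row_no}: duplicate action title '{title}'")
        elif title:
            defined[title] = row_no

    # 3. Control family tab: complete rows, and every referenced action must exist.
    mapped = set()
    for row_no, row in enumerate(family_rows, start=2):
        for field in REQUIRED_FAMILY_FIELDS:
            if not cell(row, field):
                errors.append(f"Control family tab row {row_no}: '{field}' is empty")
        ref = cell(row, "Control Action Title")
        if ref and ref not in defined:
            errors.append(f"Control family tab row {row_no}: action '{ref}' is not defined in the Action tab")
        mapped.add(ref)

    # 4. Actions nobody mapped never surface in an assessment: worth a warning.
    for title in defined:
        if title not in mapped:
            warnings.append(f"Action '{title}' is defined but not mapped to any control")
    return errors, warnings


def check_sample():
    return validate_template(read_tab(TEMPLATE_TAB), read_tab(CONTROL_FAMILY_TAB), read_tab(ACTION_TAB))


if __name__ == "__main__":
    errors, warnings = check_sample()
    for message in errors:
        print("ERROR   ", message)
    for message in warnings:
        print("WARNING ", message)
    print("ready to import" if not errors else f"{len(errors)} error(s) to fix before import")
```

The constructed sample deliberately contains two of the mistakes the import would otherwise catch (a blank score contribution and a control mapped to an action that was never defined) plus one orphaned action that the import would accept silently.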

Step 8: Create assessments from your custom templates

After you’ve created or extended a template, the final step is to turn it into an actual assessment you can work with:

1. Go to Assessment templates.
2. Select your new custom template.
3. Click Create assessment.
4. Assign it to the appropriate group.
5. Confirm settings and create.

At this point:

  • The assessment shows up alongside your built-in ones.
  • You can update control status, attach evidence, and assign owners just like any other assessment.

This is how many teams build an internal automated Microsoft 365 compliance assessment flow:

  • Use Microsoft templates for core regulatory baselines.
  • Extend them with mapping to frameworks like SOC 2 or ISO 27001.
  • Use custom controls to bring in CIS Microsoft 365 Foundations-style hardening rules or internal security standards.

It’s not full automation on its own, but it gives structure and traceability, which is half the battle for any Microsoft 365 security audit.

Go beyond the basics with automation and CIS benchmarks

Compliance Manager gives you strong native capabilities, but as environments grow, manual updates and fragmented evidence can still become painful. This is where dedicated Microsoft 365 compliance automation tools are worth considering, especially if you’re targeting CIS-certified style maturity for Microsoft 365 or aligning with many frameworks at once.

When to introduce automated Microsoft 365 compliance

You’ll usually feel the need for more automation when:

  • You’re preparing for multiple audits per year (SOC 2, ISO 27001, HIPAA, PCI DSS, etc.).
  • You need consistent, repeatable Microsoft 365 security assessments across multiple tenants or business units.
  • Your team spends too much time capturing screenshots or manually verifying settings.
  • You want tighter alignment to the CIS Microsoft 365 Benchmark and other security baselines.

In those scenarios, you want tools that can:

  • Continuously scan Microsoft 365 configuration
  • Align with CIS Microsoft 365 Foundations
  • Generate audit-ready reports with evidence
  • Alert you to configuration drift, not just point-in-time issues
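The last point, drift rather than point-in-time findings, is the one that manual screenshot-gathering cannot deliver. The added Python example below (written for this guide; it is not ConfigCobra’s or Microsoft’s code) shows the core of a drift check: flatten two configuration snapshots into dotted setting paths, report what was added, removed or changed, and rank the findings by how much the setting matters. The snapshots, setting names and severity mapping are constructed assumptions modelled on CIS Microsoft 365 Foundations topics; they are not real Graph or PowerShell property names.

```python
import json

# Constructed baseline and current snapshots of a few tenant settings. Setting names
# are assumptions modelled on CIS Microsoft 365 Foundations topics, values are made up.
BASELINE_JSON = """{
  "entra": {"securityDefaultsEnabled": false, "legacyAuthBlocked": true, "mfaRequiredForAdmins": true},
  "sharepoint": {"sharingCapability": "ExistingExternalUserSharingOnly", "defaultLinkType": "Internal"},
  "exchange": {"unifiedAuditLogEnabled": true, "autoForwardMode": "Off"},
  "metadata": {"capturedAt": "2026-02-10T08:00:00Z"}
}"""

CURRENT_JSON = """{
  "entra": {"securityDefaultsEnabled": false, "legacyAuthBlocked": true},
  "sharepoint": {"sharingCapability": "ExternalUserAndGuestSharing", "defaultLinkType": "Internal"},
  "exchange": {"unifiedAuditLogEnabled": true, "autoForwardMode": "Automatic"},
  "teams": {"allowGuestAccess": true},
  "metadata": {"capturedAt": "2026-02-17T08:00:00Z"}
}"""

# Assumed mapping of settings to how serious drift is; anything unlisted is "low".
SEVERITY = {
    "entra.mfaRequiredForAdmins": "high",
    "entra.legacyAuthBlocked": "high",
    "entra.securityDefaultsEnabled": "medium",
    "sharepoint.sharingCapability": "high",
    "exchange.autoForwardMode": "medium",
    "exchange.unifiedAuditLogEnabled": "high",
}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}
# Volatile keys that change on every capture and are not configuration.
IGNORE_PREFIXES = ("metadata.",)


def flatten(obj, prefix=""):
    """Turn nested dicts into {"section.setting": value} so snapshots compare key by key."""
    flat = {}
    for key, value in obj.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            flat.update(flatten(value, path + "."))
        else:
            flat[path] = value
    return flat


def detect_drift(baseline, current, ignore_prefixes=IGNORE_PREFIXES):
    """Return drift events (setting added, removed or changed), most severe first."""
    before, after = flatten(baseline), flatten(current)
    events = []
    for path in sorted(set(before) | set(after)):
        if path.startswith(ignore_prefixes):
            continue
        if path not in after:
            change = "removed"      # a setting the baseline asserted is no longer reported
        elif path not in before:
            change = "added"        # new surface the baseline never assessed
        elif before[path] != after[path]:
            change = "changed"
        else:
            continue
        events.append({
            "setting": path,
            "change": change,
            "baseline": before.get(path),
            "current": after.get(path),
            "severity": SEVERITY.get(path, "low"),
        })
    return sorted(events, key=lambda e: (SEVERITY_ORDER[e["severity"]], e["setting"]))


def summarize(events):
    """Count drift events per severity, e.g. to decide whether to page someone."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for event in events:
        counts[event["severity"]] += 1
    return counts


def run_sample():
    return detect_drift(json.loads(BASELINE_JSON), json.loads(CURRENT_JSON))


if __name__ == "__main__":
    for event in run_sample():
        print(f"[{event['severity']:6}] {event['setting']}: {event['change']} "
              f"(baseline={event['baseline']!r}, current={event['current']!r})")
    print(summarize(run_sample()))
```

In a real deployment the two snapshots come from scheduled exports of tenant configuration, the baseline is the state you last marked Passed in Compliance Manager, and each high-severity event is what you would want raised as an alert and attached as evidence rather than discovered in the week before an audit.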

Example: Automating CIS benchmark checks with ConfigCobra

A good example in this space is ConfigCobra, which focuses on automated cloud compliance for Microsoft 365.

It can:

  • Continuously check Microsoft 365 against CIS Microsoft 365 Foundations Benchmark (129 controls).
  • Support Level 1 (essential) and Level 2 (enhanced) profiles, which is handy if you’re gradually tightening security.
  • Run scheduled assessments (daily, weekly, monthly) instead of only on-demand checks.
  • Generate audit-ready PDF reports with evidence and remediation guidance—ideal for showing external auditors how you’re aligned to CIS.
  • Detect configuration drift in real time, which is something Compliance Manager alone doesn’t fully cover.
  • Map CIS controls to other frameworks (NIS2, HIPAA, PCI DSS, ISO/IEC 27001, NIST CSF), effectively helping you reuse the same technical controls for multiple certifications.

ConfigCobra also supports custom rule sets and role-based access control, and it is available via Microsoft AppSource with different licensing tiers (including a free trial). When you pair something like this with Compliance Manager, you get:

  • Continuous, automated checks for CIS and security baselines
  • Structured, evidence-rich assessments inside Compliance Manager
  • A much smoother way to prepare for Microsoft 365 security audit cycles every year

If your goal is serious, repeatable Microsoft 365 compliance automation, it’s worth looking into. You can read more at:
https://configcobra.com/compliance

Using Compliance Manager for Microsoft 365 is one of the most practical ways to bring structure and visibility to your compliance work. You start with a clear compliance score, then layer in assessments, manage controls, track evidence, and—importantly—show measurable progress over time.

To recap the core steps:

  • Access Compliance Manager via the Microsoft Purview portal
  • Understand how the score is built from Microsoft-managed and customer-managed actions
  • Create assessments from templates for your key regulations and frameworks
  • Drill into control families, remediate failed actions, and keep implementation/test status up to date
  • Extend templates with your own controls to match internal policies or external baselines

From there, you can decide how far you want to go with automation. If you’re aligning to the CIS Microsoft 365 Benchmark, managing multiple standards, or you just want cleaner, audit-ready evidence for your Microsoft 365 security audit, pairing Compliance Manager with an automated assessment tool can make a big difference.

Solutions like ConfigCobra add continuous CIS-based scanning, drift detection, and mapped reporting that plug neatly into your existing compliance workflow, without replacing the value of Compliance Manager. If you’re ready to tighten your Microsoft 365 security and streamline audits, explore how Microsoft 365 compliance automation tools like ConfigCobra can complement your current setup:

https://configcobra.com/compliance

Even starting with a single, focused assessment and a few top-risk controls will move you forward. The important thing is to make Compliance Manager part of your regular operational rhythm, not just something you open the week before an audit.
