Microsoft Purview Compliance Manager
Compliance Manager scores your tenant against compliance frameworks and tracks improvements over time.
Microsoft Purview Compliance Manager is the tool that scores your Microsoft 365 tenant against named compliance frameworks (ISO 27001, NIST 800-53, GDPR, HIPAA, PCI-DSS, SOC 2, and dozens more), tracks improvements over time, and surfaces actions you can take to raise the score. Think of it as Secure Score for compliance.
How Compliance Manager works
The product breaks compliance frameworks into individual improvement actions — concrete configuration steps that map to specific control IDs in the frameworks. Each action has:
- Score weight — how much it contributes to your compliance score.
- Implementation guidance — what to do.
- Microsoft action — actions Microsoft has already taken (e.g., infrastructure controls automatically met).
- Customer action — actions you need to take in your tenant.
- Test mode — automatic technical assessment for actions Microsoft can verify (does your tenant have MFA enforced? is DLP enabled?).
- Manual evidence — for actions that can't be auto-verified, attach documentation evidence.
The result is a single Compliance Score for the tenant and per-assessment scores for each chosen framework.
Assessments
An assessment is a Compliance Manager evaluation against a specific framework, scoped to a specific service. Microsoft ships pre-built assessments for hundreds of frameworks — pick the ones relevant to your industry and region. Each assessment runs continuously, updating as your configuration changes.
For frameworks not in Microsoft's library, you can build custom assessments with your own control set and score weights.
What it doesn't do
- Compliance Manager doesn't make you compliant — it tracks your status against frameworks. Compliance still depends on real-world processes (staff training, business processes, contracts) that aren't visible in Microsoft 365.
- It doesn't replace audit — auditors still verify your evidence. Compliance Manager helps prepare for audit, not replace it.
- It can't verify everything automatically — many actions require manual evidence (your policies, your training records, your contracts).
Operational model
A typical Compliance Manager rollout:
- Pick relevant assessments — what frameworks does your organisation actually need to meet?
- Walk through actions — Microsoft actions are already met; focus on customer actions.
- Implement quick wins — many actions are simple tenant configuration changes (enable DKIM, enable Conditional Access policy X, etc.).
- Document evidence for manual actions — upload policy documents, training records, attestations.
- Track score over time — Compliance Manager shows trajectory; share with compliance leadership.
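The scoring model described under "How Compliance Manager works" and the rollout steps above can be made concrete with a small simulation. The following is an added example written for this page; it is not Microsoft's code, and its scoring rule (Microsoft actions always count, automatic customer actions count only when the technical test passes, manual customer actions count only when implemented and evidence is attached) is an assumption that approximates the behaviour the text describes rather than the product's real algorithm. The action catalogue, point values and control IDs are constructed placeholders, not real Compliance Manager mappings. What the model shows that the prose does not: one customer action typically maps to controls in several frameworks, so completing it moves several assessment scores at once, and marking a manual action "implemented" without evidence earns nothing.

```python
"""Toy model of Compliance Manager-style scoring.

Constructed illustration for this page: not Microsoft's algorithm or data.
"""
from dataclasses import dataclass, field
from enum import Enum


class Owner(Enum):
    MICROSOFT = "microsoft"   # control already met by Microsoft's infrastructure
    CUSTOMER = "customer"     # tenant admin has to act


class Verification(Enum):
    AUTOMATIC = "automatic"   # "test mode": tenant configuration is checked technically
    MANUAL = "manual"         # needs uploaded documentation as evidence


@dataclass
class ImprovementAction:
    action_id: str
    owner: Owner
    points: int                                   # score weight
    verification: Verification
    controls: dict                                # framework -> control IDs it satisfies (placeholders)
    implemented: bool = False                     # admin marked the action as done
    test_passed: bool = False                     # outcome of the automatic test
    evidence: list = field(default_factory=list)  # attached documents for manual actions

    def counts(self) -> bool:
        """Whether the action currently earns its points (assumed rule set)."""
        if self.owner is Owner.MICROSOFT:
            return True                              # Microsoft actions are already met
        if self.verification is Verification.AUTOMATIC:
            return self.test_passed                  # only a passing technical test counts
        return self.implemented and bool(self.evidence)  # manual: implemented AND evidenced


def assessment_score(actions, framework):
    """Percentage of available points earned for one framework's assessment."""
    relevant = [a for a in actions if framework in a.controls]
    total = sum(a.points for a in relevant)
    earned = sum(a.points for a in relevant if a.counts())
    return round(100 * earned / total, 1) if total else 0.0


def compliance_score(actions):
    """Single tenant-wide score over every action regardless of framework."""
    total = sum(a.points for a in actions)
    earned = sum(a.points for a in actions if a.counts())
    return round(100 * earned / total, 1) if total else 0.0


def open_customer_actions(actions):
    """Unmet customer actions, highest impact first (points x frameworks touched).

    This is the 'quick wins' list an admin would walk through in a rollout.
    """
    todo = [a for a in actions if a.owner is Owner.CUSTOMER and not a.counts()]
    return sorted(todo, key=lambda a: a.points * len(a.controls), reverse=True)


def build_sample():
    """Fresh copy of a constructed catalogue; control IDs are placeholders."""
    return [
        ImprovementAction("infra-encryption-at-rest", Owner.MICROSOFT, 27, Verification.AUTOMATIC,
                          {"ISO 27001": ["A.10.1"], "NIST 800-53": ["SC-28"]}),
        ImprovementAction("enforce-mfa-for-admins", Owner.CUSTOMER, 27, Verification.AUTOMATIC,
                          {"ISO 27001": ["A.9.4"], "NIST 800-53": ["IA-2"], "PCI-DSS": ["8.4"]}),
        ImprovementAction("enable-dlp-policy", Owner.CUSTOMER, 9, Verification.AUTOMATIC,
                          {"ISO 27001": ["A.13.2"], "PCI-DSS": ["3.4"]}),
        ImprovementAction("annual-security-training", Owner.CUSTOMER, 3, Verification.MANUAL,
                          {"ISO 27001": ["A.7.2"], "NIST 800-53": ["AT-2"]}),
    ]


def find(actions, action_id):
    return next(a for a in actions if a.action_id == action_id)


if __name__ == "__main__":
    actions = build_sample()
    frameworks = ["ISO 27001", "NIST 800-53", "PCI-DSS"]

    def report(label):
        print(f"{label}: overall {compliance_score(actions)}%",
              {f: assessment_score(actions, f) for f in frameworks})

    report("initial")                       # only the Microsoft action counts
    for a in open_customer_actions(actions):
        print("  todo:", a.action_id, "worth", a.points, "points in", len(a.controls), "frameworks")

    find(actions, "enforce-mfa-for-admins").test_passed = True   # automatic test now passes
    report("after MFA")                     # three assessments move at once

    training = find(actions, "annual-security-training")
    training.implemented = True             # marked done, but no evidence uploaded yet
    report("training marked done")          # no change: manual action needs evidence
    training.evidence.append("training-records-2024.pdf")       # constructed file name
    report("training evidenced")
```

The report output is illustrative; the point to take from the run is that the MFA action alone lifts all three assessment scores, while the manual training action contributes nothing until a document is attached.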
Integration with other Purview features
- Sensitivity labels, DLP and retention policies contribute to compliance posture; their configuration is reflected in Compliance Manager.
- eDiscovery and audit are linked to specific compliance controls.
- Customer Lockbox is linked to controls requiring third-party access oversight.
Licensing
Basic Compliance Manager is available in Microsoft 365 E3 with a limited set of assessments. Full Compliance Manager — all frameworks, all custom assessment capabilities — requires Microsoft 365 E5, Microsoft 365 E5 Compliance, or Compliance Manager Premium.
For organisations needing to demonstrate compliance with one or more frameworks, Compliance Manager is the structured way to track progress and surface where the gaps are.