Learn about regulations in Compliance Manager
Important
The regulations that are available for your organization's use by default depend on your licensing agreement. Review licensing details.
Tip
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.
Regulations overview
Tip
In the new Microsoft Purview portal, the Regulations page is found on the left navigation instead of as a tab at the top.
The Regulations page in Compliance Manager displays the list of regulations and certifications for which Compliance Manager provides control-mapping templates. When you build an assessment, you choose the underlying regulation by selecting from among our set of regulatory templates, then select the services you want to assess for that regulation. Setting up Compliance Manager for multicloud support provides you with greater automation in testing and monitoring of controls.
Each regulatory template also comes in a universal version, which provides general control mapping that can broadly apply to services. Universal templates provide the most general type of implementation guidance and require manual implementation and testing by the organization. Note that US Government Community (GCC) Moderate, GCC High, and Department of Defense (DoD) customers can't currently use universal templates.
List of regulations
Visit Compliance Manager regulations list to see the list of all regulatory templates available for building assessments.
Regulation availability and licensing
The Microsoft Data Protection Baseline regulatory template is available for organizations at all subscription levels to use. The regulations designated as premium require purchase of a license to use them.
On the Regulations page in Compliance Manager, the regulations are grouped under three headings:
- Included templates: The Microsoft data protection baseline.
- Premium AI templates: To use for assessments for AI regulations.
- Premium templates: All other global, regional, and industry regulations.
When you purchase a license for a regulatory template, you can create as many assessments for that regulation as you wish. Depending on your licensing agreement, your organization might be able to use up to three more premium regulatory templates for free. When you begin creating assessments, Compliance Manager tracks how many templates are active so you can monitor your usage.
Resources
- Learn more about included regulations by subscription level.
- Go to the Compliance Manager service description.
- Understand your regulation usage through active and inactive regulation status.
Purchasing premium regulations
Licenses for premium regulatory templates can be obtained in various ways, depending on your Compliance Manager licensing agreement. Once your purchase has been finalized, the templates should become available in your tenant within 48 hours. Licenses for activated regulations are good for one year.
- Commercial and GCC Moderate: Purchase licenses in the admin center (learn more about subscriptions, licenses, and billing). Select the quantity of licenses you wish to purchase and your payment plan.
- Commercial
- GCC Moderate
- You can also acquire licenses through your participation in the Cloud Solution Provider program or volume licensing.
- GCC High and DOD accounts: Purchase through volume licensing.
Staring a premium trial
You can try out premium regulation templates by acquiring trial versions of the licenses. Trial licenses are good for up to 25 templates for 90 days. Once you obtain your trial license, the templates should become available in your tenant within 48 hours. If your organization has a commercial license for Compliance Manager, you can learn how to start your trial at About the free trial for Microsoft Purview Compliance Manager premium assessments. If your organization is under a GCC or DOD license, choose the appropriate trial link for your organization:
Active and inactive regulations
Regulations display a status as either active or inactive:
- Active indicates use in at least one assessment.
- Inactive indicates it's not being used for an assessment.
When you use a premium regulation to create an assessment, that regulation's availability status changes to Active and the purchased license is active for one year. Your purchase renews automatically unless you cancel.
Regulation licenses counter
The Regulation licenses used counter near the top of the Regulations page represents the number of regulatory templates in use out of the number you're eligible to use according to your licensing agreement and any purchased licenses. For example, if your counter shows 2/5, it means your organization has activated two regulations out of the five that are available to use. If your counter shows 5/2, it indicates that your organization exceeds its limits and needs to purchase three of the premium regulations in use.
Select View details the counter to view a detailed list of all regulations in use and their corresponding assessments.
Regulations details page
Select a regulation from the list on the Regulations page to open a regulation's details page. Regulatory templates that belong to the same regulation family are counted as one template. The regulation family is shown in the Overarching regulation column on the Assessment templates page. When you purchase a template license for a regulation and activate the template, it counts as one activated template even if you create assessments for different levels or versions of that regulation. For example, if you use a template for CMMC Level 1 and a template for CMMC Level 2, your activated templates counter increases by only one.
For more information, see Compliance Manager licensing guidance.
Grant user access to regulations
When you assign users a Compliance Manager role in the Microsoft Purview compliance portal, their role extends by default to all regulations (review the Compliance Manager role types). This access means that, depending on the user's role type, they can view or interact with any existing or future assessments created with that regulation.
You can give users a specific role that applies to certain regulations by managing user roles from a regulation's details page. When you set a user's role for a regulation, the user will be able to interact at that role level for all assessments (existing and future) created with that regulation. (You can also restrict access to individual assessments following these instructions.)
External users who need access for auditing or other purposes can also be assigned an access role for regulations. You provide access to external individual by assigning them a Microsoft Entra role. Learn more about assigning roles.
Steps for granting access
Follow the steps to grant user access to a regulation.
From the Regulations page, find the regulation you want to grant access to. Select it to open its details page.
In the upper-right corner, select Manage user access.
A Manage user access flyout pane appears. It has three tabs, one for each role of Reader, Assessor, and Contributor. Navigate to the tab for the role you want your user to hold for this regulation.
Select the + Add command for the role tab you're on: Add readers, or Add assessors or Add contributors.
Another flyout pane appears which lists all the users in your organization. You can select the checkbox next to the username you want to add, or you can enter their name in the search bar and select the user from there. You can select multiple users at once.
After making all your selections, select Add.
Note
If you assign a role to someone who already has an existing role, the new role assignment you choose will override their existing role. In this case, you'll see a confirmation box asking you to confirm the change in role.
The flyout pane closes and you arrive back at the regulation details page. Select Save. A confirmation message at the top confirms the new role assignment for that regulation.
Steps for removing access
You can remove a user's access to individual regulations by following these steps:
On the regulation's details page, select Manage user access.
On the Manage user access flyout pane, go the tab corresponding to the user's role you want to remove.
Find the user whose role you want to remove. Check the circle to the left of their name, then select the Remove command just below the role tab. To remove all users at once, select the Remove all command without checking the circle next to every user's name.
A Remove access? dialog appears, asking you to confirm the removal. Select Remove access to confirm the role removal.
Select Save on the flyout pane. The users' roles will now be removed from the assessment.
Note about multiple roles
A user can have one role that applies to a regulation, while also holding another role that applies broadly to overall Compliance Manager access.
- For example, if you've assigned a user a Compliance Manager Reader role in Microsoft Purview compliance portal Permissions, you can also assign that user a Compliance Manager Assessor role for a specific regulation. In effect, the user holds the two roles at the same time, but their ability to edit data will be limited to the assessment to which they've been assigned the Assessor role.
- Removing a regulation-based role won't remove the user's overall Compliance Manager role if they have one. If you want to change a user's overall role, you have to change it from the Permissions page in the Microsoft Purview compliance portal.
For an individual regulation, one user can only hold one assessment-based role at a time.
- For example, if a user holds a reader role for the GDPR regulation and you want to change them to a contributor role, you'll first need to remove their reader role, and then reassign them the reader role.
Note
Admins whose permissions for Compliance Manager were set in Microsoft Entra ID won't appear on the Manage user access flyout pane. This means that if a user has access to one or more regulations, and their role is Global Administrator, Compliance Administrator, Compliance Data Administrator, or Security Administrator, they won't appear on this pane. Learn more about setting Compliance Manager permissions and roles.