Analyze the Microsoft Compliance score

  • 8 minutes

The Compliance Manager dashboard displays an organization's overall compliance score. This score measures a company's progress in completing recommended improvement actions within controls. Its score can help it understand its current compliance posture. It can also help the company prioritize actions based on their potential to reduce risk.

Compliance Manager assigns a score value at three levels:

  • Improvement action score. Each action has a different effect on a company's overall score. Its effect depends on the potential risk involved with the action.
  • Control score. This score is the sum of points earned by completing improvement actions within the control. Compliance Manager applies this sum in its entirety to the company's overall compliance score when the control meets both of the following conditions:
    • Implementation Status equals Implemented or Alternative Implementation.
    • Test Result equals Passed.
  • Assessment score. This score is the sum of the control scores. Compliance Manager calculates it using action scores. It counts each Microsoft action and each improvement action managed by an organization once, regardless of how often a control references the action.

Compliance Manager calculates the overall compliance score using action scores:

  • It counts each Microsoft action once.
  • It counts each technical action the company manages once.
  • It counts each nontechnical action the company manages once per group.

This logic is designed to provide the most accurate accounting of how an organization implements and tests actions.

Note

You may notice that this design can cause your overall compliance score to differ from the average of your assessment scores. For more information, see the section later in this unit on how Compliance Manager determines score values.

Initial score based on Microsoft 365 data protection baseline

Compliance Manager gives an organization an initial score based on the Microsoft 365 Data Protection Baseline. This baseline is a set of controls that includes key regulations and standards for data protection and general data governance. This baseline draws elements primarily from:

  • NIST CSF (National Institute of Standards and Technology Cybersecurity Framework)
  • ISO (International Organization for Standardization)
  • FedRAMP (Federal Risk and Authorization Management Program)

Compliance Manager calculates a company's initial score according to the default Data Protection Baseline assessment provided to all organizations. Upon a company's first visit, Compliance Manager is already collecting signals from its Microsoft 365 solutions. An organization can see at a glance how it's performing relative to key data protection standards and regulations. It can also see suggested improvement actions to take.

Because every organization has specific needs, Compliance Manager relies on each organization to set up and manage assessments. Organizations should design these assessments to minimize and mitigate risk as comprehensively as possible.

How Compliance Manager continuously assesses controls

Compliance Manager automatically identifies settings in an organization's Microsoft 365 environment that help determine when certain configurations meet improvement action implementation requirements. Compliance Manager detects signals from other compliance solutions the company deployed, such as:

  • Data lifecycle management
  • Information protection
  • Communication compliance
  • Insider risk management

Compliance Manager also applies compliance score monitoring of complementary improvement actions.

Compliance Manager updates an organization's action status on its dashboard within 24 hours of the organization making a change. Once an organization follows a recommendation to implement a control, it typically sees the control status updated the next day.

For example, if a company turns on multifactor authentication (MFA) in the Microsoft Entra admin center, Compliance Manager detects the setting and reflects it in the control access solution details. Conversely, if a company doesn't turn on MFA, Compliance Manager flags that as a recommended action for you to take.

Action types and points

Compliance Manager tracks two types of actions:

  • Your improvement actions. Actions that your organization manages.
  • Microsoft actions. Actions that Microsoft manages.

Both types of actions have points that count toward a company's overall score when completed.

Technical and nontechnical actions

Actions are grouped by whether they're technical or nontechnical in nature. The scoring effect of each action differs by type.

  • Technical actions. These actions are implemented by interacting with the technology of a solution (for example, changing a configuration). Compliance Manager grants the points for technical actions once per action, regardless of how many groups it belongs to.
  • Nontechnical actions. Organizations manage these actions and implement them in ways other than working with the technology of a solution. There are two types of nontechnical actions: Documentation and Operational. Compliance Manager applies the points for these actions to the company's compliance score at a group level. In other words, if an action exists in multiple groups, the company receives the action's point value each time it implements it within a group.

Example of how technical and nontechnical actions are scored

Let's look at an example to see how the scoring mechanism for technical and nontechnical actions applies in a real-world scenario. In this example, let's say that Contoso has:

  • A technical action worth three points. The action exists in five groups.
  • A nontechnical action worth three points. The action exists in the same five groups.

If Contoso successfully implements the technical action, the total number of points it receives is three. Why only three points? Because Contoso only needs to implement the action once for its tenant. The implementation and test status for the technical action shows the same in all instances of that action, in every group it belongs to.

If Contoso successfully implements the nontechnical action in each of the five groups, the total number of points it receives is 15. Why 15 and not three? Because Contoso must implement the action in each group; as such, it receives the points for the action (three) each time it completes the action (in each of the five groups). The implementation and test status for the nontechnical action differs across groups. It does so because the organization implements the action separately within each of its groups.

This scoring logic is designed to provide the most accurate accounting of how an organization implements and tests actions.

How Compliance Manager determines score values

Compliance Manager assigns a score value to actions based on whether they’re mandatory or discretionary, and whether they’re preventative, detective, or corrective.

Mandatory and discretionary actions

  • Mandatory actions. An organization can't bypass these actions, either intentionally or accidentally. An example of a mandatory action is a centrally managed password policy that sets requirements for password length, complexity, and expiration. Users must follow each of these requirements to access the system.
  • Discretionary actions. These actions rely upon users to understand and adhere to a policy. For example, a policy requiring users to lock their computer when they leave is a discretionary action because it relies on the user.

Preventative, detective, and corrective actions

  • Preventative actions. These actions address specific risks. For example, protecting information at rest using encryption is a preventative action against attacks and breaches. Separation of duties is a preventative action to manage conflict of interest and guard against fraud.

  • Detective actions. These actions actively monitor systems:

    • To identify irregular conditions or behaviors that represent risk.
    • An organization can use to detect intrusions or breaches.

    Examples include system access auditing and privileged administrative actions. Regulatory compliance audits are a type of detective action used to find process issues.

  • Corrective actions. These actions try to keep the adverse effects of a security incident to a minimum, take corrective action to reduce the immediate effect, and reverse the damage if possible. Privacy incident response is a corrective action to limit damage and restore systems to an operational state after a breach.

The following table identifies how each action has an assigned value in Compliance Manager based on the risk it represents. Since each type of action (preventative, detective, and corrective) can be both mandatory and discretionary, there are six total combinations of actions that Compliance Manager can score.

Type Assigned score
Preventative mandatory 27
Preventative discretionary 9
Detective mandatory 3
Detective discretionary 1
Corrective mandatory 3
Corrective discretionary 1

Diagram showing a graphical chart of the Compliance Manager action point values.

Knowledge check

Choose the best response for the following question. Then select “Check your answers.”

Check your knowledge

1.

When a company uses Compliance Manager for the first time, what's its initial compliance score based upon?