The Purview Portal & Compliance Manager
Your organisation's compliance command centre — how the Purview portal, Compliance Manager, and compliance score help you track and improve your regulatory posture.
One portal to rule compliance
Think of a car’s dashboard.
Your car has one dashboard that shows your speed, fuel, engine temperature, and warning lights — all in one place. You don’t open the bonnet to check the engine every time you drive.
The Microsoft Purview portal is the dashboard for your organisation’s compliance. It shows everything — what regulations you need to meet, how far along you are, and what’s still red.
Microsoft Purview portal
The Purview portal at purview.microsoft.com brings together all compliance tools under one roof:
| Area | What It Covers |
|---|---|
| Compliance Manager | Track compliance posture across regulations with assessments and improvement actions |
| Data classification | Discover and classify sensitive data using SITs, trainable classifiers, and labels |
| Data Loss Prevention | Policies to prevent sensitive data from being shared inappropriately |
| Information protection | Sensitivity labels, encryption, rights management |
| Data lifecycle management | Retention policies and labels to keep or delete data based on rules |
| Audit & eDiscovery | Search and investigate content for legal or compliance purposes |
Exam tip: Purview compliance vs Purview governance
Microsoft Purview has two sides:
- Purview compliance — managing regulations, protecting data, preventing leaks (this is what SC-900 tests)
- Purview governance — cataloguing data estates, mapping data lineage, scanning data sources (this is NOT on SC-900)
If an exam question mentions “data catalogue” or “data lineage,” that’s the governance side. If it mentions “DLP,” “sensitivity labels,” or “Compliance Manager,” that’s the compliance side.
Compliance Manager
Compliance Manager is the tool inside the Purview portal that helps you assess, track, and improve your compliance posture. Think of it as a project management tool for regulations.
The three building blocks
| Building Block | What It Does | Example |
|---|---|---|
| Assessments | Pre-built templates that map your actions to specific regulations | A GDPR assessment shows every control you need and whether you've done it |
| Improvement actions | Recommended steps to improve compliance — each one can be assigned to a team member | Enable MFA for all users (reduces identity risk, improves GDPR and ISO 27001 scores) |
| Controls | The specific requirements from a regulation that your actions map to | GDPR Article 32: 'Implement appropriate technical measures' — mapped to encryption and access controls |
Assessments in detail
Compliance Manager comes with hundreds of pre-built assessment templates for common regulations:
- GDPR (EU General Data Protection Regulation)
- HIPAA (US Health Insurance Portability and Accountability Act)
- ISO 27001 (International information security standard)
- NIST 800-53 (US federal security framework)
- And many more — regional, industry-specific, and custom templates
Each assessment shows which controls are satisfied, which need work, and who is responsible.
Scenario: Nadia sets up a HIPAA assessment
MedGuard Health needs to demonstrate HIPAA compliance for an upcoming audit. Nadia opens Compliance Manager and adds the HIPAA assessment template.
Immediately, she sees:
- 120 improvement actions needed for HIPAA
- 40 are already marked complete (things Microsoft handles, like data centre security)
- 80 are customer-managed actions that MedGuard needs to address
Nadia assigns actions to the right people: Liam (IT Director) gets encryption and access control tasks, Dr. Torres gets data handling policy reviews. Each person sees their tasks in Compliance Manager and marks them complete as they finish them.
Improvement actions: who does what?
Every improvement action falls into one of two ownership categories:
| Feature | Microsoft-managed | Customer-managed |
|---|---|---|
| Who does it? | Microsoft | Your organisation |
| Example | Physical data centre security, host OS patching, network encryption | Enabling MFA, configuring DLP policies, writing data handling policies |
| Can you change it? | No — these are auto-completed by Microsoft | Yes — you mark these as complete, in progress, or assign them to people |
| Impact on score | Included in your total score automatically | Only counted when you mark the action as implemented and tested |
Compliance score
The compliance score is a numeric value (0 to maximum) that measures your overall compliance posture. It works like Microsoft Secure Score, but for compliance instead of security.
How the score is calculated
Every improvement action has points. Those points are weighted by two dimensions:
1. Mandatory vs Discretionary
- Mandatory: Actions required by the regulation (higher points)
- Discretionary: Recommended best practices but not strictly required (lower points)
2. Preventive vs Detective vs Corrective
- Preventive: Actions that stop issues before they happen (highest points) — e.g., encryption
- Detective: Actions that find issues after they occur (medium points) — e.g., audit logs
- Corrective: Actions that fix issues after detection (lowest points) — e.g., incident response plans
Key exam concept: Mandatory preventive actions score the highest because they both satisfy a regulation AND stop problems before they start. The exam may ask which type of action gives the most points.
Scenario: Nadia prioritises by compliance score impact
Nadia has limited time before the audit. She opens Compliance Manager and sorts improvement actions by point value (highest first).
The top items:
- Enable encryption for data at rest — mandatory + preventive = 10 points
- Configure DLP policies for patient data — mandatory + preventive = 10 points
- Set up audit logging — mandatory + detective = 6 points
- Create an incident response plan — mandatory + corrective = 4 points
Nadia tackles encryption and DLP first — maximum compliance improvement for the effort spent.
Exam tip: Compliance score vs Secure Score
These are easy to confuse:
- Compliance score (in Compliance Manager) measures how well you meet regulatory requirements
- Secure Score (in the Microsoft Defender portal) measures how well you’ve configured security settings
Both give numeric scores and recommend improvement actions. But compliance score is about regulations, and Secure Score is about security posture. An action can appear in both (like enabling MFA).
Purview Portal & Compliance Manager — SC-900 Domain 4.2
Knowledge Check
Nadia wants to track MedGuard's progress towards HIPAA compliance. She needs a dashboard that shows which controls are met and which need work. Which tool should she use?
In Compliance Manager, which type of improvement action earns the MOST compliance score points?
Nadia notices that 40 improvement actions in MedGuard's HIPAA assessment are already marked complete, even though her team hasn't done anything yet. What explains this?