AB-900, AI Governance, AI Security, Microsoft Certification

Identify compliance risks and recommendations by using Microsoft Purview Compliance Manager (AB-900 Exam Prep)

 
This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Understand data protection and governance tasks for Microsoft 365 and Copilot (35–40%)
   --> Identify data protection and governance risks for Microsoft 365 and Copilot
      --> Identify compliance risks and recommendations by using Microsoft Purview Compliance Manager

Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

Introduction

Organizations today face increasing regulatory and compliance requirements related to data privacy, security, records management, and governance. Regulations such as GDPR, HIPAA, ISO 27001, NIST, PCI DSS, and many others require organizations to implement controls that protect sensitive information and demonstrate compliance.

Microsoft Purview Compliance Manager is a solution within Microsoft Purview that helps organizations assess, manage, and improve their compliance posture. It provides a risk-based approach to compliance by measuring how well an organization has implemented controls and by offering actionable recommendations to reduce compliance risks.

For the AB-900 exam, you should understand the purpose of Compliance Manager, how it identifies compliance risks, how compliance scores are calculated, and how organizations can use recommendations to improve their compliance posture.

What Is Microsoft Purview Compliance Manager?

Microsoft Purview Compliance Manager is a compliance management solution that helps organizations:

  • Assess compliance risks
  • Monitor compliance status
  • Track implementation of compliance controls
  • Improve regulatory compliance
  • Generate evidence for audits
  • Prioritize remediation efforts

Compliance Manager translates complex regulatory requirements into manageable improvement actions that administrators can implement within Microsoft 365.

Rather than simply reporting compliance status, Compliance Manager helps organizations actively improve compliance through continuous assessment and risk reduction.

Why Compliance Manager Is Important

Organizations must comply with numerous regulations and standards. Managing compliance manually can be difficult because:

  • Regulations frequently change
  • Multiple frameworks may apply simultaneously
  • Compliance controls span many systems
  • Evidence collection can be time-consuming
  • Auditors require documentation

Compliance Manager helps centralize compliance activities and provides visibility into compliance readiness.

Benefits include:

  • Reduced compliance risk
  • Improved governance
  • Simplified audit preparation
  • Better visibility into regulatory requirements
  • Continuous compliance monitoring
  • Prioritized remediation efforts

Understanding Compliance Risk

Compliance risk refers to the possibility that an organization fails to meet legal, regulatory, or internal policy requirements.

Examples include:

  • Improper handling of personal data
  • Missing security controls
  • Lack of retention policies
  • Inadequate access controls
  • Failure to encrypt sensitive information
  • Insufficient auditing and monitoring

Compliance Manager helps identify these risks by comparing organizational practices against compliance requirements.

Compliance Score

One of the most important concepts in Compliance Manager is the Compliance Score.

The Compliance Score is a measurement that reflects the organization’s progress toward meeting selected compliance requirements.

The score:

  • Is risk-based
  • Measures completed controls
  • Helps prioritize work
  • Changes as actions are completed

A higher score generally indicates that more compliance controls have been implemented.

However, the score does not guarantee compliance with a regulation. It serves as a management tool for tracking progress and reducing risk.

How Compliance Score Is Calculated

Compliance Manager assigns points to improvement actions.

Points are awarded when actions are completed.

Examples of actions include:

  • Enabling multifactor authentication
  • Configuring retention policies
  • Applying sensitivity labels
  • Enabling audit logging
  • Implementing access controls

Higher-risk controls typically receive more points because they contribute more significantly to risk reduction.

Assessments in Compliance Manager

An assessment measures compliance against a specific regulation, standard, or framework.

Examples include:

  • GDPR
  • ISO 27001
  • NIST
  • HIPAA
  • PCI DSS
  • Microsoft Data Protection Baseline

Each assessment contains:

  • Control objectives
  • Improvement actions
  • Testing guidance
  • Documentation requirements
  • Compliance status tracking

Organizations can use multiple assessments simultaneously.

Types of Controls

Compliance Manager evaluates different types of controls.

Microsoft-Managed Controls

These controls are implemented and managed by Microsoft.

Examples include:

  • Physical datacenter security
  • Infrastructure protections
  • Platform-level safeguards

Microsoft provides evidence showing how these controls are implemented.

Customer-Managed Controls

These controls are the responsibility of the organization.

Examples include:

  • MFA configuration
  • Retention policies
  • Access management
  • User training
  • Data classification

Administrators must implement and document these controls.

Shared Controls

Shared controls involve responsibilities divided between Microsoft and the customer.

Examples include:

  • Identity management
  • Security monitoring
  • Data protection configurations

Both parties contribute to compliance.

Improvement Actions

Improvement actions are recommendations that help organizations reduce compliance risk.

An improvement action typically includes:

  • Description of the requirement
  • Implementation guidance
  • Testing procedures
  • Documentation requirements
  • Risk impact

Examples include:

  • Enable multifactor authentication
  • Configure audit logging
  • Apply sensitivity labels
  • Restrict external sharing
  • Implement retention policies
  • Enable Data Loss Prevention policies

Completing improvement actions increases the compliance score.

Recommendations in Compliance Manager

Compliance Manager provides actionable recommendations that help organizations improve compliance.

Recommendations may involve:

Identity Security

Examples:

  • Enable MFA
  • Implement Conditional Access
  • Review privileged accounts
  • Use least-privilege access

Data Protection

Examples:

  • Configure sensitivity labels
  • Encrypt sensitive content
  • Implement DLP policies
  • Protect confidential information

Monitoring and Auditing

Examples:

  • Enable auditing
  • Review activity logs
  • Investigate suspicious behavior
  • Maintain audit records

Information Governance

Examples:

  • Create retention policies
  • Define retention labels
  • Manage records
  • Implement deletion schedules

Testing and Evidence Collection

Compliance Manager supports audit preparation through evidence collection.

Organizations can:

  • Upload documentation
  • Store screenshots
  • Attach policy documents
  • Record test results
  • Maintain audit evidence

This makes audits easier because evidence is stored alongside compliance controls.

Regulatory Templates

Compliance Manager includes built-in templates for many regulations and standards.

Examples include:

  • GDPR
  • HIPAA
  • ISO 27001
  • NIST CSF
  • SOC 2
  • PCI DSS

Templates reduce the effort required to build compliance programs from scratch.

Monitoring Compliance Over Time

Compliance is not a one-time activity.

Compliance Manager supports continuous monitoring by:

  • Tracking score changes
  • Updating assessment status
  • Identifying new risks
  • Monitoring action completion
  • Highlighting outstanding requirements

Organizations can regularly review their compliance posture and address gaps.

Compliance Manager and Microsoft 365 Copilot

As organizations adopt Microsoft 365 Copilot, governance and compliance become increasingly important.

Compliance Manager can help organizations:

  • Evaluate data protection readiness
  • Review access controls
  • Verify sensitivity label deployment
  • Assess retention policies
  • Confirm audit logging is enabled
  • Measure compliance maturity

These controls help ensure Copilot operates within established governance and compliance frameworks.

Key Exam Tips

For the AB-900 exam, remember:

  • Compliance Manager helps assess and improve compliance posture.
  • Compliance Score measures progress toward implementing controls.
  • Improvement actions provide recommendations for reducing risk.
  • Assessments measure compliance against regulations and standards.
  • Controls may be Microsoft-managed, customer-managed, or shared.
  • Compliance Manager supports evidence collection and audit readiness.
  • A higher Compliance Score indicates improved compliance posture but does not guarantee regulatory compliance.
  • Compliance Manager helps organizations identify and prioritize compliance risks.

Practice Exam Questions

Question 1

What is the primary purpose of Microsoft Purview Compliance Manager?

A. Create SharePoint sites automatically

B. Assess and improve an organization’s compliance posture

C. Replace Microsoft Defender

D. Manage Windows updates

Answer: B

Explanation: Compliance Manager helps organizations assess compliance risks, track controls, and improve compliance posture through assessments and recommendations.

Question 2

What does the Compliance Score primarily represent?

A. The number of licensed users

B. The percentage of completed support tickets

C. Progress toward implementing compliance controls

D. The amount of storage consumed

Answer: C

Explanation: Compliance Score measures the organization’s progress in implementing controls that reduce compliance risk.

Question 3

Which type of control is managed entirely by Microsoft?

A. Customer-managed control

B. Shared control

C. Administrative control

D. Microsoft-managed control

Answer: D

Explanation: Microsoft-managed controls are implemented and maintained by Microsoft, such as datacenter security and infrastructure protections.

Question 4

An administrator wants to increase the organization’s Compliance Score. What should they do?

A. Purchase more Microsoft licenses

B. Increase mailbox storage limits

C. Complete improvement actions

D. Delete old assessments

Answer: C

Explanation: Improvement actions contribute points to the Compliance Score and help reduce compliance risk.

Question 5

Which feature helps organizations prepare for audits?

A. Microsoft Forms

B. Evidence collection and documentation storage

C. Viva Engage

D. Power Automate approvals

Answer: B

Explanation: Compliance Manager allows organizations to upload documentation, screenshots, and evidence needed for audits.

Question 6

Which of the following is an example of a customer-managed control?

A. Physical datacenter security

B. Network backbone management

C. Global infrastructure redundancy

D. Configuring multifactor authentication

Answer: D

Explanation: Customers are responsible for implementing controls such as MFA, retention policies, and access controls.

Question 7

What is an assessment in Compliance Manager?

A. A financial audit report

B. A measurement of compliance against a regulation or standard

C. A SharePoint permission review

D. A Microsoft support case

Answer: B

Explanation: Assessments evaluate compliance requirements associated with regulations, standards, or frameworks.

Question 8

Which compliance framework could be evaluated using Compliance Manager?

A. HIPAA

B. DHCP

C. SMTP

D. DNS

Answer: A

Explanation: Compliance Manager includes templates and assessments for frameworks such as HIPAA, GDPR, ISO 27001, and NIST.

Question 9

What is the purpose of improvement actions?

A. To reduce compliance risk and guide remediation efforts

B. To create Teams channels automatically

C. To increase internet bandwidth

D. To manage printer deployments

Answer: A

Explanation: Improvement actions provide guidance for implementing controls that reduce compliance risk and improve compliance posture.

Question 10

Which statement about Compliance Score is correct?

A. A perfect score guarantees regulatory compliance.

B. The score measures storage utilization.

C. The score reflects progress toward implementing compliance controls but does not guarantee compliance.

D. The score only applies to Microsoft-managed controls.

Answer: C

Explanation: Compliance Score is a risk-based measurement of implemented controls and progress, but it does not guarantee compliance with any specific regulation.

Exam Summary

Microsoft Purview Compliance Manager is a risk-based compliance management solution that helps organizations assess regulatory requirements, identify compliance gaps, implement recommended controls, collect audit evidence, and continuously improve compliance posture. Understanding Compliance Score, assessments, improvement actions, and risk reduction recommendations is essential for success on the AB-900 exam and for administering Microsoft 365 and Copilot environments responsibly.

Go to the AB-900 Exam Prep Hub main page

Leave a comment