In this mobile-first and cloud-first world, Microsoft is committed to build and maintain a partnership with you to meet your security, compliance, and privacy needs. When your organization’s data was on-premises, it was 100 percent your responsibility to meet all regulatory requirements. As you move your data to a Microsoft Cloud service, such as Office 365, Azure, or Dynamics 365, we partner with you to help you achieve compliance under the shared responsibility model.


To support your organization’s compliance journey when using Microsoft Cloud services, Microsoft released Compliance Manager Preview last November. Today, we are building upon this partnership by announcing thatis now generally available as an additional value for Azure, Dynamics 365, and Office 365 Business and Enterprise subscribers in public clouds[1].



Compliance Manager empowers your organization to manage your compliance activities from one place with three key capabilities:


  • Helps you perform on-going risk assessments, now with Compliance Score

Compliance Manager is a cross-Microsoft Cloud services solution designed to help organizations meet complex compliance obligations, including the EU GDPR, ISO 27001, ISO 27018, NIST 800- 53, NIST 800- 171, and HIPAA[2].


It enables your organization to perform on-going risk assessments for what is identified as Microsoft’s responsibilities by evaluating detailed implementation and test details of our internal controls. We are committed to be transparent about how we process and protect your data so that you can trust Microsoft and leverage the technology we provide.


Compliance Manager dashboard with Score.JPGCompliance Manager dashboard with Compliance Score

We also provide you the information and tools to conduct self-assessment for your responsibilities of meeting regulatory requirements. Now with Compliance Score[3] —a new feature for Compliance Manager—you can gain visibility into your organization’s compliance stature with a risk-based score reference.


The Compliance Score is based on the operating effectiveness of internal controls managed by both Microsoft and you. Failure to implement different controls will have different levels of risk. We assign a weight to each control based on the level of risk involved when you do not implement a control or fail to pass the test of a control. From the detailed information page of each assessment, you can find an assigned risk-based score for each control item, and prioritize your tasks and make better implementation plans based on the risk involved.


  • Provides you actionable insights, now from a certification/regulation view

One of the biggest pain points we heard from organizations is finding talent with expertise in both industrial compliance and technology solutions. Most of the time, compliance personnel have in-depth knowledge of industrial regulations and standards, while IT professionals have the technology tools that help the company to protect data. Because there is lack of connections between these two areas, meeting data protection and regulatory requirements becomes a very disjointed process.


To help reduce this challenge, Compliance Manager builds the connection between the data protection capabilities and the regulatory requirements, so now you know which technology solutions you can leverage to meet certain compliance obligations.


In response to feedback from customers, this product update re-organizes the control information from the “Microsoft control framework” view (e.g. MS-control AR-0104) to a “certification controls or regulatory article” view (e.g. ISO 27001:2013: C.5.1.a). Before, one Microsoft control corresponded to one or multiple certification controls or regulatory articles, and you needed to take many actions to implement one control. In the newly updated view, you can see customer actions for each certification or regulatory control, and the specific actions recommended for each control[4].


Detailed information page with score.JPGDetailed information page of an assessment


You still have the same experience for each control, i.e., finding customer actions with step-by-step guidance to guide you through implementing internal controls and developing business processes for your organization. We will keep the preview view (MS-control view) till the end of August 2018 for you to migrate the information into the new view.


  • Simplifies your journey to manage compliance activities, now with the capability to create multiple assessments for each standard and regulation

According to the report, Cost of Compliance 2017 from Thomson Reuters, 32 percent of companies spend more than 4 hours per week creating and amending audit reports. It’s very time-consuming to collect evidence and demonstrate effective control implementation for auditing activities.


Compliance Manager enables you to assign, track, and record your compliance activities, so you can collaborate across teams and manage your documents for creating audit reports more easily.


By using group functionality, you can now create multiple assessments for any standard or regulation that is available to you in Compliance Manager by time, by teams, or by business units. For example, you can create a GDPR assessment for the 2018 group and another one for the 2019 group. Similarly, you can create an ISO 27001 assessment for your business units located in the U.S. and another one for your business units located in Europe. This functionality gives you a more robust way to manage compliance activities based on your organizational needs for performing risk assessments.


We are excited to launch Compliance Manager with these updates to make it a better experience for you. We’d like to hear your feedback on the product to keep improving functionality, adding new features, and enhancing existing ones. Sign in totoday using your Azure, Dynamics 365, or Office 365 account, and give us feedback via the Feedback button at the bottom right corner of Compliance Manager. You can also learn more about Compliance Manager in this, "Simplify your compliance journey with Service Trust Portal and Compliance Manager", and on the Compliance Manager support page.


Work with a partner who knows GDPR

Microsoft works with partners globally to address customer needs around GDPR. We have several partners today offering Microsoft-based solutions that include an overall set of controls and capabilities to help customers meet their GDPR requirements. Here’s our list of global partners we currently work with to meet the growing demand for GDPR support.


Product scope[2]

You can find the coverage of regulations and standards for each Microsoft cloud service below as of February 2018:

  • Office 365: Detailed information about Microsoft’s internal controls for and recommended customer actions for GDPR, ISO 27001, ISO 27018, NIST 800- 53, NIST 800- 171, and HIPAA
  • Azure: Detailed information about Microsoft’s internal controls for ISO 27001 and ISO 27018
  • Dynamics 365: Detailed information about Microsoft’s internal controls for NIST 800- 53; recommended customer actions for partial GDPR controls managed by organizations


[1] Note that Office 365 GCC customers can access Compliance Manager; however, users should evaluate whether to use the document upload feature of Compliance Manager, as the storage for document upload is compliant with Office 365 Tier C only. Compliance Manager is not yet available in sovereign clouds including Office 365 U.S. Government Community High (GCC High), Office 365 Department of Defense (DoD), Office 365 Operated by 21 Vianet, and Office 365 Germany.

[2] Coverage of regulations and standards in Compliance Manager varies by product. We will keep adding and updating the information in the future and our goal is to provide a similar experience of using Compliance Manager for all Microsoft Cloud services.

[3] Compliance Score is only available for Office 365 currently. Our goal is to provide Compliance Score for all Microsoft Cloud services in the near future.

[4] Compliance Manager is a dashboard that provides the Compliance Score and a summary of your data protection and compliance stature as well as recommendations to improve data protection and compliance. This is a recommendation; it is up to you to evaluate and validate the effectiveness of customer controls as per your regulatory environment. Recommendations from Compliance Manager and Compliance Score should not be interpreted as a guarantee of compliance.

Senior Member

The Office 365 NIST 800-171 assessment in missing 32 controls. The controls seem to be a mixture of Microsoft Managed Controls and Customer Managed Controls. The controls are: 3.3.4, 3.3.6, 3.4.2, 3.4.7, 3.4.8, 3.5.11, 3.6.3, 3.7.2, 3.7.3, 3.7.4, 3.8.1, 3.8.2, 3.8.4, 3.8.5, 3.8.9, 3.10.2 ,3.10.3, 3.10.4, 3.10.5, 3.12.4, 3.13.1, 3.13.6, 3.13.7, 3.13.9, 3.13.12, 3.13.13, 3.13.16, 3.14.2, 3.14.4, 3.14.5, 3.14.6, and 3.14.7.


Do you know when the remainder of these controls will be added to Compliance Manager?


By the way, I love the tool! I just want to know if, in the future, my organization can fully rely on it to be the one-stop shop for our compliance team and assessors.






Added control 3.5.11 to the list of controls that are missing in Compliance Manager. This brings the total number of missing controls to 32.

Hi @Daniel Courtney, We will update the remaining NIST 800-171 controls by the end of this month. I will notify you from this comment response once it's published.

Thank you for your support!

Senior Member

@Tina Ying (OFFICE MARKETING), sweet! Thank you for the update!

Occasional Visitor

Any more specialized modules available? ISO 13485, ISO 14971, ISO 9001, FDA 21 CFR 820?

New Contributor

Hi, do we have any indication as to when the Azure controls will be released? 

Hi @Christopher Wood, currently we only plan to add assessments for regulations or standards that Microsoft Cloud complies with, and will prioritize based on customers' feedback. We are also planning to develop feature that can help you to customize assessments. Please stay tuned for future announcements. Thank you!


Hi @Ben Curran, we are working on it, but we don't have an ETA to share yet. We will share more information here once it's available. Thank you!

Occasional Visitor

Hi, is the tool available for the on-premise version of Dynamics 365 (and other 365 products)?

Occasional Visitor

Hi Tina:

Is there any published document or information from Microsoft which explains in detail list of "supported" NIST SP 800-171 DFAR controls for O365? Like one of the member found out the 32 "missing" controls? How do I know what is "checked" for NIST 800-171 by Compliance tool. Thanks Meer

Senior Member

Hey Meer,


The way I determined the missing controls was by simply downloading the Excel file that Compliance Manager produces and then I differenced that file with another (completey comprehensive) file of the NIST 800-171 controls that I had created myself from the source publication.


As far as I know, there is no explanation from Microsoft as to why certain controls were excluded from the tool (note I only know of missing Office 365 NIST 800-171 controls, I did not check all the other tools and frameworks). Tina did said they would have the remainder of the controls up sometime soon.


I’m on mobile, please forgive any typos.

Hi @Thomas Dejagere, currently it's only available for cloud services. Thank you!

Hi @Meer Nazir@Daniel Courtney, we just updated Compliance Manager content with all NIST 800-171 controls. You can find all the missing ones in there for Office 365 now. Thank you!

Regular Visitor

Where can I find the compliance for NIST 800- 171?  I see the other assessments just not NIST 800- 171.  Also, is the customize functionality available now?  If so, can we add in any missing controls ourselves to be able to use this tool as a one-stop tracker?



Hi @Gina Hall, NIST 800-171 doesn't show on the dashboard by default, but you can add the assessment by clicking the "+Add assessment" button on the top right corner of the dashboard. Note that NIST 800-171 is only available to Office 365 for now. You can learn how to add assessment in this supporting document: Use Compliance Manager to help meet data protection and regulatory requirements when using Microsoft...

You can customize your dashboard by adding and removing assessments. We will add more features to let you import your own controls in the future. Please stay tuned for more announcements in the Tech Community blog!

New Contributor

Thanks for letting us know about the NIST 800-171 controls Tina. Can you explain to me how Microsoft are letting us know when the Trust Portal is updated, when new controls go live how is it communicated out?


Hi @Ben Curran, you can find the control updates here: https://support.office.com/en-us/article/use-compliance-manager-to-help-meet-data-protection-and-reg...


We are working on creating a more obvious and easier link to this document from Compliance Manager, and you will be able to find the link in the notification boxes on the dashboard in the near future.


Thank you!


Occasional Contributor

Be careful with relying on Message Trace within SCC. We had an issue with an email not showing on a report and Microsoft doesn't care. This was Microsoft's official response:


"As message trace in Office 365 Security & Compliance Center is a redesigned tool which focus on making Message Trace more effective and easier for both professional and part-time email admins, it is still in ‘preview’ status.


We don’t ensure this tool is as credible as Message Trace in the Exchange Admin Center (EAC)."


I think it goes without saying this response is pathetic for a system DESIGNED to reduce risk. 


Justin, I apologize about your experience. We will contact you through messages/email to learn more details about this error and investigate why your message didn’t show up as it should have.

Occasional Visitor

Hi, When will it support management of CJIS regulatory requirements?

Hi @KiranV - We don't have the timeline to share yet. However, now you can use our new features in public preview to add your own assessment in Compliance Manager. You can learn more about it here: https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Manage-compliance-from-one-pl...


Thank you!



Occasional Visitor

Hi, great info, but I get the 404 error (Not Found) on the whitepaper. Can you see what the problem is?






Richard Bruvik