Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

3.3.1. Compliance Manager and Data Explorer

💡 First Principle: Compliance Manager measures your organization's compliance posture against regulatory frameworks and gives you a prioritized improvement plan. Data Explorer shows you what sensitive data exists in your tenant, where it lives, and how it's classified — so you know what needs protecting.

Compliance Manager:
  • Provides a Compliance Score (0-100%) measuring how well your M365 configuration aligns with a chosen compliance framework (GDPR, HIPAA, ISO 27001, NIST, etc.)
  • Lists Improvement Actions — specific configuration changes that would increase your score
  • Distinguishes between actions Microsoft manages (infrastructure-level) and actions your organization manages (configuration-level)
  • Tracks progress over time and allows assigning improvement actions to team members

The score is advisory — a high Compliance Manager score doesn't certify you as legally compliant with GDPR. It indicates that your M365 controls align with that framework's technical requirements.

Data Explorer (in Microsoft Purview):
  • Surfaces all content in your tenant that has been identified as containing sensitive information types (credit card numbers, SSNs, PHI, etc.)
  • Shows which sensitivity labels have been applied across content
  • Allows filtering by location (Exchange, SharePoint, OneDrive, Teams, devices)
  • Provides a baseline for understanding your sensitive data landscape before deploying DLP or Copilot

Tool               | Use When                                              | Key Output
Compliance Manager | "How compliant are we, and what should we prioritize?" | Compliance Score + improvement actions
Data Explorer      | "What sensitive data do we have, and where is it?"     | Sensitive data inventory + label coverage

āš ļø Exam Trap: Compliance Manager is not a monitoring or enforcement tool — it doesn't watch for policy violations. For real-time monitoring of sensitive data movement, use DLP. For user activity, use Activity Explorer.

Reflection Question: A CISO wants a single number representing how well the organization's M365 configuration meets GDPR requirements. Which tool provides this, and what should the CISO understand about its limitations?

Written by Alvin Varughese
Founder • 15 professional certifications