Fix Microsoft Compliance Assurance Errors & Setup Issues

Microsoft Fix Intermediate 14 min read Official Docs Grounded Updated April 20, 2026

Why This Is Happening

I've seen this exact scenario play out dozens of times across enterprise IT teams: your organization is moving workloads to Microsoft Azure or Microsoft 365, someone from legal or the audit team asks for a compliance assurance report, and suddenly everyone is staring at the Microsoft Purview portal wondering why the compliance score shows 0%, why assessment templates won't load, or why they can't download SOC 2 audit reports from the Service Trust Portal. The frustration is real, and the error messages Microsoft surfaces don't point you toward a solution.

Microsoft compliance assurance problems fall into a few distinct buckets. First, there are access and permissions failures, most common when an admin sets up Microsoft Purview Compliance Manager without assigning the right Purview role groups or Microsoft Entra ID (formerly Azure Active Directory) roles. Second, there are framework assessment configuration gaps, where organizations try to run a cloud risk assessment against something like NIST SP 800-53 or ISO 27001 but haven't properly mapped their internal controls or selected the right assessment template. Third, and this one trips up IT pros who are new to the Microsoft cloud model, is a fundamental misunderstanding of the shared responsibility model.

That last point matters a lot. When your organization moves from on-premises infrastructure to the cloud, the division of security responsibility shifts. In a traditional on-premises environment, your team owns every layer of the stack, from physical hardware up through the operating system, applications, and data. In a cloud model, Microsoft takes on physical datacenter security, network infrastructure, and hypervisor-level controls. But your team remains responsible for identity and access management, device security, data classification, and application configuration. Compliance assurance problems often appear when organizations assume Microsoft handles more than it actually does, or inversely, when teams don't know which controls Microsoft has already implemented on their behalf.

The other root cause I see constantly is organizations skipping the framework-mapping step. Microsoft builds its compliance tooling around well-established industry frameworks like ISO 27001, the CIS Benchmark, and NIST SP 800-53. If your internal risk assessment model doesn't map to one of these frameworks, the Compliance Manager tool won't know how to calculate your score or surface the right improvement actions. You end up with a dashboard that looks complete but is actually measuring the wrong things.

None of this is your fault. Microsoft compliance assurance spans multiple portals (the Microsoft Purview portal, the Service Trust Portal, Microsoft Defender for Cloud, and sometimes the Azure portal itself), and the documentation doesn't always make it obvious which one you need for which task.

What follows is the exact troubleshooting sequence I use when helping enterprise teams get their Microsoft compliance assurance setup working correctly from end to end.

The Quick Fix, Try This First

If your Microsoft Purview Compliance Manager dashboard is showing blank assessments, a stuck compliance score, or template errors, the fastest fix in the majority of cases is a role assignment correction. Here's exactly what to do.

Compliance Manager roles are Purview role groups, not Microsoft Entra directory roles, and you manage them inside the Purview portal. Open the Microsoft Purview portal (purview.microsoft.com; the older compliance.microsoft.com address redirects there) and go to Settings > Roles and scopes > Role groups (in the classic compliance portal: Roles & scopes > Permissions > Microsoft Purview solutions > Roles). Search for "Compliance Manager." You'll see four role groups:

  • Compliance Manager Administrators, full read/write access, can create and manage assessments and templates
  • Compliance Manager Assessors, can update implementation and test status and upload evidence; not the role for creating assessments
  • Compliance Manager Contributors, can work on improvement actions assigned to them
  • Compliance Manager Readers, read-only, useful for auditors

The exact permission matrix for each role group is on Microsoft's Compliance Manager permissions page; check it rather than inferring rights from the role group names.

Two points trip people up here. First, per Microsoft's documentation, some Entra directory roles carry Compliance Manager access on their own (Global Administrator and Compliance Administrator among them, with read-oriented roles such as Global Reader limited to read access), so a blank dashboard for a Global Administrator is rarely a missing role group; look at PIM (below) and licensing (Step 1) first. Second, for everyone else, the most common mistake is assigning an Entra role that does not carry Compliance Manager rights, or a read-only role group, and expecting write access. Open the appropriate role group, choose Edit > Members, add the affected user, and save. Changes propagate within 5–15 minutes. Once the role is active, sign out of the Purview portal completely, clear your browser cache (Ctrl+Shift+Delete → All time → Cached images and files), and sign back in.

If your organization uses Microsoft Entra ID (formerly Azure Active Directory) Privileged Identity Management (PIM), the Compliance Manager Administrator role may require just-in-time activation. Navigate to Microsoft Entra admin center > Identity Governance > Privileged Identity Management > My roles and activate the role before accessing Compliance Manager. PIM-gated roles expire after the configured window, typically 1–8 hours, so if your dashboard was working and suddenly went blank mid-session, a PIM expiration is very likely the culprit.

Pro Tip
Before escalating a Compliance Manager access issue, check the unified audit log in the Purview portal under Audit. Filter on the user's UPN and look for Compliance Manager activities (assessment or improvement-action changes). The audit log records what a user did inside Compliance Manager, not failed portal access, so read the result that way: if the user's own recent assessment or action updates are there, they had working access at that time and you are chasing a change since then (a PIM expiry, a removed role group membership); if there is nothing, that tells you little by itself. In that case, open Compliance Manager directly via compliance.microsoft.com/compliancemanager rather than navigating through the portal menu, which rules out a portal-navigation problem before you touch roles.

Step 1: Verify and Assign Compliance Manager Roles

Before touching any assessment configuration, confirm that role assignments are actually in effect, not just assigned on paper. There are two places to look. In the Purview portal, go to Settings > Roles and scopes > Role groups, open the Compliance Manager role group you assigned, and confirm the user is listed under Members. Then open the Microsoft Entra admin center (entra.microsoft.com), navigate to Users, select the affected user, and click Assigned roles. This view shows Entra directory roles only; per Microsoft's documentation a directory role such as Global Administrator or Compliance Administrator does carry Compliance Manager access, but only while it is active, so a role shown as Eligible rather than Active has to be activated in PIM before it counts.

If this is an enterprise tenant using group-based role assignment, also check Groups on the user's profile and confirm that the compliance role-bearing group membership is actually active: PIM for Groups activations are separate from individual role activations, and teams often miss this distinction.

For tenants that have never activated Compliance Manager, there's one more prerequisite: your Microsoft 365 license must include it. Licensing changes often, so treat Microsoft's Compliance Manager licensing guidance as authoritative. In broad terms, the Microsoft Data Protection Baseline assessment is available across the Microsoft 365 enterprise plans, while the premium regulatory templates (NIST SP 800-53, ISO/IEC 27001, and the rest of the library) require Microsoft 365 E5 or E5 Compliance, or the Compliance Manager premium assessment add-on. To check what you have, go to Microsoft 365 admin center > Billing > Your products and confirm your active plans.

Once roles are confirmed, open the Purview portal > Compliance Manager. If the dashboard loads correctly and shows your compliance score, you're ready to move to assessment setup. If you still see a loading spinner after a minute, clear the browser cache and retry in a Microsoft Edge InPrivate window with extensions disabled: browser extensions that intercept OAuth redirects (enterprise SSO helpers in particular) can break the portal's sign-in flow, and a clean InPrivate session rules them out before you go looking for a tenant-side cause.

Success indicator: The Compliance Manager overview page loads and displays a numeric compliance score (even if it's 0%) and at least the default "Data Protection Baseline" assessment.
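The manual checks in Step 1 live in three different blades, and the verdict depends on combining them (direct role group membership, active directory roles, and PIM-eligible roles that were never activated). The script below does that combination in one pass. It is an added example written for this guide, not code from the original page or from Microsoft. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed, that the caller can read Purview role groups and Entra role assignments, that the Compliance Manager role groups can be found by the wildcard 'Compliance Manager*' on their display name, and that the list of directory roles Microsoft documents as carrying Compliance Manager access (reproduced below) is checked against the current permissions page before you rely on it. The PIM cmdlets need Microsoft Entra ID P2.

```powershell
# Added example (not from the original page or Microsoft's own tooling).
# Assumptions: ExchangeOnlineManagement + Microsoft.Graph modules installed; caller may read
# Purview role groups and Entra role assignments; Compliance Manager role groups match the
# wildcard 'Compliance Manager*'; $cmCapableDirectoryRoles mirrors Microsoft's documented list
# and must be re-checked against the Compliance Manager permissions page; PIM cmdlets need P2.
param(
    [Parameter(Mandatory)] [string] $Upn
)

Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.Governance

$cmCapableDirectoryRoles = @(
    'Global Administrator', 'Compliance Administrator', 'Compliance Data Administrator',
    'Security Administrator', 'Security Operator', 'Security Reader', 'Global Reader'
)

# --- 1. Purview role groups ("Compliance Manager Administrators" and friends) ---
Connect-IPPSSession
$roleGroupHits = foreach ($g in Get-RoleGroup | Where-Object { $_.DisplayName -like 'Compliance Manager*' }) {
    # Direct members only: membership inherited through a nested group is not expanded here.
    # Member objects expose different identity properties depending on type, so compare several.
    $members = Get-RoleGroupMember -Identity $g.Identity
    $hit = $members | Where-Object {
        $_.PrimarySmtpAddress -eq $Upn -or $_.WindowsLiveID -eq $Upn -or $_.Name -eq $Upn
    }
    [pscustomobject]@{ RoleGroup = $g.DisplayName; IsMember = [bool]$hit }
}

# --- 2. Entra directory roles: active (assigned or PIM-activated) vs. merely eligible ---
Connect-MgGraph -Scopes 'User.Read.All', 'RoleManagement.Read.Directory' -NoWelcome
$user = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName

$active = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
    -Filter "principalId eq '$($user.Id)'" -ExpandProperty RoleDefinition -All
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance `
    -Filter "principalId eq '$($user.Id)'" -ExpandProperty RoleDefinition -All

$activeNames   = @($active   | ForEach-Object { $_.RoleDefinition.DisplayName })
$eligibleNames = @($eligible | ForEach-Object { $_.RoleDefinition.DisplayName })

$report = [pscustomobject]@{
    User                        = $user.UserPrincipalName
    ComplianceManagerRoleGroups = @($roleGroupHits | Where-Object IsMember | ForEach-Object RoleGroup)
    ActiveDirectoryRolesWithCm  = @($activeNames   | Where-Object { $_ -in $cmCapableDirectoryRoles })
    EligibleButNotActivated     = @($eligibleNames | Where-Object { $_ -in $cmCapableDirectoryRoles -and $_ -notin $activeNames })
}

# Verdict: access works only if one of the first two lists is non-empty. A populated third list
# with the first two empty is the "worked yesterday, blank today" PIM-expiry case.
$report | Format-List
if (-not $report.ComplianceManagerRoleGroups -and -not $report.ActiveDirectoryRolesWithCm) {
    if ($report.EligibleButNotActivated) {
        Write-Warning "No active Compliance Manager access; activate one of: $($report.EligibleButNotActivated -join ', ') in PIM."
    } else {
        Write-Warning 'No Compliance Manager access at all; add the user to a Compliance Manager role group.'
    }
}
Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

Run it as `.\Test-CmAccess.ps1 -Upn user@yourdomain.com`. Nested group membership is deliberately not expanded; if your tenant assigns role groups through security groups, add a second check against those groups rather than trusting a "not a member" result here.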

Step 2: Select and Configure a Regulatory Framework Assessment Template

This is where most cloud risk assessment workflows stall out. Microsoft Purview Compliance Manager provides assessment templates mapped to specific compliance frameworks, but you have to explicitly create an assessment from a template. The tool doesn't auto-populate assessments based on your license or industry. Inside Compliance Manager, click Assessments in the left nav, then click Add assessment.

You'll be prompted to choose a regulation. For most organizations doing a general cloud risk assessment, start with one of these three:

  • NIST SP 800-53 Rev 5, the gold standard for U.S. federal contractors and any org that wants a comprehensive control set
  • ISO/IEC 27001:2022, widely accepted globally; ideal if you're working with EU customers or pursuing certification
  • Microsoft Data Protection Baseline, a Microsoft-authored assessment that maps directly to their built-in cloud controls; the fastest path to seeing Microsoft Actions populated

After selecting the regulation, choose Microsoft 365 (or Azure, or whichever Microsoft cloud service is in scope) as your product group. Name the assessment clearly, something like "NIST 800-53 Rev5, Azure Production 2026" so auditors can immediately identify the scope. Click Create assessment.

The assessment typically takes a few minutes to generate, during which it pulls in both Microsoft Actions (controls Microsoft has already implemented on your behalf) and Improvement Actions (controls your team needs to configure or attest to). If generation still shows an error after a reasonable wait, check two things before escalating: that the account creating the assessment holds a role group allowed to create assessments (Step 1), and, under Compliance Manager > Settings > Automated testing, that automated testing is turned on. Without it, actions that Compliance Manager could test from your tenant configuration stay untested and the score does not move even once the assessment exists. If the error persists, note the time and the assessment name and raise a support case (see "When to Call Microsoft Support").

Success indicator: Your new assessment appears in the Assessments list with a progress bar showing the ratio of completed vs. total controls, and you can click into it to see both the Microsoft Actions and Improvement Actions tabs populated.

Step 3: Review Microsoft Actions and Download Audit Evidence from the Service Trust Portal

One of the most powerful, and most underused, features of Microsoft's compliance assurance ecosystem is the evidence Microsoft pre-populates on your behalf. When you open an assessment and click the Microsoft Actions tab, you'll see controls that Microsoft is responsible for as your cloud service provider. These are not just checkboxes, each one links to implementation details and, critically, to external audit reports that prove those controls are real.

To access the actual audit reports, you need the Service Trust Portal at servicetrust.microsoft.com. This is a separate portal from Purview, and the audit reports require authentication with an organizational Microsoft cloud services account (your Microsoft 365 or Azure work account). If you see a sign-in loop where you authenticate but keep being redirected to the sign-in page, the usual cause is a Conditional Access policy: a policy scoped to all cloud apps that requires a compliant or hybrid-joined device, or that blocks the browser session, applies to the Service Trust Portal sign-in like any other.

To fix the sign-in loop, don't guess which policy is responsible. Have your Entra admin open Microsoft Entra admin center > Identity > Monitoring & health > Sign-in logs, filter on the user, open the failing sign-in and read its Conditional Access tab, which names the policy that failed and the grant control it enforced (error codes 53000 and 53001 indicate a device-compliance or device-join requirement). Then either bring the user's device into compliance in Microsoft Intune, or, if the policy genuinely should not apply to this application, exclude the application from that policy under Microsoft Entra admin center > Protection > Conditional Access > Policies. Conditional Access targets applications, not URLs, so there is no hostname exclusion list to add servicetrust.microsoft.com to.
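Reading the Conditional Access tab one sign-in at a time gets tedious when a loop has produced fifty entries in ten minutes. The script below pulls the same data through Microsoft Graph and groups the failures by application and failing policy, so the policy causing the loop stands out. It is an added example, not part of the original page and not Microsoft's code. It assumes the Microsoft.Graph.Reports module is installed, that the caller has AuditLog.Read.All and Directory.Read.All, and that the tenant has Microsoft Entra ID P1 or higher (sign-in logs with Conditional Access detail). The three error-code meanings are Entra's documented device-based Conditional Access codes.

```powershell
# Added example, not from the original page. Assumptions: Microsoft.Graph.Reports installed,
# caller has AuditLog.Read.All + Directory.Read.All, Entra ID P1+ for CA detail in sign-in logs.
param(
    [Parameter(Mandatory)] [string] $Upn,
    [int] $Hours = 24
)

Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

# Documented Entra error codes for device-based Conditional Access outcomes
$caErrorCodes = @{
    53000 = 'Device not compliant (Intune compliance required by policy)'
    53001 = 'Device not domain/hybrid joined (join required by policy)'
    53003 = 'Blocked by Conditional Access'
}

$since   = (Get-Date).ToUniversalTime().AddHours(-$Hours).ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter  = "userPrincipalName eq '$Upn' and createdDateTime ge $since"
$signIns = Get-MgAuditLogSignIn -Filter $filter -All

# One row per sign-in that Conditional Access touched. The failing policy name is what you take
# to the policy list, instead of guessing which "All cloud apps" policy hit.
$rows = foreach ($s in $signIns) {
    $failing = @($s.AppliedConditionalAccessPolicies | Where-Object { $_.Result -eq 'failure' })
    if ($s.ConditionalAccessStatus -eq 'notApplied' -and $failing.Count -eq 0) { continue }
    $code = [int]$s.Status.ErrorCode
    [pscustomobject]@{
        Time         = $s.CreatedDateTime
        App          = $s.AppDisplayName
        CAStatus     = $s.ConditionalAccessStatus
        ErrorCode    = $code
        Meaning      = if ($caErrorCodes.ContainsKey($code)) { $caErrorCodes[$code] } else { $s.Status.FailureReason }
        FailedPolicy = ($failing | ForEach-Object { "$($_.DisplayName) [$($_.EnforcedGrantControls -join ',')]" }) -join '; '
        Device       = "$($s.DeviceDetail.OperatingSystem) compliant=$($s.DeviceDetail.IsCompliant) managed=$($s.DeviceDetail.IsManaged)"
    }
}

# A sign-in loop looks like many entries for the same app within minutes, CAStatus 'failure',
# and the same FailedPolicy every time. Grouping makes that obvious.
$rows | Sort-Object Time -Descending | Format-Table Time, App, CAStatus, ErrorCode, Meaning, FailedPolicy -AutoSize
$rows | Where-Object CAStatus -eq 'failure' | Group-Object App, FailedPolicy |
    Select-Object Count, Name | Sort-Object Count -Descending | Format-Table -AutoSize
Disconnect-MgGraph | Out-Null
```

Run it as `.\Get-CaLoop.ps1 -Upn user@yourdomain.com -Hours 2` right after reproducing the loop. The `Device` column tells you whether the fix is on the device side (not compliant, not managed) or on the policy side (the policy applies to an app it should not).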

Once inside the Service Trust Portal, navigate to Audit Reports. You'll find SOC 1 Type 2, SOC 2 Type 2, ISO 27001 certificates, penetration test results, and FedRAMP authorization packages for Microsoft's cloud services. Download the SOC 2 Type 2 report specifically; auditors almost always want this one. It is a long PDF (hundreds of pages) covering Microsoft's controls against the trust services criteria: security, availability, processing integrity, confidentiality, and privacy.

Success indicator: You can download at least one audit report PDF from the Service Trust Portal and confirm its reporting period is current. Reports cover a defined period and are reissued on a cycle, so check the period end date on the cover page, and if the next report isn't out yet, also download the bridge letter Microsoft publishes to cover the gap.

Step 4: Work Through Improvement Actions to Raise Your Compliance Score

Your Microsoft compliance assurance score won't move on its own, the Improvement Actions tab is where your team's actual work happens. These are controls that fall under your side of the shared responsibility model: things like enabling multi-factor authentication, configuring data loss prevention policies, setting retention labels, and enabling audit logging.

Inside your assessment, click Improvement Actions. You'll see a list with columns for: action name, points available, category (Identity, Data, Device, Apps, Infrastructure), action type (Technical, Operational, Documentation), and current status. Sort by Points descending to find the highest-impact actions first. This is where teams consistently waste time, they start working alphabetically through the list instead of targeting the actions worth 27 points before the ones worth 3 points.

For each Improvement Action, click into it to see the detailed implementation guidance. The action page shows: a description of what needs to be done, step-by-step implementation instructions linked to specific Microsoft 365 settings, testing guidance, and space to upload evidence documents. Click Assign to route the action to the team member responsible for that control area.

Some Improvement Actions are automatically tested: Compliance Manager reads your tenant configuration (the same signals that feed Microsoft Secure Score) and marks them passed or failed without manual attestation. Actions covering MFA enforcement, for example, are tested against your actual authentication configuration, not against a policy name. Others require manual evidence upload: for an action like "Conduct annual security training," you'll need to upload an export from your training platform or a signed attestation letter.

To update an action's status, click into it, then click Edit status. Set the Implementation Status to "Implemented," the Test Status to "Passed," and upload any supporting evidence. Compliance Manager recalculates your score in near real-time, typically within 2–3 minutes of saving an action update.

Success indicator: After completing your first batch of Improvement Actions, your compliance score visibly increases on the Compliance Manager overview page and the assessment progress bar advances.

Step 5: Map Your Internal Controls Framework to the Assessment and Export Evidence

If your organization already has an internal risk and controls framework, whether that's a custom policy library, a GRC platform like ServiceNow or Archer, or even a well-maintained Excel workbook, you don't need to start from scratch inside Compliance Manager. Instead, you map your existing controls to the framework template.

Inside any Improvement Action, there's a section called Related controls that shows how that action maps across every framework you hold an assessment for. This is genuinely one of the best features Microsoft built into Compliance Manager: a single Improvement Action can satisfy controls across NIST 800-53, ISO 27001, and a custom template built from your internal framework all at once. When you mark it complete, the credit propagates to every mapped assessment. No double-entering the same work.

For organizations that want to create a custom assessment template based on an internal control framework that isn't in Microsoft's template library, navigate to Compliance Manager > Assessment templates > Create new template. You download an Excel workbook with a fixed schema, populate it with your control IDs, control descriptions, and control family mappings, then upload the workbook back. The template processor is strict about the schema: sheet names and column headers must match exactly. If your upload fails with a schema or parsing error, one common cause is Excel auto-formatting your control IDs (an ID like "3-1" becomes a date, a leading zero disappears). Format those columns as Text before entering data, and re-check the IDs after saving.

When your compliance work reaches a point where you need to share results with auditors or leadership, use the Export function inside each assessment. Go to the assessment overview page, click Export to Excel, the export includes all control statuses, your evidence uploads, Microsoft Actions with audit report references, and improvement action assignments. This is the artifact your external auditor will actually review, so make sure every action has a status set and that uploaded evidence files are named clearly.

Success indicator: Your exported Excel assessment report shows a clear breakdown of Microsoft-managed controls vs. customer-managed controls, with evidence documentation attached to every completed improvement action.

Advanced Troubleshooting

Enterprise and Domain-Joined Scenarios

In large enterprise environments where Microsoft 365 is synchronized with on-premises Active Directory through Microsoft Entra Connect (formerly Azure AD Connect), compliance assurance issues frequently originate at the identity layer rather than inside Compliance Manager itself. Mismatched UPN suffixes between on-premises and cloud, for example, leave users signing in with a different identity from the one your Conditional Access policies and role group memberships target, and what looks like a Compliance Manager fault is really a user being evaluated as someone else.

Check the unified audit log for compliance-related events using PowerShell. With the Exchange Online PowerShell module installed, run:

# Requires the ExchangeOnlineManagement module: Install-Module ExchangeOnlineManagement
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@yourdomain.com
# -RecordType ComplianceManager is this guide's assumption about the record type name: tab-complete
# -RecordType to confirm the value exists in your tenant, and drop it (filtering on Operations
# afterwards) if it does not. -ResultSize accepts at most 5000 per call.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -RecordType ComplianceManager -ResultSize 5000 |
    Select-Object CreationDate, UserIds, Operations, AuditData |
    Export-Csv C:\ComplianceLogs.csv -NoTypeInformation
Disconnect-ExchangeOnline -Confirm:$false

Open the resulting CSV and filter the Operations column for assessment and improvement-action update operations (the exact operation names appear both in the Operations column and inside the AuditData JSON). If you see operations logged under an unexpected UPN (a service account rather than the actual admin), that's a signal that an automation or sync process is touching compliance data, which can cause the score to fluctuate unexpectedly between sessions.
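Spotting the unexpected actor by eye works for a day of logs and fails for a quarter. The function below takes the exported rows (or live Search-UnifiedAuditLog output), reads the actor and operation out of the AuditData JSON, and summarises who changed compliance data, flagging any identity not on your expected list. It is an added example, not from the page or from Microsoft; the sample rows and their operation names are constructed placeholders, not real Compliance Manager operation strings, and the only assumption about real data is the column shape of the export above (CreationDate, UserIds, Operations, AuditData).

```powershell
# Added example (not the page's own code). Input: rows shaped like the CSV export above.
# Sample rows below are constructed; their operation names are placeholders.
function Get-ComplianceActorSummary {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Record,
        [string[]] $ExpectedActors = @()
    )
    begin { $all = New-Object System.Collections.Generic.List[object] }
    process {
        # AuditData is a JSON document carrying the authoritative UserId and Operation;
        # fall back to the flat columns if it fails to parse
        $data = $null
        try { $data = $Record.AuditData | ConvertFrom-Json } catch { }
        $all.Add([pscustomobject]@{
            Time      = [datetime]$Record.CreationDate
            Actor     = if ($data -and $data.UserId)    { $data.UserId }    else { $Record.UserIds }
            Operation = if ($data -and $data.Operation) { $data.Operation } else { $Record.Operations }
        })
    }
    end {
        $all | Group-Object Actor | ForEach-Object {
            $actor = $_.Name
            [pscustomobject]@{
                Actor      = $actor
                Events     = $_.Count
                Operations = ($_.Group.Operation | Sort-Object -Unique) -join ', '
                FirstSeen  = ($_.Group.Time | Measure-Object -Minimum).Minimum
                LastSeen   = ($_.Group.Time | Measure-Object -Maximum).Maximum
                # Unexpected: an identity nobody on the compliance team recognises, typically a
                # sync job or automation account silently touching assessments
                Unexpected = ($ExpectedActors.Count -gt 0) -and ($actor -notin $ExpectedActors)
            }
        } | Sort-Object Unexpected, Events -Descending
    }
}

# Constructed sample rows shaped like the CSV export (placeholder operations and JSON)
$sample = @(
    [pscustomobject]@{ CreationDate='2026-04-17T08:01:00Z'; UserIds='alice@contoso.example';       Operations='UpdateImprovementAction'; AuditData='{"UserId":"alice@contoso.example","Operation":"UpdateImprovementAction"}' }
    [pscustomobject]@{ CreationDate='2026-04-17T08:05:00Z'; UserIds='alice@contoso.example';       Operations='UpdateImprovementAction'; AuditData='{"UserId":"alice@contoso.example","Operation":"UpdateImprovementAction"}' }
    [pscustomobject]@{ CreationDate='2026-04-17T23:00:00Z'; UserIds='svc-grcsync@contoso.example'; Operations='UpdateAssessment';        AuditData='{"UserId":"svc-grcsync@contoso.example","Operation":"UpdateAssessment"}' }
    [pscustomobject]@{ CreationDate='2026-04-18T23:00:00Z'; UserIds='svc-grcsync@contoso.example'; Operations='UpdateAssessment';        AuditData='{"UserId":"svc-grcsync@contoso.example","Operation":"UpdateAssessment"}' }
)
$sample | Get-ComplianceActorSummary -ExpectedActors 'alice@contoso.example' | Format-Table -AutoSize

# Real data from the export above:
# Import-Csv C:\ComplianceLogs.csv | Get-ComplianceActorSummary -ExpectedActors 'alice@contoso.example','bob@contoso.example'
```

Nightly timestamps from an account nobody recognises, as in the constructed sample, are the pattern to look for: a scheduled job writing to assessments will show a fixed cadence that a human never produces.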

Group Policy Conflicts Affecting Compliance Tool Access

On domain-joined workstations, Group Policy Objects sometimes block access to specific Microsoft web portals at the browser or network level. If compliance.microsoft.com or servicetrust.microsoft.com loads a blank white page or returns HTTP 403, run this from an elevated command prompt to check if a GPO is applying proxy or content filtering rules:

gpresult /H C:\GPReport.html /F
start C:\GPReport.html

In the HTML report, look under Computer Configuration > Administrative Templates > Windows Components > Internet Explorer (even if you're using Edge, IE-zone-based policies still apply to Chromium Edge in most enterprise configs) for any URL restrictions or proxy bypass lists that might exclude *.microsoft.com subdomains. The Service Trust Portal specifically runs on a subdomain that is sometimes missed in allow-lists.
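The gpresult report shows you the policy names; what matters is which registry values those policies wrote and whether they match the portal hosts. The script below reads the Site to Zone Assignment List (the IE zone policy that Chromium Edge also honours) and Edge's URLBlocklist and URLAllowlist, then reports what applies to each portal host. It is an added example, not from the original page or from Microsoft. Zone numbers follow the documented Internet Explorer scheme (1 Intranet, 2 Trusted, 3 Internet, 4 Restricted); the pattern matching is a deliberately broad approximation of the browsers' own rules, so it errs toward reporting a hit. Run it in an elevated session on the affected workstation.

```powershell
# Added example, not from the original page. Reads the policy registry keys behind the
# gpresult entries (Site to Zone Assignment List; Edge URLBlocklist/URLAllowlist) and
# reports what applies to each portal host. Matching is intentionally broad.
$portals = @('purview.microsoft.com', 'compliance.microsoft.com',
             'servicetrust.microsoft.com', 'login.microsoftonline.com')

$zoneNames = @{ 0 = 'Local machine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }
$zoneKeys  = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)
$edgeBlockKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge\URLBlocklist'
$edgeAllowKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge\URLAllowlist'

function Get-PolicyEntries {
    # Name/value pairs under a policy key, minus PowerShell's PS* metadata; empty if the key is absent
    param([string] $Path)
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if (-not $item) { return @() }
    $item.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { [pscustomobject]@{ Name = $_.Name; Value = [string]$_.Value } }
}

function Test-PatternMatchesHost {
    # Entries look like "*.microsoft.com", "https://servicetrust.microsoft.com", "microsoft.com" or "*".
    # Strip scheme, port and path, then treat a bare domain as covering its subdomains too.
    param([string] $Pattern, [string] $HostName)
    $p = ($Pattern -replace '^[a-z*]+://', '') -replace '[/:].*$', ''
    if ($p -eq '*' -or $p -eq '') { return $true }
    if ($p.StartsWith('*.')) { return ($HostName -like $p) -or ($HostName -eq $p.Substring(2)) }
    if ($p.StartsWith('.'))  { return $HostName -eq $p.Substring(1) }   # Edge: leading dot = exact host only
    return ($HostName -eq $p) -or ($HostName -like "*.$p")
}

$blockEntries = @(Get-PolicyEntries $edgeBlockKey)
$allowEntries = @(Get-PolicyEntries $edgeAllowKey)

foreach ($portal in $portals) {
    $zones = foreach ($k in $zoneKeys) {
        foreach ($e in Get-PolicyEntries $k) {
            if (Test-PatternMatchesHost $e.Name $portal) {
                "$($e.Name) -> $($zoneNames[[int]$e.Value]) ($($k.Split(':')[0]))"
            }
        }
    }
    $blocked = @($blockEntries | Where-Object { Test-PatternMatchesHost $_.Value $portal } | ForEach-Object Value)
    $allowed = @($allowEntries | Where-Object { Test-PatternMatchesHost $_.Value $portal } | ForEach-Object Value)
    [pscustomobject]@{
        Host           = $portal
        ZoneAssignment = if ($zones) { $zones -join '; ' } else { '(none: browser default)' }
        # Edge's URLAllowlist is the exception list for URLBlocklist, so an allow hit overrides a block hit
        EdgeBlocked    = ($blocked.Count -gt 0) -and ($allowed.Count -eq 0)
        BlockPatterns  = $blocked -join '; '
        AllowPatterns  = $allowed -join '; '
    }
}
```

A portal host landing in the Restricted zone (4) while login.microsoftonline.com sits in Trusted (2) is the classic split that breaks the sign-in redirect: cookies and scripts are treated differently across the two zones and the authentication round-trip never completes.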

Compliance Score Discrepancy After Tenant Migration

If your organization recently migrated from one Microsoft 365 tenant to another (common after M&A activity), Compliance Manager assessments do not migrate automatically; the tool's data is tenant-bound. You'll need to recreate assessments in the new tenant and re-upload all evidence. The Microsoft Actions portion needs no work from you: those are Microsoft's own controls and populate identically in any tenant. Only the customer-side Improvement Actions have to be re-attested or re-tested against the new tenant's configuration. Ask Microsoft Support early whether any assistance with bulk evidence transfer is available for your scenario rather than assuming it is.

When to Call Microsoft Support

Escalate to Microsoft Support if: your compliance score has been stuck at the same value for more than 48 hours despite completing Improvement Actions; assessment templates fail to generate after three attempts with automated testing confirmed on and the creating account confirmed to hold an assessment-creating role group; or your organization is a U.S. government customer and you need GCC High or DoD-specific audit reports that are not visible in the standard Service Trust Portal. Open a support ticket under the Microsoft Purview / Compliance Manager product area and include your tenant ID (from Microsoft Entra admin center > Overview) in the ticket body; this cuts first-response time significantly.

Prevention & Best Practices

Getting Microsoft compliance assurance working correctly is one thing. Keeping it working, and keeping your score accurate, is an ongoing operational discipline. Here's what separates organizations that pass their cloud risk assessments cleanly from those that scramble every time an auditor asks for evidence.

Establish a quarterly Compliance Manager review cadence. Set a recurring calendar block every 90 days where your compliance or IT security team reviews Improvement Actions that have drifted from "Implemented" to "Not implemented", this happens when configurations change and Compliance Manager's auto-detection picks up the regression. Catching these before an audit is infinitely better than explaining a score drop to your auditors on the day of review.
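Both the prioritisation advice in Step 4 (work the 27-point actions before the 3-point ones, and never leave an action unowned) and the quarterly drift review above come down to comparing two exports of the same assessment. The function below does that comparison: it lists actions that were fully credited last quarter and are not now, actions that are open and unassigned, and every open action ranked by points. It is an added example, not from the page or from Microsoft. It assumes you have saved two "Export to Excel" snapshots as CSV and that the column names used here (Action, Category, MaxPoints, ImplementationStatus, TestStatus, AssignedTo) are mapped to the real export headers; the two snapshots in the block are constructed.

```powershell
# Added example, not from the page or Microsoft. Assumed column names: Action, Category,
# MaxPoints, ImplementationStatus, TestStatus, AssignedTo (map to the real export headers).
function Compare-ComplianceSnapshot {
    param(
        [Parameter(Mandatory)] [object[]] $Previous,
        [Parameter(Mandatory)] [object[]] $Current
    )
    $prevByAction = @{}
    foreach ($r in $Previous) { $prevByAction[$r.Action] = $r }

    $regressed   = New-Object System.Collections.Generic.List[object]
    $unassigned  = New-Object System.Collections.Generic.List[object]
    $openByValue = New-Object System.Collections.Generic.List[object]

    foreach ($r in $Current) {
        $points = [int]$r.MaxPoints
        # Points are released only when BOTH statuses are complete (see the FAQ below)
        $done   = ($r.ImplementationStatus -eq 'Implemented' -and $r.TestStatus -eq 'Passed')
        $prev   = $prevByAction[$r.Action]
        # Drift: fully credited last snapshot, not credited now (auto-detected regression or a reverted setting)
        if ($prev -and $prev.ImplementationStatus -eq 'Implemented' -and $prev.TestStatus -eq 'Passed' -and -not $done) {
            $regressed.Add([pscustomobject]@{ Action = $r.Action; Points = $points; Now = "$($r.ImplementationStatus)/$($r.TestStatus)"; Owner = $r.AssignedTo })
        }
        if (-not $done) {
            if ([string]::IsNullOrWhiteSpace($r.AssignedTo)) {
                $unassigned.Add([pscustomobject]@{ Action = $r.Action; Points = $points; Category = $r.Category })
            }
            $openByValue.Add([pscustomobject]@{ Action = $r.Action; Points = $points; Owner = $r.AssignedTo; Status = "$($r.ImplementationStatus)/$($r.TestStatus)" })
        }
    }
    [pscustomobject]@{
        Regressed        = @($regressed   | Sort-Object Points -Descending)
        Unassigned       = @($unassigned  | Sort-Object Points -Descending)
        OpenByValue      = @($openByValue | Sort-Object Points -Descending)
        PointsAtRisk     = ($regressed  | Measure-Object Points -Sum).Sum
        PointsUnassigned = ($unassigned | Measure-Object Points -Sum).Sum
    }
}

# Constructed snapshots: last quarter and now, same assessment
$q1 = @'
Action,Category,MaxPoints,ImplementationStatus,TestStatus,AssignedTo
Require MFA for administrative roles,Identity,27,Implemented,Passed,alice@contoso.example
Enable unified audit logging,Data,10,Implemented,Passed,bob@contoso.example
Publish a data classification policy,Data,8,Not implemented,None,
Conduct annual security awareness training,Operational,3,Implemented,Passed,carol@contoso.example
'@ | ConvertFrom-Csv

$q2 = @'
Action,Category,MaxPoints,ImplementationStatus,TestStatus,AssignedTo
Require MFA for administrative roles,Identity,27,Not implemented,Failed,alice@contoso.example
Enable unified audit logging,Data,10,Implemented,Passed,bob@contoso.example
Publish a data classification policy,Data,8,Not implemented,None,
Conduct annual security awareness training,Operational,3,Implemented,None,
'@ | ConvertFrom-Csv

$result = Compare-ComplianceSnapshot -Previous $q1 -Current $q2
"Points at risk from regressions: $($result.PointsAtRisk)"
"Points sitting in unassigned actions: $($result.PointsUnassigned)"
$result.Regressed   | Format-Table -AutoSize
$result.Unassigned  | Format-Table -AutoSize
$result.OpenByValue | Format-Table -AutoSize

# Real data:
# Compare-ComplianceSnapshot -Previous (Import-Csv .\assessment-2026Q1.csv) -Current (Import-Csv .\assessment-2026Q2.csv)
```

On the constructed snapshots the MFA action (27 points) and the training action (3 points, implemented but its test status reset) both show up as regressions, and the unassigned data classification policy is the only open action with no owner. Note that the training action regresses even though Implementation Status still says Implemented: one incomplete status is enough to lose the points, which is exactly why the FAQ insists on setting both.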

Don't wait for auditors to ask for Service Trust Portal reports. The SOC 2 Type II, ISO 27001 certificates, and penetration test summaries that Microsoft publishes are updated annually. Build a process where someone on your team downloads the latest versions of all relevant reports each January and stores them in your organization's GRC system or SharePoint. This way you're never scrambling to download a 300-page PDF the night before an audit.

Map every Improvement Action to a specific owner. The single biggest cause of compliance score stagnation is unassigned actions. When no one owns an action, no one completes it. Use the Assign feature in Compliance Manager to route every action to a named individual, not a team alias, and set completion due dates. Compliance Manager emails the assignee, so the assignment itself becomes the reminder; track the due dates in whatever task system your team already uses.

Align your internal framework mapping before starting assessments. Spending 2–3 hours mapping your internal control identifiers to the NIST 800-53 or ISO 27001 control families before you create your first assessment will save you 20+ hours of rework later. Compliance Manager lets you export any template to Excel from the Assessment templates page; use that export as your starting point rather than building a mapping from scratch.

Quick Wins
  • Turn on automated testing in Compliance Manager settings: actions that can be tested from your tenant configuration (the same signals Microsoft Secure Score uses) are then credited without manual attestation
  • Upload evidence directly to the improvement action rather than circulating it by email, so the attestation and its proof live together in the export your auditors will see
  • Save the audit reports you rely on to My Library in the Service Trust Portal and turn on update notifications, so you hear when a new SOC, ISO, or penetration test report is published
  • For multi-cloud environments that include non-Microsoft services, create a custom assessment template that maps your shared vendor risk framework so that Microsoft and third-party controls appear side-by-side in a single compliance view

Frequently Asked Questions

Why is my Microsoft Purview compliance score stuck at 0% even though I've completed several improvement actions?

Two causes account for most of these. First, automated testing may be turned off or set to manual for the affected actions, so nothing gets auto-tested and only manually attested actions can ever earn points: go to Compliance Manager > Settings > Automated testing and confirm it is on. Second, for manually attested Improvement Actions, make sure you've set both the Implementation Status AND the Test Status to a completed value; setting only one of the two fields does not release the points toward your score. If both are in order and the score still hasn't moved after 48 hours, open a support case.

How do I download SOC 2 audit reports from Microsoft to give to my auditor?

You need to access the Service Trust Portal at servicetrust.microsoft.com using your organizational Microsoft 365 account; personal Microsoft accounts won't work. Once signed in, navigate to Audit Reports > SOC Reports. You'll see SOC 1 and SOC 2 reports listed for Microsoft's major cloud services (Azure, Microsoft 365, Dynamics 365). Click the report you need, accept the terms of use when prompted, and the PDF downloads directly. The SOC 2 Type 2 is almost always what external auditors want; it covers a defined reporting period and is reissued on a regular cycle, so check the period dates on the cover page against the audit window your auditor cares about, and pick up the bridge letter if there is a gap.

What's the difference between Microsoft Actions and Improvement Actions in Compliance Manager, and do I need to do anything about Microsoft Actions?

Microsoft Actions are controls that Microsoft has already implemented as part of operating the cloud infrastructure: physical datacenter security, hypervisor isolation, disk-level encryption at rest, and so on. You don't need to do anything to complete these; Microsoft maintains them and the associated audit evidence, and your compliance score receives credit for them automatically based on Microsoft's latest audit results. Improvement Actions are the controls on your side of the shared responsibility model (enabling MFA, configuring data retention policies, training your users) and require your team to implement and attest. Microsoft's actions typically account for a substantial share of the available points in a template, so a new assessment is never at zero once Microsoft Actions load; how large that share is varies by template and service, and the rest is yours.

Can I use Compliance Manager if my organization is on Microsoft 365 Business Basic or E1, do I need to upgrade?

The template library is license-gated, and the gating changes, so confirm against Microsoft's current Compliance Manager licensing guidance. In broad terms: the Microsoft Data Protection Baseline assessment is available with the Microsoft 365 enterprise plans, while premium regulatory templates such as NIST SP 800-53, ISO/IEC 27001, HIPAA and FedRAMP require Microsoft 365 E5 or E5 Compliance, or the Compliance Manager premium assessment add-on, which can be purchased on top of lower tiers. If you're on Business Basic or E1 and need those templates, the add-on or an upgrade is the route; check what your plan includes under Microsoft 365 admin center > Billing > Your products before committing to either.

My organization uses both Azure and Microsoft 365. Do I need a separate compliance assessment for each, or can they be combined?

In practice you create one assessment per service in scope (Compliance Manager asks which services an assessment covers), because the underlying control sets and Microsoft Actions differ significantly between Azure and Microsoft 365. That said, the Improvement Actions that apply to your organization (identity governance, data classification, incident response procedures) often overlap. Compliance Manager credits the same completed Improvement Action across multiple assessments when the underlying control maps to both, so completing "Enable MFA for privileged accounts" once advances your score in both your Azure assessment and your Microsoft 365 assessment, if that control appears in both.

What is Zero Standing Access (ZSA) and does it affect how I should configure my compliance controls?

Zero Standing Access is Microsoft's internal operational security practice where Microsoft engineers do not hold persistent elevated permissions to customer environments or production systems. Access is granted on a just-in-time, just-enough basis with explicit approval workflows and full audit logging, and it expires automatically. From your compliance assurance perspective, this is relevant because it's how Microsoft addresses "privileged access management" controls in frameworks like NIST 800-53 AC-2 and AC-6. When you see Microsoft Actions in Compliance Manager related to privileged access controls, ZSA is the implementation mechanism behind them. For your side of the house, Microsoft recommends mirroring this model using Microsoft Entra Privileged Identity Management (PIM) for your own admin accounts, which itself generates credit for several high-value Improvement Actions in your compliance assessments.

Sai Kiran Pandrala
Our team includes certified Microsoft engineers, Azure architects, and system administrators with 10+ years of enterprise IT experience. Every guide is written from hands-on troubleshooting, not guesswork. We test every fix before publishing.