Microsoft Compliance Solutions
Two directions of trust, and the two portals that blur them
Every capability in this domain answers one of two questions, and telling them apart resolves most of what the exam asks here. Outward: can you trust Microsoft, and how does it treat the data you hand it? That is the job of Microsoft's independent audit evidence and its privacy commitments. Inward: are you meeting the duties you owe your own regulators and users? That is the work you do inside your own tenant. The classic trap hides in a shared word. The Service Trust Portal is where you download Microsoft's own audit reports (SOC, ISO, FedRAMP, and the like), while the Microsoft Purview portal is where you assess and improve your own tenant's compliance. Both are called a portal, and they face opposite directions. Two more distinctions carry through the whole domain: compliance is not security, and privacy is not security. Those ideas are defined under Security and compliance concepts, so this page builds on them rather than redefining governance, risk, and compliance.
One outward stop, then an inward lifecycle: assess, know, protect, govern, detect, discover, prove
The four subtopics read as one arc. First, Service Trust Portal and Privacy is chiefly the outward stop: you read Microsoft's audit evidence and weigh its four privacy commitments. One tool here already turns inward, Microsoft Priva, which manages the personal data you already hold about your users. The other three face inward, in order. You assess in Purview Compliance Management, where Compliance Manager rolls your improvement actions into one risk-based compliance score. You then know, protect, and govern in Information Protection and Governance: classify your data, shield it with sensitivity labels and data loss prevention, and retain or dispose of it on schedule. Finally you detect, discover, and prove in Insider Risk, eDiscovery, and Audit: spot risky behavior, preserve evidence for a legal matter, and reconstruct from the audit log who did what. One caution at the assess step: this compliance score measures progress on regulatory improvement actions, and is not secure score, which grades the security posture of Azure and multicloud resources over in Azure security management.
When two answers both fit, pick the tool built for that one job
Microsoft Purview splits this work into single-purpose solutions on purpose, and the exam rewards matching a question to the tool whose one job it names. A sensitivity label answers how sensitive is this and what protection applies; a retention label answers how long to keep it and what happens at the end; the two are independent, so one item can carry one of each, and neither should be forced to do the other's work. A legal hold preserves content for a specific matter, while a retention policy governs routine lifecycle; when both touch an item, preservation wins over deletion. And a compliance score is a prioritized measure of progress, never a certificate that you are compliant. So when two options both seem to work, the exam-correct one is usually the purpose-built tool the question's verb points to, not the general-sounding alternative.
Where each subtopic sits: outward trust, then the inward lifecycle
| Direction and stage | The question it answers | Microsoft tools | Drill into |
|---|---|---|---|
| Outward: trust Microsoft | Can I trust Microsoft's cloud, and manage the personal data I hold? | Service Trust Portal, privacy principles, Microsoft Priva | Service Trust Portal and Privacy |
| Inward: assess | How complete is my own tenant's compliance posture? | Microsoft Purview portal, Compliance Manager, compliance score | Purview Compliance Management |
| Inward: know, protect, govern | Where is my sensitive data, how do I shield it, how long do I keep it? | Classification, sensitivity labels, DLP, retention | Information Protection and Governance |
| Inward: detect, discover, prove | Who acted riskily, what is the evidence, who did what? | Insider risk management, eDiscovery, Audit | Insider Risk, eDiscovery, and Audit |