Microsoft Compliance Manager is one of the most misunderstood products in the M365 portfolio. The basic version is included in every commercial M365 plan — but the capabilities that enterprises actually need, particularly custom assessments and premium regulatory templates, sit behind the E5 Compliance licence or the E5 Compliance add-on. Microsoft's account teams are highly incentivised to present E5 Compliance as the only serious compliance posture. The reality is more nuanced than that.
This guide breaks down exactly what Compliance Manager includes at each licence tier, where the legitimate value uplift is, and how to evaluate whether paying for E5 Compliance is justified for your specific regulatory environment — or whether you can accomplish your compliance programme objectives on E3.
What Is Microsoft Compliance Manager
Compliance Manager, now part of the Microsoft Purview compliance portal, is a risk assessment and compliance management tool. It provides a central dashboard showing your compliance posture across Microsoft services — Exchange Online, SharePoint Online, Teams, OneDrive, Entra ID, and others — against regulatory frameworks.
The core mechanics: Compliance Manager generates a compliance score based on how well your M365 configuration aligns with a chosen regulatory framework. It lists improvement actions (configuration changes within M365) that would increase your score, and tracks your progress as you implement them. It also tracks controls that Microsoft manages on your behalf as part of its own compliance obligations.
The tool's automated testing covers only M365 services. It does not assess your on-premises infrastructure, third-party SaaS applications, or non-Microsoft cloud environments; anything outside M365 can only enter an assessment as manually uploaded evidence. That limitation matters before you present a Compliance Manager score to an auditor as evidence of your broader compliance posture, which Microsoft's sales narrative sometimes implies you can do.
Compliance Manager scores your M365 configuration against regulatory frameworks. It does not assess your on-premises systems, third-party SaaS platforms, or overall information security programme. A high Compliance Manager score does not equate to regulatory compliance — it indicates good M365 configuration alignment with a chosen framework.
Compliance Manager Licensing by Plan
The licence gate for Compliance Manager is more granular than most organisations realise. Here is what each plan tier actually delivers:
| Licence Tier | Compliance Manager Access | Pre-built Assessments | Custom Assessments | Premium Templates |
|---|---|---|---|---|
| M365 Business Basic / Standard / Premium | Included | Data Protection Baseline only | No | No |
| M365 E1 / O365 E1 | Included | Data Protection Baseline only | No | No |
| M365 E3 / O365 E3 | Included | Data Protection Baseline only | No | No |
| Microsoft 365 E5 (E5 Compliance included) | Full access | 300+ regulatory templates | Yes | Yes, 300+ templates |
| Microsoft 365 E5 Compliance add-on (on E3 or equivalent base) | Full access | 300+ regulatory templates | Yes | Yes, 300+ templates |
The critical point: the Data Protection Baseline assessment is available to all plans. This baseline maps your M365 configuration against a Microsoft-defined set of data protection best practices. It is useful for internal hygiene but covers no specific regulatory framework — not GDPR, not ISO 27001, not SOC 2, not NIST.
To assess your M365 posture against any named regulatory framework, you need premium template access: either E5 Compliance (included in Microsoft 365 E5, or bought as an add-on on top of E3) or the per-template purchase described below. That is the licence gate that drives most E5 Compliance discussions.
The 300+ Premium Templates: What They Cover
With E5 Compliance, you get access to over 300 pre-built regulatory assessment templates. These include frameworks that matter to regulated European enterprises: GDPR, ISO 27001:2022, SOC 2 Type II, PCI DSS v4.0, NIST SP 800-53, HIPAA, DORA, NIS2, UK Cyber Essentials, FCA SYSC, and many others.
Each template contains a set of controls mapped to your M365 configuration, with automated testing where M365 can assess configuration directly, and manual evidence collection prompts for controls that require human action or documentation. The templates also include Microsoft-managed controls — things Microsoft handles in its data centres as part of its own compliance certifications.
Premium regulatory templates are provisioned at the tenant level, not per template or per user. E5 Compliance itself is licensed per user, and your licences must cover the users who work with the premium features, but once the entitlement is in place all 300+ templates are available and there is no per-template charge under E5 Compliance. For organisations that want specific templates without the full suite, Microsoft sells a separate per-template add-on priced at approximately £750 per template per year.
Custom Assessments: The Feature That Justifies E5 Compliance Most Often
Custom assessments allow you to build your own regulatory frameworks within Compliance Manager. This is the feature most frequently cited by enterprises as the primary justification for E5 Compliance investment — more so than the pre-built templates.
Custom assessments let you map controls from frameworks that Microsoft has not pre-built, internal control frameworks, or composite frameworks that blend multiple regulatory requirements. A financial services firm subject to both DORA and their own internal risk framework, for example, might build a custom assessment that maps both sets of requirements against M365 controls in a single view.
The practical limitation: custom assessments are still scoped to M365 services. You can assess your M365 configuration against any control framework, but the automated evidence comes only from M365. Controls that require evidence from your HR system, physical security programme, or on-premises infrastructure remain manual.
E5 Compliance Component Analysis: Is It Worth It for Compliance Manager Alone?
E5 Compliance includes eight major components, not just Compliance Manager. Purchasing E5 Compliance solely for Compliance Manager premium access is rarely the right commercial decision. The per-template purchase option (approximately £750/template/year) is almost always cheaper if Compliance Manager is your sole use case.
| E5 Compliance Component | Standalone Price (approx.) | Justified If You Need |
|---|---|---|
| Compliance Manager Premium Templates | £750/template/year (alt.) | Specific regulatory frameworks (<3 templates: buy separately) |
| Microsoft Purview Audit Premium | ~£3.50/user/month standalone | Legal investigations, forensic log retention, intelligent insights |
| Advanced eDiscovery | ~£7/user/month standalone | Large-scale litigation, regulatory productions, legal hold management |
| Microsoft Purview DLP (full) | ~£2/user/month (E3 partial) | Endpoint DLP, Teams DLP, third-party app DLP beyond E3 |
| Information Protection (full) | ~£2/user/month (E3 partial) | Automatic labelling, double key encryption, exact data match |
| Insider Risk Management | ~£4/user/month standalone | Insider threat programme, employee investigation platform |
| Communication Compliance | ~£4/user/month standalone | FCA COBS regulated communications monitoring, HR policy enforcement |
| Information Barriers | ~£2/user/month standalone | Regulated firm information barriers (financial services) |
The financial case for E5 Compliance is strongest when you need four or more of these components. At that point, the bundle (~£10.10/user/month on top of E3) becomes cheaper than assembling the components individually. If you need only Compliance Manager premium templates plus one other component, a targeted add-on approach will typically cost 40–60% less than E5 Compliance for your full user population.
How Microsoft Uses Compliance Manager in E5 Upsell Conversations
Understanding the commercial dynamic is essential for procurement teams. Microsoft's account teams have significant incentive to move organisations from E3 to E5 — the revenue uplift is substantial, and Compliance Manager is one of the most effective hooks for compliance-conscious organisations.
The typical account team sequence: present your current score against the Data Protection Baseline (usually low in a tenant that has never worked through the improvement actions, and in any case not a measure against your actual regulatory framework), reference recent regulatory enforcement actions in your sector, and position E5 Compliance as the tool that would raise your score and demonstrate compliance to your regulators. The implication is that a higher Compliance Manager score equals regulatory compliance. This is not accurate.
Compliance Manager is a configuration alignment tool for M365. Regulators — whether the ICO, FCA, or the relevant NIS2 competent authority — do not accept a Compliance Manager report as evidence of regulatory compliance. It is useful internal hygiene, a useful framework for tracking M365 configuration improvements, and can form part of a broader compliance programme. It is not a substitute for one.
Before accepting a Compliance Manager-led E5 Compliance proposal, ask your account team a direct question: "Which of the eight E5 Compliance components are you recommending we purchase, and for which of those components is there a cheaper standalone alternative?" The answer — or the reluctance to answer — will tell you a great deal about whether the recommendation is in your interest.
Compliance Manager and GDPR: What E3 Can and Cannot Do
GDPR is the most common regulatory framework European enterprises want to assess against in Compliance Manager. It is also a premium template, locked behind E5 Compliance.
On E3, you can use the Data Protection Baseline, which covers some data protection principles in a generic way. You cannot run a formal GDPR assessment. For organisations with a genuine GDPR compliance programme, the per-template purchase route (approximately £750/year) is significantly cheaper than upgrading your entire user population to E5 Compliance for GDPR assessment alone.
Per-template purchases work as follows: you purchase a specific regulatory template as an add-on to an existing M365 subscription. The template is then available to your Compliance Manager environment. This covers the assessment functionality for that specific framework. Custom assessments and certain advanced features remain exclusive to E5 Compliance. But for the majority of organisations that want to run pre-built regulatory assessments against two or three frameworks, per-template purchasing is the right economic choice.
Compliance Manager Premium vs Third-Party GRC Tools
For organisations already using a third-party Governance, Risk and Compliance (GRC) platform — Archer, ServiceNow GRC, LogicGate, OneTrust, or others — the E5 Compliance investment in Compliance Manager should be evaluated against the marginal value over the existing GRC tooling.
Compliance Manager's unique advantage is its native M365 integration: automated control testing pulls configuration data directly from Exchange Online, SharePoint, Teams, Entra ID, and other M365 services. No manual evidence collection is needed for M365 technical controls. Third-party GRC tools typically require integration connectors or manual data import to achieve the same result.
However, third-party GRC tools cover your entire technology estate — not just M365. For organisations where M365 represents only part of the regulatory control surface (common in financial services, healthcare, and critical infrastructure), a standalone GRC platform with M365 connector capability often provides better coverage than Compliance Manager at lower total cost.
| Factor | Compliance Manager (E5) | Third-Party GRC Tool |
|---|---|---|
| M365 configuration automation | Native, no integration needed | Requires connector, often manual |
| Non-M365 estate coverage | Not covered | Full estate |
| Regulatory template depth | 300+ M365-focused | Varies; typically broader |
| Workflow and remediation | Basic (improvement actions) | Mature workflow engines |
| Audit evidence management | Limited (documents, links) | Comprehensive evidence libraries |
| Cost (per user/year, 2,000 users) | ~£121.20 (E5 Compliance add-on) | £40–£200 depending on platform |
| Best fit | M365-heavy organisations with E5 already deployed | Multi-cloud, broad regulatory scope |
Compliance Manager Governance: Getting the Most From What You Have
Regardless of licence tier, Compliance Manager is frequently deployed and then under-utilised. The compliance score is set up once, account teams reference it in business reviews, and no systematic remediation programme follows. If you have E5 Compliance, the following governance framework maximises the return on that investment.
Monthly: Review the improvement actions dashboard. Filter by impact (high/medium/low) and by the owner group responsible. Assign specific improvement actions to named individuals with target completion dates. Track progress against the previous month's score.
Quarterly: Review active assessments against your regulatory calendar. Update assessment scope if M365 service changes or new regulatory guidance affects control requirements. Review Microsoft-managed control updates — Microsoft periodically updates its compliance certifications, which affects your score.
Annually: Review your active regulatory templates against your organisation's actual regulatory obligations. Add templates for frameworks where you have new or emerging regulatory exposure. Remove assessments for frameworks no longer relevant. Generate an annual compliance posture report for the CISO or Board.
Compliance Manager improvement actions should be assigned to business owners as well as IT, not to IT alone. Many of the highest-impact actions in GDPR and ISO 27001 assessments relate to policy, training, access review, and data governance processes rather than technical M365 configuration. If only IT is engaged with Compliance Manager, the score improvement will plateau quickly once the technical actions are exhausted.
Compliance Manager and Your EA Renewal: Negotiating the E5 Compliance Component
If you are moving to E5 Compliance as part of an EA renewal, Compliance Manager is rarely the only component driving the decision. The negotiation principles that apply to E3 vs E5 decisions generally apply here: understand which of the eight E5 Compliance components you will actively use within the first twelve months, and commit only to the population that genuinely needs them.
For organisations that genuinely need E5 Compliance by the test above (four or more components in active use), a targeted deployment (E5 Compliance for 30–40% of the user population, E3 for the remainder) can reduce the cost of E5 Compliance by 60–70% versus a tenant-wide upgrade, while still giving the compliance, legal, and information security teams access to the tools they need. This is the standard deployment model in regulated financial services and healthcare enterprises that have made this evaluation carefully.
The negotiation lever: if you are committing to E5 Compliance for a portion of your population during an EA renewal, use that commitment as leverage on the overall M365 discount structure. A step-up from E3 to E5 Compliance for 500 users in a 5,000-seat estate is a meaningful commercial signal that Microsoft's account team will respond to commercially.
For broader Microsoft security licensing strategy, the E5 Security and E5 Compliance bundles often need to be evaluated together — there is significant overlap in components and the combined E5 (Security + Compliance) is the most common upgrade path for enterprise regulated sectors. See our guide to rationalising Microsoft security licensing for the full framework.
Practical Recommendation Framework
Use this framework to evaluate whether E5 Compliance is the right investment for Compliance Manager specifically:
Step 1 — Count your regulatory frameworks. How many distinct regulatory frameworks do you need to assess your M365 configuration against? GDPR, ISO 27001, SOC 2, PCI DSS, DORA — list them. If you need fewer than three, per-template purchasing is almost certainly cheaper than E5 Compliance for your full population.
Step 2 — Count the E5 Compliance components you need. Of the eight major E5 Compliance workloads (listed in the table above), how many are you actively deploying in the next twelve months? If fewer than four, targeted add-on purchasing will likely be cheaper. If four or more, the E5 Compliance bundle becomes competitive.
Step 3 — Identify who needs it. For Compliance Manager in particular, the users who need premium access are typically: compliance officers, information security team, legal/DPO, and potentially line-of-business data owners. This population is rarely more than 10–20% of total headcount. E5 Compliance is provisioned per user — it does not need to be tenant-wide.
Step 4 — Run the numbers. At approximately £10.10/user/month for E5 Compliance as an add-on to E3, the cost for 200 compliance-facing users is roughly £24,240/year. Compare that to per-template purchases for three regulatory frameworks (~£2,250/year) plus targeted eDiscovery or Insider Risk add-ons for the users who genuinely need them. The targeted approach commonly saves 40–55% versus tenant-wide E5 Compliance.
Step 5 — Get independent verification. Your Microsoft account team and your reseller partner are not independent advisors on E5 Compliance. Both have commercial incentives to recommend the upgrade. An independent Microsoft licensing advisor has no such incentive and can run the commercial analysis objectively.
Frequently Asked Questions
Can I use Compliance Manager without E5 Compliance?
Yes. The Data Protection Baseline assessment is available to all M365 commercial plans at no additional cost. You can access the Compliance Manager portal, view your score against the baseline, and work through improvement actions. Premium regulatory templates (GDPR, ISO 27001, etc.) and custom assessments require E5 Compliance or per-template purchase.
Do all users in my tenant need E5 Compliance to use Compliance Manager premium features?
No. E5 Compliance is licensed per user, but the premium Compliance Manager features — templates, assessments, custom frameworks — are provisioned at the tenant level. You need to licence the users who are accessing and managing Compliance Manager, not every user in the tenant. Consult your Microsoft agreement and an independent advisor to confirm the minimum compliant deployment for your specific use case.
Does a high Compliance Manager score mean I am compliant with GDPR?
No. A high Compliance Manager score for the GDPR template means your M365 configuration aligns well with the technical and organisational measures Microsoft has mapped to M365 controls within the GDPR framework. It does not cover your on-premises systems, your data processing agreements, your privacy notices, your breach notification procedures, or your staff training programme. GDPR compliance requires a far broader programme than M365 configuration alone.
What is the per-template purchase option?
Microsoft offers individual regulatory assessment templates as standalone add-ons, priced at approximately £750 per template per year. This allows organisations to access specific regulatory frameworks in Compliance Manager without purchasing the full E5 Compliance suite. Custom assessments and certain advanced features remain exclusive to E5 Compliance. The per-template option is typically available via your Microsoft reseller or directly through your EA amendment.
How does Compliance Manager relate to Microsoft Purview?
Compliance Manager is now a component within the Microsoft Purview compliance portal (formerly the Microsoft 365 compliance center). Purview is the umbrella brand covering compliance, governance, risk management, and information protection. Microsoft Purview licensing covers a much broader set of capabilities than Compliance Manager alone.