Understanding Results
How to interpret and act on compliance assessment results
After running a compliance assessment, you'll receive detailed results showing your security posture. Learn how to interpret and act on this information.
Results Overview
Summary Dashboard
The results summary provides a quick overview:
| Metric | Description |
|---|---|
| Overall Score | Percentage of passing controls |
| Total Controls | Number of controls evaluated |
| Passed | Controls meeting requirements |
| Failed | Controls not meeting requirements |
| Manual Review | Controls requiring human verification |
| Not Applicable | Controls that don't apply |
Score Interpretation
Your compliance score indicates your security posture:
| Score Range | Assessment | Action |
|---|---|---|
| 90-100% | Excellent | Maintain and monitor |
| 75-89% | Good | Address high-priority gaps |
| 60-74% | Fair | Create remediation plan |
| Below 60% | Needs Attention | Prioritize immediate fixes |
A perfect 100% score isn't always achievable or necessary. Some controls may be intentionally not implemented based on your risk assessment.
Control Statuses
Passed
Controls with Passed status meet the security requirements:
- Configuration matches expected value
- All conditions satisfied
- Evidence confirms compliance
Example: "MFA is enabled for all administrators" - Conditional Access policy exists and is enforced.
Failed
Controls with Failed status don't meet requirements:
- Configuration differs from expected value
- One or more conditions not satisfied
- Evidence shows non-compliance
Example: "Legacy authentication is blocked" - Legacy authentication protocols are still allowed.
Manual Review
Controls requiring Manual Review need human verification:
- Automated assessment isn't possible
- Policy exists but effectiveness can't be verified
- Requires review of documentation or processes
Example: "Security awareness training is conducted" - Cannot verify training completion via API.
Not Applicable
Controls marked Not Applicable don't apply to your environment:
- Feature isn't used in your tenant
- License doesn't include the capability
- Organizational exception documented
Example: "SharePoint external sharing is restricted" - SharePoint isn't deployed.
Error
Controls with Error status couldn't be evaluated:
- API call failed
- Permission denied
- Data unavailable
Example: Assessment couldn't read Conditional Access policies due to permission issues.
Control Details
Viewing Control Details
Click on any control to see:
- Description - What the control requires
- Rationale - Why it's important
- Status - Current evaluation result
- Evidence - Data collected during assessment
- Remediation - Steps to fix (if failed)
Evidence
Evidence shows the actual data evaluated:
```json
{
  "conditionalAccessPolicies": [
    {
      "displayName": "Require MFA for admins",
      "state": "enabled",
      "conditions": {
        "users": {
          "includeRoles": ["Global Administrator", "Security Administrator"]
        }
      }
    }
  ]
}
```
Evidence helps you:
- Understand why a control passed or failed
- Provide audit documentation
- Verify the assessment logic
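To verify the assessment logic yourself, you can re-check exported evidence offline. The following is an added example, not the product's own evaluation code: `evaluate` is a hypothetical helper, the second policy in the sample is constructed, and the rule it applies (every required role must be included by a policy whose state is `enabled`) is an assumption about how an admin-MFA control is judged.

```python
import json

# Constructed evidence: the policy shown above plus a second, report-only one.
# "enabledForReportingButNotEnforced" is the Microsoft Graph state value for
# report-only Conditional Access policies.
SAMPLE_EVIDENCE = json.loads("""
{
  "conditionalAccessPolicies": [
    {"displayName": "Require MFA for admins", "state": "enabled",
     "conditions": {"users": {"includeRoles":
         ["Global Administrator", "Security Administrator"]}}},
    {"displayName": "Require MFA for Exchange admins",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeRoles": ["Exchange Administrator"]}}}
  ]
}
""")


def evaluate(evidence, required_roles):
    """Re-check an admin-MFA style control against exported evidence.

    Hypothetical helper. It checks only policy state and role scope, because
    the evidence excerpt carries no grant-control data to confirm MFA itself.
    """
    policies = evidence.get("conditionalAccessPolicies")
    if policies is None:
        # Nothing was collected (for example permission denied): that is an
        # Error result, not evidence of non-compliance.
        return {"status": "Error", "missingRoles": []}
    covered = set()
    for policy in policies:
        if policy.get("state") != "enabled":
            continue  # disabled and report-only policies enforce nothing
        users = policy.get("conditions", {}).get("users", {})
        covered.update(users.get("includeRoles", []))
    missing = sorted(set(required_roles) - covered)
    return {"status": "Failed" if missing else "Passed", "missingRoles": missing}


if __name__ == "__main__":
    admins = ["Global Administrator", "Security Administrator"]
    print(evaluate(SAMPLE_EVIDENCE, admins))
    print(evaluate(SAMPLE_EVIDENCE, admins + ["Exchange Administrator"]))
    print(evaluate({}, admins))
```

A policy that exists only in report-only mode leaves its roles uncovered, which is why the second call fails even though a matching policy is present in the evidence.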
Remediation Guidance
For failed controls, guidance includes:
- Steps - Specific actions to remediate
- Console Location - Where to make changes in admin portals
- PowerShell - Commands to implement fixes
- Documentation - Links to Microsoft documentation
Always test remediation steps in a non-production environment first.
Filtering and Sorting
Filter Options
Narrow results using filters:
| Filter | Purpose |
|---|---|
| Status | Show only passed, failed, etc. |
| Severity | Critical, high, medium, low |
| Framework | Specific framework controls |
| Theme | Control category |
| Search | Find controls by keyword |
Sort Options
Order results by:
- Severity (default) - Critical first
- Status - Failed first
- Theme - Grouped by category
- Name - Alphabetical
Example: Priority View
To focus on what matters most:
- Filter to Failed status
- Filter to Critical and High severity
- Sort by Severity descending
This shows your most important gaps first.
Comparing Results
Comparison View
Compare current results with previous assessments:
- Select current assessment
- Click Compare
- Select previous assessment
- View differences
Change Indicators
| Indicator | Meaning |
|---|---|
| ↑ Improved | Control changed from fail to pass |
| ↓ Regressed | Control changed from pass to fail |
| = No Change | Status remained the same |
| New | Control wasn't in previous assessment |
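The priority view and the change indicators described above can be reproduced over two exported result sets. This is an added example, not the product's code: the record fields `id`, `status` and `severity`, the control IDs, and the `Unclassified` label for transitions the table does not define are all assumptions.

```python
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Constructed records; the "id", "status" and "severity" field names are
# assumptions about the export, not a documented schema.
PREVIOUS = [
    {"id": "CA-01", "status": "Passed", "severity": "Critical"},
    {"id": "CA-02", "status": "Failed", "severity": "High"},
    {"id": "CA-03", "status": "Failed", "severity": "Medium"},
    {"id": "CA-04", "status": "Passed", "severity": "High"},
]
CURRENT = [
    {"id": "CA-01", "status": "Failed", "severity": "Critical"},
    {"id": "CA-02", "status": "Passed", "severity": "High"},
    {"id": "CA-03", "status": "Failed", "severity": "Medium"},
    {"id": "CA-04", "status": "Error", "severity": "High"},
    {"id": "CA-05", "status": "Failed", "severity": "High"},
]


def priority_view(controls):
    """Failed controls of Critical or High severity, most severe first."""
    gaps = [c for c in controls
            if c["status"] == "Failed" and c["severity"] in ("Critical", "High")]
    return sorted(gaps, key=lambda c: (SEVERITY_RANK[c["severity"]], c["id"]))


def change_indicator(before, after):
    """Map a status transition onto the indicators in the table above."""
    if before is None:
        return "New"
    if before == after:
        return "No Change"
    if (before, after) == ("Failed", "Passed"):
        return "Improved"
    if (before, after) == ("Passed", "Failed"):
        return "Regressed"
    # e.g. Passed -> Error: the control can no longer be verified, so flag it
    # for follow-up instead of reporting it as unchanged.
    return "Unclassified"


def compare(previous, current):
    """Return {control id: indicator} for every control in the current run."""
    old = {c["id"]: c["status"] for c in previous}
    return {c["id"]: change_indicator(old.get(c["id"]), c["status"])
            for c in current}


if __name__ == "__main__":
    print([c["id"] for c in priority_view(CURRENT)])
    print(compare(PREVIOUS, CURRENT))
```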
Trend Analysis
View compliance trends over time:
- Score Graph - Compliance score over multiple assessments
- Control Trends - Individual control status changes
- Theme Progress - Improvement by control category
Exporting Results
Export Options
Export results in various formats:
| Format | Use Case |
|---|---|
| | Executive summaries, audit documentation |
| CSV | Data analysis, custom reporting |
| JSON | Integration with other tools |
What's Included
Exports contain:
- Assessment metadata (date, framework, scope)
- Summary statistics
- Control details with status
- Evidence (configurable)
- Remediation guidance
Taking Action
Prioritization Framework
Prioritize remediation using:
- Severity - Critical and high first
- Effort - Quick wins vs. complex changes
- Impact - Controls affecting many users
- Dependencies - Controls that enable others
Creating a Remediation Plan
- Filter to failed critical/high controls
- Review remediation steps for each
- Estimate effort and assign owners
- Set target dates for completion
- Re-run assessment after remediation
Documenting Exceptions
For controls you won't remediate:
- Go to the control details
- Click Add Exception
- Provide justification
- Set review date
- Controls with exceptions show as "Excluded"
What's Next?
- Assessment History - Track compliance over time
- Generating Reports - Create formal documentation
- Evidence Collection - Manage compliance evidence