Azure Active Directory feature availability

The following tables list Azure AD feature availability in Azure Government.

Azure Active Directory

| Service | Feature | Availability |
| --- | --- | --- |
| Authentication, single sign-on, and MFA | Cloud authentication (Pass-through authentication, password hash synchronization) | |
| | Federated authentication (Active Directory Federation Services or federation with other identity providers) | |
| | Single sign-on (SSO) unlimited | |
| | Multifactor authentication (MFA) ¹ | |
| | Passwordless (Windows Hello for Business, Microsoft Authenticator, FIDO2 security key integrations) | |
| | Service-level agreement | |
| Applications access | SaaS apps with modern authentication (Azure AD application gallery apps, SAML, and OAUTH 2.0) | |
| | Group assignment to applications | |
| | Cloud app discovery (Microsoft Defender for Cloud Apps) | |
| | Application Proxy for on-premises, header-based, and Integrated Windows Authentication | |
| | Secure hybrid access partnerships (Kerberos, NTLM, LDAP, RDP, and SSH authentication) | |
| Authorization and Conditional Access | Role-based access control (RBAC) | |
| | Conditional Access | |
| | SharePoint limited access | |
| | Session lifetime management | |
| | Identity Protection (vulnerabilities and risky accounts) | See Identity protection below. |
| | Identity Protection (risk events investigation, SIEM connectivity) | See Identity protection below. |
| Administration and hybrid identity | User and group management | |
| | Advanced group management (Dynamic groups, naming policies, expiration, default classification) | |
| | Directory synchronization—Azure AD Connect (sync and cloud sync) | |
| | Azure AD Connect Health reporting | |
| | Delegated administration—built-in roles | |
| | Global password protection and management – cloud-only users | |
| | Global password protection and management – custom banned passwords, users synchronized from on-premises Active Directory | |
| | Microsoft Identity Manager user client access license (CAL) | |
| End-user self-service | Application launch portal (My Apps) | |
| | User application collections in My Apps | |
| | Self-service account management portal (My Account) | |
| | Self-service password change for cloud users | |
| | Self-service password reset/change/unlock with on-premises write-back | |
| | Self-service sign-in activity search and reporting | |
| | Self-service group management (My Groups) | |
| | Self-service entitlement management (My Access) | |
| Identity governance | Automated user provisioning to apps | |
| | Automated group provisioning to apps | |
| | HR-driven provisioning | Partial. See HR-provisioning apps. |
| | Terms of use attestation | |
| | Access certifications and reviews | |
| | Entitlement management | |
| | Privileged Identity Management (PIM), just-in-time access | |
| Event logging and reporting | Basic security and usage reports | |
| | Advanced security and usage reports | |
| | Identity Protection: vulnerabilities and risky accounts | |
| | Identity Protection: risk events investigation, SIEM connectivity | |
| Frontline workers | SMS sign-in | Feature not available. |
| | Shared device sign-out | Enterprise state roaming for Windows 10 devices isn't available. |
| | Delegated user management portal (My Staff) | Feature not available. |

¹ Microsoft Authenticator only shows GUID and not UPN for compliance reasons.

Identity protection

| Risk Detection | Availability |
| --- | --- |
| Leaked credentials (MACE) | |
| Azure AD threat intelligence | Feature not available. |
| Anonymous IP address | |
| Atypical travel | |
| Anomalous Token | Feature not available. |
| Token Issuer Anomaly | Feature not available. |
| Malware linked IP address | |
| Suspicious browser | |
| Unfamiliar sign-in properties | |
| Admin confirmed user compromised | |
| Malicious IP address | |
| Suspicious inbox manipulation rules | |
| Password spray | |
| Impossible travel | |
| New country | |
| Activity from anonymous IP address | |
| Suspicious inbox forwarding | |
| Azure AD threat intelligence | Feature not available. |
| Additional risk detected | |

HR provisioning apps

| HR-provisioning app | Availability |
| --- | --- |
| Workday to Azure AD User Provisioning | |
| Workday Writeback | |
| SuccessFactors to Azure AD User Provisioning | |
| SuccessFactors to Writeback | |
| Provisioning agent configuration and registration with Gov cloud tenant | Works with special undocumented command-line invocation: `AADConnectProvisioningAgent.Installer.exe ENVIRONMENTNAME=AzureUSGovernment` |