Microsoft Entra feature availability

The following tables list Microsoft Entra feature availability in Azure Government.

Microsoft Entra ID

| Service | Feature | Availability |
|---|---|---|
| Authentication, single sign-on, and MFA | Cloud authentication (Pass-through authentication, password hash synchronization) | |
| | Federated authentication (Active Directory Federation Services or federation with other identity providers) | |
| | Single sign-on (SSO) unlimited | |
| | Multifactor authentication (MFA) | |
| | Passwordless (Windows Hello for Business, Microsoft Authenticator, FIDO2 security key integrations) | |
| | Certificate-based authentication | |
| | Service-level agreement | |
| Applications access | SaaS apps with modern authentication (Microsoft Entra application gallery apps, SAML, and OAUTH 2.0) | |
| | Group assignment to applications | |
| | Cloud app discovery (Microsoft Defender for Cloud Apps) | |
| | Application Proxy for on-premises, header-based, and Integrated Windows Authentication | |
| | Secure hybrid access partnerships (Kerberos, NTLM, LDAP, RDP, and SSH authentication) | |
| Authorization and Conditional Access | Role-based access control (RBAC) | |
| | Conditional Access | |
| | SharePoint limited access | |
| | Session lifetime management | |
| | Identity Protection (vulnerabilities and risky accounts) | See Identity protection below. |
| | Identity Protection (risk events investigation, SIEM connectivity) | See Identity protection below. |
| Administration and hybrid identity | User and group management | |
| | Advanced group management (Dynamic groups, naming policies, expiration, default classification) | |
| | Directory synchronization—Microsoft Entra Connect (sync and cloud sync) | |
| | Microsoft Entra Connect Health reporting | |
| | Delegated administration—built-in roles | |
| | Global password protection and management – cloud-only users | |
| | Global password protection and management – custom banned passwords, users synchronized from on-premises Active Directory | |
| | Microsoft Identity Manager user client access license (CAL) | |
| End-user self-service | Application launch portal (My Apps) | |
| | User application collections in My Apps | |
| | Self-service account management portal (My Account) | |
| | Self-service password change for cloud users | |
| | Self-service password reset/change/unlock with on-premises write-back | |
| | Self-service sign-in activity search and reporting | |
| | Self-service group management (My Groups) | |
| | Self-service entitlement management (My Access) | |
| Identity governance | Automated user provisioning to apps | |
| | Automated group provisioning to apps | |
| | HR-driven provisioning | Partial. See HR-provisioning apps. |
| | Terms of use attestation | |
| | Access certifications and reviews | |
| | Entitlement management | |
| | Privileged Identity Management (PIM), just-in-time access | |
| Event logging and reporting | Basic security and usage reports | |
| | Advanced security and usage reports | |
| | Identity Protection: vulnerabilities and risky accounts | |
| | Identity Protection: risk events investigation, SIEM connectivity | |
| Frontline workers | SMS sign-in | |
| | Shared device sign-out | Enterprise state roaming for Windows 10 devices isn't available. |
| | Delegated user management portal (My Staff) | |

Identity protection

| Risk Detection | Availability |
|---|---|
| Leaked credentials (MACE) | |
| Microsoft Entra threat intelligence | |
| Anonymous IP address | |
| Atypical travel | |
| Anomalous Token | |
| Token Issuer Anomaly | |
| Malware linked IP address | |
| Suspicious browser | |
| Unfamiliar sign-in properties | |
| Admin confirmed user compromised | |
| Malicious IP address | |
| Suspicious inbox manipulation rules | |
| Password spray | |
| Impossible travel | |
| New country | |
| Activity from anonymous IP address | |
| Suspicious inbox forwarding | |
| Additional risk detected | |

HR provisioning apps

| HR-provisioning app | Availability |
|---|---|
| Workday to Microsoft Entra user provisioning | |
| Workday Writeback | |
| SuccessFactors to Microsoft Entra user provisioning | |
| SuccessFactors to Writeback | |
| Provisioning agent configuration and registration with Gov cloud tenant | Works with special undocumented command-line invocation: AADConnectProvisioningAgent.Installer.exe ENVIRONMENTNAME=AzureUSGovernment |