Azure Government Resources aka.ms/Azure/Gov

As I have been doing more and more Hybrid Cloud Foundation engagements with government agencies or companies that work in the US Federal space, I am always looking for the quick resources for the answers I need. Therefore, like most of my posts, they are really intended to collect, collate and distill just what I may need or find to be useful. Therefore, below are some of the key resources to help me, and hopefully you, to answer questions about the capabilities of our US federal cloud services which support the higher standards and requirements of our government agencies and also the companies that support them.

Microsoft Azure Government

• Azure Government Validation - Check your eligibility for Microsoft Azure Government today!
• Why choose Azure Government?    Get a Trial
  • Azure Government Documentation
  • Datacenter Regions
    • Supported Regions aka.ms/Azure/Regions Click "Select Regions" on the left to filter for Azure Government
  • Need Support? Azure EA Support incident aka.ms/azuregovsupport
  • Give Feedback!!! Your Voice Matters.  This is a hotline to Redmond to share how we can make Azure Government better and also you can vote on other's suggestions as well. aka.ms/AzureGovFeedback
  • Department of Defense (DoD) in Azure Government
  • Azure Government supports TIC capabilities
  • Supported ExpressRoute  providers - see US Government Cloud
• Deployments to Azure Government Cloud Visual Studio Team Services (VSTS) is not available in Azure Government Clouds, so there are some special considerations when you want to deploy apps to Government Clouds because artifact storage, build, and deployment orchestration must execute outside the Government Cloud.
  • Azure QuickStart Templates for Azure Government
• Azure Government Blog - keep up to date with what is new!
• Is this all new and you want someone to contact you? We have a contact form for that.
• StackOverflow Azure-Gov tagged questions
• Azure Gov Meetup - A Local Group in Washington DC to connect

Security and Compliance

• How we Secure Azure Government
• Microsoft Azure Compliance Offerings aka.ms/AzureCompliance
• Data Protection Standards and Regulatory Compliance Reports
  • Use these reports to stay current on the latest privacy, security, and compliance-related information for Microsoft’s cloud services.
• Trust Documents
  • Information about how Microsoft cloud services protect your data, and how you can manage cloud data security and compliance for your organization.
• Azure Security Center coming to Azure Government
• Announcing new Azure Government capabilities for classified mission-critical workloads
• Find all compliance and security offerings at the Trust Center
  • aka.ms/Azure/Trust
  • Azure Blueprint  designed to facilitate the secure and compliant use of Azure for government agencies and third-party providers building on behalf of government.
    • Azure Blueprint Automation: Web Applications for FedRAMP
  • FedRAMP page.  This is the one I access the most.
  • DFARS homepage aka.ms/Azure/DFARS
• Azure Log Integration SIEM configuration steps
• Azure Security Services and Technologies
  • NOTE: this is for Azure Commercial, so for Azure Government please use these as detailed references for what is listed in Available Services in Azure Government
• Secure DevOps Kit for Azure (AzSDK)

 

Identity Considerations

• Planning Identity for Azure Government This is a very important consideration in your planning!   In Azure Commercial (public), which is entirely separate from Azure Government, it has its own Azure Active Directory (AD).  In Azure Government, likewise it has an entirely separate instance of Azure AD from the Commercial space.  This becomes very important in considering authentication to applications like Office 365, which also can be in the Commercial or government space, which we'll highlight in the section below.
• Channel 9: Identity on Azure Government - get a great overview of all of the options for Identity in Azure Government.

Choosing your identity authority

Azure Government applications can use Azure AD Government identities, but can you use Azure AD Public identities to authenticate to an application hosted in Azure Government? Yes! Since you can use either identity authority, you need to choose which to use:

• Azure AD Public – Commonly used if your organization already has an Azure AD Public tenant to support Office 365 (Public or GCC) or another application.
• Azure AD Government - Commonly used if your organization already has an Azure AD Government tenant to support Office 365 (GCC High or DoD) or are creating a new tenant in Azure AD Government.

Once decided, the special consideration is where you perform your app registration. If you choose Azure AD Public identities for your Azure Government application, you must register the application in your Azure AD Public tenant. Otherwise, if you perform the app registration in the directory the subscription trusts (Azure Government) the intended set of users cannot authenticate.

The other consideration is the identity authority URL. You need the correct URL based on your chosen authority:

• Azure AD Public = login.microsoftonline.com
  Azure AD Government = login.microsoftonline.us

Azure Government Videos

• Ignite 2017 Bring cloud innovation to your mission/services with Azure Government
• Channel 9 Channel Azure Government Videos
• Azure Government ExpressRoute
• Azure Blueprint Automation: Web Applications for FedRAMP
• Azure Government Meetup Videos
• What does it take to migrate to Azure Government?
• Microsoft Azure IaaS Architecture Best Practices for ARM - in GOV (Channel 9)

External Related Documentation

• DoD Cloud Computing Security
  • This site provides a knowledge base for cloud computing security authorization processes and security requirements for use by DoD and Non-DoD Cloud Service Providers (CSPs) as well as DoD Components, their application/system owners/operators and Information owners using Cloud Service Offerings (CSOs).
• Reference Architecture for Pivotal Cloud Foundry on Azure
• Installing Pivotal Cloud Foundry (PCF) on Azure

Office 365 Government Community Cloud (GCC)

This is where your Identity information is important to know.  Did you read that section above?  Remember the mention about two different instances of Azure AD? The public or commercial cloud has a distinct and separate instance of Azure AD from  Microsoft Government.

The part that gets tricky is that although we have two different flavors of O365 GCC i.e. government, the two versions do not use the same Azure AD as Azure Government uses. Below are the two versions as documented  here.

• The Office 365 GCC environment provides compliance with Federal requirements for cloud services, including FedRAMP Moderate, and requirements for criminal justice and federal tax information systems (CJI and FTI data types).
• The Office 365 GCC High and DoD environments deliver compliance with Department of Defense Security Requirements Guidelines, Defense Federal Acquisition Regulations Supplement (DFARS), and International Traffic in Arms Regulations (ITAR).

The point above is the Office 365 GCC uses the same Azure AD as the Commercial or public space of Azure, while Office 365 GCC High, uses the same Azure AD as Microsoft Azure Government.

More O365 GCC Resources

• Office 365 U.S. Government - overview
  • Eligibility Requirements
• Office 365 U.S. Government plans
• Advanced Office 365 capabilities now available to U.S. Government Community Cloud customers