Prepare to use Microsoft Cloud for Sovereignty

Microsoft is committed to providing you with the necessary tools and resources to help you achieve your sovereignty goals and protect your data in the public cloud. Microsoft Cloud for Sovereignty solutions let you deploy, configure, and use the capabilities you need. You don't need a separate Cloud for Industry license to use these solutions.

To learn more about data sovereignty and how Cloud for Sovereignty can meet your organization’s needs, follow these links:

You can also explore the Microsoft Cloud for Sovereignty documentation library. It has a lot of information to help you understand your organization’s needs in the context of digital sovereignty and deploy secure and compliant landing zones and policy initiatives.

To start your Cloud for Sovereignty journey, we recommend that you:

  • Gather the information you need about the compliance requirements and regulations that apply to your organization so that you can plan your configuration.

  • Use the information about guardrails, controls, and application examples to deploy infrastructure.

  • Use the transparency and audit features to monitor your environment.

With Microsoft Cloud for Sovereignty, you can reduce complexity, increase consistency and reliability, and build trust in your cloud environment.

Sovereignty in Azure

To deploy Cloud for Sovereignty solutions successfully, you should have a basic understanding of Azure fundamentals. Here are some key areas and helpful resources to get started:

When you’re ready, access the necessary components, scripts, and documentation in the SLZ GitHub repository to deploy your first Sovereign Landing Zone.

Sovereignty in Dataverse and Power Platform

We also provide guidance on using Dynamics 365 Services' existing features to meet sovereignty requirements. You can configure your Dataverse and Power Platform implementations to support your sovereignty objectives and safeguard your users and customers. These capabilities are all included in your Dynamics 365 licenses. You don't need a separate license to enable these solutions.

To learn more about key concepts surrounding sovereignty and your Dataverse/Power Platform environment, see Introduction to data sovereignty and Identify sovereign data.

To deploy Cloud for Sovereignty solutions in Dataverse or Power Platform environments, we recommend that you understand the security, privacy, and sovereignty features available to support sovereign requirements for data residency and access control.

Security controls

Security is the foundation of sovereignty. For an overview of the security controls that can help you protect your data and prevent unauthorized access to Dataverse, see Protect your data with Dynamics 365 security controls - Dynamics 365 | Microsoft Learn.

To ensure a successful deployment of Cloud for Sovereignty solutions in Dataverse or Power Platform environments, we recommend that you go through the following resources to understand the security, privacy and sovereignty features available to support sovereign requirements for data residency and access control.

Datacenter security describes how your data is physically protected from external and internal threats in the Azure regional data centers.

Following the secure-by-design guidelines and controls and using best practices to secure and govern your Microsoft Power Platform environments will help you to start your sovereignty journey from a secure baseline.

For more guidance in setting up your Dataverse and Power Platform environments to be both secure and sovereign, review these resources:

To get a detailed overview of data locations and availability controls across all Dynamics 365 and Power Platform services, see Dynamics 365 and Power Platform CY22-Q4-Trust documentation.pdf.

To get more specific insights on secure implementation of Microsoft Dynamics, see the Updated Scalable Security Modeling white paper.

Sovereignty controls

Besides security, correct configuration of sovereign controls can help you to establish your sovereignty baseline.

Data residency and multi-geo deployments

When you sign up for Power Platform services, you choose a country/region that maps to the most suitable Azure geography where a Power Platform deployment exists. Data residency ensures that customer data is stored in the tenant's assigned Azure geography (or home geo).

If you're a global organization, multi-geo deployments let you store data in specific regions to comply with local regulations. In multi-geo deployments, metadata remains in the home geo, while metadata and actual data reside in the remote geo. Microsoft can replicate data to other regions for data resiliency.

Access controls

Power Platform provides multiple access controls to respect regional sovereignty regulations and user privacy. Data Handling and Encryption controls ensure that customer data in Dataverse remains in its original source (for example, Dataverse or SharePoint).

Power Platform apps use Azure Storage and Azure SQL Database for data persistence. Data used in mobile apps is encrypted and stored in SQL Express. Azure SQL Database fully encrypts customer data using Transparent Data Encryption (TDE) technology. All persisted data is encrypted by default using Microsoft-managed keys, and many Power Platform products let customers manage their own encryption keys (customer-managed keys) in Microsoft Azure Key Vault.

Identity Management

In addition, Identity Management, Role-Based Security, and Fine-Grained Permission controls enable Dataverse and Power Platform customers to combine business units, role-based security, row-based security, and column-based security.

These capabilities allow precise control over user access to information to help comply with sovereignty control requirements.