Azure, Dynamics 365, Microsoft 365, and Power Platform services compliance scope
Microsoft Azure cloud environments meet demanding US government compliance requirements that produce formal authorizations, including:
- Federal Risk and Authorization Management Program (FedRAMP)
- Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) Impact Level (IL) 2, 4, 5, and 6
- Joint Special Access Program (SAP) Implementation Guide (JSIG)
Azure (also known as Azure Commercial, Azure Public, or Azure Global) maintains the following authorizations that pertain to all Azure public regions in the United States:
- FedRAMP High Provisional Authorization to Operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB)
- DoD IL2 Provisional Authorization (PA) issued by the Defense Information Systems Agency (DISA)
Azure Government maintains the following authorizations that pertain to Azure Government regions US Gov Arizona, US Gov Texas, and US Gov Virginia (US Gov regions):
- FedRAMP High P-ATO issued by the JAB
- DoD IL2 PA issued by DISA
- DoD IL4 PA issued by DISA
- DoD IL5 PA issued by DISA
For current Azure Government regions and available services, see Products available by region.
Note
- Some Azure services deployed in Azure Government regions US Gov Arizona, US Gov Texas, and US Gov Virginia (US Gov regions) require extra configuration to meet DoD IL5 compute and storage isolation requirements, as explained in Isolation guidelines for Impact Level 5 workloads.
- For DoD IL5 PA compliance scope in Azure Government regions US DoD Central and US DoD East (US DoD regions), see US DoD regions IL5 audit scope.
Azure Government Secret maintains:
- DoD IL6 PA issued by DISA
- JSIG PL3 ATO (for authorization details, contact your Microsoft account representative)
Azure Government Top Secret maintains:
- ICD 503 ATO with facilities at ICD 705 (for authorization details, contact your Microsoft account representative)
- JSIG PL3 ATO (for authorization details, contact your Microsoft account representative)
This article provides a detailed list of Azure, Dynamics 365, Microsoft 365, and Power Platform cloud services in scope for FedRAMP High, DoD IL2, DoD IL4, DoD IL5, and DoD IL6 authorizations across Azure, Azure Government, and Azure Government Secret cloud environments. For other authorization details in Azure Government Secret and Azure Government Top Secret, contact your Microsoft account representative.
Azure public services by audit scope
Last updated: June 2024
Terminology used
- FedRAMP High = FedRAMP High Provisional Authorization to Operate (P-ATO) in Azure
- DoD IL2 = DoD SRG Impact Level 2 Provisional Authorization (PA) in Azure
- ✅ = service is included in audit scope and has been authorized
* FedRAMP High and DoD SRG Impact Level 2 authorization for Microsoft Entra ID applies to Microsoft Entra External ID. To learn more about Entra External ID, refer to the documentation here
** FedRAMP High authorization for Azure Databricks is applicable to limited regions in Azure. To configure Azure Databricks for FedRAMP High use, contact your Microsoft or Databricks representative.
*** FedRAMP High authorization for edge devices (such as Azure Data Box, Azure Stack Edge and Azure Stack HCI) applies only to Azure services that support on-premises, customer-managed devices. For example, FedRAMP High authorization for Azure Data Box covers datacenter infrastructure services and Data Box pod and disk service, which are the online software components supporting your Data Box hardware appliance. You are wholly responsible for the authorization package that covers the physical devices. For assistance with accelerating your onboarding and authorization of devices, contact your Microsoft account representative.
Azure Government services by audit scope
Last updated: August 2024
Terminology used
- Azure Government = Azure Government regions US Gov Arizona, US Gov Texas, and US Gov Virginia (US Gov regions)
- FedRAMP High = FedRAMP High Provisional Authorization to Operate (P-ATO) in Azure Government
- DoD IL2 = DoD SRG Impact Level 2 Provisional Authorization (PA) in Azure Government
- DoD IL4 = DoD SRG Impact Level 4 Provisional Authorization (PA) in Azure Government
- DoD IL5 = DoD SRG Impact Level 5 Provisional Authorization (PA) in Azure Government
- DoD IL6 = DoD SRG Impact Level 6 Provisional Authorization (PA) in Azure Government Secret
- ✅ = service is included in audit scope and has been authorized
Note
- Some services deployed in Azure Government regions US Gov Arizona, US Gov Texas, and US Gov Virginia (US Gov regions) require extra configuration to meet DoD IL5 compute and storage isolation requirements, as explained in Isolation guidelines for Impact Level 5 workloads.
- For DoD IL5 PA compliance scope in Azure Government regions US DoD Central and US DoD East (US DoD regions), see US DoD regions IL5 audit scope.
* Authorizations for edge devices (such as Azure Data Box, Azure Stack Edge and Azure Stack HCI) apply only to Azure services that support on-premises, customer-managed devices. You are wholly responsible for the authorization package that covers the physical devices. For assistance with accelerating your onboarding and authorization of devices, contact your Microsoft account representative.
** Azure Information Protection (AIP) is part of the Microsoft Purview Information Protection solution - it extends the labeling and classification functionality provided by Microsoft 365. Before AIP can be used for DoD workloads at a given impact level (IL), the corresponding Microsoft 365 services must be authorized at the same IL.