Azure, Dynamics 365, Microsoft 365, and Power Platform services compliance scope

Microsoft Azure cloud environments meet demanding US government compliance requirements that produce formal authorizations, including:

Azure (also known as Azure Commercial, Azure Public, or Azure Global) maintains the following authorizations that pertain to all Azure public regions in the United States:

  • FedRAMP High Provisional Authorization to Operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB)
  • DoD IL2 Provisional Authorization (PA) issued by the Defense Information Systems Agency (DISA)

Azure Government maintains the following authorizations that pertain to Azure Government regions US Gov Arizona, US Gov Texas, and US Gov Virginia (US Gov regions):

For current Azure Government regions and available services, see Products available by region.

Note

  • Some Azure services deployed in Azure Government regions US Gov Arizona, US Gov Texas, and US Gov Virginia (US Gov regions) require extra configuration to meet DoD IL5 compute and storage isolation requirements, as explained in Isolation guidelines for Impact Level 5 workloads.
  • For DoD IL5 PA compliance scope in Azure Government regions US DoD Central and US DoD East (US DoD regions), see US DoD regions IL5 audit scope.

Azure Government Secret maintains:

  • DoD IL6 PA issued by DISA
  • JSIG PL3 ATO (for authorization details, contact your Microsoft account representative)

Azure Government Top Secret maintains:

  • ICD 503 ATO with facilities at ICD 705 (for authorization details, contact your Microsoft account representative)
  • JSIG PL3 ATO (for authorization details, contact your Microsoft account representative)

This article provides a detailed list of Azure, Dynamics 365, Microsoft 365, and Power Platform cloud services in scope for FedRAMP High, DoD IL2, DoD IL4, DoD IL5, and DoD IL6 authorizations across Azure, Azure Government, and Azure Government Secret cloud environments. For other authorization details in Azure Government Secret and Azure Government Top Secret, contact your Microsoft account representative.

Azure public services by audit scope

Last updated: January 2024

Terminology used

  • FedRAMP High = FedRAMP High Provisional Authorization to Operate (P-ATO) in Azure
  • DoD IL2 = DoD SRG Impact Level 2 Provisional Authorization (PA) in Azure
  • ✅ = service is included in audit scope and has been authorized
Service FedRAMP High DoD IL2
Advisor
AI Builder
Analysis Services
API Management
App Configuration
App Service
Application Gateway
Automation
Microsoft Entra ID (Free)
Microsoft Entra ID (P1 + P2)
Azure Active Directory B2C
Microsoft Entra Domain Services
Microsoft Entra provisioning service
Microsoft Entra multifactor authentication
Azure API for FHIR
Azure Arc-enabled servers
Azure Arc-enabled Kubernetes
Azure Cache for Redis
Azure Cosmos DB
Azure Container Apps
Azure Database for MariaDB
Azure Database for MySQL
Azure Database for PostgreSQL
Azure Databricks **
Azure Fluid Relay
Azure for Education
Azure Information Protection
Azure Kubernetes Service (AKS)
Azure Managed Grafana
Azure Marketplace portal
Azure Maps
Azure Monitor (incl. Application Insights, Log Analytics, and Application Change Analysis)
Azure NetApp Files
Azure OpenAI
Azure Policy
Azure Policy's guest configuration
Azure Red Hat OpenShift
Azure Resource Manager
Azure Service Manager (RDFE)
Azure Sign-up portal
Azure Sphere
Azure Spring Apps
Azure Stack Edge (formerly Data Box Edge) *
Azure Stack HCI
Azure Static WebApps
Azure Video Indexer
Azure Virtual Desktop (formerly Windows Virtual Desktop)
Azure VMware Solution
Azure Web PubSub
Backup
Bastion
Batch
Blueprints
Bot Service
Cloud Services
Cloud Shell
Azure AI Health Bot
Azure AI Search (formerly Azure Cognitive Search)
Azure AI services: Anomaly Detector
Azure AI services: Computer Vision
Azure AI services: Content Moderator
Azure AI services: Containers
Azure AI services: Custom Vision
Azure AI services: Face
Azure AI Language Understanding (LUIS) (part of Azure AI Language)
Azure AI services: Personalizer
Azure AI services: QnA Maker (part of Azure AI Language)
Azure AI services: Speech
Azure AI services: Text Analytics (part of Azure AI Language)
Azure AI services: Translator
Container Instances
Container Registry
Content Delivery Network (CDN)
Cost Management and Billing
Customer Lockbox
Data Box *
Data Explorer
Data Factory
Data Share
Database Migration Service
Dataverse (incl. Azure Synapse Link for Dataverse)
DDoS Protection
Dedicated HSM
DevTest Labs
DNS
Omnichannel for Customer Service (formerly Dynamics 365 Chat and Omnichannel Engagement Hub)
Dynamics 365 Commerce
Dynamics 365 Customer Service
Dynamics 365 Field Service
Dynamics 365 Finance
Dynamics 365 Fraud Protection
Dynamics 365 Guides
Dynamics 365 Sales
Dynamics 365 Sales Professional
Dynamics 365 Supply Chain Management
Event Grid
Event Hubs
ExpressRoute
File Sync
Firewall
Firewall Manager
Azure AI Document Intelligence
Front Door
Functions
HDInsight
HPC Cache
Immersive Reader
Import/Export
Internet Analyzer
IoT Hub
Key Vault
Lab Services
Lighthouse
Load Balancer
Logic Apps
Machine Learning
Managed Applications
Media Services
Metrics Advisor
Microsoft Azure Attestation
Microsoft Azure portal
Microsoft Defender for Cloud (formerly Azure Security Center)
Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security)
Microsoft Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection)
Microsoft Defender for Identity (formerly Azure Advanced Threat Protection)
Microsoft Defender for IoT (formerly Azure Security for IoT)
Microsoft Defender Vulnerability Management
Microsoft Graph
Microsoft Intune
Microsoft Purview (incl. Data Map, Data Estate Insights, and governance portal)
Microsoft Sentinel (formerly Azure Sentinel)
Microsoft Stream
Microsoft Threat Experts
Migrate
Network Watcher (incl. Traffic Analytics)
Notification Hubs
Open Datasets
Peering Service
Planned Maintenance for VMs
Power Apps
Power Pages
Power Automate (formerly Microsoft Flow)
Power BI
Power BI Embedded
Power Data Integrator for Dataverse (formerly Dynamics 365 Integrator App)
Power Virtual Agents
Private Link
Public IP
Resource Graph
Resource Mover
Route Server
Scheduler (replaced by Logic Apps)
Service Bus
Service Fabric
Service Health
SignalR Service
Site Recovery
SQL Database
SQL Managed Instance
SQL Server Stretch Database
Storage: Archive
Storage: Blobs (incl. Azure Data Lake Storage Gen2)
Storage: Disks (incl. managed disks)
Storage: Files
Storage: Queues
Storage: Tables
StorSimple
Stream Analytics
Synapse Analytics
Time Series Insights
Traffic Manager
Virtual Machine Scale Sets
Virtual Machines (incl. Reserved VM Instances)
Virtual Network
Virtual Network NAT
Virtual WAN
VM Image Builder
VPN Gateway
Web Application Firewall
Windows 10 IoT Core Services

* FedRAMP High authorization for edge devices (such as Azure Data Box and Azure Stack Edge) applies only to Azure services that support on-premises, customer-managed devices. For example, FedRAMP High authorization for Azure Data Box covers datacenter infrastructure services and Data Box pod and disk service, which are the online software components supporting your Data Box hardware appliance. You are wholly responsible for the authorization package that covers the physical devices. For assistance with accelerating your onboarding and authorization of devices, contact your Microsoft account representative.

** FedRAMP High authorization for Azure Databricks is applicable to limited regions in Azure. To configure Azure Databricks for FedRAMP High use, contact your Microsoft or Databricks representative.

Azure Government services by audit scope

Last updated: November 2023

Terminology used

  • Azure Government = Azure Government regions US Gov Arizona, US Gov Texas, and US Gov Virginia (US Gov regions)
  • FedRAMP High = FedRAMP High Provisional Authorization to Operate (P-ATO) in Azure Government
  • DoD IL2 = DoD SRG Impact Level 2 Provisional Authorization (PA) in Azure Government
  • DoD IL4 = DoD SRG Impact Level 4 Provisional Authorization (PA) in Azure Government
  • DoD IL5 = DoD SRG Impact Level 5 Provisional Authorization (PA) in Azure Government
  • DoD IL6 = DoD SRG Impact Level 6 Provisional Authorization (PA) in Azure Government Secret
  • ✅ = service is included in audit scope and has been authorized

Note

  • Some services deployed in Azure Government regions US Gov Arizona, US Gov Texas, and US Gov Virginia (US Gov regions) require extra configuration to meet DoD IL5 compute and storage isolation requirements, as explained in Isolation guidelines for Impact Level 5 workloads.
  • For DoD IL5 PA compliance scope in Azure Government regions US DoD Central and US DoD East (US DoD regions), see US DoD regions IL5 audit scope.
Service FedRAMP High DoD IL2 DoD IL4 DoD IL5 DoD IL6
Advisor
AI Builder
Analysis Services
API Management
App Configuration
App Service
Application Gateway
Automation
Microsoft Entra ID (Free)
Microsoft Entra ID (P1 + P2)
Microsoft Entra Domain Services
Microsoft Entra multifactor authentication
Azure API for FHIR
Azure Arc-enabled Kubernetes
Azure Arc-enabled servers
Azure Cache for Redis
Azure Cosmos DB
Azure CXP Nomination Portal
Azure Database for MariaDB
Azure Database for MySQL
Azure Database for PostgreSQL
Azure Databricks
Azure Information Protection **
Azure Kubernetes Service (AKS)
Azure Maps
Azure Monitor (incl. Application Insights and Log Analytics)
Azure NetApp Files
Azure Policy
Azure Policy's guest configuration
Azure Red Hat OpenShift
Azure Resource Manager
Azure Service Manager (RDFE)
Azure Sign-up portal
Azure Stack
Azure Stack Edge (formerly Data Box Edge) *
Azure Stack HCI
Azure Video Indexer
Azure Virtual Desktop (formerly Windows Virtual Desktop)
Azure VMware Solution
Backup
Bastion
Batch
Blueprints
Bot Service
Cloud Services
Cloud Shell
Cognitive Search (formerly Azure Search)
Azure AI services: Computer Vision
Azure AI services: Content Moderator
Azure AI containers
Azure AI services: Custom Vision
Azure AI services: Face
Azure AI services: LUIS (part of Azure AI Language)
Azure AI services: Personalizer
Azure AI services: QnA Maker (part of Azure AI Language)
Azure AI Speech
Azure AI services: Text Analytics (part of Azure AI Language)
Azure AI services: Translator
Container Instances
Container Registry
Content Delivery Network (CDN)
Cost Management and Billing
Customer Lockbox
Data Box *
Data Explorer
Data Factory
Data Share
Database Migration Service
Dataverse (formerly Common Data Service)
DDoS Protection
Dedicated HSM
DevTest Labs
DNS
Dynamics 365 Chat (Omnichannel Engagement Hub)
Dynamics 365 Customer Insights
Dynamics 365 Customer Service
Dynamics 365 Customer Voice (formerly Forms Pro)
Dynamics 365 Field Service
Dynamics 365 Finance
Dynamics 365 Project Service Automation
Dynamics 365 Sales
Dynamics 365 Supply Chain Management
Event Grid
Event Hubs
ExpressRoute
File Sync
Firewall
Firewall Manager
Azure AI Document Intelligence
Front Door
Functions
HDInsight
HPC Cache
Import/Export
IoT Hub
Key Vault
Lab Services
Lighthouse
Load Balancer
Logic Apps
Machine Learning
Managed Applications
Media Services
Microsoft Azure portal
Microsoft Azure Government portal
Microsoft Defender for Cloud (formerly Azure Security Center)
Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security)
Microsoft Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection)
Microsoft Defender for Identity (formerly Azure Advanced Threat Protection)
Microsoft Defender for IoT (formerly Azure Security for IoT)
Microsoft Defender Vulnerability Management
Microsoft Graph
Microsoft Intune
Microsoft Purview (incl. Data Map, Data Estate Insights, and governance portal)
Microsoft Sentinel (formerly Azure Sentinel)
Microsoft Stream
Migrate
Network Watcher (incl. Traffic Analytics)
Notification Hubs
Peering Service
Planned Maintenance for VMs
Power Apps
Power Pages
Power Automate (formerly Microsoft Flow)
Power BI
Power BI Embedded
Power Data Integrator for Dataverse (formerly Dynamics 365 Integrator App)
Power Virtual Agents
Private Link
Public IP
Resource Graph
Resource Mover
Route Server
Scheduler (replaced by Logic Apps)
Service Bus
Service Fabric
Service Health
SignalR Service
Site Recovery
SQL Database
SQL Managed Instance
SQL Server Stretch Database
Storage: Archive
Storage: Blobs (incl. Azure Data Lake Storage Gen2)
Storage: Disks (incl. managed disks)
Storage: Files
Storage: Queues
Storage: Tables
StorSimple
Stream Analytics
Synapse Analytics
Synapse Link for Dataverse
Traffic Manager
Virtual Machine Scale Sets
Virtual Machines (incl. Reserved VM Instances)
Virtual Network
Virtual Network NAT
Virtual WAN
VM Image Builder
VPN Gateway
Web Application Firewall

* Authorizations for edge devices (such as Azure Data Box and Azure Stack Edge) apply only to Azure services that support on-premises, customer-managed devices. You are wholly responsible for the authorization package that covers the physical devices. For assistance with accelerating your onboarding and authorization of devices, contact your Microsoft account representative.

** Azure Information Protection (AIP) is part of the Microsoft Purview Information Protection solution - it extends the labeling and classification functionality provided by Microsoft 365. Before AIP can be used for DoD workloads at a given impact level (IL), the corresponding Microsoft 365 services must be authorized at the same IL.
