Dynamics 365 Government
Applies to Dynamics 365 (online), version 9.x
Applies to Dynamics 365 (online), version 8.x
In response to the unique and evolving requirements of the United States public sector, Microsoft has created Microsoft Dynamics 365 Government, which is available to qualified government entities in the United States. On October 11, 2016, Microsoft announced the next generation of intelligent business applications in the cloud under the brand Microsoft Dynamics 365. To this end, Microsoft Dynamics 365 Government entails a continuity of the protected environment that was originally branded Microsoft CRM Online Government, where the protections afforded to the government community cloud under the new brand are now represented by four discrete functions: Sales, Customer Service, Field Service, and Project Service Automation. This section provides an overview of features that are specific to Microsoft Dynamics 365 Government.
About Dynamics 365 Government plans
Dynamics 365 Government plans are available to qualified government and private entities, limited to (i) United States (US) federal, state, local, tribal, and territorial government entities; (ii) private entities using Dynamics 365 Government to provide solutions to a government entity or a qualified member of the cloud community; and (iii) private entities with customer data subject to government regulations for which the use of Dynamics 365 Government is the appropriate service to meet the regulatory requirements. Access to Dynamics 365 Government plans is restricted to the offerings described below. Each plan is offered as a monthly subscription and can be licensed to an unlimited number of users:
Dynamics 365 Plan 1 for Government
Dynamics 365 for Sales, for Government
Dynamics 365 for Customer Service, for Government
Dynamics 365 for Field Service, for Government
Dynamics 365 for Project Service Automation, for Government
Dynamics 365 for Case Management, for Government
Dynamics 365 for Team Members, for Government
Enhanced Support for Dynamics 365 Applications and Plan 1 for Government
Pro Direct Support for Dynamics 365 Applications and Plan 1 for Government
Dynamics 365 - Additional Portal for Government
Dynamics 365 - Additional Portal Page Views for Government
Dynamics 365 - Additional Production Instance for Government
Dynamics 365 - Additional Non-Production Instance for Government
Dynamics 365 - Additional Database Storage for Government
What are “customer data” and “customer content”?
This section describes Dynamics 365 Government commitments that apply to customer content and to customer data.
Customer data, as defined in the Online Service Terms, means all data, including all text, sound, video, or image files, and software, that are provided to Microsoft by, or on behalf of, Customer through use of the Online Service. Customer content refers to a specific subset of customer data that has been directly created by users, such as content stored in databases through entries in Dynamics 365 entities (e.g. contact information). Content is generally considered confidential information, and in normal service operation, is not sent over the Internet without encryption.
For more information on the Dynamics 365 (online) protection of customer data, see the Microsoft Online Services Trust Center.
Data segregation for Government Community Cloud
When provisioned as part of Dynamics 365 Government, the Dynamics 365 (online) service is offered in accordance with the National Institute of Standards and Technology (NIST) Special Publication 800-145.
Microsoft refers to this offer as the Government Community Cloud.
In addition to the logical separation of customer content at the application layer, the Dynamics 365 Government service provides your organization with a secondary layer of physical segregation for customer content by using infrastructure that is separate from the infrastructure used for commercial Dynamics 365 (online) customers. This includes using Azure services in Azure’s Government Cloud. To learn more, see Azure Government.
Customer content located within the United States
Dynamics 365 Government services are provided from datacenters physically located in the United States. Dynamics 365 (online) customer content is stored at rest in datacenters physically located only in the US.
If your users are located within the US while using Microsoft Social Engagement or if you adopt the use of Active Directory Federation Services (AD FS) 2.0 and set up policies to help ensure your users connect to the services through single sign-on, any customer content that is temporarily cached in Microsoft Social Engagement will be located in the US.
Restricted data access by administrators
Access to Dynamics 365 Government customer content by Microsoft administrators is restricted to personnel who are US citizens. These personnel undergo background investigations in accordance with relevant government standards.
Certifications and accreditations
Dynamics 365 Government is designed to support the Federal Risk and Authorization Management Program (FedRAMP) accreditation at a Moderate Impact level. FedRAMP artifacts are available for review by federal customers who are required to comply with FedRAMP. Federal agencies can review these artifacts in support of their review to grant an Authority to Operate (ATO). It is important to note that, at the present time, the latest brand (Microsoft Dynamics 365 Government) may not show in our ATOs; however, this does not entail a degradation of the security protections afforded to the online services environment as there is application service continuity between the previous brand (Microsoft CRM Online Government) and Dynamics 365 Government, as described above. As Microsoft moves to refresh FedRAMP artifacts as part of the standard audit cycles, branding references will be updated accordingly.
Dynamics 365 Government has features designed to support customers’ CJIS Policy requirements for law enforcement agencies. Please visit the Dynamics 365 Trust Center for more detailed information related to certifications and accreditations.
Dynamics 365 Government and other Microsoft services
Dynamics 365 Government includes several features that allow users to address customer calls through Skype for Business, email editing for sales materials and, in general, integration with other Microsoft enterprise service offerings such as Office 365 for Government. Dynamics 365 Government is deployed within Microsoft datacenters in a manner consistent with a multi-tenant, public cloud deployment model; however, client applications including but not limited to the web-user client, Dynamics 365 for tablets, Dynamics 365 for phones, Dynamics 365 for Outlook, Unified Service Desk for Dynamics 365 and any third-party client application that connects to Dynamics 365 Government are not part of Dynamics 365 Government's accreditation boundary and government customers are responsible for managing them.
Dynamics 365 Government leverages the Office 365 customer administrator UI for customer administration and billing – Dynamics 365 Government maintains the actual resources, information flow, and data management, while relying on Office 365 to provide the visual styles that are presented to the customer administrator through their management console. For purposes of FedRAMP ATO inheritance, Dynamics 365 Government leverages the physical data centers managed by Microsoft’s Global Foundation Services (GFS) and Azure (including Azure for Government) ATOs for infrastructure and platform services, respectively.
Dynamics 365 Government and third-party services
Dynamics 365 (online) provides the ability to integrate third-party applications into the service. These third-party applications and services might involve storing, transmitting, and processing your organization’s customer data on third-party systems that are outside of the Dynamics 365 (online) infrastructure and therefore are not covered by the Dynamics 365 (online) compliance and data protection commitments. We recommend that you review the privacy and compliance statements provided by the third parties when assessing the appropriate use of these services for your organization.
Dynamics 365 Government and Azure Services
Azure Active Directory (AAD) is not part of the Dynamics 365 Government accreditation boundary and government customers are responsible for using AD FS to uniquely identify and authenticate their organizational users. Notwithstanding, it is important to note that AAD provides critical functionality to both Dynamics 365 Government and AD FS, whose dependencies are described in detail in the Dynamics 365 Government SSP (Service Security Plan).
When a user of an organization employing AD FS attempts to access Dynamics 365 (online), the user is redirected to a login page hosted on the organization’s AD FS server. The user provides their credentials to the organization's AD FS server, which attempts to authenticate the credentials using the organization’s existing Active Directory infrastructure. If the credentials are authenticated, the organization’s AD FS server issues a SAML (Security Assertion Markup Language) ticket containing information about the user’s identity and group membership. The customer AD FS server signs this ticket using one half of an asymmetric key pair and sends the ticket to AAD over a TLS-encrypted connection. AAD validates the signature using the other half of the asymmetric key pair and grants access based on the ticket. The user's identity and group membership information remains encrypted in AAD; in other words, limited user-identifiable information is stored in AAD. Full details of the AAD security architecture and control implementation can be found in the Azure SSP. The AAD account management services are hosted on physical servers managed by the Microsoft Global Foundation Services (GFS). Network access to these servers is controlled by GFS-managed network devices using rules set by Azure. Users do not interact directly with AAD.
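The sign-and-validate step described above, as an added example that is not Microsoft's code: it shows why a ticket whose group membership changes after signing, or one signed by a key outside the federation trust, is rejected. Assumptions: the `Assertion` type, `Sign`, `Verify`, `Demo`, the issuer URL and the group names are hypothetical; the ticket is a simplified text encoding rather than XML-DSig over real SAML, and RSA PKCS#1 v1.5 with SHA-256 is chosen here because the page does not name an algorithm.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Assertion is a simplified stand-in for the SAML ticket (real SAML is XML signed with XML-DSig).
type Assertion struct {
	Issuer, Subject string
	Groups          []string
}

// digest hashes a deterministic encoding so signer and verifier process identical bytes.
func (a Assertion) digest() []byte {
	d := sha256.Sum256([]byte(a.Issuer + "\n" + a.Subject + "\n" + strings.Join(a.Groups, ",")))
	return d[:]
}

// Sign is the identity-provider (AD FS) side: it uses the private half of the key pair.
func Sign(priv *rsa.PrivateKey, a Assertion) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, a.digest())
}

// Verify is the relying-party side: it accepts only the trusted issuer and the public half of its key.
func Verify(trustedIssuer string, pub *rsa.PublicKey, a Assertion, sig []byte) bool {
	return a.Issuer == trustedIssuer && rsa.VerifyPKCS1v15(pub, crypto.SHA256, a.digest(), sig) == nil
}

// Demo checks a genuine ticket, a ticket altered in transit, and one signed by an untrusted key.
func Demo() (genuine, altered, untrustedKey bool) {
	idp, _ := rsa.GenerateKey(rand.Reader, 2048)                // federation signing key (constructed)
	other, _ := rsa.GenerateKey(rand.Reader, 2048)              // key that is not part of the trust
	issuer := "https://adfs.agency.example/adfs/services/trust" // constructed value
	a := Assertion{issuer, "alice@agency.example", []string{"CRM-Users"}}
	sig, _ := Sign(idp, a)
	genuine = Verify(issuer, &idp.PublicKey, a, sig)
	changed := Assertion{issuer, a.Subject, []string{"CRM-Users", "CRM-Admins"}}
	altered = Verify(issuer, &idp.PublicKey, changed, sig)
	otherSig, _ := Sign(other, changed)
	untrustedKey = Verify(issuer, &idp.PublicKey, changed, otherSig)
	return
}

func main() {
	g, a, u := Demo()
	fmt.Printf("genuine=%v altered=%v untrustedKey=%v\n", g, a, u)
}
```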