Enterprise Mobility + Security for US Government service description
In response to the unique and evolving requirements of the United States public sector, Microsoft has created Enterprise Mobility + Security (EMS) plans for our United States government community customers. This document provides an overview of features that are specific to these EMS plans.
How to use this service description
The EMS for US Government Service Description is designed to serve as an overview of our applicable offerings and will cover: (1) which services and features are included in different offerings, (2) how the US Government offerings differ from our commercial offerings, and (3) our current compliance authorizations.
US Government offers are available to (1) US federal, state, local, and tribal government entities, and (2) other entities that handle data that is subject to government regulations and requirements and where use of services is appropriate to meet these requirements, subject to validation of eligibility. Validation of eligibility by Microsoft will include confirmation of handling government-regulated or controlled data. EMS plans for GCC, GCC High, and Department of Defense (DoD) customers are monthly subscriptions and are licensed on a per-user basis. Entities with questions about eligibility should consult their account team.
EMS offers for US Government and Microsoft 365 interoperability
|EMS US Government Offerings||Location of Hosted Services||Interoperable Microsoft 365 Government Community Cloud (GCC) Offer(s)|
|EMS for GCC (available in both E3 and E5*)||Azure Commercial Cloud||Microsoft 365 GCC|
|EMS for GCC High (available in E3 and E5*)||Azure Government Cloud||Microsoft 365 GCC High; Microsoft 365 DoD|
|EMS for DoD (available in both E3 and E5*)||Azure Government Cloud||Microsoft 365 DoD|
*E5 offerings are limited to Azure AD Premium 2 and Azure Information Protection P2 at this time (in addition to Microsoft Intune) for GCC and DoD customers. Microsoft Defender for Cloud Apps is not currently included in the offering for Microsoft 365 GCC customers. However, GCC customers can choose to add on commercial offerings of Microsoft Defender for Cloud Apps with the purchase of an EMS E5 license.
EMS for US GCC customers
Azure Active Directory P1/P2, Microsoft Intune, and Azure Information Protection P1/P2 are hosted in the Azure commercial environment and are interoperable with the Microsoft 365 GCC platform. These services are certified FedRAMP-High.
GCC customers can choose to add on the commercial offering of Microsoft Defender for Cloud Apps with the purchase of an EMS E5 SKU. Microsoft Defender for Cloud Apps is a commercial offering covered by the Azure Commercial FedRAMP High Authorization to Operate (ATO), but it may not meet other GCC compliance attributes, such as CJIS background screening, IRS 1075, and access to customer content by US government screened personnel. A list of compliance offerings for Microsoft products and services can be found on the Microsoft Trust Center.
To access Microsoft Defender for Identity GCC, visit this link: https://portal.gcc.atp.azure.com
Defender for Cloud Apps customers who are using GCC should use this URL to log on to the service: https://portal.cloudappsecuritygov.com
EMS for US GCC High and DoD customers
The EMS offerings for US GCC High and DoD customers are built on the Microsoft Azure Government cloud and are designed to interoperate with the Microsoft 365 GCC High and DoD environments. The EMS E5 suite is available for both GCC High and DoD customers. Azure Active Directory P1/P2, Microsoft Intune, Azure Information Protection P1/P2, Microsoft Defender for Cloud Apps, and Defender for Identity are certified FedRAMP-High.
GCC High and DoD customers can use a separate set of endpoints for Intune based on different requirements and management needs. Below is a list of EMS management portals available to US GCC High and DoD customers (depending on service availability):
- Microsoft 365 Portal: https://portal.office365.us (for user, group, and license management)
- Azure / Intune Admin Portal: https://portal.azure.us
- Intune Web Company Portal: https://portal.manage.microsoft.us
- Microsoft Defender for Cloud Apps Portal: https://portal.cloudappsecurity.us
- Defender for Identity Portal: https://portal.atp.azure.us
Parity with commercial
While our goal is to deliver all commercial features and functionality to government customers with our US Government offerings, there are some capabilities not yet available in the Azure Government environment. Known existing gaps between our commercial offerings and EMS offerings available to GCC High and DoD customers as of November 2019 are found on the following product pages:
- Azure Active Directory:
  - Visit the Azure Active Directory Premium page of the Azure Government Documentation site for a list of features that are currently not available in Azure Government.
- Azure Information Protection:
  - Visit the Azure Information Protection Premium page for a list of features that are currently not available in Azure Government.
- Microsoft Intune:
  - Visit the Microsoft Intune page for a list of features that are currently not available in Azure Government.
- Defender for Identity:
  - Visit the Defender for Identity page for a list of features that are currently not available in Azure Government.
- Microsoft Defender for Cloud Apps:
  - Visit the Microsoft Defender for Cloud Apps page for a list of features that are currently not available in Azure Government.
Location of customer data
US Government GCC customers
EMS services currently available for US Government customers (Azure AD P1/P2, Intune, and Azure Information Protection P1/P2) are provided from data centers physically located in the United States. Your organization's customer data is stored at rest within the United States. GCC customers can also choose to add on the commercial offering of Microsoft Defender for Cloud Apps with the purchase of an EMS E5 license. (This is not a US GCC service and does not adhere to all GCC attributes.) For information on where Microsoft stores customer data at rest in connection with Microsoft Defender for Cloud Apps, a commercial service, review the Online Services Terms.
US Government GCC High and DoD customers
Organizations that use EMS for US Government GCC High and DoD offerings benefit from the following features:
- Your organization's customer content is physically segregated from customer content in Microsoft's commercial services.
- Your organization's customer content is stored within the United States.
- Access to your organization's customer content is restricted to screened Microsoft personnel.
- Compliance with certifications and accreditations that are required for US Public Sector customers, including Department of Defense Security Requirements Guidelines, Defense Federal Acquisition Regulations Supplement (DFARS), and International Traffic in Arms Regulations (ITAR).
More information can be found on the Microsoft Trust Center page.
Third-party apps and services
Various EMS services provide the ability to work seamlessly with certain third-party applications and services. These third-party applications and services might involve storing, transmitting, and processing your organization's data or content on third-party systems that are outside of the EMS infrastructure and therefore are not covered by our compliance and data protection commitments. It is recommended that you review the privacy and compliance statements provided by these third parties when assessing the appropriate use of third-party apps and services for your organization.
For more information, see Microsoft 365 Government.