Microsoft Flow US Government
In response to the unique and evolving requirements of the United States public sector, Microsoft has created Microsoft Flow US Government plans. This section provides an overview of features that are specific to Microsoft Flow US Government. We recommend that you read this supplementary section as well as the Microsoft Flow service getting started topic. For brevity, this service is commonly referred to as Flow GCC.
The Microsoft Flow US Government Service Description serves as an overlay to the general Microsoft Flow Service Description. It defines the unique commitments and differences compared to the general Microsoft Flow offerings that have been available to our customers since October, 2016.
About Microsoft Flow US Government environments and plans
Microsoft Flow US Government plans are monthly subscriptions and it can be licensed to an unlimited number of users.
The Microsoft Flow GCC environment is compliant with the Federal requirements for cloud services, including FedRAMP High, and DoD DISA IL2. It is also compliant with the criminal justice systems (CJI data types) requirements.
In addition to the features and capabilities of Microsoft Flow, organizations that use Microsoft Flow US Government benefit from the following unique features:
Your organization's customer content is physically separated from customer content in commercial offering of Microsoft Flow.
Your organization's customer content is stored within the United States.
Access to your organization's customer content is restricted to screened Microsoft personnel.
Microsoft Flow US Government complies with all certifications and accreditations that US Public Sector customers require.
Microsoft Flow US Government is available to (1) US federal, state, local, tribal, and territorial government entities, and (2) other entities which handle data that is subject to government regulations and requirements and where use of Microsoft Flow US Government is appropriate to meet these requirements, subject to validation of eligibility. Microsoft's validation of eligibility includes confirmation of handling data subject to International Traffic in Arms Regulations (ITAR), law enforcement data subject to the FBI's Criminal Justice Information Services (CJIS) Policy, or other government-regulated or controlled data. Validation may require sponsorship by a government entity with specific requirements for the handling of data.
Entities with questions about eligibility for Microsoft Flow US Government should consult their account team. Microsoft re-validates eligibility when it renews customer contracts for Microsoft Flow US Government.
Microsoft Flow US Government plans
Access to Microsoft Flow US Government plans is restricted to the offerings described in the following section; each plan is offered as a monthly subscription and can be licensed to an unlimited number of users:
Microsoft Flow/PowerApps Plan 1 US Government
Microsoft Flow/PowerApps Plan 2 US Government
In addition to the standalone plans, Microsoft Flow and PowerApps capabilities are also included in certain Office 365 US Government and Dynamics 365 US Government plans allowing customers to extend and customize Office 365 and Dynamics 365 with Microsoft Flow and PowerApps capabilities.
Licensing is available in customer tenants from mid-April 2019.
Additional information and details regarding the differences in functionality between these groups of licenses are described in more detail here: Microsoft Flow licensing information.
Microsoft Flow US Government is available through the Volume Licensing and Cloud Solution Provider purchasing channels.
Differences between customer data and customer content
Customer data, as defined in the Online Service Terms, means all data, including all text, sound, video, or image files, and software that are provided to Microsoft by, or on behalf of, customers through the use of an Online Service.
Customer content refers to a specific subset of customer data that has been directly created by users, such as content stored in databases through entries in the Common Data Service entities (for example, contact information). Content is generally considered confidential information, and in normal service operations, is not sent through the Internet without encryption.
For more information on how Microsoft Flow protects customer data, see the Microsoft Online Services Trust Center.
Data segregation for Government Community Cloud
When provisioned as part of Microsoft Flow US Government, the Microsoft Flow service is offered in accordance with the National Institute of Standards and Technology (NIST) Special Publication 800-145.
Microsoft refers to this offer as the Government Community Cloud (GCC).
In addition to the logical separation of customer content at the application layer, the Microsoft Flow Government service provides your organization with a secondary layer of physical segregation for customer content by using infrastructure that is separate from the infrastructure used for commercial Microsoft Flow customers. This includes using Azure services in Azure’s Government Cloud. To learn more, see Azure Government.
Customer content located within the United States
Microsoft Flow US Government runs in datacenters physically located in the United States and stores customer content at rest in datacenters physically located only in the United States.
Restricted data access by administrators
Access to Microsoft Flow US Government customer content by Microsoft administrators is restricted to personnel who are US citizens. These personnel undergo background investigations in accordance with relevant government standards.
Microsoft Flow support and service engineering staff do not have standing access to customer content hosted in Microsoft Flow US Government. Any staff who requests temporary permission elevation which would grant access to customer content must first have passed the following background checks.
|Microsoft Personnel Screening and Background Checks 1||Description|
|U.S. citizenship||Verification of U.S. citizenship|
|Employment history check||Verification of seven (7) year employment history|
|Education verification||Verification of highest degree attained|
|Social Security number (SSN) search||Verification that the SSN the employees provides is valid|
|Criminal history check||A seven (7) year criminal record check for felony and misdemeanor offenses at the state, county, and local level and at the federal level|
|Office of Foreign Assets Control list (OFAC)||Validation against the Department of Treasury list of groups with whom U.S. persons are not allowed to engage in trade or financial transactions|
|Bureau of Industry and Security list (BIS)||Validation against the Department of Commerce list of individuals and entities barred from engaging in export activities|
|Office of Defense Trade Controls Debarred Persons list (DDTC)||Validation against the Department of State list of individuals and entities barred from engaging in export activities related to the defense industry|
|Fingerprinting check||Fingerprint background check against FBI databases|
|CJIS background screening||State-adjudicated review of federal and state criminal history by state CSA appointed authority within each state that has signed up for the Microsoft CJIS IA program|
1 Applies only to personnel with temporary or standing access to customer content hosted in Microsoft Flow US Government (GCC).
Certifications and accreditations
Microsoft Flow US Government is designed to support the Federal Risk and Authorization Management Program (FedRAMP) accreditation at a High Impact level. This program infers alignment to DoD DISA IL2. FedRAMP artifacts are available for review by federal customers who are required to comply with FedRAMP. Federal agencies can peruse these artifacts in support of their review to grant an Authority to Operate (ATO).
Currently, the Microsoft Flow US Government services are under review with FedRAMP, but have been granted a Security Assessment Report (SAR) by a qualified 3PAO.
As Microsoft moves to refresh FedRAMP artifacts as part of the standard audit cycles, content will be updated accordingly.
Microsoft Flow US Government has features designed to support customers' CJIS Policy requirements for law enforcement agencies. Please visit the Microsoft Flow US Government products page in the Trust Center for more detailed information related to certifications and accreditations.
Microsoft Flow US Government and other Microsoft services
Microsoft Flow US Government includes several features that allow users to connect to, and integrate with, other Microsoft enterprise service offerings such as Office 365 US Government, Dynamics 365 US Government, and PowerApps US Government.
Microsoft Flow US Government runs within Microsoft datacenters in a manner consistent with a multi-tenant, public cloud deployment model; however, client applications including, but not limited to the web-user client, Microsoft Flow mobile application (when available), and any third-party client application that connects to Microsoft Flow US Government, are not part of Microsoft Flow US Government's accreditation boundary. Government customers are responsible for managing them.
Microsoft Flow US Government leverages the Office 365 customer administrator UI for customer administration and billing.
Microsoft Flow US Government maintains the actual resources, information flow, and data management, while relying on Office 365 to provide the visual styles that are presented to the customer administrator through their management console. For purposes of FedRAMP ATO inheritance, Microsoft Flow US Government leverages Azure (including Azure for Government) ATOs for infrastructure and platform services, respectively.
If you adopt the use of Active Directory Federation Services (AD FS) 2.0 and set up policies to help ensure your users connect to the services through single sign-on, any customer content that is temporarily cached will be located in the United States.
Microsoft Flow US Government and third-party services
Microsoft Flow US Government provides the ability to integrate third-party applications into the service through Connectors. These third-party applications and services might involve storing, transmitting, and processing your organization’s customer data on third-party systems that are outside of the Microsoft Flow US Government infrastructure and therefore are not covered by the Microsoft Flow US Government compliance and data protection commitments.
Review the privacy and compliance statements provided by the third parties when assessing the appropriate use of these services for your organization.
Microsoft Flow US Government and Azure Services
The Microsoft Flow US Government services are deployed to Microsoft Azure Government. Azure Active Directory (Azure AD) is not part of the Microsoft Flow US Government accreditation boundary, but takes a reliance on a customer’s Azure AD tenant for customer tenant and identity functions, including authentication, federated authentication, and licensing.
When a user of an organization employing ADFS attempts to access Microsoft Flow US Government, the user is redirected to a login page hosted on the organization’s ADFS server.
The user provides credentials to their organization's ADFS server. The organization's ADFS server attempts to authenticate the credentials using the organization’s Active Directory infrastructure.
If authentication is successful, the organization’s ADFS server issues a SAML (Security Assertion Markup Language) ticket that contains information about the user’s identity and group membership.
The customer’s ADFS server signs this ticket using one half of an asymmetric key pair and then it sends the ticket to Azure AD via encrypted TLS. Azure AD validates the signature using the other half of the asymmetric key pair and then grants access based on the ticket.
The user's identity and group membership information remain encrypted in Azure AD. In other words, only limited user-identifiable information is stored in Azure AD.
You can find full details of the Azure AD security architecture and control implementation in the Azure SSP.
The Azure AD account management services are hosted on physical servers managed by the Microsoft Global Foundation Services (GFS). Network access to these servers is controlled by GFS-managed network devices using rules set by Azure. Users do not interact directly with Azure AD.
Microsoft Flow US Government service URLs
There are a different set of URLs to access Microsoft Flow US Government. Refer to the following table for a cross reference:
|Commercial version URL||US Government version URL|
Connectivity between Microsoft Flow US Government and Public Azure Cloud services
Azure is distributed among multiple clouds. By default, tenants are allowed to open firewall rules to a cloud-specific instance, but cross-cloud networking is different and requires opening specific firewall rules to communicate between services. If you are a Microsoft Flow customer and you have existing SQL instances in azure public cloud which you need to access, you must open specific firewall ports in SQL to the Azure Government Cloud IP space for the following datacenters:
- USGov Virginia
- USGov Texas
Please refer to the Azure IP Ranges and Service Tags – US Government Cloud document, focusing attention on AzureCloud.usgovtexas and AzureCloud.usgovvirginia. Also note that these are the IP ranges required for your end-users to have access to the service URLs.
On-premises Data Gateway configuration
Install an On-Premises Data Gateway to transfer data quickly and securely between a canvas app that's built in Microsoft Flow and a data source that isn't in the cloud. Examples include on-premises SQL Server databases or on-premises SharePoint sites.
If your organization (tenant) has already configured and successfully connected the On-Premises Data Gateway for PowerBI US Government, then the process your organization executed to enable that will also enable on-premises connectivity for Microsoft Flow. However, if you are unable to connect to your tenant, then you may need to go through a “whitelisting” process, which enables this capability for your tenant. Should this occur, you can open a support ticket to address your needs. The support team follows an established process to address your request.
Microsoft Flow US Government feature limitations
Some of the features available in the commercial version of Flow are not available in Flow US Government customers. The Flow team is actively working on making these features available to US Government customers and will update this article when these features become available.
Trigger Microsoft Flow US Government flow from SharePoint Lists
Trigger Microsoft Flow US Government flow from Dynamics 365 for Customer Engagement GCC
Approvals – Although US Government customers may use Microsoft Flow approvals, they will not be able to send actionable emails, and will need to direct approvers to the Approval Center. As a workaround, Microsoft Flow makers can leverage standard email connectors to notify someone that an approval pending. In that case, they would also include the hyperlink, within the email, which points to the Approval Center where US Government customers may act on the approvals.
Submitting templates is disabled in GCC to address enterprise data governance and data flow concerns.
Connectors – The most popular connectors in use in our commercial service (based on usage telemetry) have been published; if there is a Connector available in the commercial offering that you do not see deployed, please contact support and we will review your request