Power BI for US government customers
This article is for US government customers who are deploying Power BI as part of a Microsoft 365 Government plan. Government plans are designed for the unique needs of organizations that must meet US compliance and security standards.
The Power BI service that's designed for US government customers differs from the commercial version of the Power BI service. These feature differences and capabilities are described in the following sections.
Before you can get a Power BI US government subscription and assign licenses to users, you have to enroll in a Microsoft 365 Government plan. If your organization already has a Microsoft 365 Government plan, skip ahead to Buy a Power BI Pro subscription for government customers.
Government cloud instances
If you're a new customer, you have to validate your organization's eligibility before you can sign up for a Microsoft 365 Government plan. Get started by completing the Microsoft 365 for Government eligibility validation form.
Microsoft 365 provides different environments for government agencies to meet varying compliance requirements. To ensure that you're selecting the right plan for your organization, consult the Microsoft 365 US Government service description for each environment:
Microsoft 365 Government Community Cloud (GCC) is designed for federal, state, and local government.
Microsoft 365 Government Community Cloud High (GCC High) is designed for federal agencies, defense industry, aerospace industry, and other organizations that hold controlled unclassified information. This environment is suited for national security organizations and companies that have International Traffic in Arms Regulations (ITAR) data or Defense Federal Acquisition Regulations Supplement (DFARS) requirements.
The Microsoft 365 DoD environment is designed exclusively for the US Department of Defense.
If you've already deployed Power BI to a commercial environment and want to migrate to the US government cloud, you'll need to add a new Power BI Pro or Premium Per User (PPU) subscription to your Microsoft 365 Government plan. Next, replicate the commercial data to the Power BI service for US government, remove commercial license assignments from user accounts, and then assign a Power BI Pro government license to the user accounts.
Buy a Power BI Pro subscription for government customers
After you've deployed Microsoft 365, you can add a Power BI Pro subscription. To buy the Power BI Pro government service, follow the guidance in Enroll your US government organization. Buy enough licenses for all the users who need to use Power BI, and then assign the licenses to individual user accounts.
Power BI US Government isn't available as a Free license. To access the government community cloud, each user must be assigned a Pro or Premium Per User (PPU) license. If a user account has been assigned a Free license, the user is authorized to access only the commercial cloud and will encounter authentication and access issues.
If you've purchased Power BI Premium, you don't have to assign Pro licenses to enable user access. Users in the organization can access reports that are shared with them, as long as the reports are published to a Premium capacity.
To review the differences between license types, see Power BI service features by license type.
Sign in to Power BI for US government
The URLs for connecting to Power BI differ for government users and commercial users. To sign in to the correct Power BI version, use one of the following URLs:
- Commercial version: https://app.powerbi.com
- GCC: https://app.powerbigov.us
- GCC High: https://app.high.powerbigov.us
- DoD: https://app.mil.powerbigov.us
Your account might be set up in more than one cloud. If your account is set up that way, when you sign in to Power BI Desktop, you can choose which cloud to connect to.
In this video, Using Power BI Desktop in government clouds, Technical Specialist Steve Winward shows how you can apply a registry setting to go directly to the right cloud endpoint for your environment. The registry key settings to bypass the global discovery endpoint are shared on GitHub.
Allow connections to Power BI
To use the Power BI service, you must allow connections to required endpoints on the internet. These destinations have to be reachable to enable communication between your own network, Power BI, and other dependent services.
The following table lists the required endpoints to add to your allowlist to enable connection to the Power BI service for general site usage. These endpoints are unique to the US government cloud. The Power BI service requires only Transmission Control Protocol (TCP) port 443 to be opened for the listed endpoints.
The endpoints for getting data, dashboard and report integration, Power BI visuals, and other optional services aren’t unique to the US government cloud.
To add these URLs to your allowlist also, see Add Power BI URLs to your allowlist.
Authentication, identity, and administration for Power BI depend on connectivity to Microsoft 365 services. You also have to connect to Microsoft 365 to view audit logs. To identify the endpoints for these services, see "Microsoft 365 integration" in the following table:
Power BI URLs for general site usage
|Back-end APIs||GCC: api.powerbigov.us
GCC High: api.high.powerbigov.us
|Back-end APIs||GCC: *.analysis.usgovcloudapi.net
GCC High: *.high.analysis.usgovcloudapi.net
|Back-end APIs||All: *.pbidedicated.usgovcloudapi.net|
|Content Delivery Network (CDN)||GCC: gov.content.powerapps.us
GCC High: high.content.powerapps.us
|Microsoft 365 integration||GCC: Worldwide endpoints
GCC High: US Government GCC High endpoints
DoD: US Government DOD endpoints
GCC High: *.high.powerbigov.us
|Service telemetry||All: dc.services.visualstudio.us|
|Informational messages (optional)||All: dynmsg.modpim.com|
|NPS surveys (optional)||All: nps.onyx.azure.net|
Connect government and global Azure cloud services
Azure is distributed across multiple clouds. By default, you can enable firewall rules to open a connection to a cloud-specific instance, but cross-cloud networking is different. To communicate between services in the public cloud and services in the Government Community Cloud, you have to configure specific firewall rules. For example, if you want to access public cloud instances of a SQL database from your government cloud deployment of Power BI, you need a firewall rule in the SQL database. Configure specific firewall rules for SQL databases to allow connections to the Azure Government Cloud for the following datacenters:
- USGov Iowa
- USGov Virginia
- USGov Texas
- USGov Arizona
- US DoD East
- US DoD Central
To get the US government cloud IP ranges, download the Azure IP Ranges and Service Tags – US Government Cloud file. Ranges are listed for both Power BI and Power Query.
For more information about Microsoft Azure Government cloud services, see Azure Government documentation.
To set up firewalls for SQL databases, see Create and manage IP firewall rules.
Power BI feature availability
To accommodate the requirements of government cloud customers, government plans differ from commercial plans in some respects. Our goal is to make all features available in government clouds within 30 days of general availability. In a few cases, underlying dependencies prevent us from making a feature available.
The following table lists features that aren't yet available in a particular government environment or that are available with limited functionality. The table uses the following keys:
|The feature is available in the environment, and any exceptions are defined in footnotes.|
|The feature isn't available in the environment, and we don't have an estimated time frame for delivery.|
If a release is planned for an environment, we include the quarter of estimated availability.
|Azure B2B collaboration between government and commercial cloud1|
|Embed in SharePoint Online by using the Power BI web part|
|Data Protection (MIP labels)|
|Dataflows - Direct Query||Not planned|
|Dataflows - SQL Compute engine optimization||Not planned|
|Power BI tab in Teams3|
|Large models||Not planned|
|Call Quality Data Connector||CY2021-Q4||CY2021-Q4||CY2021-Q4|
|Bring your own storage (Azure Data Lake Gen 2)|
|Tenant metadata scanning flow4|
1 Although B2B collaboration is available for GCC, external users must be issued a license in that environment. Commercial cloud licenses aren't valid in GCC. For more information about known limitations with B2B collaboration for US government, see Compare Azure Government and global Azure.
2 Because marketplace apps aren't available to US government cloud instances, template apps are limited to private and organizational apps.
3 The Power BI experience in Teams for GCC is limited. It works only for classic workspaces and doesn't include the enhanced functionality that's described in Embed Power BI content in Microsoft Teams.
4 The tenant metadata scanning flow is composed of the following Power BI REST APIs: getmodifiedworkspaces, getscanresult, getscanstatus, and postworkspaceinfo. These APIs are not supported in sovereign clouds.