Power BI for US government customers
This article is for US government customers who are deploying Power BI as part of a Microsoft 365 Government plan. Government plans are designed for the unique needs of organizations that must meet US compliance and security standards. The Power BI service that's designed for US government customers differs from the commercial version of the Power BI service. These feature differences and capabilities are described in the following sections.
Before you can get a Power BI US government subscription and assign licenses to users, you have to enroll in a Microsoft 365 Government plan. If your organization already has a Microsoft 365 Government plan, skip ahead to Buy a Power BI Pro subscription for government customers.
Government cloud instances
If you're a new customer, you have to validate your organization's eligibility before you can sign up for a Microsoft 365 Government plan. Get started by completing the Microsoft 365 for Government eligibility validation form. Microsoft 365 provides different environments for government agencies to meet varying compliance requirements. To ensure that you're selecting the right plan for your organization, consult the Microsoft 365 US Government service descriptions for each environment:
Microsoft 365 Government Community Cloud (GCC) is designed for federal, state, and local government.
Microsoft 365 Government Community Cloud High (GCC High) is designed for federal agencies, defense industry, aerospace industry, and other organizations that hold controlled unclassified information. This environment is suited for national security organizations and companies that have International Traffic in Arms Regulations (ITAR) data or Defense Federal Acquisition Regulations Supplement (DFARS) requirements.
The Microsoft 365 DoD environment is designed exclusively for the US Department of Defense.
If you've already deployed Power BI to a commercial environment and want to migrate to the US government cloud, you'll need to add a new Power BI Pro or Premium Per User (PPU) subscription to your Microsoft 365 Government plan. Next, replicate the commercial data to the Power BI service for US government, remove commercial license assignments from user accounts, and then assign a Power BI Pro government license to the user accounts.
Buy a Power BI Pro subscription for government customers
After you've deployed Microsoft 365, you can add a Power BI Pro subscription. Follow the guidance in Enroll your US government organization to buy the Power BI Pro government service. Buy enough licenses for all the users who need to use Power BI, and then assign the licenses to individual user accounts.
Power BI US Government isn't available as a Free license. To access the government community cloud, each user must be assigned a Pro or Premium Per User (PPU) license. If a user account has been assigned a Free license, the user is authorized to access only the commercial cloud and will encounter authentication and access issues. If you've purchased Power BI Premium, you don't have to assign Pro licenses to enable user access. Users in the organization can access reports that are shared with them as long as the reports are published to a Premium capacity. To review the differences between license types, see Power BI service features by license type.
Sign in to Power BI for US government
The URL for connecting to Power BI differs for government users and commercial users. To sign in to Power BI, use the following URLs:
|Commercial version||GCC||GCC High||DoD|
Your account might be set up in more than one cloud. If your account is set up that way, when you sign in to Power BI Desktop, you can choose which cloud to connect to.
In this video, Using Power BI Desktop in government clouds, Technical Specialist Steve Winward shows how you can apply a registry setting to go directly to the right cloud endpoint for your environment. The registry key settings to bypass the global discovery endpoint are shared on GitHub.
Allow connections to Power BI
To use the Power BI service, you must allow connections to required endpoints on the internet. These destinations have to be reachable to enable communication between your own network, Power BI, and other dependent services.
In the table below, we list the required endpoints to add to your allowlist to enable connection to the Power BI service for general site usage. These endpoints are unique to the US government cloud. The Power BI service requires only TCP Port 443 to be opened for the listed endpoints. The endpoints for getting data, dashboard and report integration, Power BI visuals, and other optional services aren’t unique to the US government cloud. To also add these URLs to your allowlist, see Add Power BI URLs to your allowlist.
Authentication, identity, and administration for Power BI depend on connectivity to Microsoft 365 services. You also have to connect to Microsoft 365 to view audit logs. To identify the endpoints for these services, see Microsoft 365 integration in the table below.
Power BI URLs for general site usage
|Backend APIs||GCC: api.powerbigov.us|
|GCC High: api.high.powerbigov.us|
|Backend APIs||GCC: *analysis.usgovcloudapi.net|
|GCC High: *.high.analysis.usgovcloudapi.net|
|Backend APIs||All: *.pbidedicated.usgovcloudapi.net|
|Content Delivery Network (CDN)||GCC: gov.content.powerapps.us|
|GCC High: high.content.powerapps.us|
|Microsoft 365 integration||GCC: Worldwide endpoints|
|GCC High: US Government GCC High endpoints|
|DoD: US Government DOD endpoints|
|GCC High: *.high.powerbigov.us|
|Service telemetry||All: dc.services.visualstudio.us|
|Informational messages (optional)||All: dynmsg.modpim.com|
|NPS surveys (optional)||All: nps.onyx.azure.net|
Connect government and global Azure cloud services
Azure is distributed across multiple clouds. By default, you can enable firewall rules to open a connection to a cloud-specific instance, but cross-cloud networking is different. To communicate between services in the public cloud and services in the Government Community Cloud, you have to configure specific firewall rules. For example, if you want to access public cloud instances of a SQL database from your government cloud deployment of Power BI, you need a firewall rule in the SQL database. Configure specific firewall rules for SQL databases to allow connections to the Azure Government Cloud for the following datacenters:
- USGov Iowa
- USGov Virginia
- USGov Texas
- USGov Arizona
- US DoD East
- US DoD Central
To get the US government cloud IP ranges, download the Azure IP Ranges and Service Tags – US Government Cloud file. ranges are listed for both Power BI and Power Query.
For more information about Microsoft Azure Government cloud services, see Azure Government documentation.
To set up firewalls for SQL databases, see Create and manage IP firewall rules.
Power BI feature availability
To accommodate the requirements of government cloud customers, there are some differences between government plans and commercial plans. Our goal is to make all features available in government clouds within 30 days of general availability. In some cases, underlying dependencies prevent us from making a feature available. The list below shows features that aren't yet available in a particular government environment or that are available with limited functionality. The list uses the following key:
|The feature is available in the environment, with any exceptions defined in footnotes.|
|The feature isn't available in the environment and we don't have an estimated time frame for delivery.|
We include the quarter for estimated availability if release is planned for an environment.
|Azure B2B Collaboration between government and commercial cloud1|
|Embed in SharePoint Online using the Power BI web part|
|Data Protection (MIP labels)|
|Dataflows - Direct Query||Not planned|
|Dataflows - SQL Compute engine optimization||Not planned|
|Power BI tab in Teams3|
|Large models||Not planned|
|Call Quality Data Connector|
|Bring Your Own Storage (Azure Data Lake Gen 2)|
|Tenant metadata scanning flow4|
1 Although B2B Collaboration is available for GCC, the external user must be issued a license in that environment. Commercial cloud licenses aren't valid in GCC. For more information about known limitations with B2B Collaboration for US government, Compare Azure Government and global Azure.
2 Marketplace apps aren't available to US Government cloud instances so template apps are limited to private and organizational apps.
3 The Power BI experience in Teams for GCC is limited, works only for classic workspaces, and doesn't include the enhanced functionality described in Embed Power BI Content in Microsoft Teams.
4 The tenant metadata scanning flow is composed of the following Power BI REST APIs: getmodifiedworkspaces, getscanresult, getscanstatus, and postworkspaceinfo. These APIs are not supported in sovereign clouds.