Microsoft Power Apps US Government

In response to the unique and evolving needs of the US public sector, Microsoft developed Power Apps US Government, which includes several plans for US government organizations. This section gives an overview of the features that are specific to Power Apps US Government. Read it in addition to the Power Apps documentation, which describes the general Power Apps service. For brevity, this service is referred to here as Power Apps Government Community Cloud (GCC) or Power Apps Government Community Cloud High (GCC High).

The Power Apps US Government service description is designed to supplement the general Power Apps service description. It defines the commitments that are specific to this service and the ways in which it differs from the Power Apps offerings that have been available to our customers since October 2016.

Learn about Power Apps environments and plans for US governments

The US Government Power Apps plans are monthly subscriptions and can be licensed to an unlimited number of users.

The Power Apps GCC environment meets federal requirements for cloud services, including FedRAMP High, DoD DISA IL2, and the requirements for criminal justice information systems (CJI data types).

In addition to the features and capabilities of Power Apps, organizations using Power Apps for US Government Agencies can take advantage of the following features that are unique to Power Apps for US Government Agencies:

  • Your organization's customer content is physically separated from customer content in Microsoft's commercial Power Apps services.
  • Your organization's customer content is stored within the United States.
  • Access to your organization's customer content is restricted to screened Microsoft personnel.
  • Power Apps US Government complies with the certifications and accreditations required by US public sector customers.

Starting September 2019, eligible customers can deploy Power Apps US Government in the GCC High environment, which enables single sign-on and seamless integration with Microsoft 365 GCC High deployments. Microsoft designed the platform and our operational processes to meet the requirements of the DISA SRG IL4 compliance framework. We expect that our US Department of Defense customers and other federal agencies currently using Microsoft 365 GCC High will use the Power Apps US Government GCC High deployment option, which enables and requires the customer to use Azure AD Government for customer identities, in contrast to GCC, which uses public Azure AD. For our US Department of Defense customer base, Microsoft operates the service so that these customers can meet the ITAR regulations and the DFARS acquisition regulations as documented and required in their contracts with the US Department of Defense.

Customer authorization

Power Apps US Government is available to (1) US federal, state, local, tribal, and territorial government entities, and (2) other entities that handle data subject to government regulations and requirements, where use of Power Apps US Government is appropriate to meet those requirements, subject to validation of eligibility. Microsoft's eligibility validation includes confirming that the entity handles data subject to the International Traffic in Arms Regulations (ITAR), law enforcement data subject to the FBI's Criminal Justice Information Services (CJIS) policy, or other government-regulated or controlled data. Validation may require sponsorship by a government agency with specific data handling requirements.

Government agencies with questions about eligibility for Power Apps US Government should contact their account team. Eligibility is re-validated when the customer renews their Power Apps US Government contract.

Power Apps plans for US government agencies

Access to US government agency Power Apps plans is limited to the following offerings. Each plan is offered as a monthly subscription and can be licensed for an unlimited number of users:

  • Power Apps per app plan for Government
  • Power Apps per user plan for Government

In addition to the standalone plans, Power Apps and Power Automate capabilities are also included in certain Microsoft 365 US Government and Dynamics 365 US Government plans, so that customers can extend and customize Microsoft 365 and the customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, and Dynamics 365 Project Service Automation).

For more information about the differences in functionality between these license groups, see the Power Apps Licensing Information page. Power Apps for US Government Agencies is available through volume licensing and cloud solution provider purchase channels. The Cloud Solution Provider program is currently not available to GCC High customers.

What are "customer data and customer content"?

Customer data, as defined in the online service terms, is any data, including any text, audio, video or image files and software, provided to Microsoft by or on behalf of customers through the use of the online service. Customer content refers to a specific subset of customer data created directly by users, for example content stored in databases through entries in the Microsoft Dataverse entities (e.g. contact information). Content is generally treated as confidential information and is not sent unencrypted over the Internet during normal service operations.

For more information on Power Apps protection for customer data, see Microsoft Online Services Trust Center.

Data separation for the government community cloud

If the Power Apps service is provided as part of Power Apps for US government agencies, the service is offered in accordance with NIST (National Institute of Standards and Technology) Special Publication 800-145.

In addition to logically separating customer content at the application layer, the Power Apps US Government service provides your organization with a secondary layer of physical separation for customer content by using infrastructure that is separate from the infrastructure used for commercial Power Apps customers. This includes the use of Azure services in the Azure Government Cloud. For more information, see Azure Government.

Customer content within the US

Power Apps US Government services are provided from data centers that are physically located in the US. Power Apps US Government customer content is stored at rest only in data centers that are physically located in the US.

Restricted data access by administrators

Access to Power Apps US Government customer content by Microsoft administrators is restricted to personnel who are US citizens. These personnel must undergo background investigations in accordance with the relevant national standards.

Power Apps support and service technical staff do not have persistent access to customer content hosted in Power Apps for US government agencies. Any employee requesting a temporary elevation that would grant access to customer content must first pass the following background checks.

Microsoft personnel screening and background checks (1):

  • US citizenship: Verification of US citizenship.
  • Employment history check: Review of seven (7) years of employment history.
  • Education verification: Verification of the highest degree attained.
  • Social Security Number (SSN) search: Verification that the SSN provided is valid.
  • Criminal history check: A seven (7) year criminal record check for felony and misdemeanor offenses at the state, county, local, and federal levels.
  • Office of Foreign Assets Control (OFAC) list: Validation against the Treasury Department's list of groups with whom US persons are prohibited from conducting commercial or financial transactions.
  • Bureau of Industry and Security (BIS) list: Validation against the Department of Commerce's list of individuals and entities barred from export activities.
  • Office of Defense Trade Controls (DDTC) Debarred Persons List: Validation against the State Department's list of individuals and entities barred from export activities related to the defense industry.
  • Fingerprint check: Fingerprint background check against FBI databases.
  • CJIS background check: State-adjudicated criminal history review conducted by a CSA-appointed agency in each state that has signed up to participate in the Microsoft CJIS IA program.

(1) Applies only to personnel with temporary or standing access to customer content hosted in Power Apps US Government (GCC).

Certifications and Accreditations

Power Apps US Government supports Federal Risk and Authorization Management Program (FedRAMP) accreditation at the High impact level; DoD DISA IL2 coverage derives from this accreditation. FedRAMP artifacts are available for review by federal customers who are required to comply with FedRAMP. Federal agencies can review these artifacts in support of their own assessment when granting an Authority to Operate (ATO).

Power Apps for US Government has features that can support the customer's CJIS law enforcement requirements. Please visit the Power Apps for US Government product page for more information on certification and accreditation.

Microsoft designed the platform and our operational processes to meet the requirements of the DISA SRG IL4 compliance framework. We expect that our US Department of Defense customer base and other federal agencies currently using Microsoft 365 GCC High will use the Power Apps US Government GCC High deployment option, which enables and requires the customer to use Azure AD Government for customer identities, in contrast to GCC, which uses public Azure AD. For our US Department of Defense customer base, Microsoft operates the service so that these customers can meet ITAR regulations and DFARS acquisition regulations.

Power Apps for US government agencies and other Microsoft services

Power Apps US Government provides several features that let users connect to and integrate with other Microsoft enterprise service offerings, such as Microsoft 365 US Government, Dynamics 365 US Government, and Microsoft Power Automate US Government. Power Apps US Government is deployed in Microsoft data centers in a manner consistent with a multi-tenant public cloud deployment model. However, client applications, including but not limited to the web client, Power Apps mobile applications, and any third-party client application that connects to Power Apps US Government, are not part of the Power Apps US Government accreditation boundary, and government customers are responsible for managing them.

Power Apps US Government uses the Microsoft 365 customer administrator UI for customer administration and billing. Power Apps US Government maintains the actual resources, information flow, and data management, while Microsoft 365 provides the view presented to the customer administrator in the management console. For the purposes of FedRAMP ATO inheritance, Power Apps US Government leverages the Azure (including Azure Government) ATOs for infrastructure and platform services.

If you adopt Active Directory Federation Services (AD FS) 2.0 and set up policies to ensure that your users connect to the services through single sign-on, any customer content that is temporarily cached will be located in the United States.

Power Apps for US government agencies and third-party services

Power Apps for US Government Agencies provides the ability to integrate third-party applications into the service through connectors. These third-party applications and services may include storing, transmitting, and processing your organization's customer data on third-party systems that are external to the US government agency Power Apps infrastructure. They are not covered by Power Apps for US government agencies and are therefore not subject to compliance and data protection agreements.

It is recommended that you read the privacy and compliance statements made available by third party vendors when considering using these services for your organization.

US Government Power Apps and Azure Services

Power Apps US Government services are deployed on Microsoft Azure Government. Azure Active Directory (Azure AD) is not part of the Power Apps US Government accreditation boundary, but Power Apps US Government relies on the customer's Azure AD tenant for tenant and identity functions such as authentication, federated authentication, and licensing.

When a user from an organization using AD FS tries to access Power Apps for US Government Agencies, the user is redirected to a login page hosted on the organization's AD FS server. The user gives their credentials to their organization's AD FS server. The organization's AD FS server tries to authenticate the credentials using the organization's existing Active Directory infrastructure.

If authentication is successful, the organization's AD FS server issues a Security Assertion Markup Language (SAML) ticket that contains information about the user's identity and group membership.

The customer's AD FS server signs the ticket with the private half of an asymmetric key pair and sends the ticket to Azure AD over an encrypted Transport Layer Security (TLS) connection. Azure AD verifies the signature with the corresponding public half of the key pair and then grants access based on the ticket.

The user's identity and group membership information remains encrypted in Azure AD. In other words, only limited user-identifiable information is stored in Azure AD.

Full details of the Azure AD security architecture and control implementation can be viewed in the Azure SSP. End users do not interact directly with Azure AD.

Power Apps Service URLs for US Government Agencies

A different set of URLs is used to access Power Apps US Government environments (see the following lists).

For customers with network restrictions, ensure that your end users' access points are granted access to the following domains:

GCC customers:

*.microsoft.us
*.powerapps.us
*.azure-apihub.us
*.azure.us
*.usgovcloudapi.net
*.microsoftonline.com
*.microsoft.com
*.windows.net
*.azureedge.net
*.azure.net
*.crm9.dynamics.com
*.dynamics365portals.us

For more information on how to access Dataverse environments that users and administrators can create in your tenant, see the required IP address ranges:

https://www.microsoft.com/download/confirmation.aspx?id=57063 (with focus on AzureCloud.usgovtexas and AzureCloud.usgovvirginia)

GCC High customers:

*.microsoft.us
*.powerapps.us
*.azure-apihub.us
*.azure.us
*.usgovcloudapi.net
*.microsoftonline.us
*.azureedge.net
*.azure.net
*.crm.microsoftdynamics.us
*.high.dynamics365portals.us

For more information on how to access Dataverse environments that users and administrators can create in your tenant, see the required IP address ranges:

https://www.microsoft.com/download/confirmation.aspx?id=57063 (with focus on AzureCloud.usgovtexas and AzureCloud.usgovvirginia)
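The two domain lists above differ in an important way: GCC High tenants authenticate against Azure AD Government (*.microsoftonline.us), while the GCC list still contains public Azure AD (*.microsoftonline.com). The following script is an added example, not Microsoft code: it checks hostnames from proxy or firewall logs against each list and reports which ones a GCC rule-set would permit that a GCC High rule-set should not. The wildcard lists mirror the lists in the text; the sample hostnames are constructed.

```python
# Added example (not Microsoft code): check hostnames seen in proxy or
# firewall logs against the Power Apps US Government allow-lists above.
# The wildcard lists mirror the two lists in the text; sample hostnames
# are constructed and not taken from any real capture.

GCC_DOMAINS = [
    "*.microsoft.us", "*.powerapps.us", "*.azure-apihub.us", "*.azure.us",
    "*.usgovcloudapi.net", "*.microsoftonline.com", "*.microsoft.com",
    "*.windows.net", "*.azureedge.net", "*.azure.net",
    "*.crm9.dynamics.com", "*.dynamics365portals.us",
]
GCC_HIGH_DOMAINS = [
    "*.microsoft.us", "*.powerapps.us", "*.azure-apihub.us", "*.azure.us",
    "*.usgovcloudapi.net", "*.microsoftonline.us", "*.azureedge.net",
    "*.azure.net", "*.crm.microsoftdynamics.us",
    "*.high.dynamics365portals.us",
]

def matches_wildcard(hostname: str, pattern: str) -> bool:
    """True if hostname falls under a '*.suffix' pattern on whole DNS labels.

    'lookalike-azure.us' does not match '*.azure.us', and neither does the
    bare apex 'azure.us' (the wildcard needs at least one leading label).
    """
    host = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern.lower()
    return host.endswith("." + pattern[2:].lower())

def classify(hostnames, patterns):
    """Split hostnames into (allowed, not_allowed) for one cloud's list."""
    allowed = [h for h in hostnames
               if any(matches_wildcard(h, p) for p in patterns)]
    return allowed, [h for h in hostnames if h not in allowed]

def gcc_only(hostnames):
    """Hostnames the GCC list permits but the GCC High list does not.

    A GCC rule-set reused for a GCC High tenant would still let clients
    reach public Azure AD (*.microsoftonline.com) rather than only Azure AD
    Government (*.microsoftonline.us), which the text says GCC High requires.
    """
    gcc_allowed, _ = classify(hostnames, GCC_DOMAINS)
    _, high_blocked = classify(hostnames, GCC_HIGH_DOMAINS)
    return [h for h in gcc_allowed if h in high_blocked]

# Constructed sample, as hostnames might appear in proxy logs.
SAMPLE_HOSTS = [
    "portal.example.powerapps.us", "login.microsoftonline.us",
    "login.microsoftonline.com", "orgexample.crm9.dynamics.com",
    "orgexample.crm.microsoftdynamics.us", "lookalike-azure.us",
    "unrelated.example.com",
]

if __name__ == "__main__":
    for name, pats in (("GCC", GCC_DOMAINS), ("GCC High", GCC_HIGH_DOMAINS)):
        ok, blocked = classify(SAMPLE_HOSTS, pats)
        print(f"{name}: allowed={ok}\n{name}: outside allow-list={blocked}")
    print("Permitted by GCC only:", gcc_only(SAMPLE_HOSTS))
```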

Regional Discovery Service is deprecated

Effective March 2, 2020, the Regional Discovery Service is deprecated. More information: Regional Discovery Service is deprecated

Connectivity between Power Apps for US government agencies and Azure public cloud services

Azure is partitioned into several clouds. By default, tenants can open firewall rules only to their own cloud-specific environment. Cross-cloud networking is different and requires specific firewall rules to be opened for communication between services. If you are a Power Apps customer with existing SQL environments in the Azure public cloud that you need to access, you must open firewall rules in SQL for the Azure Government cloud IP address ranges of the following data centers:

  • USGov Virginia
  • USGov Texas

Refer to Azure IP Ranges and Service Tags - US Government Cloud, focusing on AzureCloud.usgovtexas and AzureCloud.usgovvirginia. Note that these are also the IP address ranges your end users need in order to reach the service URLs.

Configure mobile clients

Signing in with the Power Apps mobile client requires a few additional configuration steps.

  1. On the sign-in page, select the gear icon in the lower right corner.
  2. Select Region settings.
  3. Select one of the following options:
    • GCC: US Government GCC
    • GCC High: US Government GCC High
  4. Select OK.
  5. On the sign-in page, select Sign in.

The mobile application will now use the US government's cloud domain.

Configure on-premises data gateways

Install an on-premises data gateway to transfer data quickly and securely between a canvas app built in Power Apps and a data source that is not in the cloud, such as an on-premises SQL Server database or an on-premises SharePoint site.

If your organization (tenant) has already configured and successfully connected the on-premises data gateway for Power BI for US government agencies, the process and configuration that your organization performed to activate it will also enable on-premises connectivity for Power Apps. However, if you are unable to connect to your tenant, you may need to go through a process to add your tenant to an approved list, which enables this feature for your tenant. In this case, please open a support ticket to submit your request. The support team follows a set process to answer your request.

Power Apps US Government feature limitations

Some of the features available in the commercial version of Power Apps are not available to Power Apps customers for government agencies. The Power Apps team is actively working to make the following features available to US government customers and will update this article when these features become available:

  • Embed in Power BI.

  • Ability to add apps to teams using the Add to Teams button.

  • Connectors: The most popular connectors (based on usage telemetry) used in our commercial service have been released. If a connector available in the commercial offering has not been provided, contact support and we will review your request. Note that third-party connectors are not added to GCC High. We will evaluate features in the Data Loss Prevention (DLP) policy functionality that would allow connectors to be added as "blocked by default". Until that is possible, third-party connectors present a measurable risk to organizations that rely on the GCC High environment to maintain the required data exfiltration controls.

  • AI Builder.

  • Geospatial functions are not available in government environments.

Requesting support

Do you have a problem with your service? You can create a support case to solve the problem.

More information: Contact technical support

See also

Microsoft Power Automate US Government
UI flows
Dynamics 365 US Government