The goal of this whitepaper is to provide a single place to refer to for US Federal security and accreditation resources for Power Platform and GCC.
- Azure Commercial FedRAMP Package
  - Includes only commercial Power Platform and Dynamics 365 services
- Azure for Government FedRAMP Package
  - Includes both GCC and GCC High environments for Power Platform and Dynamics 365 services
- Office 365 Multi-Tenant & Supporting Services
- Office 365 GCC
- Microsoft Office 365 GCC High
- Office 365 GCC High
If you need to request any of the actual FedRAMP packages from Microsoft, please send a request to [email protected].
A visual diagram of our FedRAMP packages above for a GCC customer is shown below,
Microsoft maintains a private global network that interconnects all of its data centers. Traffic between Azure Government and Azure Commercial services (which a GCC deployment depends on, since GCC tenants use the commercial Azure AD instance alongside Azure Government) travels over this Microsoft-owned fiber backbone rather than the public internet.
CISA's Secure Cloud Business Applications (SCuBA) official website can be found below,
CISA has published M365 Minimum Viable Secure Configuration Baseline documents for various Microsoft products. Below is a link to the entire GitHub repository,
The security baseline recommendations for Power Platform and Power BI can be found below,
- Microsoft Power Platform M365 Minimum Viable Secure Configuration Baseline
- Microsoft Power BI M365 Minimum Viable Secure Configuration Baseline
For internal Agency use of Power Platform and Dynamics 365, the services rely on the security and auditing capabilities of Microsoft 365. The following blog series outlines how Microsoft 365 services align to CISA's Trusted Internet Connections (TIC) guidance,
- Part 1 - Securing Mobile
- Part 2 - Securing the Endpoint
- Part 3 - Securing the Platform
- Part 4 - Auditing and Logging
You can view all of the audit logs specific to Power Platform and Dynamics 365 the same way you would for all other O365 services as described in the blog articles above. Details on each Power Platform / Dynamics 365 service and their corresponding auditing types that get logged can be found in our documentation pages below,
- Power Apps Audit Logs
- Power Automate Audit Logs
- Data loss prevention (DLP) Audit Logs
- Power Platform Connection Audit Logs
- Dataverse and model-driven apps Audit Logs
Full details of auditing capabilities inside of Dataverse can be found in the link below,
The sovereign cloud specific Azure AD (now Microsoft Entra ID) applications to target in Conditional Access policies are listed below. The first table covers GCC, which is hosted in the commercial Azure AD instance, so its Power Apps, Power Automate and Dataverse application IDs are the same as the commercial ones; the second table covers GCC High, which is hosted in Azure AD Government and uses separate application registrations. Scope policies by application ID rather than display name, since display names can change.

GCC:

Service | AAD Application Name | AAD Application ID |
---|---|---|
Power Apps | Microsoft PowerApps | 475226c6-020e-4fb2-8a90-7a972cbfc1d4 |
Power Automate | Microsoft Flow | 7df0a125-d3be-4c96-aa54-591f83ff541c |
Dataverse / Dynamics 365 | Common Data Service | 00000007-0000-0000-c000-000000000000 |
Power BI | Microsoft Power BI Government Cloud | fc4979e5-0aa5-429f-b13a-5d1365be5566 |

GCC High:

Service | AAD Application Name | AAD Application ID |
---|---|---|
Power Apps | PowerApps Service GCC L4 | 5e0cb1f6-2841-4956-9c76-868bfbc15a39 |
Power Automate | Microsoft Flow Portal GCC High | 9856e8dd-37b6-4749-a54b-8f6503ea93b7 |
Dataverse / Dynamics 365 | Common Data Service | 00000007-0000-0000-c000-000000000000 |
At the time of writing (10/28/2022) there is a known issue where the Power Automate service does not appear in the Azure for Government Conditional Access application picker. The workaround for GCC High is to create a policy that targets all cloud applications rather than selecting Power Automate individually. Because such a policy also applies to every other application in the tenant, exclude your emergency access (break-glass) accounts and run it in report-only mode before enforcing it.
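As an added example that is not part of the whitepaper, the following Python builds the Microsoft Graph conditionalAccessPolicy request body from the application IDs in the tables above, applies the GCC High workaround (scope to all cloud apps when Power Automate must be covered), and posts it. Assumptions not on this page: the Graph national-cloud endpoints (graph.microsoft.us for GCC High, dod-graph.microsoft.us for DOD), the placeholder group and break-glass account IDs, and that the bearer token carries the Policy.ReadWrite.ConditionalAccess permission.

```python
"""Conditional Access policy for Power Platform in GCC / GCC High via Microsoft Graph.

Added example, not from the whitepaper. Application IDs are the ones tabulated
above. Graph national-cloud endpoints, the placeholder group and break-glass IDs,
and the token permission (Policy.ReadWrite.ConditionalAccess) are assumptions.
"""
import json
import urllib.request

# Application IDs from the tables above (GCC shares the commercial Azure AD instance).
GCC_APPS = {
    "Power Apps": "475226c6-020e-4fb2-8a90-7a972cbfc1d4",
    "Power Automate": "7df0a125-d3be-4c96-aa54-591f83ff541c",
    "Dataverse / Dynamics 365": "00000007-0000-0000-c000-000000000000",
    "Power BI": "fc4979e5-0aa5-429f-b13a-5d1365be5566",
}
GCC_HIGH_APPS = {
    "Power Apps": "5e0cb1f6-2841-4956-9c76-868bfbc15a39",
    "Power Automate": "9856e8dd-37b6-4749-a54b-8f6503ea93b7",
    "Dataverse / Dynamics 365": "00000007-0000-0000-c000-000000000000",
}

# Microsoft Graph base URLs per cloud (assumption: Microsoft's national-cloud
# endpoint documentation; GCC tenants use the commercial endpoint).
GRAPH_ENDPOINTS = {
    "GCC": "https://graph.microsoft.com",
    "GCC High": "https://graph.microsoft.us",
    "DOD": "https://dod-graph.microsoft.us",
}


def build_policy(cloud, target_group_id, break_glass_ids, cover_power_automate=True):
    """Return the conditionalAccessPolicy request body for the given cloud.

    In GCC High the Power Automate app may not be selectable (known issue above),
    so when it must be covered the policy is scoped to all cloud apps instead of
    an explicit application list.
    """
    if cloud == "GCC":
        include_apps = sorted(set(GCC_APPS.values()))
    elif cloud == "GCC High":
        if cover_power_automate:
            include_apps = ["All"]  # workaround: Power Automate missing from the picker
        else:
            include_apps = sorted({v for k, v in GCC_HIGH_APPS.items() if k != "Power Automate"})
    else:
        raise ValueError(f"no application IDs tabulated for cloud {cloud!r}")

    return {
        "displayName": f"Require MFA for Power Platform ({cloud})",
        # Start in report-only mode; switch to "enabled" after reviewing sign-in logs.
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": include_apps},
            "users": {
                "includeGroups": [target_group_id],
                # Never lock out the emergency-access accounts, especially with "All".
                "excludeUsers": list(break_glass_ids),
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def create_policy(cloud, access_token, policy):
    """POST the policy to the cloud's Graph endpoint and return the created object."""
    url = f"{GRAPH_ENDPOINTS[cloud]}/v1.0/identity/conditionalAccess/policies"
    request = urllib.request.Request(
        url,
        data=json.dumps(policy).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(request) as response:
        return json.load(response)


if __name__ == "__main__":
    # Placeholders: replace with your group object ID and break-glass account IDs.
    body = build_policy("GCC High", "<power-platform-users-group-id>", ["<break-glass-user-id>"])
    print(json.dumps(body, indent=2))
```

The policy is created in report-only state on purpose: review the sign-in logs for a few days, confirm the break-glass exclusion works, and only then flip `state` to `enabled`. For GCC High with `cover_power_automate=True` the scope is every cloud app, which is the whitepaper's workaround and also the reason the exclusions matter.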
We recommend placing Azure Application Gateway in front of Power Pages to support CISA TIC requirements. The benefits of using Azure Application Gateway with Power Pages include,
- Built-in Web Application Firewall (WAF)
- Content Delivery Network (CDN) of static content in Power Pages
- Restricting inbound Power Pages traffic to the single public IP address of the Azure Application Gateway, so the site cannot be reached directly and every request passes through the WAF
Below is a great resource on designing a general web application to use Azure Front Door / Azure Application Gateway to meet TIC 3.0 requirements,
You can easily swap out the web application above with a Power Pages web application. That design would look like this,
Below we have great documentation on how to configure a Power Pages Portal with Azure Front Door. While today we recommend Azure Application Gateway, the documentation for Azure Front Door below can also be applied with an Azure Application Gateway instance.
Today Power Pages does not support filtering on the Azure Front Door ID (the `X-Azure-FDID` header that Front Door adds so an origin can verify a request came through a specific Front Door profile rather than directly from the internet). Once Power Pages supports that filtering we will update this guidance to use Azure Front Door instead.
You can also configure diagnostic logs from Power Pages to get sent to an Azure Storage account.
When designing a Power Page, we highly recommend reviewing the security controls for any public facing website. Those details can be found in our public documentation below,
Use the following public documentation page to get the full list of internet URLs to allow for Power Platform and Dynamics 365 cloud services. Make sure to filter to your US Government cloud region (i.e. GCC, GCC High or DOD).
- Power Platform Government Endpoint URLs for Allow List
- Dynamics 365 Government Endpoint URLs for Allow List
Use the following Azure for Government service tags to get the IP ranges that Power Platform / Dynamics 365 use for the GCC, GCC High and DOD cloud regions. Note that the AzureCloud.<region> tags cover every Azure service in that region, not just Power Platform, so treat them as a coarse network-layer allow list and pair them with the FQDN allow lists above wherever your proxy can filter by hostname. You can find the full list of Azure for Government IP ranges in the following document,
- AzureCloud.usgovvirginia
- AzureCloud.usgovtexas
- AzureCloud.usdodcentral
- AzureCloud.usdodeast
We also recommend monitoring the Microsoft 365 Message Center so you are notified ahead of time of announced updates and changes that could affect the network and firewall policies you have configured. Details of the Microsoft 365 Message Center can be found on the public documentation page below,
Microsoft 365 Message Center Documentation
For Microsoft Business Applications, we recommend monitoring the following services,
- Dynamics 365 Apps
- Finance and Operations Apps
- Microsoft Dataverse
- Microsoft Power Automate
- Microsoft Power Automate in Microsoft 365
- Power Apps
- Power Apps in Microsoft 365
- Power BI
- Power Platform
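As an added example that is not part of the whitepaper, the following Python pulls Message Center posts through the Microsoft Graph serviceAnnouncement API and flags those for the services listed above whose text mentions endpoints, IP ranges, URLs or allow lists, which are the posts most likely to require a firewall change. Assumptions not on this page: the Graph base URL for your cloud (graph.microsoft.us for GCC High), a token with ServiceMessage.Read.All, the keyword list, and the constructed sample messages.

```python
"""Flag Message Center posts that may affect network / firewall policy.

Added example, not from the whitepaper. Reads serviceAnnouncement messages from
Microsoft Graph (assumed permission ServiceMessage.Read.All; pass
https://graph.microsoft.us as the base URL for GCC High) and flags posts for the
services listed above whose text mentions endpoints, IP ranges or URLs.
SAMPLE_MESSAGES is constructed for illustration and is not real Message Center data.
"""
import json
import re
import urllib.request

# Services recommended for monitoring above.
WATCHED_SERVICES = {
    "Dynamics 365 Apps", "Finance and Operations Apps", "Microsoft Dataverse",
    "Microsoft Power Automate", "Microsoft Power Automate in Microsoft 365",
    "Power Apps", "Power Apps in Microsoft 365", "Power BI", "Power Platform",
}
# Phrases that usually signal an endpoint / allow-list change (assumption).
NETWORK_KEYWORDS = ("allow list", "allowlist", "endpoint", "firewall",
                    "ip address", "ip range", "url")

# Constructed sample in the Graph serviceUpdateMessage shape (not real posts).
SAMPLE_MESSAGES = [
    {"id": "MC100001", "title": "Dataverse endpoint changes for GCC High",
     "category": "planForChange", "isMajorChange": True,
     "services": ["Power Platform", "Microsoft Dataverse"],
     "actionRequiredByDateTime": "2022-12-01T00:00:00Z",
     "body": {"contentType": "html",
              "content": "<p>We will add new IP ranges to the service tags used by Dataverse.</p>"}},
    {"id": "MC100002", "title": "New URL for Outlook on the web",
     "category": "planForChange", "isMajorChange": True,
     "services": ["Exchange Online"], "actionRequiredByDateTime": None,
     "body": {"contentType": "html", "content": "<p>Update your allow list.</p>"}},
    {"id": "MC100003", "title": "New canvas app controls",
     "category": "stayInformed", "isMajorChange": False,
     "services": ["Power Apps"], "actionRequiredByDateTime": None,
     "body": {"contentType": "html", "content": "<p>No action required.</p>"}},
    {"id": "MC100004", "title": "Update your firewall allow list",
     "category": "planForChange", "isMajorChange": False,
     "services": ["Microsoft Power Automate"], "actionRequiredByDateTime": None,
     "body": {"contentType": "html", "content": "<p>Retiring the old relay endpoint.</p>"}},
]


def _plain_text(message):
    """Title plus body with HTML tags stripped, lower-cased for matching."""
    body = message.get("body") or {}
    text = f"{message.get('title', '')} {body.get('content', '')}"
    return re.sub(r"<[^>]+>", " ", text).lower()


def flag_network_impacting(messages, watched=WATCHED_SERVICES, keywords=NETWORK_KEYWORDS):
    """Return flagged posts, major changes and dated actions first."""
    hits = []
    for message in messages:
        # Only posts tagged with a watched service are relevant.
        if not set(message.get("services") or []) & set(watched):
            continue
        text = _plain_text(message)
        matched = sorted(k for k in keywords if k in text)
        if not matched:
            continue
        hits.append({
            "id": message["id"],
            "title": message.get("title", ""),
            "keywords": matched,
            "isMajorChange": bool(message.get("isMajorChange")),
            "actionRequiredBy": message.get("actionRequiredByDateTime"),
        })
    # Major changes first, then the earliest action deadline, then stable id order.
    hits.sort(key=lambda h: (not h["isMajorChange"], h["actionRequiredBy"] or "9999", h["id"]))
    return hits


def fetch_messages(graph_base_url, access_token):
    """Page through /admin/serviceAnnouncement/messages and return all posts."""
    url = f"{graph_base_url}/v1.0/admin/serviceAnnouncement/messages"
    headers = {"Authorization": f"Bearer {access_token}"}
    messages = []
    while url:
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
            page = json.load(resp)
        messages.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # None on the last page
    return messages


if __name__ == "__main__":
    for hit in flag_network_impacting(SAMPLE_MESSAGES):
        print(hit["id"], hit["title"], hit["keywords"], hit["actionRequiredBy"])
```

Run this on a schedule and route the flagged posts to whoever owns the firewall and proxy allow lists; the keyword match is deliberately broad, so expect some noise and treat a hit as "read this post", not as a confirmed change.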
Power Platform's on-premises data gateway lets you combine on-premises data with your data in the cloud. More details on the data gateway can be found in our public docs below,
The Power Platform data gateway uses the Azure Service Bus Relay service to communicate between the cloud and your on-premises infrastructure; the gateway only opens outbound connections to the relay, so no inbound firewall rules are required. In GCC, GCC High and DOD there is a managed Azure Service Bus Relay namespace that lives in Azure for Government. Below is an example of how this is laid out in GCC,
If you want to have more control of the networking policies for the Azure Service Bus Relay instance, you can create your own in an Azure for Government subscription.
You can then configure your Power Platform data gateway instance to leverage your Azure Service Bus Relay instance in the steps below,
Also, if you are using Azure for Government ExpressRoute and want the Power Platform data gateway traffic to use ExpressRoute, make sure the prefixes behind the following Azure service tags are admitted by your ExpressRoute configuration,
- ServiceBus.USGovTexas
- ServiceBus.USGovVirginia
- ServiceBus.USDoDCentral
- ServiceBus.USDoDEast
You can find the full list of Azure for Government IP ranges in the following document,
For a full list of the data gateway ports and fully qualified domain names (FQDNs) required to run the data gateway, see the public documentation page below. Be sure to reference the table for GCC, GCC High or DOD, whichever matches your environment.
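As an added example that is not part of the whitepaper, the following Python resolves both sets of service tags named on this page (the AzureCloud regional tags for Power Platform / Dynamics 365 and the ServiceBus tags for the data gateway and ExpressRoute) to IP prefixes from the Azure Government service tag JSON that Microsoft publishes, collapses them, and reports any tag the file does not contain. Assumptions not on this page: the JSON shape is that of the "Azure IP Ranges and Service Tags - US Government Cloud" download (the output of `az network list-service-tags` against the AzureUSGovernment cloud has the same `values` layout), and the SAMPLE data is constructed with documentation prefixes rather than Microsoft's real ranges.

```python
"""Resolve Azure Government service tags to IP prefixes for allow lists.

Added example, not from the whitepaper. Parses the "Azure IP Ranges and Service
Tags - US Government Cloud" JSON that Microsoft publishes (or the output of
`az network list-service-tags` with the AzureUSGovernment cloud selected) and
collapses the prefixes for the tags named above. SAMPLE is constructed; its
prefixes are RFC 5737 / RFC 3849 documentation ranges, not Microsoft's.
"""
import ipaddress
import json
import sys

# Tags named in this whitepaper.
POWER_PLATFORM_TAGS = [
    "AzureCloud.usgovvirginia", "AzureCloud.usgovtexas",
    "AzureCloud.usdodcentral", "AzureCloud.usdodeast",
]
DATA_GATEWAY_TAGS = [
    "ServiceBus.USGovTexas", "ServiceBus.USGovVirginia",
    "ServiceBus.USDoDCentral", "ServiceBus.USDoDEast",
]

# Constructed sample in the shape of the published file (documentation prefixes).
SAMPLE = {
    "changeNumber": 1,
    "cloud": "AzureGovernment",
    "values": [
        {"name": "ServiceBus.USGovVirginia", "id": "ServiceBus.USGovVirginia",
         "properties": {"region": "usgovvirginia", "systemService": "AzureServiceBus",
                        "addressPrefixes": ["203.0.113.0/25", "203.0.113.128/25",
                                            "2001:db8:10::/48"]}},
        {"name": "ServiceBus.USGovTexas", "id": "ServiceBus.USGovTexas",
         "properties": {"region": "usgovtexas", "systemService": "AzureServiceBus",
                        "addressPrefixes": ["198.51.100.64/26"]}},
        {"name": "AzureCloud.usgovvirginia", "id": "AzureCloud.usgovvirginia",
         "properties": {"region": "usgovvirginia", "systemService": "",
                        "addressPrefixes": ["203.0.113.0/24", "192.0.2.0/24"]}},
    ],
}


def prefixes_for_tags(service_tags, wanted):
    """Map each wanted tag to its prefix list; tags absent from the file map to None.

    Matching is case-insensitive because tag names are not consistently cased
    (ServiceBus.USGovVirginia vs AzureCloud.usgovvirginia).
    """
    index = {v["name"].lower(): v["properties"]["addressPrefixes"]
             for v in service_tags["values"]}
    return {tag: index.get(tag.lower()) for tag in wanted}


def collapse(prefix_strings):
    """Collapse prefixes into the minimal set, returned as (ipv4, ipv6) string lists."""
    nets = [ipaddress.ip_network(p) for p in prefix_strings]
    # collapse_addresses refuses mixed families, so split first.
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in v4], [str(n) for n in v6]


def allowlist(service_tags, wanted):
    """Build the allow list for a tag set and report tags the file does not contain.

    A missing tag is a finding, not a silent gap: rules built from an incomplete
    list will break gateway or Power Platform traffic for that region.
    """
    found = prefixes_for_tags(service_tags, wanted)
    missing = [tag for tag, prefixes in found.items() if prefixes is None]
    all_prefixes = [p for prefixes in found.values() if prefixes for p in prefixes]
    ipv4, ipv6 = collapse(all_prefixes)
    return {"ipv4": ipv4, "ipv6": ipv6, "missing_tags": missing}


if __name__ == "__main__":
    # Usage: python servicetags.py ServiceTags_AzureGovernment_<date>.json
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = json.load(fh)
    else:
        data = SAMPLE
    for label, tags in (("data gateway / ExpressRoute", DATA_GATEWAY_TAGS),
                        ("Power Platform regions", POWER_PLATFORM_TAGS)):
        print(label, json.dumps(allowlist(data, tags), indent=2))
```

Re-run it against every new weekly file and diff the output against the rules currently deployed; the published ranges change, which is exactly what the Message Center monitoring above is meant to warn you about. The AzureCloud regional tags will resolve to a large set of prefixes because they cover the whole region, so keep the FQDN allow lists as the primary control where your proxy supports them.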