Enterprise Mobility + Security for US Government service description
In response to the unique and evolving requirements of the United States public sector, Microsoft has created Enterprise Mobility + Security (EMS) plans for our United States government community customers. This document provides an overview of features that are specific to these EMS plans.
How to use this service description
The EMS for US Government Service Description is designed to serve as an overview of our applicable offerings and will cover: (1) which services and features are included in different offerings, (2) how the US Government offerings differ from our commercial offerings, and (3) our current compliance authorizations.
Customer eligibility
US Government offers are available to (1) US federal, state, local, and tribal government entities, and (2) other entities that handle data that is subject to government regulations and requirements and where use of services is appropriate to meet these requirements, subject to validation of eligibility. Validation of eligibility by Microsoft will include confirmation of handling government-regulated or controlled data. EMS plans for Gov, GCC High, and Department of Defense (DoD) customers are monthly subscriptions and are licensed on a per-user basis. Entities with questions about eligibility should consult their account team.
EMS offers for US Government and Microsoft 365 interoperability
For more information on each of the products and their plans found in Enterprise Mobility + Security, visit the documentation resources and compare plans and pricing.
EMS US Government Offerings | Location of Hosted Services | Interoperable Microsoft 365 Government Community Cloud (GCC) Offer(s) |
---|---|---|
EMS for Gov (available in both E3 and E5*) | Azure Commercial Cloud | Microsoft 365 GCC |
EMS for GCC High (available in E3 and E5*) | Azure Government Cloud | Microsoft 365 GCC High, Microsoft 365 DoD |
EMS for DoD (available in both E3 and E5*) | Azure Government Cloud | Microsoft 365 DoD |
EMS for US GCC customers
Microsoft Entra ID P1/P2, Microsoft Intune, and Azure Information Protection P1/P2 are hosted in the Azure commercial environment and are interoperable with the Microsoft 365 GCC platform. These services are certified FedRAMP-High.
Microsoft Defender for Cloud Apps is a commercial offering covered by the Azure Commercial FedRAMP High Authorization to Operate (ATO), but may not meet other GCC compliance attributes, such as CJIS background screening, IRS 1075, and access to customer content by US government screened personnel. A list of compliance offerings for Microsoft products and services can be found on the Microsoft Trust Center.
To access Microsoft Defender for Identity GCC, see Microsoft Defender for Identity for US Government offerings.
Defender for Cloud Apps customers who are using GCC should use this URL to sign in to the service: https://portal.cloudappsecuritygov.com
EMS for US GCC High and DoD customers
The EMS offerings for US GCC High and DoD customers are built on the Microsoft Azure Government cloud and are designed to interoperate with the Microsoft 365 GCC High and DoD environments. The EMS E5 suite is available for both GCC High and DoD customers. Microsoft Entra ID P1/P2, Microsoft Intune, Azure Information Protection P1/P2, Microsoft Defender for Cloud Apps, and Defender for Identity are certified FedRAMP-High.
GCC High and DoD customers can use a separate set of endpoints for Intune based on different requirements and management needs. Below is a list of EMS management portals available to US GCC High and DoD customers (depending on service availability):
- Microsoft 365 Portal: https://portal.office365.us (for user, group, and license management)
- Azure / Intune Admin Portal: https://portal.azure.us
- Intune Web Company Portal: https://portal.manage.microsoft.us
- Microsoft Defender for Cloud Apps Portal: https://portal.cloudappsecurity.us
- Defender for Identity Portal: https://security.microsoft.us
Parity with commercial
While our goal is to deliver all commercial features and functionality to government customers with our US Government offerings, there are some capabilities not yet available in the Azure Government environment. Known existing gaps between our commercial offerings and EMS offerings available to GCC High and DoD customers as of November 2019 are found on the following product pages:
- Microsoft Entra ID:
  - Visit the Microsoft Entra ID P1 and P2 page of the Azure Government Documentation site for a list of features that are currently not available in Azure Government.
- Azure Information Protection:
  - Visit the Azure Information Protection Premium page for a list of features that are currently not available in Azure Government.
- Microsoft Intune:
  - Visit the Microsoft Intune Government service description for an overview of the service offering in the GCC High and DoD environments and feature variations from the commercial offering.
- Defender for Identity:
  - Visit the Defender for Identity page for a list of features that are currently not available in Azure Government.
- Microsoft Defender for Cloud Apps:
  - Visit the Microsoft Defender for Cloud Apps page for a list of features that are currently not available in Azure Government.
Location of customer data
US Government GCC customers
EMS services currently available for US Government customers (Microsoft Entra ID P1/P2, Intune, and Azure Information Protection P1/P2) are provided from data centers physically located in the United States. Your organization's customer data is stored at rest within the United States. GCC customers can also choose to add on the commercial offering of Microsoft Defender for Cloud Apps with the purchase of an EMS E5 license. (This isn't a US GCC service and doesn't adhere to all GCC attributes.) For information on where Microsoft stores customer data at rest in connection with Microsoft Defender for Cloud Apps, a commercial service, review the Online Services Terms.
US Government GCC High and DoD customers
Organizations that use EMS for US Government GCC High and DoD offerings benefit from the following features:
- Your organization's customer content is physically segregated from customer content in Microsoft's commercial services.
- Your organization's customer content is stored within the United States.
- Access to your organization's customer content is restricted to screened Microsoft personnel.
- Compliance with certifications and accreditations that are required for US Public Sector customers, including Department of Defense Security Requirements Guidelines, Defense Federal Acquisition Regulations Supplement (DFARS), and International Traffic in Arms Regulations (ITAR).
More information can be found on the Microsoft Trust Center page.
Third-party apps and services
Various EMS services provide the ability to work seamlessly with certain third-party applications and services. These third-party applications and services might involve storing, transmitting, and processing your organization's data or content on third-party systems that are outside of the EMS infrastructure and therefore aren't covered by our compliance and data protection commitments. It's recommended that you review the privacy and compliance statements provided by these third parties when assessing the appropriate use of third-party apps and services for your organization.
For more information, see Microsoft 365 Government.