Microsoft Dynamics 365 Government

 

Applies To: Dynamics 365 (online), Dynamics CRM Online

[This topic is prerelease documentation and is subject to change in future releases.]

In response to the unique and evolving requirements of the United States public sector, Microsoft has created Microsoft Dynamics 365 Government, which is available to qualified government entities in the United States. This section provides an overview of features that are specific to Microsoft Dynamics 365 Government. We recommend that you read this supplementary section alongside the Microsoft CRM Online Service Description.

About Dynamics 365 Government plans

Dynamics 365 Government plans are available to qualified government and private entities, limited to (i) United States (US) federal, state, local, tribal, and territorial government entities; (ii) private entities using Dynamics 365 Government to provide solutions to a government entity or a qualified member of the cloud community; and (iii) private entities with customer data subject to government regulations for which the use of Dynamics 365 Government is the appropriate service to meet the regulatory requirements. Access to Dynamics 365 Government plans is restricted to the offerings described below. Each plan is offered as a monthly subscription and can be licensed to an unlimited number of users:

  • Dynamics 365 Enterprise edition Plan 1 for Government

  • Dynamics 365 for Sales, Enterprise Edition for Government

  • Dynamics 365 for Customer Service, Enterprise Edition for Government

  • Dynamics 365 for Field Service, Enterprise Edition for Government

  • Dynamics 365 for Project Service Automation, Enterprise Edition for Government

  • Dynamics 365 for Case Management, Enterprise Edition for Government

  • Dynamics 365 for Team Members, Enterprise Edition for Government

  • Enhance Support for Microsoft Dynamics 365 Applications and Plan 1 for Government

  • Pro Direct Support for Microsoft Dynamics 365 Applications and Plan 1 for Government

  • Dynamics 365 Enterprise Edition - Additional Portal for Government

  • Dynamics 365 Enterprise Edition - Additional Portal Page Views for Government

  • Dynamics 365 Enterprise Edition - Additional Production Instance for Government

  • Dynamics 365 Enterprise Edition - Additional Non-Production Instance for Government

  • Dynamics 365 Enterprise Edition - Additional Database Storage for Government

What is “customer data” and “customer content?”

This section describes Dynamics 365 Government commitments that apply to customer content and to customer data.

Customer data, as defined in the Online Service Terms, means all data, including all text, sound, video, or image files, and software, that are provided to Microsoft by, or on behalf of, Customer through use of the Online Service. Customer content refers to a specific subset of customer data that has been directly created by users, such as content stored in databases through entries in Dynamics 365 entities (e.g. contact information). Content is generally considered confidential information, and in normal service operation, is not sent over the Internet without encryption.

For more information on the Microsoft Dynamics 365 (online) protection of customer data, see the Microsoft Online Services Trust Center.

Data segregation for Government Community Cloud

When provisioned as part of Dynamics 365 Government, the Microsoft Dynamics 365 (online) service is offered in accordance with the National Institute of Standards and Technology (NIST) Special Publication 800-145.

Microsoft refers to this offer as the Government Community Cloud.

In addition to the logical separation of customer content at the application layer, the Dynamics 365 Government service provides your organization with a secondary layer of physical segregation for customer content by using infrastructure that is separate from the infrastructure used for commercial Microsoft Dynamics 365 (online) customers. This includes using Azure services in Azure’s Government Cloud. To learn more, see Azure Government.

Customer content located within the United States

Dynamics 365 Government services are provided from datacenters physically located in the United States. Microsoft Dynamics 365 (online) customer content is stored at rest in datacenters physically located only in the US.

If your users are located within the US while using Microsoft Social Engagement or if you adopt the use of Active Directory Federation Services (AD FS) 2.0 and set up policies to help ensure your users connect to the services through single sign-on, any customer content that is temporarily cached in Microsoft Social Engagement will be located in the US.

Restricted data access by administrators

Access to Dynamics 365 Government customer content by Microsoft administrators is restricted to personnel who are US citizens. These personnel undergo background investigations in accordance with relevant government standards.

Certifications and accreditations

Dynamics 365 Government is designed to support the Federal Risk and Authorization Management Program (FedRAMP) accreditation at a Moderate Impact level. FedRAMP artifacts are available for review by federal customers who are required to comply with FedRAMP. Federal agencies can review these artifacts in support of their review to grant an Authority to Operate (ATO).

Dynamics 365 Government has features designed to support customers’ CJIS Policy requirements for law enforcement agencies.

Dynamics 365 Government and other Microsoft services

Dynamics 365 Government includes several features that allow users to address customer calls through Skype for Business, email editing for sales materials and, in general, integration with other Microsoft enterprise service offerings such as Office 365 for Government. Dynamics 365 Government is deployed within Microsoft datacenters in a manner consistent with a multi-tenant, public cloud deployment model; however, client applications including but not limited to the web-user client, Dynamics 365 for tablets, Dynamics 365 for phones, Microsoft Dynamics 365 for Outlook, Unified Service Desk for Microsoft Dynamics 365 and any third-party client application that connects to Dynamics 365 Government are not part of Dynamics 365 Government's accreditation boundary and government customers are responsible for managing them.

Dynamics 365 Government leverages the Microsoft Office 365 customer administrator UI for customer administration and billing – Dynamics 365 Government maintains the actual resources, information flow, and data management, while relying on Microsoft Office 365 to provide the visual styles that are presented to the customer administrator through their management console. For purposes of FedRAMP ATO inheritance, Dynamics 365 Government leverages the physical data centers managed by Microsoft’s Global Foundation Services (GFS) and Microsoft Azure (including Microsoft Azure for Government) ATOs for infrastructure and platform services, respectively.

Dynamics 365 Government and third-party services

Microsoft Dynamics 365 (online) provides the ability to integrate third-party applications into the service. These third-party applications and services might involve storing, transmitting, and processing your organization’s customer data on third-party systems that are outside of the Microsoft Dynamics 365 (online) infrastructure and therefore are not covered by the Microsoft Dynamics 365 (online) compliance and data protection commitments. We recommend that you review the privacy and compliance statements provided by the third parties when assessing the appropriate use of these services for your organization.

Dynamics 365 Government and Azure Services

Azure Active Directory (AAD) is not part of the Dynamics 365 Government accreditation boundary and government customers are responsible for using AD FS to uniquely identify and authenticate their organizational users. Notwithstanding, it is important to note that AAD provides critical functionality to both Dynamics 365 Government and AD FS, whose dependencies are described in detail in the Dynamics 365 Government SSP (Service Security Plan).

When a user of an organization employing AD FS attempts to access Microsoft Dynamics 365 (online), the user is redirected to a login page hosted on the organization’s AD FS server. The user provides his credentials to his organization's AD FS server, which attempts to authenticate the credentials using the organization’s existing Active Directory infrastructure. If the credentials are authenticated, the organization’s AD FS server issues a SAML (Security Assertion Markup Language) ticket containing information about the user’s identity and group membership. The customer AD FS server signs this ticket using one half of an asymmetric key pair and it sends the ticket to AAD via encrypted TLS. AAD validates the signature using the other half of the asymmetric key pair and grants access based on the ticket. The user's identity and group membership information remain in an encrypted fashion in AAD; in other words, limited user-identifiable information is stored in AAD. Full details of the AAD security architecture and control implementation can be found in the Microsoft Azure SSP. The AAD account management services are hosted on physical servers managed by the Microsoft Global Foundation Services (GFS). Network access to these servers is controlled by GFS-managed network devices using rules set by Microsoft Azure. Users do not interact directly with AAD.

See Also

Microsoft Dynamics CRM Online Government - Feature availability

© 2016 Microsoft Corporation. All rights reserved.