The Azure Government Portal is a powerful tool for managing your cloud resources, and navigating it can seem daunting at first. To get started, you'll need to access the portal by going to the Azure Government website and clicking on the "Sign in" button.
The portal is organized into several main sections, including Overview, Resources, and Cost Analysis, which provide a clear and concise view of your cloud resources and costs. You can also customize the dashboard to display the information that's most important to you.
One of the key features of the Azure Government Portal is the ability to manage access and permissions for your users, which is crucial for ensuring the security and compliance of your cloud resources. To do this, you'll need to create and manage Azure Active Directory (AAD) users and groups.
The portal also provides a range of tools and resources to help you manage and troubleshoot your cloud resources, including the Azure Government Knowledge Center and the Azure Government Community Forum.
Accessing the Portal
To access the Azure Government portal, sign in with your Azure Government credentials; from there you can also manage your Enterprise Agreement (EA) billing account or billing profile. If you don't have credentials, contact the user administrator or billing admin of your Azure Government Microsoft Entra tenant.
They will add you as a new user in the tenant's Microsoft Entra ID. To do this, they sign in to the Azure Government portal with a user administrator or billing admin role, navigate to Microsoft Entra ID > Users, select New user > Create new user, fill in the new user's information, copy the autogenerated password, and select Create.
Once you have the credentials, sign in to the Azure Government portal; you should see Microsoft Azure Government in the upper left of the main navigation bar.
Access for Partners
To access your customer's Enterprise Agreement (EA) billing profile or enrollment, your Azure Government user account needs the right permissions. Ask an existing Partner Administrator to assign one of the following roles to your account:
- Partner Administrator
- Partner Administrator (read only)
Once you have the necessary permissions, you can access your billing profile or enrollment.
cATO Certification
cATO (continuous Authority to Operate) certification is a must-have for government entities and contractors doing business with the US Government (USG), because it demonstrates continuous management of risk in DevOps processes and activities. The USG requires cATO certification for DevOps contractors and agencies to continue doing business with them.
To obtain cATO certification, organizations can either get certified themselves or build on another cATO-certified entity such as Azure Government.
Without cATO certification, organizations face the following challenges:
- Security Risks: Applications and data may become vulnerable to security threats and breaches.
- Compliance Issues: Organizations may face hefty fines and legal issues due to non-compliance with data protection regulations.
- Operational Inefficiencies: Organizations may have to undergo lengthy and costly reauthorization processes periodically.
- Reputation Damage: Security breaches and non-compliance can harm an organization's reputation.
- Tougher Competition: Without cATO certification, organizations lower their odds of winning USG DevOps related business.
Azure Government simplifies the cATO certification process by providing pre-validated, compliant cloud infrastructure and advanced security tools.
Creating and Managing Tenants
To create a tenant in the Azure Government Portal, you'll need to submit a request to your organization if you don't have an existing Azure Government tenant.
You can submit a request to create a tenant, and partners can also submit a request for their own organization. To start the process, select at least Azure Government Trial, which will result in Azure Tenant creation after approval.
Enter your desired domain and username, making sure to follow the parameters provided in the tool tip. This will help your organization easily identify the purpose for the tenant.
Provide your organization's information, ensuring that the details match the ones shown on legal documents for the organization associated with government contracts. The organization contact person must be an employee and have access to the email address entered.
On the Supporting information page, select all applicable categories or type "This request is for partner migration due to enterprise portal deprecation" in the Additional notes box.
Select the agreement boxes and then submit the request. After the tenant is created successfully, the contact email address will receive a confirmation email with user credentials.
The user credentials must be associated with an EA role, such as a Partner administrator, to access Cost Management + Billing. An existing Partner administrator can assign EA roles to the new user credential.
Security and Compliance
Azure Government provides a physically isolated instance of Microsoft Azure, ensuring segmentation and world-class security services critical to US government systems. This secure environment supports various compliance standards and offers dedicated security functions to ensure data integrity and sovereignty within U.S. borders.
Azure Government operates on a tiered security classification system, with enclaves designed for differing security classification levels, including Azure Government, Azure Government Secret, and Azure Government Top Secret. These enclaves cater to specific security needs, making it easier for government entities to build, deploy, and manage cloud-based infrastructure and applications.
Azure Government is operated by screened and cleared US persons and has already obtained the required formal credentials and authorizations, so customers do not have to go through that long and complicated process themselves. The platform maintains authorizations that pertain to all Azure public regions in the United States, as well as authorizations specific to the US Gov regions US Gov Arizona, US Gov Texas, and US Gov Virginia.
Azure Government supports various compliance standards, including:
- Federal Risk and Authorization Management Program (FedRAMP)
- Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) Impact Level (IL) 2, 4, 5, and 6
- Joint Special Access Program (SAP) Implementation Guide (JSIG)
For Azure Government customers, Microsoft provides Microsoft Defender for Endpoint, which offers security features and limitations specific to US Government customers.
Duo Universal Prompt
The Duo Universal Prompt offers a simplified login experience for web-based applications, with a redesigned visual interface and security enhancements.
If you created your Microsoft Azure Active Directory application before March 2024, you can activate the Universal Prompt experience for users from the Duo Admin Panel.
Microsoft Azure Active Directory applications created after March 2024 have the Universal Prompt activated by default, so no action is required.
Before activating the Universal Prompt for applications created before March 2024, read the Universal Prompt Update Guide, which explains the update process and the new login experience for users.
Create Duo Conditional Access Policy
To create a Duo conditional access policy, you'll need to navigate to the Microsoft Entra admin center's Conditional Access configuration area.
First, click Policies on the left and then click New Policy. Enter a descriptive name for the new policy, like "Require Duo MFA".
Make your desired policy assignments, such as assigning the policy to selected users or Entra ID security groups, to specific Entra ID cloud apps, or to other Entra ID conditions like client platform or network.
To allow users access with Duo authentication, click on Grant access and check the box next to the RequireDuoMFA custom control you created earlier.
The final step to creating the new Duo policy is to enable it. Click the On toggle switch underneath "Enable policy", and then click Create. Entra ID creates and enables the new "Require Duo MFA" policy.
Azure Services
Azure Services offer a wide range of cloud-based tools for developers, including Azure Active Directory, which provides identity and access management capabilities.
You can use Azure DevOps to plan, code, and test your projects in a collaborative environment. This service is particularly useful for teams working on complex software development projects.
Azure Storage provides a highly available and durable storage solution for your data, with options for blob, file, and queue storage.
Kubernetes Service (AKS)
Azure Kubernetes Service (AKS) is a Microsoft service that provides application scalability and seamless automated integration with other Azure services. It supports a microservices architecture and multi-region availability.
Using AKS within the Azure Government Cloud has multiple benefits, including support for strict security and compliance requirements. This is particularly important for organizations that must adhere to FIPS, NIST, FedRAMP, and other compliance requirements.
One of the tools that can make achieving compliance easier is Open Policy Agent (OPA), which allows authorized users to enforce fine-grained, context-aware access policies across the Kubernetes environment. This helps maintain compliance for access control policies.
Service Availability
Azure Government aims to match service availability in Azure. However, not all services are available in Azure Government.
For the latest information on service availability, check Products available by region. This is the best place to find up-to-date information on which services are available in Azure Government.
Service availability in Azure Government implies that all corresponding service features are available, unless otherwise noted. Variations to this approach and other applicable limitations are tracked and explained in this article.
The Language Understanding features are not currently available in Azure Government. This means you won't be able to use these features in your Azure Government deployment.
App Service resources are also not fully available in Azure Government. Specifically, the following resources are not currently available.
Machine Learning
Using Azure Machine Learning in the Azure Government environment can be a bit tricky, as it's not available everywhere.
For feature variations and limitations, you can check Azure Machine Learning feature availability across cloud regions. This will give you a clear idea of what to expect.
Azure Machine Learning can be used in conjunction with other services like Azure Bot Service and Cognitive Services, but you'll need to consider the service availability in the Azure Government environment.
If you're planning to use Azure Machine Learning, make sure to check the product availability by region to ensure it's available where you need it.
Bot Service
Azure Services offer a robust platform for building and deploying bots, but it's essential to understand what's available and what's not in Azure Government.
Bot Framework Composer integration is not currently available in Azure Government.
Some Azure Bot Service features are also not available in Azure Government, specifically Channels, due to the unavailability of dependent services.
If you're looking to deploy Bot Framework and Azure Bot Service bots to Azure Government, you'll want to check out the Configure Bot Framework bots for US Government customers documentation for more information.
Database for PostgreSQL
Azure Database for PostgreSQL is a feature-rich service that's part of the Azure family. It's available in various regions, but there are some limitations to be aware of.
In Azure Government regions, you'll find Flexible Server availability under the name Azure Database for PostgreSQL – Flexible Server. This is an important distinction to keep in mind if you're working in a government setting.
Azure Database for PostgreSQL has some features that aren't currently available in Azure Government. Specifically, Azure Cosmos DB for PostgreSQL, formerly known as Azure Database for PostgreSQL – Hyperscale (Citus), is not supported in this region. If you're interested in learning more about supported regions for Azure Cosmos DB for PostgreSQL, you can check out the Regional availability for Azure Cosmos DB for PostgreSQL page.
The Single Server deployment option for Azure Database for PostgreSQL also has some missing features in Azure Government.
Front Door
Azure Front Door is a great service for managing traffic to your applications. It's available in general availability in Azure Government regions US Gov Arizona and US Gov Texas.
You can choose between the Standard and Premium tiers. However, there's one important thing to keep in mind when using Azure Front Door in Azure Government regions.
The Managed certificate for enabling HTTPS is not supported in Azure Government, so you'll need to use your own certificate instead.
Traffic Manager
Traffic Manager is a crucial Azure service that monitors the health of your application endpoints and routes traffic accordingly. For Azure Government, Traffic Manager health checks originate from a specific set of IP addresses.
If you're using Azure Government, review the IP addresses in the JSON file and allow incoming connections from them at your endpoints, so that Traffic Manager can check their health status.
Developer Tools
When developing applications for the Azure Government portal, it's essential to be aware of the differences between global Azure and Azure Government. Certain services and features available in global Azure might not be available in Azure Government.
When writing sample code, review it to ensure it's compatible with the Azure Government cloud services environment. This will help you avoid any potential issues or errors.
To get started with Azure Government, you can use Azure CLI or PowerShell to obtain Azure Government endpoints for services you provisioned. You can run the `az cloud show` command and provide `AzureUSGovernment` as the name of the target cloud environment.
For example, `az cloud show --name AzureUSGovernment` will get you different endpoints for Azure Government. Alternatively, you can use a PowerShell cmdlet such as `Get-AzEnvironment` to get endpoints and metadata for an instance of Azure service.
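As an added example (not from the original page or from Microsoft's documentation), the following Python snippet parses the JSON that `az cloud show --name AzureUSGovernment -o json` prints and flags any endpoint or DNS suffix that still points at a global Azure host, which is how tokens and API calls end up at the wrong cloud. The `endpoints`/`suffixes` key names mirror the az output, the Azure Government DNS zones are well-known values, and the sample configuration is constructed to contain two leftover global endpoints.

```python
"""Check that configured endpoints belong to Azure Government, not global Azure.

Parses the JSON printed by `az cloud show --name AzureUSGovernment -o json`
(or an app config in the same shape) and reports every endpoint/suffix whose
host is outside the Azure Government DNS zones.
"""
import json
import subprocess
from urllib.parse import urlparse

# DNS zones used by Azure Government sign-in, ARM/storage/Key Vault, and Graph.
GOV_ZONES = ("microsoftonline.us", "usgovcloudapi.net", "microsoft.us")


def is_gov_host(host: str) -> bool:
    """True if host is one of the Azure Government zones or a subdomain of one."""
    host = host.lower().lstrip(".")
    return any(host == z or host.endswith("." + z) for z in GOV_ZONES)


def find_non_gov_endpoints(cloud: dict) -> list:
    """Return 'section.key=value' for each endpoint or suffix not in a Gov zone."""
    problems = []
    for key, url in (cloud.get("endpoints") or {}).items():
        if not isinstance(url, str) or "://" not in url:
            continue  # az prints null for endpoints a cloud does not expose
        if not is_gov_host(urlparse(url).hostname or ""):
            problems.append(f"endpoints.{key}={url}")
    for key, suffix in (cloud.get("suffixes") or {}).items():
        if isinstance(suffix, str) and suffix and not is_gov_host(suffix):
            problems.append(f"suffixes.{key}={suffix}")
    return problems


def az_cloud_show(name: str = "AzureUSGovernment") -> dict:
    """Live lookup through the CLI (requires az); the demo below stays offline."""
    out = subprocess.run(["az", "cloud", "show", "--name", name, "-o", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


# Constructed sample: a config copied from a global-Azure setup and only partly
# rewritten for Azure Government. Two entries still point at global Azure.
SAMPLE_CONFIG = json.loads("""
{
  "name": "AzureUSGovernment",
  "endpoints": {
    "activeDirectory": "https://login.microsoftonline.us",
    "resourceManager": "https://management.azure.com/",
    "microsoftGraphResourceId": "https://graph.microsoft.us/",
    "sqlManagement": null
  },
  "suffixes": {
    "storageEndpoint": "core.usgovcloudapi.net",
    "keyvaultDns": ".vault.azure.net"
  }
}
""")

if __name__ == "__main__":
    for problem in find_non_gov_endpoints(SAMPLE_CONFIG):
        print("not an Azure Government endpoint:", problem)
```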
Here's a table outlining API endpoints in Azure vs. Azure Government for accessing and managing some common services:
When configuring network security groups (NSGs) for secured virtual networks, you'll want to allow access to certain IP addresses and ports. For Azure Government, allow the following IP addresses with an Allowed port of 443:
- 13.89.130.0/24
- 13.89.131.0/24
- 13.89.132.0/24
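Added example, not part of the page or of any Microsoft tooling: the Python below builds the inbound NSG rule that these three prefixes and port 443 describe (using ARM `securityRule` property names), then checks which Traffic Manager probe ranges, from the JSON file mentioned under Traffic Manager, the rule would still block. The probe JSON layout (`ProbeIpRanges`) is a constructed stand-in, not the real file's format, and one probe range is deliberately left outside the allowed prefixes.

```python
"""Build a least-privilege inbound NSG rule and verify health-probe coverage.

The rule admits only the listed source prefixes on TCP 443. The coverage check
lists probe ranges the rule does not admit, i.e. health checks that would fail.
"""
import ipaddress
import json

# Source prefixes and port as given in this section.
GOV_PREFIXES = ["13.89.130.0/24", "13.89.131.0/24", "13.89.132.0/24"]

# Constructed stand-in for the Traffic Manager probe IP JSON; the real file's
# layout may differ, so adapt load_probe_ranges() to it. The second range is
# intentionally outside GOV_PREFIXES so the gap check has something to report.
PROBE_JSON = json.dumps({"ProbeIpRanges": ["13.89.130.0/24", "13.89.140.0/26"]})


def parse_prefixes(prefixes):
    """Strict CIDR parsing: '13.89.130.5/24' (host bits set) raises ValueError."""
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def nsg_rule(name, prefixes, port=443, priority=100):
    """ARM-style securityRule: allow inbound TCP <port> from these sources only."""
    nets = parse_prefixes(prefixes)
    return {"name": name, "properties": {
        "priority": priority, "direction": "Inbound", "access": "Allow",
        "protocol": "Tcp", "sourcePortRange": "*",
        "destinationPortRange": str(port), "destinationAddressPrefix": "*",
        "sourceAddressPrefixes": [str(n) for n in nets]}}


def source_allowed(rule, src_ip, dst_port):
    """Would this rule admit a packet from src_ip to dst_port?"""
    props = rule["properties"]
    if str(dst_port) != props["destinationPortRange"]:
        return False
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(p) for p in props["sourceAddressPrefixes"])


def load_probe_ranges(text):
    """Parse the (constructed) probe JSON into validated networks."""
    return parse_prefixes(json.loads(text)["ProbeIpRanges"])


def uncovered_probe_ranges(rule, probe_ranges):
    """Probe ranges not fully inside any allowed prefix (their checks would fail)."""
    allowed = parse_prefixes(rule["properties"]["sourceAddressPrefixes"])
    return [str(r) for r in probe_ranges if not any(r.subnet_of(a) for a in allowed)]


if __name__ == "__main__":
    rule = nsg_rule("AllowAzureGov443", GOV_PREFIXES)
    print(json.dumps(rule, indent=2))
    for gap in uncovered_probe_ranges(rule, load_probe_ranges(PROBE_JSON)):
        print("probe range not allowed by rule:", gap)
```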
Migration and Management
Migration and Management is a crucial aspect of moving an application to Microsoft Azure Gov Portal.
First and foremost, you need to consider the application's compatibility with Azure. Analyze whether your application is architecturally fit for Microsoft Azure before making the move.
Application class is another important factor to consider. Business critical and LOB applications demand high availability, so you'll want to verify how your application is classified in the business.
You'll also need to check whether your application is integrated with other on-premises applications and shared services. This will help you determine if there are any potential roadblocks or opportunities for improvement.
Database compatibility is also a key consideration. Analyze whether your existing database is best fit to migrate to Azure.
Scalability and elasticity are also important factors to consider. Identify whether your application's design can take advantage of the scalability and elasticity that Azure provides.
Finally, don't forget to consider compliance requirements, cost, and security. Check if there are enterprise compliance and regulations that govern whether the data can be moved/stored outside the enterprise's control. Verify whether moving the application is cost-effective for the enterprise. Clarify whether the same level of security can be provided after migrating to Microsoft Azure in terms of data security, authentication, and authorizations.
Here are the key considerations for migration and management in a concise table:
Entra ID and MFA
To set up MFA for Entra ID, you'll need to create a Duo Entra ID Application. This involves signing up for a Duo account and logging in to the Duo Admin Panel to protect a Microsoft Azure Active Directory application.
The Duo Admin Panel allows you to adjust settings for your new Azure Active Directory Duo application, such as changing the application's name or enabling self-service.
You can also enable Remembered Devices on the Microsoft Azure Active Directory Duo application, which allows users to remember their devices for future Duo authentication.
If you want to apply different Remembered Devices settings to different Entra ID and Office applications, you can create multiple Duo custom controls with different settings.
To require Duo MFA for users, you'll need to create a Duo Conditional Access Policy. This involves creating a new policy in the Entra ID admin center and assigning it to selected users or security groups.
The policy can be assigned to specific Entra ID cloud apps, or to other Entra ID conditions like client platform or network.
To enable the policy, you'll need to toggle the "Enable policy" switch to On and click Create.
If you want to prevent Entra ID from offering users the option to set up the Microsoft Authenticator app for sign-in, you can disable the registration campaign and system preferred multifactor authentication settings.
Here are the steps to disable the Microsoft Authenticator app:
Next Steps and Overview
To get started with Azure Government, you'll need to acquire and access the platform. This can be done by visiting the Azure Government portal.
The Azure Government platform is designed specifically for the U.S. government, adhering to federal and state policies, and providing a secure, compliant infrastructure-as-a-service (IaaS) for federal information systems.
Azure Government offers several security levels to align with standardized government information classification levels, keeping data within U.S. boundaries and ensuring U.S. citizens staff any related facilities.
To get started with Azure Government, work through the following topics:
- Acquiring and accessing Azure Government
- Azure Government overview
- Azure support for export controls
- Azure Government compliance
- Azure Government security
- Azure guidance for secure isolation
These topics will help you understand the platform's features and ensure a smooth onboarding process.
Frequently Asked Questions
What is the Azure portal?
The Azure portal is a web-based console for managing Azure subscriptions, allowing you to build, manage, and monitor cloud deployments. It's a unified platform for simplifying complex cloud management tasks.
How do I log in to the Azure portal?
To access the Azure portal, click on the "Log In" button under the Azure tile in the Customer Control Panel (CCP) or follow the hyperlink in the Welcome email. You can then enter your login credentials and sign in to begin using the portal.
What is the difference between Azure and Azure government?
Azure and Azure Government differ in that Azure Government is a physically isolated, sovereign cloud dedicated to U.S. government workloads, while Azure is a commercial cloud for general use. This separation ensures compliance with government regulations and security standards.
Sources
- https://learn.microsoft.com/en-us/azure/azure-government/documentation-government-how-to-access-enterprise-agreement-billing-account
- https://duo.com/docs/azure-ca
- https://techtrend.us/microsoft-azure-government-cloud/
- https://www.veeam.com/blog/azure-government-cloud-compliance-security.html
- https://learn.microsoft.com/en-us/azure/azure-government/compare-azure-government-global-azure