Month: September 2024
Issues restoring Windows 2025 domain controllers from snapshots
Build 26280.ge_prerelease.240824-1650
I am running the Windows 2025 domain controllers deployed on Hyper-V virtual machines. Hyper-V is installed on Standard D16s v3 Azure virtual machine.
Scenario 1
When I create an Azure VM snapshot and then deploy a new Azure VM from that snapshot, the Windows 2025 Hyper-V based domain controllers won’t boot (there is a black screen with an infinite loading spinner).
Scenario 2
– A Hyper-V checkpoint is created for Hyper-V based domain
– The domain controller is restored from the checkpoint
– The domain controller is backed up using Windows Server backup
– The domain controller is restored to a new Hyper-V VM from Windows server backup
– After the recovery, it won’t boot, with the same black screen with an infinite loading spinner as in Scenario 1
Both scenarios work well in all previous Windows versions.
Applied Skills and Kubernetes
Does anyone know why the Applied Skills – ‘Deploy containers by using Azure Kubernetes Service’ has been retired?
How to Configure and Collect Schannel and CAPI2 Logs
Introduction
The CAPI2 log is a diagnostic log in Windows that tracks cryptographic operations. It records events related to certificate validation and key exchange, and it records how Windows and applications use cryptographic algorithms to secure data. This is crucial for diagnosing issues with SSL/TLS, digital signatures, and other encryption-related processes, and CAPI2 logs are particularly useful for diagnosing security-related problems on Windows systems. When troubleshooting cryptographic operations in Windows, it may be necessary to enable and collect logs for both Schannel and CAPI2. This article explains how to configure and collect these logs for diagnostic purposes.
Schannel Logging
Before enabling CAPI2 logs, configure Schannel logging. Schannel is the Windows security package that handles SSL/TLS encryption and certificate-based authentication. Follow the steps below to enable Schannel logging:
Open Registry Editor: press Win + R, type regedit, and then click OK.
Back up your registry first: go to File -> Export, choose a location and a backup name, and click Save. Read the Warning section below before making any changes in the registry.
Locate the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Right-click the EventLogging value and select Modify.
Set the value to 3 (0x0003):
Value Name: EventLogging
Data Type: REG_DWORD
Value: 3
Click OK and close the Registry Editor.
Reboot the system for the logging change to take effect.
To disable Schannel logging afterwards, set the EventLogging value back to 0 (0x00000000).
Warning
Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
CAPI2 Log
To enable CAPI2 logs, follow the steps below:
Open Event Viewer (press Win + R, type eventvwr, and press Enter).
Navigate to Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational.
Right-click Operational and select Clear Log to delete any existing events.
Right-click Operational again and select Enable Log.
Reproduce the issue.
When you have finished collecting, right-click Operational and select Disable Log to turn CAPI2 logging off.
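The Schannel and CAPI2 steps above, scripted for an elevated PowerShell session, as an added example that is not part of the original article; the output folder C:\Temp\CryptoLogs and the file names are assumptions, and the Schannel key is backed up before it is changed, as the Warning section advises.

```powershell
# Added example (not from the original article): enable, collect and disable
# Schannel and CAPI2 logging. Run from an elevated PowerShell prompt.
# $OutDir and the file names are assumptions; change them to suit your case.

$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$SchannelReg = 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'  # reg.exe form of the same key
$Capi2Log    = 'Microsoft-Windows-CAPI2/Operational'
$OutDir      = 'C:\Temp\CryptoLogs'   # assumed collection folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Enable-CryptoLogging {
    # Back up the SCHANNEL key first so the change can be reverted from the .reg file.
    reg.exe export $SchannelReg "$OutDir\SCHANNEL-backup.reg" /y | Out-Null

    # EventLogging = 3 (0x0003): Schannel writes errors (1) and warnings (2) to the System log.
    Set-ItemProperty -Path $SchannelKey -Name 'EventLogging' -Value 3 -Type DWord

    # Clear stale CAPI2 events, then enable the Operational channel (same as Clear Log / Enable Log in Event Viewer).
    wevtutil.exe cl $Capi2Log
    wevtutil.exe sl $Capi2Log /e:true

    Write-Host 'Schannel logging set (reboot required) and CAPI2 Operational log enabled. Reproduce the issue now.'
}

function Export-CryptoLogs {
    # Export the CAPI2 channel as .evtx for analysis elsewhere (or to attach to a support case).
    wevtutil.exe epl $Capi2Log "$OutDir\CAPI2-Operational.evtx" /ow:true

    # Schannel events land in the System log under provider name 'Schannel'; save the most recent ones as CSV.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel' } -MaxEvents 200 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message |
        Export-Csv -Path "$OutDir\Schannel-System.csv" -NoTypeInformation

    # Show CAPI2 errors (Level 2) on screen so you can spot failed chain builds or revocation checks quickly.
    Get-WinEvent -FilterHashtable @{ LogName = $Capi2Log; Level = 2 } -MaxEvents 50 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message |
        Format-Table -AutoSize -Wrap
}

function Disable-CryptoLogging {
    # Revert both settings once the issue is resolved, as the article recommends.
    Set-ItemProperty -Path $SchannelKey -Name 'EventLogging' -Value 0 -Type DWord
    wevtutil.exe sl $Capi2Log /e:false
    Write-Host 'Schannel logging disabled (takes effect after reboot) and CAPI2 Operational log disabled.'
}

# Typical sequence: Enable-CryptoLogging; reboot; reproduce the issue; Export-CryptoLogs; Disable-CryptoLogging
```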
Conclusion
By following these steps, you can configure and collect both Schannel and CAPI2 logs for cryptographic troubleshooting. Remember to disable Schannel and CAPI2 logging after the issue is resolved to avoid unnecessary log generation. These logs help diagnose and troubleshoot SSL, TLS and other cryptography-related issues. If you want us to do that, please contact us with a case and we will do it for you.
Microsoft Tech Community – Latest Blogs –Read More
The Future of AI: Unlocking the Power of Azure AI with the Book of AI
But before we dive into the details, let’s back up a bit and talk about how we got here.
My Journey with AI
No Code, No Content, No Problem
Leveraging the Power of AI
ai chat assistant create --name MyCliAssistant --files "**/*.cs"
The Book of AI
Get started with Azure AI services quickly and easily
Access Azure AI services without writing code, directly command line
Learn and experiment with AI concepts like LLMs, Speech, Agents, and more
Use Azure OpenAI Chat and Assistants, Azure AI Model Catalog, GitHub Models, ONNX, and Phi-3 models
Tutorials for beginners and experts, with in-depth sample code documentation
Dynamically generate code for your projects in C#, Go, Java, JavaScript, or Python
You can use the ai CLI on Windows, macOS, and Linux, or from VS Dev Container or GitHub Codespaces
Call to Action
Explore the key benefits of Microsoft Entra Private Access
The traditional network security models are becoming increasingly ineffective in a world where remote work and cloud services are the norm. Conventional technologies like VPNs, while popular, offer limited protection in a boundary-less landscape, typically granting users excessive network access and posing significant risks. If compromised, these can lead to unauthorized access and potentially lateral movement within corporate networks, exposing sensitive data and resources. Microsoft Entra Private Access is at the forefront of addressing these challenges by effectively integrating identity and network access controls.
Microsoft Entra Private Access
In July we announced general availability of Microsoft Entra Suite, which brings together identity and network access controls to secure access to any cloud or on-premises application or resource from any location. We also announced Microsoft’s Security Service Edge (SSE) solution general availability. Microsoft Entra Private Access, a core component of Microsoft’s SSE solution, allows you to replace your VPN with an identity-centric Zero Trust Network Access (ZTNA) solution to securely connect users to any private resource and application without exposing full network access to all resources. It’s built on Zero Trust principles to protect against cyber threats and mitigate lateral movement. Through Microsoft’s global private network, give your users a fast, seamless, edge-accelerated access experience that balances security with productivity.
Modernize access to private applications
Despite the cloud’s growing dominance, you may still rely on on-premises infrastructure and use legacy VPNs to enable your remote workforce. Legacy VPNs typically grant excessive access to the entire network by making the remote user’s device part of your network.
Microsoft Entra Private Access helps you start retiring your legacy VPN and move to an identity-centric ZTNA solution that reduces your attack surface, mitigates lateral threat movement, and removes unnecessary operational complexity for your IT teams. Unlike traditional VPNs, Microsoft Entra Private Access protects access to your network for all your users, whether they are remote or local, accessing any legacy, custom, modern, or private app that is on-premises or on any cloud.
For example, Microsoft Entra Private Access enhances security for Remote Desktop Protocol (RDP) sessions by enabling access without direct network connectivity. It leverages Conditional Access policies, including multifactor authentication (MFA), to validate both device and user identities. This ensures that only authenticated users with compliant devices can establish an RDP session on your network, providing a secure and seamless remote access experience. By integrating with Microsoft Entra ID, Microsoft Entra Private Access validates access tokens and connects users to the appropriate private server, reinforcing the security posture without the need for traditional VPN solutions.
Accelerate your journey to Zero Trust with Microsoft Entra Private Access
Microsoft Entra Private Access helps you accelerate your journey to ZTNA and meets this need by offering a streamlined approach to help enforce least privilege access to on-premises or private applications, reinforcing the importance of extending Zero Trust principles to any private app(s) or resource(s), regardless of their location — on-premises or any cloud.
Here, in more detail, are the key capabilities that help you move from legacy VPNs to ZTNA:
QuickAccess policy simplifies transitioning from legacy VPNs to easily onboard with Microsoft Entra Private Access. It allows you to create network segments that can include multiple apps and resources.
Over time, Private Application Discovery enables you to discover all your private apps, onboard them to enable segmented access, and simplify enabling the creation of Conditional Access policies for groups of apps based on business impact levels.
Enforce Conditional Access across all private resources
To enhance your security posture and minimize the attack surface, it’s crucial to implement robust Conditional Access controls, such as MFA (biometric and/or phish resistant), across all private resources and applications including legacy or proprietary applications that may not support modern identity.
The familiar Conditional Access policies used today can now be extended to all private apps, including legacy apps and non-web resources, such as RDP, SSH, SMB, SAP, or any other TCP- or UDP-based private application, resource, or network endpoint.
Conditional Access is applied to every network flow, ensuring comprehensive security coverage across all your private apps and resources—including MFA, location-based security, advanced segmentation, and adaptive least-privilege access policies—without making any changes to your apps or resources.
Deliver seamless access to private apps and resources with single sign-on
Single sign-on (SSO) simplifies the user experience by eliminating the need to sign in to each private application individually. By enabling SSO, users gain seamless access to all necessary private applications, whether located on-premises or across various clouds, without the need for repeated authentication or modifications to existing apps.
Microsoft Entra Private Access further streamlines this process by providing SSO for on-premises resources, utilizing Kerberos for secure, ticket-based authentication. For an even more integrated experience, you can opt to implement Windows Hello for Business with cloud Kerberos trust, offering a modern, passwordless sign-on option for users. This cohesive approach to SSO, supported by Microsoft Entra Private Access, ensures a secure and efficient access management system for private resources across the enterprise landscape.
Deploy across various platforms, ports, and protocols
Enable secure connectivity to private resources from Windows and Android, with support for iOS and macOS coming later this year, and Linux support to follow. This service spans all operating systems and accommodates any port and protocol, including SMB, RDP, FTP, SSH, SAP, printing, and all other TCP/UDP-based protocols. For security teams already using Application Proxy, you can transition to Microsoft Entra Private Access knowing that all existing use cases and access to existing private web applications will keep working with no disruption.
Securing just-in-time access to sensitive resources
Microsoft Entra Private Access, tightly integrated with Privileged Identity Management (PIM), a service within Microsoft Entra ID Governance, helps you secure just-in-time access to private resources for privileged users. This integration ensures that privileged access is granted only when necessary, aligning with the Zero Trust principle of least privilege. It allows for the enforcement of robust Conditional Access controls such as MFA, so that only eligible and validated users can access sensitive resources. This approach not only enhances security but also supports compliance and auditing requirements by providing detailed tracking and logging of privileged access requests.
Secure access to Azure managed services with Microsoft Entra Private Access
Azure offers many managed services, such as Azure SQL, Azure Storage, and Azure ML, among others. Microsoft Entra Private Access ensures a secure, private connection to Azure services while enforcing security policies and posture during access, allowing you to enforce Conditional Access controls such as MFA and IP-based access controls. With comprehensive enforcement of identity and network access controls, Microsoft Entra Private Access ensures that managed services are accessed securely. Here are two key scenarios:
Secure Azure managed services access: Typically, Azure services are accessed over the internet. However, for security reasons, it’s preferable to keep the traffic between users or applications and Azure services private, avoiding exposure to the internet. This can be achieved through Microsoft Entra Private Access, where services like Azure Storage can be connected to a virtual network (vNet) using Private Link. This ensures that all traffic remains private, while additional identity and network access controls are enforced.
Service endpoint for controlled access: In contrast to Private Link, the service endpoint method does not integrate services into a vNet. Instead, it restricts incoming traffic to connections from specified connector IP addresses through Microsoft Entra Private Access. This approach helps secure access to Azure services by permitting access solely through an approved path, where additional security measures like MFA and device posture can be enforced.
Simplify Microsoft Entra private network connector deployment for your private workloads
In addition to Microsoft Entra admin center, private network connector is now available on Azure Marketplace and AWS Marketplace in preview. This will allow users to easily deploy a virtual machine with a pre-installed Private Access Connector through a streamlined managed model for Azure and AWS Workloads. The Marketplace offerings automate the installation and registration process, simplifying authentication setup, thus enhancing user experience.
The Microsoft Entra private network connector is a required software component to enable Microsoft Entra Private Access. It sits alongside customers’ private applications in customer network and is designed to provide secure and convenient access to them from any device and location. It acts as a bridge between Microsoft’s SSE edge and application servers, facilitating the authentication, authorization, and encryption of traffic.
Enable edge accelerated Zero Trust private domain name resolution
Microsoft Entra Private Access enhances your organization’s domain name resolution (DNS) capabilities and simplifies access to IP-based app segments and private resources using FQDNs, allowing your users to reach private resources with single-label names or hostnames without complex configuration. With accelerated DNS at Microsoft’s SSE edge, DNS responses are cached, leading to significantly faster resolution times and better performance. Moreover, the integration of DNS with Conditional Access adds an extra layer of identity-centric security controls, allowing more granular control over access to private resources.
For instance, with Private DNS support, you can provide your domain suffixes to simplify Zero Trust access to private apps using FQDNs, streamlining the connection process to internal resources, while using your existing DNS deployments. This is particularly beneficial in scenarios where your users need to seamlessly access private resources without the need for VPNs or domain-joined devices, while offering a more secure and efficient way to manage access.
Simplify access and improve end user experience at a global scale
Enhance user productivity by leveraging Microsoft’s vast global edge presence, providing fast and easy access to private apps and resources—located on-premises, on private data centers, and across any cloud. Users benefit from optimized traffic routing through the closest worldwide Point of Presence (PoP), reducing latency for a consistently swift hybrid work experience.
Deploy side-by-side with third-party network access solutions
A distinctive feature of Microsoft’s SSE solution is its built-in compatibility with third-party network access solutions, which allows you to acquire only the traffic you need to send to Microsoft’s SSE edges. Leverage Microsoft and third-party network access solutions in a unified environment to harness a robust set of capabilities from both and accelerate your Zero Trust journey. The flexible deployment options of Microsoft’s SSE solution give you enhanced security and seamless connectivity for an optimal user experience.
Conclusion
Simplifying and securing access for your hybrid workforce is crucial in a landscape where traditional boundaries have dissolved. Enforcing least-privilege access and minimizing reliance on legacy tools like VPNs are essential steps in reducing risk and mitigating sophisticated cyberattacks.
Microsoft Entra Private Access helps you secure access to all your private apps and resources for users anywhere with an identity-centric ZTNA solution. It allows you to replace your legacy VPN with ZTNA to securely connect users to any private resource and application without exposing full network access to all resources.
The unified approach across identity and network access within Microsoft’s SSE solution signifies a new era of network security. This approach ensures that only authorized users are authenticated, and their devices are compliant before accessing private resources.
Learn More
To get started, begin a trial to explore Microsoft Entra Private Access general availability. You can also sign up for an Entra suite trial, which includes Microsoft Entra Private Access. For further help contact a Microsoft sales representative and share your feedback to help us make this solution even better.
Ashish Jain, Principal Group Product Manager
Abdi Saeedabadi, Senior Product Marketing Manager
Read more on this topic
Microsoft Entra Private Access
Microsoft Security Service Edge now generally available
Simplify your Zero Trust strategy with the Microsoft Entra Suite and unified security operations platform, now generally available
Watch Zero Trust spotlight webcast
Watch Microsoft Entra Private Access tech accelerator webinar
Get started and try Microsoft Entra Private Access
Get started and try Microsoft Entra Internet Access
Get started and try Entra suite products
Learn more about Microsoft Entra
Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.
Microsoft Entra Internet Access
Microsoft Entra News and Insights | Microsoft Security Blog
Microsoft Entra blog | Tech Community
Microsoft Entra documentation | Microsoft Learn
Microsoft Entra discussions | Microsoft Community
Vacant line in drop down list
I am trying to build a drop-down list from a range of cells: D5:J5
D5:F5 are Merged
G5:I5 are Merged
J5:L5 are Merged
Columns D E F G H I J K L: Action 1 is in D5, Action 2 is in G5, Action 3 is in J5
Using the following:
My Drop-down is showing a gap between Action 1 and Action 2.
What am I doing wrong?
Thanks
Filter Function to be optional depending on blank and non blank values
Hello,
I’ve tried a ton of different functions and it seems that I simply have to make a huge nested IF function for this, but I will see if any of you smart Excel folk have any answers first.
I have a category in my list where there are 4 columns and 4 rows (however, each row is independent, so it’s fine to consider it as one).
The column headers are properties of our equipment (equipment type, serial number, thickness, etc.).
I’m looking to have each cell in each column show all available options when all cells in the row are blank, and for each cell that has data input into it, the filters start adding up.
E.g. if I add an option for equipment type, then the serial numbers and thicknesses filter down to include that, and if I add a thickness, then the serial numbers would include both filters.
I have made it work when I input data from left to right on the row, but ideally I would like to make it also work if people start adding information in a random order, to start filtering their options for the remaining blank cells in the row based on whichever cells have data in them.
Is there an easy IF OR solution for this, or will I just have to make a nested IF function for the entire list of options for which cells are blank or filled in?
Thanks for your help
Microsoft 365 Multitenant organization capabilities now available for Viva Glint
We are excited to announce that Viva Glint now supports Microsoft 365 multitenant organization (MTO) capabilities to help organizations seamlessly deliver enterprise-wide Viva Glint surveys across multiple tenants. These capabilities are also available for Viva Engage and can be enabled via the Microsoft 365 admin center or Microsoft Entra admin center.
Tenant complexity can create challenges
A tenant is a digital representation of your organization and provides reliable architecture for security, productivity and compliance at scale. Organizations may have multiple tenants with different employee groups for a variety of reasons including organic growth, regulation, mergers and acquisitions that all contribute to how many tenants an organization owns and manages. This segmentation is often necessary but can also create complexity when you want to distribute Viva Glint surveys across tenant boundaries.
The value of MTO for complex enterprise organizations
Understanding employee engagement and feedback across your organization is a global need that shouldn’t be constrained by tenant boundaries. To improve the employee experience across your organization, your people need seamless access to Viva Glint results to understand sentiment and drive change.
With the release of multitenant capabilities, users from different tenants within an organization can seamlessly access Viva Glint. Administrators can deliver one enterprise survey and provide dashboard access to managers across multiple tenants in their organization.
Multitenant capabilities allow organizations to arrange their tenants as secure, autonomous entities whose users can access applications installed to other tenants, regardless of their home tenant. Tenants are connected by common policies and foundational services to move their collective mission forward.
When setting up a multitenant organization, administrators have two options to sync users across tenants.
Requirements for Viva Glint and MTO
All tenants use Microsoft Entra ID
All tenants exist in the same cloud
Viva Glint is installed in one tenant (known as the target tenant). All Viva Glint licenses that will be used in the multitenant organization must be bought for this tenant
We have outlined the process for setting up Viva Glint for a multitenant organization here. This article outlines in more detail the two options to sync users: B2B collaboration or cross-tenant synchronization.
Summary
We’re excited for the support of multitenant capabilities in Viva Glint. Organizations can now seamlessly deliver enterprise-wide surveys across multiple tenants, ensuring that employee engagement and feedback are not constrained by tenant boundaries. This feature enables administrators to provide a unified survey experience and dashboard access to managers across different tenants, enhancing the overall employee experience and driving organizational change.
Additional MS Learn articles to learn more:
Viva Glint for a multitenant organization FAQ (preview) | Microsoft Learn
Set up Viva Glint for a multitenant organization (preview) | Microsoft Learn
Plan for multitenant organizations in Microsoft 365
What is Microsoft Entra B2B collaboration – Microsoft Entra External ID
What is a cross-tenant synchronization in Microsoft Entra ID?
Understanding Compliance Between Commercial, Government, DoD & Secret Offerings – Sept 2024 Update
This article is the second of a series in the Microsoft Tech Community Public Sector Blog and touches on several key principles for compliance, including data residency versus data sovereignty. For the first article in the series, please refer to History of Microsoft Cloud Service Offerings leading to the US Sovereign Cloud for Government. To keep this article concise, I will refrain from repeating content from the first. I recommend that you review the first article if you are unfamiliar with the architectural relationships between Azure, Microsoft 365 and Dynamics 365.
In this article, we will focus on each of the US-based cloud offerings from Microsoft and compare the differences in compliance, including the compendium of common factors customers may use to decide which of our offerings align with current and future requirements in demonstrating compliance with US Government regulations and underlying cybersecurity frameworks.
September 2024 Update
Microsoft 365 Commercial + Azure Commercial
FedRAMP in Azure
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP enables government agencies to accelerate the adoption of cloud services with confidence, knowing they meet high security standards and comply with federal regulations. FedRAMP authorization is a rigorous and comprehensive process that involves extensive documentation, testing, and auditing by independent third-party assessors (3PAO). FedRAMP authorization demonstrates Microsoft’s commitment to delivering cloud services that meet the most stringent security and compliance requirements of the US Government.
You can demonstrate compliance with the FedRAMP High Impact Level in both Azure Commercial and Azure Government. Azure Commercial and Azure Government each have a Provisional Authorization to Operate (P-ATO/PA) from the FedRAMP Program Management Office (PMO). The PMO is the primary governance and decision-making body for FedRAMP. Representatives from the Department of Defense, the Department of Homeland Security, and the General Services Administration serve on the PMO board. The PMO grants a P-ATO to Cloud Service Providers (CSP) that have demonstrated FedRAMP compliance; a CSP may choose not to pursue an Agency ATO as well, since the two are not mutually exclusive.
You can find a full list of Azure services that meet the requirements of FedRAMP High in the Azure compliance scope documentation.
For more information, please reference:
Microsoft FedRAMP Documentation (https://aka.ms/fedramp)
FedRAMP Package F1209051525: Azure Commercial Cloud | FedRAMP Marketplace
FedRAMP Package F1603087869: Azure Government (includes Dynamics 365) | FedRAMP Marketplace
FedRAMP in Microsoft 365
Cloud services bundled together in Microsoft 365 are split into two separate sets of authorizations, Office 365 and Azure.
The Office 365 productivity services include:
Activity Feed Service (AFS)
Information Protection (IP)
Office Service Infrastructure (OSI)
Cloud Input Intelligence (CII) (aka Windows Ink)
Microsoft Teams (MS Teams)
Office for Web
Customer Insight and Analysis (CIA) (aka Usage Reports)
ObjectStore
People Card
Exchange Online (EXO)
Office 365 Remote Access Service (ORAS)
Query Annotation Service (QAS)
Falcon
Office 365 Suite User Experience (SUE)
Search Content Service (SCS)
Hauk
Office Intelligent Services (IS)
SharePoint Online (SPO)
including Project Online and OneDrive for Business
All other services fall under Azure, including (but not limited to):
Entra ID (Azure Active Directory)
Microsoft Cloud App Security
Azure Multi-factor Authentication (MFA)
Azure Information Protection
Microsoft Defender Advanced Threat Protection (MDATP)
Microsoft Stream
Azure Key Vault
Microsoft 365 Defender
Microsoft Defender Vulnerability Management
Azure Sentinel
Microsoft PowerApps
Microsoft Purview
Intune
Microsoft Secure Score
Power BI
Many more… (see the Azure compliance scope documentation)
For the cloud services listed as in scope for Azure Commercial, we have the FedRAMP P-ATO as described in the previous section.
For the productivity services listed as in scope for Office 365 Commercial, Microsoft does not support FedRAMP. For those that have read previous versions of this blog, you may find it as a surprise that Microsoft 365 in Commercial has changed from FedRAMP High ‘Equivalent’ to ‘No’. This changed as a result of the release of the U.S. Department of Defense memorandum for ‘FedRAMP Moderate Equivalency for Cloud Service Provider’s Cloud Service Offerings’ dated December 21, 2023. The memo outlines requirements to achieve ‘Equivalency’ including a Body of Evidence (BOE) that is not in scope for Office 365 Commercial data enclaves other than for Microsoft 365 Government (GCC).
For more information, please see the section below FedRAMP in GCC.
The FedRAMP Marketplace for ‘Microsoft – Office 365 Multi-Tenant & Supporting Services’ only applies to GCC and no other data enclaves of Microsoft 365 Commercial.
The accreditation package for ‘Microsoft – Office 365 Multi-Tenant & Supporting Services’ defines the scope of accreditation as covering the cloud services management plane and a dedicated portion of the data plane. This often confuses customers: the whole of the Commercial service is not within the accreditation boundary, only the GCC data enclave as defined to support the accreditation package. Any customer deciding to use the Microsoft 365 Commercial service to demonstrate FedRAMP compliance or equivalency will struggle to achieve this due to how the accreditation scope is defined. In other words, the accreditation package and associated Body of Evidence (BOE) only include the scope of accreditation for GCC.
You may wonder why the scope is different. Take access controls as an example. While the same access controls may be applied to any Commercial service data enclave (the whole of the data plane), they are applied with different Organizationally Defined Values (ODV). Both Commercial and GCC data enclaves require personnel screening validations that are tied to access control requirements:
Commercial screening does not require US Citizenship and other US Government related requirements necessary to support the management of US government regulated data (e.g. Controlled Unclassified Information).
GCC screening does include these requirements and validates their existence prior to any access control action.
Such differences make it untenable for Microsoft 365 to support FedRAMP holistically in the Commercial service.
For context on what a ‘data enclave’ is, please refer to the History of Microsoft Cloud Service Offerings leading to the US Sovereign Cloud for Government.
A word about FedRAMP in Commercial and how it relates to CUI
A common misconception is to regard FedRAMP as ‘the’ requirement for protecting Controlled Unclassified Information (CUI) in a cloud service offering. It is important to note that FedRAMP is just one component of overall compliance relative to CUI in a shared responsibility model. For example, the CUI-Specified category for ‘Export Controlled’ (CUI//EXPT), such as data regulated by the International Traffic in Arms Regulations (ITAR), imposes an additional set of ‘Specified’ standards from the US Department of State that require data sovereignty (e.g. US persons in US locations). Export-controlled data such as ITAR technical data is one of the components of overall compliance to holistically safeguard CUI.
I often get pulled into customer conversations on suitability for CUI in the Microsoft 365 Commercial cloud. While it is a very nuanced conversation (especially when working with sub-contractors and suppliers hosted in Commercial), Microsoft does not recommend it. Why? We did not create Microsoft 365 Commercial to support the management of CUI. Thus, in the table above for Microsoft 365, you can observe that CUI is presented as ‘No’.
The way I frame this for customers is this: your higher watermark for compliance to gain coverage of CUI is in alignment with other controls above and beyond FedRAMP. If you are affiliated with law enforcement and the criminal justice system, you will likely require CJIS adjudication from the FBI or from the US State you are in. If you are affiliated with the Internal Revenue Service or a Department of Revenue, you will likely require IRS 1075 for coverage of Federal Tax Information. If you are affiliated with US Defense or the Military, you will likely require export controls that include the ITAR and the Export Administration Regulations (EAR). Each one of these requires screened US Persons and data residency/sovereignty in the Continental United States (CONUS). These are what will direct you to our Government cloud offerings and diminish Microsoft 365 Commercial as an option.
Note: There is an entire article for Microsoft US Sovereign Cloud Myth Busters – CUI Effectively Requires Data Sovereignty
New Feature Releases in Commercial
Here is another aspect of Commercial to keep in mind. The release of new features and services into Commercial clouds is not predicated on FedRAMP compliance the same way it is for release into Government clouds. For example, a new feature can release to Commercial cloud tenants before it has FedRAMP compliance. However, the new feature will not be released as Generally Available (GA) in Government cloud tenants until it complies with FedRAMP. In my opinion, this is another compelling data point for our customers trying to decide on ‘Commercial vs Government’, as there is a risk of users organically adopting new features in your tenant before the features are authorized for FedRAMP.
Note: First-party products and features developed by Microsoft follow the NIST SP 800-53 control framework from the start, accelerating the path to FedRAMP authorization and reducing the risk of using such features before authorization. However, this may not hold true for all products we ingest through third-party acquisitions and partnerships, which could require a much heavier lift to achieve the same levels of compliance.
Microsoft’s Secure Future Initiative (SFI) makes security our top priority at Microsoft, above all else—over all other features. We have evolved our security approach, with our work guided by the following three security principles:
Secure by Design: Security comes first when designing any product or service.
Secure by Default: Security protections are enabled and enforced by default, require no extra effort, and are not optional.
Secure Operations: Security controls and monitoring will continuously be improved to meet current and future threats.
I invite you to read Charlie Bell’s blog on Secure Future Initiative (SFI), as it has been driving security that is helpful for compliance as well.
DFARs 7012 and NIST SP 800-171 in Microsoft 365 Commercial
This is for the Defense Industrial Base (DIB), including Aerospace and Defense (A&D) contractors of the US Department of Defense (DoD). It also applies to Federally Funded Research and Development Centers (FFRDCs), University Affiliated Research Centers (UARCs), and energy and healthcare organizations. To substantially contract with the DoD, you will likely need to demonstrate compliance with the Defense Federal Acquisition Regulation Supplement 252.204-7012 (DFARs 7012). If you have the requirement, your contracts will have a DFARs 7012 clause, or you will be notified of a ‘flow-down’ in sub-contracts to you. DFARs 7012 mandates the protection of CUI and Covered Defense Information (CDI) with an implementation of NIST SP 800-171, and a FedRAMP Moderate ‘or Equivalent’ Impact Level for clouds used to store, process, or transmit CUI. NIST SP 800-171 is a set of controls used to secure Non-Federal Information Systems (predominantly in the private sector).
Due to not supporting FedRAMP in Microsoft 365 Commercial, you will observe a ‘No’ for DFARs 7012.
DFARs 7012 in Azure Commercial
As mentioned in the previous section, Microsoft 365 Commercial has a ‘No’ for DFARs 7012. However, Azure Commercial can demonstrate support for DFARS clause 252.204-7012. We have an auditor’s attestation letter summarizing how DFARS 7012 is supported for Azure services. This translates to a commitment where we demonstrate DFARs 7012 compliance in Azure Commercial.
Note: For more details on how we implement DFARs 7012 in Azure, please see https://aka.ms/DFARsAzure.
The coverage of DFARs 7012 in Azure Commercial offers you more choice in the selection of Microsoft cloud offerings that best suit your requirements for the protection of CUI. For example, those organizations that choose Microsoft 365 Government (GCC) deployed on top of Azure Commercial cloud regions in the US may now have paired Azure services that meet DFARs 7012 requirements. While we do not offer this same commitment for Microsoft 365 Commercial, we do offer DFARs 7012 compliance in Microsoft 365 Government (GCC) that operates in conjunction with Azure Commercial. See below for more details in the GCC section.
Commercial will not always recognize US Government requirements
As I mentioned, there are guidance, operational and support differences between the services provided for Azure Commercial and Microsoft 365 Commercial, as opposed to those purpose built for the US Government. There is no way to identify a government tenant within the Commercial service.
Unfortunately, there is a painful learning curve when a customer discovers this post-sale/deployment while in the middle of an incident. I have been on calls assisting such customers who were routed through our global support staff and were frustrated that ‘Microsoft’ did not understand that they had US Government requirements and should not have been routed to offshore support personnel in Asia. That is how the global Commercial service works. If you have requirements for screened US persons in US locations, there are Microsoft purpose-built cloud offerings exclusively for supporting US Government obligations that are more suitable to sovereignty requirements. See the GCC High + Azure Government section below on support commitments for US persons.
Regulation Changes Impact to Commercial versus Government
Recent updates to FedRAMP “Equivalency” requirements highlight the ongoing evolution of U.S. government standards and regulations. Industry has an obligation to mature cloud service offerings and consumption practices to match and even exceed these security and compliance requirements set forth by the US government (and preferably as proactively as possible to reduce undue churn and reactive burdens). While Microsoft strives to align all our cloud service offerings to the same set of security controls and practices as reasonably practical, Commercial services achieving government certifications like FedRAMP should not be presumed unless specifically stated. It’s crucial for customers to stay informed about these changes to avoid non-compliance risks.
FCI in Microsoft 365 Commercial
In general, all US Government contractors have a requirement in their contracts to comply with 15 safeguarding requirements and procedures for Federal Contract Information (FCI) in the Federal Acquisition Regulations (FAR) 52.204-21 Basic Safeguarding of Covered Contractor Information Systems (FAR 21). You may demonstrate compliance for the FAR 21 in Commercial to protect FCI, but there is a caveat. Microsoft 365 Commercial is not intended for US Government requirements. There is a risk that changes in regulations may lead to non-compliance in the future. Ultimately, it is a risk decision your organization will need to make.
Cybersecurity Maturity Model Certification (CMMC)
One of the most common questions I get is, “What cloud offerings meet the requirements for CMMC?”
Cybersecurity frameworks are applied to all Microsoft cloud offerings consistently across the spectrum of services. Cybersecurity ‘maturity’ is often represented as the efficacy of process and automation of practices. There are specific control requirements and ODVs that are unique to each cloud offering. For example, sovereign clouds such as Microsoft 365 Government (GCC High) and Azure Government have controls in place for restricting sensitive data access to only screened US persons, with data processing, transmission and storage only within CONUS. Sovereign clouds are more restricted in terms of the specificity of control requirements in relation to other cloud environments. Even though control requirements may vary from one cloud environment to another, each may demonstrate a level of cybersecurity maturity in alignment with CMMC.
In other words, you may demonstrate compliance with CMMC in the Commercial cloud depending on what level you are pursuing. CMMC by itself should not be the only decision factor on choosing which cloud offering is most appropriate. For example, CMMC 2.0 Level 2 and higher is intended for protection of CUI. I have captured details regarding CUI throughout this article to help you make a more informed decision.
To net it out, Microsoft recommends the following:
You may demonstrate compliance with CMMC 2.0 Level 1 for the data protection of FCI in Commercial and in our Government clouds. However, there is a caveat mentioned above that Microsoft 365 Commercial is not intended for US Government requirements. The safer long-term risk posture is to use our Government cloud service offerings.
We recommend the US Sovereign Cloud with Azure Government and Microsoft 365 Government (GCC High) for data protection of CUI in alignment with CMMC 2.0 Levels 2-3.
We understand you may have a different risk appetite and choose a different basis for your cybersecurity program. We do have customers that chose GCC (versus GCC High), in cases where they have CUI-Basic that does not require explicit commitments to protect CUI-Specified and ITAR/EAR export-controlled data. Others have added additional compensating controls, such as FIPS 140-2 validated end-to-end encryption to protect export-controlled data. However, many in the DIB (especially the larger tier 1 prime contractors) have chosen the US Sovereign cloud due to the comprehensive data protection offered holistically across all categories of CUI.
Ultimately, this is a risk decision made by the customer in meeting their current and future requirements.
It is important to note that while cost and risk are prime decision criteria for our customers, many also consider future changes to their business strategy and scope of competition. Our Government cloud offerings are segregated environments, and migrating from one to another is neither a short nor an inexpensive customer project. If opportunities arise in the future to pursue business requiring a higher watermark for compliance, or a potential increase of work in other regions or industries, you may promote such criteria in deciding which cloud to choose. There are many criteria to assess in such a decision, but we have attempted to portray the key ones in the context of this article.
Microsoft 365 Government (GCC)
Scope of Services in GCC
The Microsoft 365 Government (GCC) cloud offering is a data enclave of Commercial. A data enclave in this context is a segregated environment, with infrastructure residing in Azure regions. In the case of GCC, the data enclave is in CONUS and paired with Azure Commercial US regions. There is a commitment to ensure data residency and data processing is in CONUS for the primary Office workloads. In addition, only screened US persons in US locations are authorized for customer content access.
The service description for all Microsoft 365 Government offerings may be found at http://aka.ms/o365usgovservicedescription
At the time of this writing, the service availability for GCC covers the following workloads:
Exchange Online & Exchange Online Protection
SharePoint Online & OneDrive for Business Online
Teams & Voice (Phone System & Audio Conferencing)
Office for the web
Microsoft Defender
Power BI Pro
Project Online
and more as documented in the Service availability for each plan
Given GCC is a data enclave of Commercial, there are several shared services. These shared services may have data processing globally Outside the Continental United States (OCONUS) and leverage a global follow-the-sun support model. Most notably, this includes a global network and a global directory. For example, Entra ID (formerly Azure Active Directory) in Azure Commercial is shared with GCC. Entra ID is supported globally and may have data processing (authentication) occur OCONUS along with service management by global support personnel. This is one of the reasons Microsoft will not commit to export controls in GCC.
As a result, you will observe a ‘No’ in the column for ITAR & EAR for GCC along with a caveat for CMMC Levels 2-3.
Customer Support for GCC and Azure Commercial
Microsoft 365 Government (GCC) customer support is provided under the same terms and conditions offered to Microsoft 365 Commercial, without assurances for agent physical location or citizenship.
The latest version of the Customer Support Terms and Conditions for GCC (referencing the above statement) can be found here.
GCC operates in conjunction with Azure Commercial, which is supported with a global follow-the-sun support model as well. For products and services that fall under Azure Commercial, such as IaaS and PaaS deployments in the same tenant as GCC, the Azure Product Terms outlines coverage for customer support.
Many people are confused by this. After all, I mentioned above that GCC restricts access to restricted customer content to authorized screened US Persons only. This is true of datacenter personnel who request temporary permission elevation under management oversight, granting access to customer content only when necessary. While datacenter personnel are limited in their access to restricted customer content, customer support personnel have no direct standing access to the datacenter nor to customer content. They can only be exposed to sensitive information when it is provided directly by the customer during a customer support ticket. We remind you not to share any controlled, sensitive, or confidential information with support personnel as part of your support incident, and follow your own internal data sharing controls, policies and procedures when engaging with Microsoft customer support.
Note: Microsoft Purview Customer Lockbox is a popular feature to moderate access to your data. We even have Customer Lockbox for Azure releasing to more and more Azure services.
DFARs 7012 in GCC
As mentioned in the section for DFARS 7012 in Commercial, this applies to the DIB, FFRDCs, UARCs, etc. working with the DoD. Ultimately, NIST SP 800-171 is holistically derived from NIST SP 800-53. Think of it as a subset of the controls that apply to Non-Federal Information Systems. Given Microsoft uniformly implements NIST SP 800-53, in accordance with Appendix C of 800-171, we have coverage for NIST SP 800-171 controls in GCC.
In addition to NIST SP 800-171, GCC and its pairing with Azure Commercial can demonstrate support for DFARS clause 252.204-7012 sub-paragraphs (c)-(g). We have a two-page auditor’s attestation letter summarizing how those sub-paragraphs are supported. Microsoft will support a flow-down for DFARs 7012 in GCC. This translates to a commitment where we demonstrate DFARs 7012 compliance in GCC. As a result of the flow-down commitment, you will observe a ‘Yes’ in the GCC column for DFARs 7012.
Note: For more details on how we implement DFARs 7012 in GCC, please see https://aka.ms/DFARsGCC.
Controlled Unclassified Information is a Maybe in GCC
The NIST SP 800-60 Volume 2 registry is rather large. There are many CUI categories, including multiple information types. The question is, which CUI category is in scope? This is especially true for the DoD CUI Program Registry. Several categories may not require data sovereignty, such as Privacy, Legal, etc. Is it permissible to rely on data residency in GCC? Maybe. However, many of the CUI-Specified categories, including Defense, Export Controlled, Nuclear, etc., undoubtedly require the US Sovereign cloud and are not appropriate for storage within GCC. Ultimately, customers are responsible for reviewing the relevant regulations and Microsoft’s offerings prior to determining which Microsoft Government cloud service offering is the best fit to support their obligations for CUI.
As not all CUI-Specified can be supported, you will observe a caveated ‘Yes’ in the GCC column for CUI.
CMMC in GCC
You may demonstrate compliance with CMMC 2.0 Level 1 in GCC for protection of FCI. You may also demonstrate compliance with CMMC 2.0 Levels 2-3 with notable caveats. The intent of CMMC 2.0 Levels 2+ is to safeguard CUI. As mentioned in the previous section, GCC is not permissible for all categories of CUI. Most notably, GCC does not natively support export-controlled data such as ITAR and EAR. As such, we recommend the US Sovereign Cloud with Microsoft 365 Government (GCC High) and Azure Government for CMMC Levels 2-3 to holistically safeguard all categories of CUI. Please see the CMMC section above in Commercial for more rationale.
You will observe a ‘Yes’ in the GCC column for CMMC L1. However, as not all CUI-Specified can be supported, you will observe a caveated ‘Yes’ in the GCC column for CMMC L2-3.
FedRAMP in GCC
For the productivity services listed as in scope for Office 365, you can demonstrate compliance with the FedRAMP High Impact Level in the GCC data enclave. At the time of this writing, we have successfully completed multiple FedRAMP High Impact Level audits, including Security Assessment Reports (SARs). This is sufficient for us to advertise FedRAMP High ‘Equivalency’, as it completes Microsoft’s scope of responsibility towards FedRAMP accreditation for a Federal Agency ATO. In other words, we support accreditation with Federal agencies at the FedRAMP High Impact Level.
Microsoft validates the controls for Office 365 into FedRAMP holistically because we operate all instances of Microsoft 365 employing a consistent control framework and uniform implementations of controls based on the US National Institute for Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 5 (NIST SP 800-53 – a requirement of FedRAMP).
The FedRAMP Marketplace for ‘Microsoft – Office 365 Multi-Tenant & Supporting Services’ lists our package with Agency ATOs from over 30 different Federal Government Agencies for the FedRAMP Moderate Impact Level. In brief, this means the FedRAMP PMO has completed its review of one or more Agency ATOs. It also indicates the FedRAMP PMO is satisfied that Microsoft meets the FedRAMP requirements and has earned a listing on the Marketplace as ‘Authorized’. With the Agency ATOs in place, the FedRAMP PMO will not complete a P-ATO for Office 365, as that would be redundant with the Agencies’ work; the two are not mutually exclusive.
Together, the P-ATOs for Azure Commercial along with the Agency ATOs for Office 365 (GCC) provide holistic coverage for FedRAMP authorizations covering the Microsoft 365 Government (GCC) suite of cloud services.
For more information, please reference:
Microsoft FedRAMP Documentation (https://aka.ms/fedramp)
FedRAMP Package MSO365MT: Office 365 Multi-Tenant & Supporting Services | FedRAMP Marketplace
StateRAMP in GCC
StateRAMP is a non-profit membership organization comprised of CSPs, government officials, and 3PAOs. The StateRAMP standard is based on the NIST 800-53, Revision 5 catalog of security controls along with FedRAMP, and enables state and local governments to manage third-party risk and verify cloud security. Cloud solutions that secure StateRAMP certifications are listed in its Authorized Products List. States that are required to have their own cybersecurity standards have extended reciprocity with the StateRAMP certification or adopted StateRAMP as their standard. Microsoft helped to develop the StateRAMP standard and continues to support its role in US state and local government cybersecurity.
As mentioned above in the section on FedRAMP in Azure, both Azure Commercial and Azure Government each maintain FedRAMP High P-ATOs issued by the FedRAMP PMO in addition to Moderate and High Agency ATOs issued by individual federal agencies for the in-scope services.
The following cloud service offerings have achieved the StateRAMP Authorized Security Status for the High Impact Level as shown on the Authorized Products List:
Microsoft 365 Government (GCC)
Azure Commercial
Azure Government
Dynamics 365 Commercial
Dynamics 365 Government (GCC)
For more information, please reference StateRAMP – Azure Compliance
DoD CC SRG in GCC and Azure Commercial
The Defense Information Systems Agency (DISA) is an agency of the DoD that is responsible for developing and maintaining the DoD Cloud Computing (CC) Security Requirements Guide (SRG). The SRG defines the baseline security requirements used by the DoD to assess the security posture of a CSP and establishes a baseline requiring a FedRAMP Moderate authorization for all information Impact Levels (IL).
SRG Section 5.1.1 (DoD use of FedRAMP Security Controls) states that IL2 information may be hosted in a CSP that minimally holds a FedRAMP Moderate authorization. Given that Microsoft 365 Government (GCC) and Azure Commercial are both FedRAMP Moderate authorized (and higher), you may demonstrate compliance for IL2. As such, there is effectively ‘Equivalency’ between DoD CC SRG IL2 and FedRAMP Moderate.
For more information, please see Microsoft SRG Documentation.
Criminal Justice Information Services in GCC
The largest tenant populations in GCC include State and Local Government (SLG) entities, such as highway patrol, sheriffs, local law enforcement, etc. that require CJIS. The CJIS security policy provides 13 areas that should be evaluated to determine whether cloud services can be used consistently with CJIS requirements. These areas correspond closely to the NIST SP 800-53 control implementation for FedRAMP Moderate, with a security policy aligning with CJIS.
Microsoft will sign the CJIS Security Addendum in states with CJIS Information Agreements. These tell state law enforcement authorities responsible for compliance with CJIS Security Policy how Microsoft’s cloud security controls help protect the full lifecycle of data and ensure appropriate background screening of operating personnel with access to CJI. Microsoft continues to work with state governments to enter into CJIS Information Agreements.
Microsoft has assessed the operational policies and procedures of Azure Government, Microsoft 365 Government (GCC), and Dynamics 365 Government (GCC), and will attest to their ability in the applicable services agreements to meet FBI requirements for the use of in-scope services.
CJIS status in the United States
The 47 states and the District of Columbia with management agreements, highlighted in green on the map, are:
Alabama, Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Oklahoma, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin, and the District of Columbia.
Microsoft’s commitment to meeting the applicable CJIS regulatory controls allows Criminal Justice organizations to implement cloud-based solutions and be compliant with CJIS Security Policy V5.8.
Current as of April 2024 – Criminal Justice Information Services (CJIS) Security Policy – Microsoft Compliance
Note: This section also applies to CJIS in Azure Government.
For information from the FBI: Security Control Mapping of CJIS Security Policy
Microsoft 365 Government (GCC High) + Azure Government
ITAR in GCC High and Azure Government
These cloud services are purpose built for export controls in the US, including ITAR and EAR. I have customers who interpret GCC as suitable for export controls. I’ve even had customers decide that Commercial is sufficient. I tell them that I am not a lawyer and cannot give legal counsel, but I think that is extremely unwise. I can’t stop you from leveraging Commercial or GCC for CUI-Specified categorized as Export Controlled (CUI//EXPT), especially for ITAR and EAR. I hope you take advantage of every data protection feature that we offer you! GCC High and Azure Government were created to give you a commitment for export controls in the US. This includes a US Sovereign Cloud accreditation boundary encompassing all services attached to Azure Government, Microsoft 365 Government (GCC High) and Dynamics 365 Government (GCC High). For example, the network is sovereign and constrained to CONUS. The GCC High directory services with Entra ID are provided by Azure Government and are sovereign to the US.
DoD CC SRG Equivalency in GCC High
We have evolved the US Sovereign Cloud to include PII protections. PII protections are now all the way up to IL4 in GCC High (aligned with FedRAMP High). In fact, we manage the GCC High environment with the same set of control scope and ODVs as the DoD environment. This translates to SRG ‘equivalency’ of both IL4 and IL5 in GCC High.
However, for most Federal contractors and the DIB, SRG impact level is a moot point. Technically speaking, the SRG only applies to Federal information systems. IL4 is not an authorization the DoD will provide to non-Federal or private-sector entities, nor is it for a CSP cloud environment not in use directly by the DoD. For the DIB, DFARs 7012 and CMMC are what apply to non-Federal and private-sector information systems. As such, Microsoft has pivoted away from advertising the SRG impact levels in alignment with Microsoft 365 Government (GCC High). We now focus on how our DIB/FFRDC/UARC customers may demonstrate compliance with CMMC leveraging our cloud service offerings.
That said, we often get pulled into customer conversations where they have a contract with the US DoD including a CC SRG IL5 requirement. The DoD is telling their prime contractor “You must put this data in an IL5 environment” with no exceptions. However, the environment is in the contractor’s information systems. The DoD does not certify a contractor’s environment for the CC SRG, regardless of whether it’s on-premises or in the cloud. As such, the CC SRG does not apply to contractor-owned environments. It’s impossible for a contractor to certify their information systems as IL5 because it’s not a DoD-owned environment. As such, I break it down this way…
Gov’t Owned, Gov’t Operated (GOGO) = CC SRG IL 2/4/5 (NIST SP 800-53) under DISA security cognizance.
Gov’t Owned, Contractor-Operated (GOCO) = CC SRG IL 2/4/5 (NIST SP 800-53) under DISA security cognizance. The Contractor masquerades on-behalf of the DoD.
Contractor-Owned, Contractor-Operated (COCO) = DFARS 7012 + CUI-Specified protections (e.g. DDTC regs for ITAR). DISA does NOT have security cognizance. CMMC will in the future.
An older slide (circa 2017), but still helpful in visualizing the breakdown below between GOGO (DoD Information Systems), GOCO (Systems Operated on Behalf of the DoD) and COCO (Contractor’s Internal System) and the appropriate alignment with NIST 800-171 vs the SRG.
Reference from ‘Protecting the DoD’s Unclassified Information’
We are IL5 compliant for the DoD cloud we provide for GOGOs and GOCOs. In accordance with the requirements imposed by the DoD, Microsoft will not allow COCOs in the DoD cloud. Only the DoD can sponsor tenancy in that service, and they have not allowed any COCOs to date. If a customer feels they require a cloud service accredited at IL5, this is an issue they need to raise with the DoD. IL5 is defined so as to restrict tenancy to only entities authorized by DISA.
We offer IL4 ‘Equivalent’ cloud services in GCC High. It’s ‘Equivalent’ because the DoD has not granted IL4 to GCC High since they have no intent from their mission owners in the DoD consuming that service (instead intending them to utilize the DoD cloud services).
If a contractor has DoD compliance requirements for a COCO, we expect those to fall under security cognizance for DFARS 7012 and CMMC that GCC High can support.
DoD CC SRG in Azure Government
Cloud services in Azure Government are authorized for DoD CC SRG IL2 and IL4. In addition, Azure Government has over 120 services accredited at IL5 (148 as of the time of this writing). These services include a broad range of IaaS, PaaS and SaaS capabilities. When supporting IL5 workloads on Azure Government, the isolation requirements can be met in different ways. The Isolation guidelines for IL5 workloads documentation addresses configurations and settings for the isolation required to support IL5 data with specific service instructions.
You can find a full list of Azure Government services that meet the requirements of the DoD in the Azure Government audit scope documentation.
For more information, please reference:
Department of Defense Impact Level 4 – Azure Compliance
Department of Defense Impact Level 5 – Azure Compliance
DFARs 7012 and NIST SP 800-171 in GCC High and Azure Government
Microsoft will support a Flow-Down for DFARs 7012 in GCC High and in Azure Government. This translates to a commitment where we demonstrate DFARs 7012 compliance in the US Sovereign Cloud. This includes DFARs 7012 alignment with NIST SP 800-171 in a shared responsibility model with the Customer.
Note: You may access our Attestation of Compliance with DFARS included with our Body of Evidence (BoE).
FedRAMP High Equivalency in GCC High
You can demonstrate compliance with the FedRAMP High Impact Level in GCC High. We successfully completed multiple FedRAMP High Impact Level audits, including Security Assessment Reports (SAR). This is sufficient for Microsoft to advertise FedRAMP High ‘Equivalency’, as it completes Microsoft’s scope of responsibility towards FedRAMP authorization for a Federal Agency ATO. The FedRAMP PMO now has the task of reviewing the Agency ATOs and Microsoft’s submitted Body of Evidence (BoE).
We have several Federal Agencies actively deployed in GCC High, demonstrating compliance with FedRAMP High. The Agency ATOs include but are not limited to the U.S. Department of Homeland Security (DHS), the U.S. Department of Justice (DoJ), the U.S. Federal Bureau of Investigation (FBI), and the U.S. Department of the Treasury.
Note: The FedRAMP High Impact Level is not a requirement for DFARs 7012 compliance. FedRAMP Moderate ‘or Equivalent’ is specifically required for DFARs 7012.
For more information, please reference:
Microsoft FedRAMP Documentation (https://aka.ms/fedramp)
FedRAMP Package FR1824057433: Microsoft Office 365 GCC High | FedRAMP Marketplace
Body of Evidence (BoE) section below
As discussed in the section for FedRAMP in Microsoft 365 Commercial, holistic coverage for Microsoft 365 includes both Office 365 productivity services and Azure services bundled together. The section below on Azure Government includes all the cloud services that fall in-scope for the Azure Government P-ATO.
FedRAMP High in Azure Government and Dynamics 365 GCC High
As described above for Azure Commercial, Azure Government has a P-ATO for FedRAMP High from the FedRAMP PMO.
There are over 140 Azure services (161 services as of the time of this writing) covered by the FedRAMP High P-ATO in Azure Government. You may even observe that Dynamics 365 Government (GCC High) falls under the scope of the Azure Government P-ATO in the FedRAMP Marketplace where the P-ATO is recognized as ‘Authorized’ by the FedRAMP PMO.
FedRAMP 3PAO Assessments
The Third-Party Assessment Organization (3PAO), Kratos Defense & Security Solutions, conducts the annual assessments of both Office 365 and for Azure utilizing the FedRAMP High Baseline security controls. As part of the assessment, Kratos applies the NIST SP 800-30, Revision 1 methodology to identify system risks based on likelihood, impact, and risk exposure.
The security requirements for FedRAMP High are met as follows:
NIST SP 800-53 Revision 4 requirements validated by Kratos based on this analysis and analysis conducted during the annual assessment
Federal Information Processing Standards (FIPS) Publication 199 requirements validated by Kratos based on this analysis and analysis conducted during the annual assessment
FIPS Publication 200 requirements validated by Kratos based on this analysis and analysis conducted during the annual assessment
NIST SP 800-60 requirements validated by Kratos based on this analysis and analysis conducted during the annual assessment
NIST SP 800-61 requirements validated by Kratos based on this analysis and analysis conducted during the annual assessment
The result of the 3PAO assessment includes a Security Assessment Report (SAR), a Security Assessment Plan (SAP) and letters of attestation found in the Body of Evidence.
FedRAMP Body of Evidence
The FedRAMP Body of Evidence (BoE) is the collection of documents, artifacts, and evidence that shows the security controls a CSP has implemented to meet the FedRAMP security control baseline, as assessed by a FedRAMP authorized 3PAO. It provides a comprehensive record of the security measures in place to protect federal data.
Office 365 and Azure’s BoEs include the following:
SSP: The System Security Plan provides an overview of the security requirements for the Cloud Services and describes the controls in place or planned for implementation to provide a level of security appropriate for the information to be transmitted, processed or stored by the system.
CIS & CRM: The Control Implementation Summary (CIS) report includes control implementation responsibility and implementation status of the FedRAMP security controls. Also included in the CIS is an Excel spreadsheet for the Customer Responsibility Matrix (CRM). The CRM identifies what controls are inherited from the cloud service provider, versus those controls that are the responsibility of the customer (tenant owner). Most importantly, the CRM identifies the controls that are shared responsibility of both the CSP and the customer.
SAR: The Security Assessment Report is generated by the 3PAO during the annual assessment.
SAP: The Security Assessment Plan (SAP) lists the scope and security controls selected for annual assessment by the 3PAO.
Penetration Testing Report: Cloud penetration testing report produced by Azure FedRAMP High and DoD SRG compliance program.
DFARs Compliance Attestation Letter: Attestation of Compliance with Defense Federal Acquisition Regulation Supplement (DFARs) clause 252.204-7012.
CMMC Compliance Attestation Letter: Attestation of Compliance with Cybersecurity Maturity Model Certification (CMMC) Requirements.
For more information on the specific requirements for a BoE, please review the U.S. Department of Defense memorandum for ‘FedRAMP Moderate Equivalency for Cloud Service Provider’s Cloud Service Offerings’ dated December 21, 2023.
The BoE is considered highly sensitive and confidential information. Historically, many CSPs have not been willing to share their BoE with customers, especially for Government cloud offerings. However, Microsoft is transparent and will allow for customers of our government solutions to access the BoE under a Non-Disclosure Agreement (NDA). To request the BoE, you must be a customer and make an E-mail request to:
Office 365 GCC High: O365FedRAMP@microsoft.com
Azure Government: AzFedDoc@microsoft.com
Note: If you have your Microsoft NDA handy and can provide the document ID, it can save time during the request.
DoD Memo for FedRAMP Moderate ‘Equivalency’
The DoD memorandum for ‘FedRAMP Moderate Equivalency for Cloud Service Provider’s Cloud Service Offerings’ establishes the definition of ‘Equivalency’. Please note the second paragraph of the memo:
This memorandum does not apply to Cloud Service Offerings (CSOs) that are FedRAMP Moderate Authorized under the existing FedRAMP process.
With this established, any cloud service that falls under the Azure Government P-ATO is fully covered and advertised in the FedRAMP Marketplace as ‘Authorized’.
For the Office 365 GCC High cloud services, we can demonstrate compliance with FedRAMP Moderate ‘Equivalency’ with our BoE in the manner the memo describes. Fundamentally, the memo requires a CSP to do all the activities leading to a FedRAMP Agency ATO or P-ATO, minus the FedRAMP PMO’s review. Microsoft has done the FedRAMP Agency ATO process numerous times and is in the process of finishing the PMO’s review. Microsoft’s BoE will suffice to meet any FedRAMP Moderate equivalency review by assessors and members of the Defense Industrial Base (DIB).
CMMC in the US Sovereign Cloud
You may demonstrate compliance with all maturity levels of CMMC in the US Sovereign Cloud. We exclusively recommend our US Sovereign Cloud with Microsoft 365 Government (GCC High) and Azure Government for data protection of CUI in alignment with CMMC 2.0 Levels 2-3.
CJIS in Azure Government
CJIS in Azure Government is aligned with the same description as provided above in the section “Criminal Justice Information Services in GCC”.
CJIS in GCC High
Criminal Justice Information Services in Microsoft 365 Government (GCC High) is described as for ‘Federal’ only. CJIS Information Agreements are signed primarily at the US State level. Most US States have Information Agreements established for both Microsoft 365 Government (GCC) and for Azure Government. However, those agreements are not in scope for Microsoft 365 Government (GCC High). This is because no State or local government entities deploy into GCC High. To date, only Federal agencies and the DIB/FFRDC/UARC deploy into GCC High. Thus, a US State has not had the need to sign a CJIS Information Agreement for GCC High. It doesn’t mean that GCC High is non-compliant with CJIS. That is evident as the US Federal Bureau of Investigation (FBI) is deployed in GCC High. Hence, the FBI has authorized the use of GCC High for CJIS at the ‘Federal’ level.
NERC and FERC in the US Sovereign Cloud
Microsoft has engaged with multiple entities obligated to demonstrate compliance with the requirements of the North American Electric Reliability Corporation (NERC) and/or the Federal Energy Regulatory Commission (FERC). They find the US Sovereign Cloud with Microsoft 365 Government (GCC High) and Azure Government to be the closest match among Microsoft cloud service offerings to fulfill their requirements. Due to the dynamic scope of applicability that an entity may define, we recommend you request explicit support from your Microsoft account team if you have compliance requirements in this area.
Customer Support for the US Sovereign Cloud
The US Sovereign Cloud with Azure Government, Microsoft 365 Government (GCC High) and Dynamics 365 Government (GCC High) offer differentiated support staffing, with technical support provided 24×7 by screened US Persons in a US Location. However, these terms do not preclude the use of global support staff in customer support escalations. It is not uncommon for Microsoft customer support to rely on support engineers that specialize in specific services or technologies and are subject matter experts in niche areas. These support engineers might be located anywhere in the world and could be introduced to provide expertise and guidance on a specific customer support ticket. Since customer support personnel have no direct standing access to the datacenter nor to customer content, they can only be exposed to sensitive information when it is provided directly by the Customer during a customer support ticket. We remind you not to share any controlled, sensitive, or confidential information with support personnel as part of your support incident, and follow your own internal data sharing controls, policies and procedures when engaging with Microsoft customer support.
Important: Within the US Sovereign Cloud, you may request your ticket to remain limited and restricted to “screened US Persons in a US Location” only. However, availability of the subject matter engineer may be limited to US time zones as opposed to 24×7 support. This may negatively impact the response and mitigation of the Customer support ticket.
Note: Microsoft Purview Customer Lockbox is a popular feature to moderate access to your data. We even have Customer Lockbox for Azure releasing to more and more Azure services.
Considerations for US person-only Tenant for Government Clouds
This is an organizational decision, and not one that is required to achieve compliance.
There are no restrictions for US persons nor for citizenship checks imposed by Microsoft on tenant owners (organizations) giving access control to their tenants in US Government cloud service offerings. As with all Cloud Service Providers (CSP), it is a shared scope of responsibility for compliance. Microsoft commits to personnel that are US persons on the back end with the CSP specific scope of responsibility, but it is the organization’s (customer’s) responsibility to protect their content according to their own regulatory requirements.
Microsoft 365 Government (DoD)
If you are not in the DoD, don’t worry about it. You’re not getting into the service. Only the DoD and those approved by them (such as service providers or entities authorized by the DoD) are allowed into the DoD regions for Microsoft 365 and Azure Government.
That said, if you are a DoD contractor with requirements for DoD CC SRG IL5, please read the section above on ‘DoD CC SRG Equivalency in GCC High’.
Azure Government Secret + Office 365 Government Secret
DoD CC SRG in Azure Government Secret
CC SRG IL6 is reserved for the storage, processing and transmission of information classified up to the Collateral Secret level. For a hyper-scale cloud offering, information that must be processed and stored at IL6 can only be hosted in an air-gapped government community cloud. Because of the requirement that the entire cloud infrastructure be dedicated and separate (air-gapped) from other CSP infrastructures, IL6 may only be provided by CSPs under contract to the DoD or a federal agency.
Azure Government Secret maintains an IL6 P-ATO at the high confidentiality, high integrity, and customer-determined availability (H-H-x) information categorization. In addition, DISA is the primary Authorizing Official (AO) for Azure Government Secret, with all other Secret compliance frameworks recognizing a program of reciprocity with the DoD CC SRG. Over 67 Azure Government Secret services are accredited for IL6 as of the time of this writing. These services include a broad range of IaaS, PaaS and SaaS capabilities. We have many more services in the queue for authorization by DISA as we speak.
Note: Azure Government Secret is the first and only classified cloud service offering (CSO) to have received the highest possible P-ATO at the H-H-x information categorization.
You can find a full list of Azure Government services that meet the requirements of the DoD in the Azure Government audit scope documentation.
For more information, please reference:
Department of Defense Impact Level 6 – Azure Compliance
Azure Government for national security
Introduction to Microsoft Azure Government Secret
Announcing new Azure Government capabilities for classified mission-critical workloads
DoD CC SRG in Office 365 Government Secret
Since announcing the general availability of Azure Government Secret, our mission has been to support all US government agencies, departments, municipalities, public sector employees and industry with IL6 compliant productivity and collaboration tools. Office 365 Government Secret is authorized for IL6 and generally available for use by the DoD today with hundreds of thousands of seats actively deployed. In addition, this O365 environment is built to support the DoD along with US Federal Civilian, Intelligence Community (IC), and US government partners (industry) working within the Secret enclave with our SaaS capabilities.
For more information, please reference Announcing Office 365 Government Secret cloud.
National Industrial Security Program Operations Manual
The National Industrial Security Program (NISP) has oversight by the DoD’s Defense Counterintelligence and Security Agency (DCSA). Just as facilities and individuals require a clearance to gain access to classified information, cleared contractor Information Systems (IS) must be assessed and authorized prior to processing classified information.
DCSA serves as the Authorizing Official (AO) for contractor IS, such as for Contractor-Owned & Contractor-Operated (COCO) Internal Research & Development (IRAD) environments. The NISP has published guidance for industry to properly manage and protect against unauthorized disclosure of classified information, including Collateral classifications (Confidential & Secret). The NISP has recognized a program of reciprocity with the DoD CC SRG IL6 including authorizations for use of cloud by industry based on the NISP Operations Manual (NISPOM).
You can now demonstrate compliance with the NISPOM and achieve an ATO using Azure Government Secret.
Note: Azure Government Secret is the first and only classified cloud service offering (CSO) to be authorized by the NISP with industry partners connecting to our hyper-scale cloud using non-government (aka ‘private’) COCO networks.
Joint Special Access Programs Implementation Guide
A Special Access Program (SAP) is a highly classified program established to protect sensitive information and impose enhanced security measures with compartmentalized access requirements that go beyond what is typically required for information at the same (Collateral) classification levels. In addition to Collateral controls (e.g. IL6 & NISPOM), a SAP imposes more rigorous requirements, non-disclosure agreements (NDA) to get ‘read-in’ to the program, special document markings, etc. Within the DoD, a SAP is better known with Special Access Required (SAR) markings.
Note: Word to the wise, when talking about SAP with your cybersecurity colleagues, make sure you differentiate between SAP for classified IS and the ERP company’s solutions. It’s amazing how often you can talk past each other!
A big difference between Collateral versus SAP/SAR requirements is requiring cleared personnel, facilities (SAPF) and IS to be ‘read-in’ to the program, effectively compartmentalizing access to the individual program.
The Joint Special Access Programs Implementation Guide (JSIG) provides standardized policies for cybersecurity and information assurance, procedures, and implementation guidance for use in the management of IS at all classification levels under the purview of the SAP Authorizing Official (AO). Based on NIST SP 800-53, the NIST Risk Management Framework (RMF) and JSIG Protection Levels (e.g. PL2, PL3), JSIG includes the compliance control set required to achieve an ATO for SAP IS environments.
Azure Government Secret maintains JSIG ATOs at Protection Levels up to 3 (PL3).
For more information, please reference Joint Special Access Program Implementation Guide – Azure Compliance
Intelligence Community Directive
Intelligence Community Directive (ICD) 503, also known as ‘Risk Management for Federal Information Systems’ is a standard developed by NIST in collaboration with the US Intelligence Community (IC) for risk management and certification of IS across the IC. It provides a framework for managing risk and ensuring the confidentiality, integrity, and availability of information systems within US Federal agencies. ICD 503 is closely related to the NIST RMF and enables the IC to use NIST and Committee on National Security Systems (CNSS) standards for security assessments.
Azure Government Secret maintains ICD 503 ATOs with classified facilities authorized according to ICD 705.
For more information, please reference Intelligence Community Directive (ICD) 503 – Azure Compliance
Azure Government Top Secret + Office 365 Government Top Secret
Generally speaking, we do not disclose many details on our Top Secret (TS) Cloud Service Offerings (CSO) without an exclusive sponsorship by the US Government, other than what is mentioned in the blog article ‘Azure Government Top Secret now generally available for US national security missions’. That said, TS does have support for JSIG and ICD 503/705 at TS classification levels (e.g. Collateral TS & TS/SCI), like what is described above for Secret.
Appendix
Please follow me here and on LinkedIn. Here are my additional blog articles:
Blog Title (Aka Link)
Microsoft Collaboration Framework (https://aka.ms/ND-ISAC/CollabFramework)
ND-ISAC MSCloud – Reference Identity Architectures for the US Defense Industrial Base (https://aka.ms/ND-ISAC/IdentityWP)
Microsoft CMMC Acceleration Update (https://aka.ms/CMMC/Acceleration)
History of Microsoft Cloud Service Offerings leading to the US Sovereign Cloud for Government (https://aka.ms/USSovereignCloud)
The Microsoft 365 Government (GCC High) Conundrum – DIB Data Enclave vs Going All In
Microsoft US Sovereign Cloud Myth Busters – A Global Address List (GAL) Can Span Multiple Tenants
Microsoft US Sovereign Cloud Myth Busters – A Single Domain Should Not Span Multiple Tenants
Microsoft US Sovereign Cloud Myth Busters – Active Directory Does Not Require Restructuring
Microsoft US Sovereign Cloud Myth Busters – CUI Effectively Requires Data Sovereignty
Microsoft expands qualification of contractors for government cloud offerings (https://aka.ms/GovCloudEligibility)
Variable cell reference for subtraction formula
Hello,
If I have the below data, I want to find out the total duration on each employee’s last day of work. This would essentially be the end time of the last event, minus the start time of the first event that starts on the same date. The part I can’t figure out is how to vary the formula for a different number of events.
So, with this example: ID 123 has 2 events on 5/4, so the formula is C7 – B6.
But ID 456 has 4 events on the last day (5/8), so the formula is C15 – B12
Note that it’s based on the same start date — so for ID 789, the very last event starts before midnight but ends after midnight. So it would be C21 – B18, since both of those events start on 5/4.
Thank you!
Active directory security remediation items – seeking advise
Hi Active Directory Brain Trust,
We’re aiming to implement the following security restrictions as part of an AD security remediation. If anyone has implemented or consulted on these in the past, could I please seek your advice on how to implement them (which objects to target to begin with, what implications they may introduce for operations, how to phase the implementation, etc.)? Some useful info to read plus your advice is highly appreciated!!
– Deny log on through Remote Desktop Services
– Deny log on locally
– Deny log on as a service
– Deny access to this computer from the network
Import Connection Strings and Access Keys of storage account to Keyvault
Hi All,
I was trying to import the connection strings and access keys of a storage account into Key Vault. Does anybody have an idea of how to import and view the connection strings and access keys of a storage account in Key Vault?
PAL with PIM
Hi,
Is PAL tracking the ACR from the client’s subscriptions, where my account is added as eligible for proper RBAC role but not having active assignment for most of the time?
Timeline events – T1105: Ingress Tool Transfer
I see a “T1105: Ingress Tool Transfer” event for a device of us but this is a false positive.
Does Defender take any action on this, or is it just a notification?
Can I whitelist this? How?
Disable document previews with ‘PreviewModeEnabledSet’
There should exist a setting called ‘PreviewModeEnabledSet’ that can enable or disable document previews. I am currently trying to find this setting with the SharePoint REST API, but I can’t find the location of this setting. Does anyone know the route to this setting?
Currently, my SharePoint page always shows a preview of a document, and the document will only start loading when the mouse is hovered over the embed. This is annoying, as it makes the site feel really slow. I want the document to load immediately when the page is loaded.
So, to combat this, I want to try changing this setting, in the hope that this will make the documents load immediately on page load.
https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#:~:text=PreviewModeEnabledSet,a%20SharePoint%20site.
Public Meeting Room Bookings
Hi, my organisation has about 6 meeting rooms that are able to be booked by the public. We want individuals to be able to select the length of time they need the room for, and for Bookings to block out that time in the calendar. Bookings doesn’t appear to allow a variable length of time for a booking, so a user could choose from 30 mins to 8 hours. It seems like a pretty basic ask; has anybody managed to achieve this in Bookings?
Defender for EndPoint Sales Presentation / Deck
I’m hunting around for a Microsoft presentation for Defender for EndPoint geared towards pitching it to clients, and cannot find anything for that purpose. Basically a PPT version of the video on this page: Microsoft Defender for Endpoint – Microsoft Defender for Endpoint | Microsoft Learn
Any suggestions on where I would find such a thing?
Secure & scalable quick starts for Azure Functions using Azure Developer CLI
In today’s rapidly evolving digital landscape, ensuring security and seamless networking is more important than ever for any cloud-based application. In Azure Functions, we offer advanced identity and networking features to protect your applications. In this blog post, we’ll delve into the key concepts related to security and networking in Azure Functions and provide next steps so you can get started today.
The Azure Functions team recently released new getting started quick starts and samples leveraging the Azure Developer CLI!
These samples are secure & scalable and:
– demonstrate best practices in creating secure apps
– use identity for all connections to dependencies like Azure Storage
– include VNet integration for outbound communications
– build on the powerful Flex Consumption plan
– show how to leverage the Azure Developer CLI for seamless deployment
We invite you to try them out today and incorporate the sample code in your existing function apps to harden your security posture. Check out this deep dive where we go into detail regarding our recommended best practices when it comes to identity and networking and share interactive demos that walk you through how you can get started today.
The following are some highlights of the talk. Here’s what you should know about identity and networking!
Identity
Managed identity is a crucial aspect of securing your Azure Functions without the need to manage credentials manually. It simplifies the authentication process for Azure services by managing identities in Azure Entra (also known as Azure Active Directory).
Identity can be used to authenticate to any service that supports Entra authentication, eliminating the need for hard-coded credentials in your code. Using managed identities, you can securely access Azure services like Azure SQL Database, Azure Storage, Azure Service Bus, Azure OpenAI, and even Azure Key Vault without embedding secrets in your application code. This approach enhances security by reducing the risk of credential exposure and simplifies the management of credentials.
There are two types of managed identities: system-assigned and user-assigned. System-assigned managed identities are created and managed by Azure, and they are tied to the lifecycle of the Azure resource, such as an Azure Function. User-assigned managed identities are created as standalone Azure resources; they can be assigned to multiple Azure resources and can have more durable lifecycles.
It’s also important to consider login identity for your own interactive users. Entra provides a robust identity platform that supports various authentication methods, including multi-factor authentication (MFA), single sign-on (SSO), and conditional access policies. By leveraging Entra, you can ensure that your users have a secure and seamless login experience while accessing your applications.
Networking
Azure Functions leverages Azure Virtual Network to provide a secure network fabric, ensuring an isolation boundary for your applications. This isolation helps protect your functions from unauthorized access and potential threats.
Network security groups (NSGs) can be used to control inbound and outbound traffic, adding an extra layer of security.
By using private endpoints, you can ensure that your Azure Functions communicate with designated resources over a private IP address, avoiding exposure to the public internet. This setup enhances security by restricting access to your functions.
Azure Functions can be integrated with a virtual network, allowing your functions to access resources within the network securely. This integration is crucial for scenarios where your functions need to interact with databases or other services that have restricted access to calls originating from a virtual network.
Service endpoints allow your functions to connect to Azure services over the Azure backbone network, providing a secure and high-performance connection. This setup reduces latency and enhances the overall performance of your applications.
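The identity and networking points above (a system-assigned identity used for the host storage connection, a role assignment instead of a stored key, and VNet integration so outbound traffic stays inside the network boundary) come together in a single infrastructure definition. The Bicep below is an added example written for this page, not code from the Azure Functions quick starts or from the Azure Developer CLI templates; the resource names, the Elastic Premium SKU and the `integrationSubnetId` parameter are assumptions chosen for illustration.

```bicep
// Added example (not the quick-start code): a function app whose host storage
// connection uses a system-assigned managed identity instead of a key, and whose
// outbound traffic is routed through a VNet subnet. Names, the plan SKU and the
// subnet id are assumptions for illustration.
param location string = resourceGroup().location
param appName string = 'func-mi-example'
// Assumed to exist: a subnet delegated to Microsoft.Web/serverFarms for VNet integration
param integrationSubnetId string

// Built-in "Storage Blob Data Owner" role: what the Functions host needs on its own storage account
var storageBlobDataOwner = 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b'

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: 'st${uniqueString(resourceGroup().id, appName)}'
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false
  }
}

resource plan 'Microsoft.Web/serverfarms@2023-01-01' = {
  name: 'plan-${appName}'
  location: location
  sku: { name: 'EP1', tier: 'ElasticPremium' }
}

resource functionApp 'Microsoft.Web/sites@2023-01-01' = {
  name: appName
  location: location
  kind: 'functionapp'
  // System-assigned: the identity is created with the app and deleted with it
  identity: { type: 'SystemAssigned' }
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    // Regional VNet integration: outbound calls leave through this subnet
    virtualNetworkSubnetId: integrationSubnetId
    siteConfig: {
      minTlsVersion: '1.2'
      // Route all outbound traffic through the VNet so NSGs and private endpoints apply
      vnetRouteAllEnabled: true
      appSettings: [
        // Identity-based host storage connection: only the account name is stored, no key
        { name: 'AzureWebJobsStorage__accountName', value: storage.name }
        { name: 'FUNCTIONS_EXTENSION_VERSION', value: '~4' }
        { name: 'FUNCTIONS_WORKER_RUNTIME', value: 'python' }
      ]
    }
  }
}

// Grant the app's identity data-plane access to the storage account. Without this
// assignment the app has an identity but no permission, and the host cannot start.
resource hostStorageAccess 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(storage.id, functionApp.id, storageBlobDataOwner)
  scope: storage
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', storageBlobDataOwner)
    principalId: functionApp.identity.principalId
    principalType: 'ServicePrincipal'
  }
}

output principalId string = functionApp.identity.principalId
```

The setting to look for when reviewing an existing app is `AzureWebJobsStorage__accountName` in place of a plain `AzureWebJobsStorage` connection string; the former means the host authenticates with its identity, the latter means an account key is sitting in app settings. Queue- or table-based triggers need additional data roles (for example Storage Queue Data Contributor) on top of Blob Data Owner. Elastic Premium and Consumption plans still mount a key-based content share (`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`, omitted above); the Flex Consumption plan the post builds on does not use that share, which is what makes fully key-less host storage possible there.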
So, what are you waiting for? Create your secured Azure Function today and let us know what you think!
Docs:
Create functions in Azure using the Azure Developer CLI
Keep in touch:
Azure Functions Twitter
Azure Functions GitHub
how to copy dynamic data from one Sheet to another with criteria in Excel with VBA
I need to copy the names from the filtered content of the sheet POSTO X to the corresponding day sheet, but the copy must follow these specific criteria:
if the day column is SD, then the name goes to the Serviço Diurno section, SN to Serviço Noturno, and PL must be on both Serviço Diurno and Serviço Noturno…
My problem is copying only the required data to the destination; this code is filtering correctly, but I can't figure out how to copy just what I need from this range to the destination…
Public Sub UpdateExchangesBook()
    Dim wsCt As Worksheet, wsMD As Worksheet, wsOrg As Worksheet, wsDst As Worksheet
    Dim rgDC As Range, rgDataEval As Range, rgDataFlt As Range, rgDsCel As Range
    Dim x As Range, Z As Range
    Dim cM As Byte, cD As Byte, CalcCL As Byte, strStNm As String
    Dim strName As String, strPosto As String

    With ThisWorkbook
        Set wsCt = .Sheets("Dados Gerais")
        Set wsMD = .Sheets("TOTALIZAÇÃO")
        ' Day header cells: B1 across to the last used column
        Set rgDC = wsMD.Range(wsMD.Range("B1"), wsMD.Range("B1").End(xlToRight)).Cells
        cM = wsCt.Range("B2").Value
        CalcCL = 3
        Set wsOrg = .Sheets("POSTO A")
        strPosto = Right(wsOrg.Range("A1").Value, 1)   ' e.g. "A" from "POSTO A"

        For Each x In rgDC
            cD = Day(x)
            If cM = 1 Then
                If cD > 30 Then Exit For
                cD = cD + 1
            End If
            strStNm = cD
            If cM = 12 Then
                If cD > 31 Then strStNm = cD & "J"
            End If
            Set wsDst = .Sheets(strStNm)
            CalcCL = CalcCL + 1
            ' Clear the Serviço Diurno (A8:B27) and Serviço Noturno (A31:B50) sections
            wsDst.Range("A8:B27, A31:B50").ClearContents

            With wsOrg
                .Unprotect "101"
                If .AutoFilterMode Then .AutoFilterMode = False
                ' Qualify Cells with the sheet: an unqualified Cells refers to the active sheet
                Set rgDataEval = .Range("A1:" & .Cells(33, CalcCL).Address)
                ' Keep rows whose shift for this day is SD or SN (wildcard "S?") or PL
                rgDataEval.AutoFilter Field:=CalcCL, Criteria1:="S?", Operator:=xlOr, Criteria2:="PL"

                ' Visible cells of the day column, skipping the two header rows (rows 1-2,
                ' as the original Offset(2, 0) implies); SpecialCells raises error 1004
                ' when nothing is visible, so guard it
                Set rgDataFlt = Nothing
                On Error Resume Next
                Set rgDataFlt = rgDataEval.Offset(2, 0).Resize(rgDataEval.Rows.Count - 2) _
                    .Columns(CalcCL).SpecialCells(xlCellTypeVisible)
                On Error GoTo 0

                If Not rgDataFlt Is Nothing Then
                    ' For Each over a multi-area range visits every visible cell
                    For Each Z In rgDataFlt
                        strName = .Cells(Z.Row, 1).Value   ' the name is in column A of the same row
                        ' StrComp returns 0 when the strings match, so compare with 0
                        If StrComp(Z.Text, "SD", vbTextCompare) = 0 Or StrComp(Z.Text, "PL", vbTextCompare) = 0 Then
                            ' Serviço Diurno: next empty row above A27
                            Set rgDsCel = wsDst.Range("A27").End(xlUp).Offset(1, 0)
                            rgDsCel.Value = strName
                            rgDsCel.Offset(0, 1).Value = strPosto
                        End If
                        If StrComp(Z.Text, "SN", vbTextCompare) = 0 Or StrComp(Z.Text, "PL", vbTextCompare) = 0 Then
                            ' Serviço Noturno: next empty row above A50
                            Set rgDsCel = wsDst.Range("A50").End(xlUp).Offset(1, 0)
                            rgDsCel.Value = strName
                            rgDsCel.Offset(0, 1).Value = strPosto
                        End If
                    Next Z
                End If
                .AutoFilterMode = False
                .Protect "101"
            End With
        Next x
    End With
End Sub
Any help would be greatly appreciated!
[Screenshots: the destination day sheet should be populated with 3sCamila only on Serviço Diurno and the other names on both Serviço Diurno and Noturno; the source data; the filter applied on the source that should match the destination day sheet (in this case #2).]
How to find names in a column from a smaller list of names in another column, plus mark for sorting
Hello all.
To demonstrate (screenshot enclosed), I have a list of names in column A and a smaller list in column D.
Is there a formula that can be placed in column B to find the matching names of col. A & D and place text “Fix” in the corresponding B cell?
My objective is to sort the sheet by column B, so that all the rows that need fixing are listed together. My real list has 600+ rows. I am hoping to save time and work.
In the image the names in purple demonstrate the matching titles.
I appreciate any assistance.
cheers