Streamline controls with Microsoft Cloud for Sovereignty
In today’s complex global environment, public sector organizations are seeking to modernize their operations by tapping into the power of the hyperscale public cloud and cutting-edge technologies such as large language models (LLMs). Microsoft Cloud for Sovereignty provides the guidance, tools, and controls to help public sector organizations plan, adopt, and manage the public cloud faster and more easily, while also helping meet security and compliance requirements. It supports the digital transformation of government services through the innovation and scalability offered with Microsoft public cloud solutions.
We are excited to announce the latest release of Microsoft Cloud for Sovereignty. This builds upon our December 2023 general availability release, driven by customer and partner feedback, providing tools that simplify the configuration and deployment of complex sovereign controls and expand on best practice guidance. We are also releasing new guidance for comparable approaches to support implementations for Microsoft Power Platform and Microsoft Dataverse.
What’s new in this release
- Guardrails: Codified architectures and tooling that reduce complexity and make the process of building sovereign environments designed to help achieve regulatory requirements simple, predictable, and repeatable.
- Tools: New assessment, policy compiler, and drift detection analysis tools to help better manage cloud environments. Introducing a new regional Microsoft Azure service that simplifies the management of Sovereign Landing Zone (SLZ) within the Azure Portal.
- Guidance: Sample reference architectures on how to take advantage of LLMs and Microsoft Azure OpenAI Service based on Retrieval Augmented Generation (RAG) pattern with SLZ and guardrails, as well as guidance on workload migrations.
Learn more about how to help your organization unlock the power of the hyperscale cloud on the Microsoft Cloud for Sovereignty home and product documentation pages.
Guardrails to simplify building sovereign environments
We’ve released new features for the Sovereign Landing Zone (SLZ) on GitHub and the policy portfolio, and new capabilities in the private preview of Microsoft Cloud for Sovereignty services on the Azure Portal.
Sovereign Landing Zone on GitHub
SLZ (generally available) is now configured to use the most recent version of the Azure built-in Sovereignty Baseline Policy Initiative. Similarly, users can also configure the SLZ to deploy any policy set in our portfolio. With this, users will be able to take advantage of our expanding policy portfolio. This capability is now also available for the Azure Landing Zone (ALZ). For more information about when to use either the ALZ or SLZ, review our comparison guidance.
Users can also configure specific policies (within policy sets) and include additional policies during deployment. For example, customers can easily enable rollout of policies starting with an audit mode and going into an enforcement mode on a granular level. SLZ compliance modules can now be deployed by engineers and administrators to “uplift” an existing landing zone with a similar structure, bringing it closer in line with sovereignty settings and an organization’s requirements.
Policy portfolio
Microsoft Cloud for Sovereignty policy portfolio has been updated to better help public sector customers meet several key regulatory frameworks. In collaboration with NATO’s Communication and Information Agency (NCIA), we have reviewed and validated the compliance of cloud deployments with NATO’s D32 directive on information protection (preview). Other updates include custom Azure policy initiatives and control mappings for the Cloud Security Alliance (CSA) Cloud Controls Matrix (now on GitHub), the Netherlands BIO (Baseline Informatiebeveiliging Overheid) Initiative, and the Italian National Cybersecurity Agency custom policy initiatives. These initiatives provide users helpful tools for navigating several diverse regulatory landscapes.
Tools in preview for Sovereign Landing Zones
Microsoft Cloud for Sovereignty Services on Azure Portal
Users now have the ability to search for “Microsoft Cloud for Sovereignty” within the Azure Portal. This search will provide visibility to new policy initiatives, documentation regarding the Government Security Program, and transparency logs. Additionally, users can conveniently locate instructions for onboarding into the preview program directly from the portal.
Managing landing zone configurations in the Azure Portal
This release streamlines the process of managing landing zone configurations within the Azure Portal. This enables the establishment of efficient and uniform infrastructure at scale by allowing users to create, update, duplicate, generate code, deploy, and delete configurations all from a single pane. For users who wish to customize their deployment, the platform offers the ability to generate a Bicep code package for their infrastructure. Additionally, for organizations seeking a no-code approach to configure and deploy an enterprise-scale landing zone, users can now deploy a landing zone configuration directly from the Azure Portal.
Because Sovereignty Baseline Policy Initiatives are now Azure built-in policies, they are automatically assigned to landing zone configurations within management groups.
Microsoft Cloud for Sovereignty lifecycle tools
New capabilities (preview) offer support for pre-deployment evaluations to streamline policy management processes. These features, available on GitHub, are designed to empower users with greater visibility, control, and compliance across their Azure environments. Our goal is to continually improve the efficiency, reliability, and compliance capabilities of our tools to better meet the evolving needs of our customers.
Assess and evaluate Azure resources ahead of deployment
The assessment feature provides a pre-deployment evaluation of Azure resources against established best practices, including the evaluation of resource locations and Azure policy assignments. The tool assesses various aspects, such as the SLZ Baseline Policy assignment, Custom Policy Initiatives usage, and individual policy assignments, offering results categorized as good, better, or best based on severity findings. This is especially helpful during the planning stage of a sovereign implementation and works well with brownfield environments.
Policy compiler
The policy compiler is a tool that streamlines the policy management process. It systematically analyzes your organization’s policy initiatives by examining key components—such as display names, descriptions, parameters, and effects. By comparing these elements across different policies, the tool detects redundancies, conflicts, and gaps. It then uses this analysis to provide a set of reconciled policy initiatives, making policy management more efficient and reliable.
Landing zone drift analyzer
The drift analyzer monitors and compares the current state of the deployed cloud environment with its original intended landing zone configuration, identifying critical deviations or changes. These deviations, whether intentional or unintentional, are essential indicators of environmental integrity and compliance. Customer feedback will help the evolution of these tools for potential integration with sovereignty services on the Azure Portal.
Guidance for workload migration and AI configuration
We have recently updated the Microsoft Cloud Adoption Framework to include a sovereignty strategy when using cloud services.
Our product documents have been updated with guidance on:
- Sovereignty choices for monitoring Azure workloads
- Implement encryption with Customer-Managed Keys in Microsoft Cloud for Sovereignty
- Migrate and modernize with Microsoft Cloud for Sovereignty
This release includes our first guidance and reference architecture around AI and LLM configurations. These articles offer an illustrative example of using LLMs and Azure OpenAI Service within the context of the retrieval augmented generation (RAG) pattern for generative AI. Specifically, they explore how government and public sector organizations can apply these technologies within SLZ while also considering important guardrails.
We have also recently published guidance on how to configure Microsoft Power Platform and Dataverse environments to improve control over your data and enhance your digital sovereignty posture. This guidance is part of our ongoing efforts to promote digital sovereignty across Microsoft services, including non-Azure services.
Learn more about Microsoft Cloud for Sovereignty
- Microsoft Cloud for Sovereignty
- Microsoft Cloud for Sovereignty product documentation
- Sovereign Landing Zone (GitHub)
- Policy Portfolio (GitHub)
- Quickstarts (GitHub)
- Microsoft Cloud for Sovereignty on Azure Portal (preview)
- Microsoft Cloud for Sovereignty preview (GitHub for preview customers)
- Log in to your Azure Active Directory (AAD) account to request to join Microsoft Cloud for Sovereignty Preview