International Traffic in Arms Regulations (ITAR)

The US Department of State is responsible for managing the export and temporary import of defense articles (meaning any item or technical data designated under the US Munitions List, as described in Title 22 CFR 121.1) that are governed by the Arms Export Control Act (Title 22 USC 2778) and the International Traffic in Arms Regulations (ITAR) (Title 22 CFR 120-130). The Directorate for Defense Trade Controls (DDTC) is responsible for managing entities governed under these programs.

Microsoft provides certain cloud services or service features that can support customers with ITAR obligations. While there is no compliance certification for the ITAR, Microsoft operates and has designed in-scope services to be capable of supporting a customer’s ITAR obligations and compliance program.

Microsoft Azure Government and Microsoft Office 365 U.S. Government for Defense provide support for customers with data subject to the ITAR through additional contractual commitments to customers regarding the location of stored data, as well as limitations on the ability to access such data to US persons. Microsoft provides these assurances for the infrastructure and operational components of these government cloud services, but customers are ultimately responsible for the protection and architecture of their applications within their environments.

Government and commercial entities that can provide proof of registration with DDTC are eligible for enrollment in Azure Government and Office 365 U.S. Government for Defense services. Customers must sign additional agreements formally notifying Microsoft of their intention to store ITAR-controlled data, so that Microsoft may comply with responsibilities both to our customers and to the US government.

The ITAR has specific obligations to report violations, which can provide certain risk mitigation benefits. The Microsoft Enterprise Agreement Amendment enables Microsoft and the customer to work together in reporting such violations.

Customers seeking to host ITAR-regulated data should work with their Microsoft account and licensing teams to learn more, obtain proper agreements, and access relevant system architecture information.

Frequently asked questions

Expand all

Government and commercial entities that can provide proof of registration with DDTC are eligible for enrollment in Azure Government and Office 365 U.S. Government for Defense services. Customers must sign additional agreements formally notifying Microsoft of their intention to store ITAR-controlled data, so that Microsoft may comply with responsibilities both to our customers and to the US government.

Please contact your Microsoft account representative.

Microsoft in-scope cloud services

Expand all

App Service: Web Apps, Application Gateway, Azure Active Directory*, Azure Backup, Azure Government Portal, Azure Notification Hubs, Azure Service Bus, Azure Site Recovery, Azure Resource Manager, Azure StorSimple, Cloud Services, Compute Resource Manager, Event Hubs, ExpressRoute, Key Vault, Load Balancer, Network Resource Provider, Power BI, SQL Database, Storage, Storage Resource Provider, Traffic Manager, Virtual Machines, Virtual Network, and VPN Gateway

*Note: The use of Azure Active Directory within Azure Government requires the use of components that are deployed outside of Azure Government on the Azure public cloud.

  • Office 365 U.S. Government Defense

Contact Trust Center

Need help evaluating our products? Can’t find the information you need?

Looking for general technical support?

Contact Microsoft support