Government agencies and contractors face stringent requirements when adopting cloud services. Achieving an Authorization to Operate (ATO) or Authority to Use (ATU) is a critical step in ensuring compliance with federal standards. Microsoft provides a robust framework to support these efforts through its Service Trust Portal, comprehensive documentation, and built-in compliance tools across Azure, Microsoft 365, and AI services.
This article functions as a primer for acquiring an ATO/ATU for government entities and contractors. For a full breakdown of Microsoft's compliance offerings, visit the following link: https://aka.ms/MSGovCompliance
Understanding the Service Trust Portal (STP)
The Microsoft Service Trust Portal (STP) is a centralized resource for accessing security, compliance, and privacy documentation related to Microsoft cloud services.
Visit the Service Trust Portal: https://aka.ms/stp
It includes:
- Audit reports from third-party assessors (e.g., SOC, ISO, FedRAMP)
- Regulatory compliance guides and whitepapers
- Risk assessment templates and control implementation details
- AI-specific compliance documentation, including ISO 42001 alignment and risk assessments for Microsoft Copilot and Azure OpenAI
*Access requires authentication via Microsoft Entra ID and acceptance of Microsoft’s NDA for compliance materials.
The ATO/ATU Process for Microsoft Cloud Services
Microsoft cloud services—including Azure, Microsoft 365, Dynamics and Power Apps—are designed to meet federal compliance standards:
- FedRAMP High Authorization: Azure and Microsoft 365 (GCC, GCC High, DoD) have received FedRAMP High P-ATOs from the Joint Authorization Board (JAB).
- Azure OpenAI Service: Now FedRAMP High authorized, enabling agencies to use GPT-4, GPT-3.5, and GPT-4o models securely within Azure Government.
- Copilot for Microsoft 365 GCC High and DoD: Targeted for GA in Summer 2025, pending government authorization.
To achieve an ATO or ATU:
- Review STP documentation for existing authorizations and control mappings.
- Develop a System Security Plan (SSP) using Microsoft’s templates aligned to NIST SP 800-53.
- Engage a Third Party Assessment Organization (3PAO) for independent assessment, or leverage existing P-ATO packages.
- Submit documentation to the authorizing agency.
Creating a System Security Plan (SSP)
An SSP outlines how a cloud service provider implements security controls. Microsoft provides:
- Pre-filled control responses for Azure and Microsoft 365
- Architecture diagrams and data flow models
- Control implementation details for shared, customer, and Microsoft-managed responsibilities
These resources are available via the STP and Azure Policy.
Shared Responsibility Model
Microsoft operates under a shared responsibility model for cloud security and compliance. This model defines the division of responsibilities between Microsoft and the customer:
- Microsoft's responsibilities include securing the physical infrastructure, network, hypervisor, and foundational services.
- Customer responsibilities include configuring services securely, managing identities and access, protecting data, and ensuring compliance with internal policies.
For example:
- In IaaS (Infrastructure as a Service), customers manage operating systems, applications, and data.
- In PaaS (Platform as a Service), customers manage applications and data.
- In SaaS (Software as a Service), customers primarily manage data and user access.
Understanding and implementing controls within this model is essential for achieving and maintaining an ATO or ATU.
Ongoing Risk Assessment and Compliance Monitoring
Microsoft provides a suite of tools for continuous compliance and risk management:
Azure
- Azure Policy: Enforces compliance rules across resources.
- Microsoft Defender for Cloud: Offers threat protection and compliance insights.
Microsoft 365
- Microsoft Purview Compliance Manager: Provides over 320 regulatory templates, compliance scoring, and continuous control assessments.
- Microsoft Defender for Office 365: Protects against phishing, malware, and insider threats.
- Microsoft Entra ID Protection: Implements Conditional Access and identity governance.
- Secure Score: Quantifies security posture and recommends improvements.
These tools support multicloud environments and integrate with AWS and GCP for unified compliance management.
Conclusion
Microsoft’s cloud ecosystem is built to support government agencies in achieving and maintaining ATO and ATU. With FedRAMP High-authorized services, AI compliance documentation, and powerful monitoring tools, agencies can confidently adopt Azure and Microsoft 365 while meeting the most stringent regulatory requirements.
Join the Discussion
Are you planning for AI in a government tenant? Already configuring access or testing use cases?
Join the conversation below to ask questions, share deployment insights, and connect with other public sector professionals working with Microsoft capabilities. Your feedback and experience help strengthen the community.