Azure Government or Azure Commercial for CJIS 6.0: Choosing Your Compliance Path
Since 2014, United States criminal justice agencies have trusted Microsoft Azure Government to manage Criminal Justice Information (CJI). Built exclusively for regulated government data, it provides datacenters with physical, network, and logical isolation and is operated by CJIS-screened U.S. persons, the "gold standard" for compliance. Flexibility matters for modern agencies, though. As first announced with the release of CJIS Security Policy (CJISSECPOL) v5.9.1, agencies have the option to use Azure Commercial for CJIS workloads by relying on technical controls in place of traditional personnel screening.

With the release of CJIS Security Policy 6.0, this hybrid landscape has evolved. The new policy moves beyond simple access control toward a Zero Trust framework that minimizes implicit trust, verifies every request, and requires continuous monitoring.

What's New in CJIS 6.0?

The 6.0 update (released late 2024) is a modernization overhaul. Key changes include:

- Phishing-Resistant MFA: strict requirements for FIDO2 or certificate-based authentication for all privileged access.
- Continuous Monitoring: a shift from point-in-time audits to real-time threat detection and automated logging.
- Supply Chain Risk Management: enhanced vetting of third-party software and vendors.

The Choice: Azure Government or Azure Commercial

Criminal justice agencies can still choose between our two distinct offerings, but the "how" of compliance differs:

- Azure Government: the path of personnel screening. Microsoft executes CJIS Management Agreements with state CJIS Systems Agencies that include their screening of Microsoft personnel. This offers the broadest feature set with the simplest compliance burden.
- Azure Commercial: the path of technical controls. Because Azure Commercial support staff are not CJIS-screened, compliance relies on the agency implementing Customer Managed Key (CMK) encryption so that Microsoft cannot access unencrypted criminal justice information, effectively removing Microsoft staff from the scope of trust.

Our Commitment

Whether you choose the physically isolated Azure Government or the global scale of Azure Commercial, Microsoft provides the tools (Entra ID, Azure Key Vault, and Microsoft Sentinel) to meet the rigorous demands of CJIS 6.0.

Step-by-Step Walkthrough for CJIS 6.0 in Azure Commercial

Managing CJI in Azure Commercial requires you to bridge the gap between standard commercial security and CJIS compliance with your own configuration. Because Microsoft Commercial staff are not CJIS-screened, you must ensure they can never see unencrypted data.

Phase 1: Foundation & Residency

Step 1: Restrict Data Residency

CJIS 6.0 mandates that CJI must not leave the United States.

Action: Deploy all Azure resources (compute, storage, disks, networking, monitoring, logging, backups, etc.) exclusively in US regions (e.g., East US, West US, Central US). Check the secondary location of anything geo-redundant as well (storage accounts, backup vaults, workspace replication); the paired region is also a place where CJI lands.

Policy: Use Azure Policy to deny the creation of resources in non-US regions to prevent accidental drift. Assign the built-in "Allowed locations" definition (and its companion "Allowed locations for resource groups") at management group or subscription scope rather than per resource group, so new subscriptions and resource groups inherit the restriction.

- Documentation: Tutorial: Manage tag governance with Azure Policy (see the "Allowed locations" built-in policy).
- Documentation: Azure Policy built-in definitions and assignment (Allowed locations).
- Documentation: Details of the "Allowed locations" policy definition.

Phase 2: The "Technical Control" (Encryption)

This is the most critical step for Azure Commercial.

Step 2: Implement Customer Managed Keys (CMK)

To meet CJIS requirements in Azure Commercial, which is operated by Microsoft personnel who are not CJIS-screened, you must use encryption where you hold the keys and Microsoft has no access to them.

Action: Provision Azure Key Vault (Premium) or Managed HSM for FIPS 140-2 Level 2/3 compliance. Enable soft delete and purge protection on the vault: Disk Encryption Sets and Storage CMK require both, and without them an accidental or malicious key deletion makes every byte of CJI under that key unrecoverable. The vault itself must also live in a US region.

- Documentation: About Azure Key Vault Premium and HSMs.
- Documentation: Secure your Azure Managed HSM deployment.
Action: Generate your encryption keys within your HSM or import them from on-premises.

- Documentation: How to generate and transfer HSM-protected keys (BYOK).

Action: Configure Disk Encryption Sets and Storage Account encryption to use these keys. Do not use the default "Microsoft Managed Key" setting.

- Documentation: Server-side encryption of Azure Disk Storage (CMK).
- Documentation: Configure customer-managed keys for Azure Storage.
- Documentation: Services that support customer-managed keys (CMKs).

Step 3: Client-Side Encryption (For SaaS/PaaS)

For data processing, encrypt before the data reaches Azure.

Action: Ensure applications encrypt CJI at the application layer before writing to databases (Azure SQL Database, Cosmos DB). This ensures that even a database administrator with platform access sees only ciphertext. Expect a trade-off in query capability: with Always Encrypted, only deterministically encrypted columns support equality lookups, and randomized encryption supports no server-side filtering at all, so decide which CJI fields must be searchable before choosing an encryption type.

Step 3b (optional): Protecting CJI While In Use (Confidential Compute)

CJIS Security Policy 6.0 requires that Criminal Justice Information be protected at rest, in transit, and in use. In Azure Commercial, once CJI is decrypted for processing by an application, traditional encryption controls (including CMK) no longer protect the data from platform-level access risks such as memory inspection, diagnostics, or hypervisor operations. To address this risk, agencies may implement Azure Confidential Computing, which uses hardware-backed Trusted Execution Environments (TEEs) to isolate data in memory and prevent access by cloud provider personnel, even at the infrastructure layer. The isolation is only as strong as its attestation: release the CMK to the workload only after the TEE's attestation report has been verified (Key Vault's secure key release against Microsoft Azure Attestation does this), otherwise an unattested VM can ask for the same key.

- Documentation: Always Encrypted for Azure SQL Database.
- Documentation: Client-side encryption for Azure Cosmos DB.
- Documentation: Confidential Computing.
- Documentation: Confidential Compute Offerings.

Phase 3: Identity & Access (CJIS 6.0 Focus)

Step 4: Phishing-Resistant MFA

CJIS 6.0 raises the bar for Multi-Factor Authentication (MFA). SMS and simple push notifications may no longer suffice for privileged roles.

Action: Deploy Microsoft Entra ID (formerly Azure AD).

- Documentation: What is Microsoft Entra ID?

Action: Enforce FIDO2 security keys (such as YubiKeys) or Certificate-Based Authentication (CBA) for all users accessing CJI. In Entra ID this is a Conditional Access policy whose grant control is the built-in "Phishing-resistant MFA" authentication strength; create it in report-only mode first so you can see who would be locked out before enforcing it.

- Documentation: Enable passkeys (FIDO2) for your organization.
- Documentation: How to configure Certificate-Based Authentication in Entra ID.

Phase 4: Continuous Monitoring

Step 5: Unified Audit Logging

You must retain audit logs for at least one year (or longer depending on state rules) and review them weekly.

Action: Enable Diagnostic Settings on all CJIS resources to stream logs to an Azure Log Analytics workspace. Set the workspace retention to at least 365 days; the 90 days of retention included with Sentinel does not by itself meet the one-year requirement.

- Documentation: Create diagnostic settings in Azure Monitor.

Action: Deploy Microsoft Sentinel on top of Log Analytics.

- Documentation: Quickstart: Onboard Microsoft Sentinel.

Action: Configure Sentinel analytics rules to detect anomalies (e.g., "Mass download of CJI," "Access from foreign IP").

- Documentation: Detect threats out-of-the-box with Sentinel analytics rules.

Phase 5: Endpoint & Mobile

Step 6: Mobile Device Management (MDM)

If CJI is accessed on mobile devices (MDTs, tablets), CJIS 6.0 requires remote wipe and encryption capability.

Action: Enroll devices in Microsoft Intune.

- Documentation: Enroll Windows devices in Intune.
- Documentation: Enroll iOS/iPadOS devices in Intune.

Action: Create a Compliance Policy requiring BitLocker/FileVault encryption and complex PINs.

- Documentation: Create a compliance policy in Microsoft Intune.
- Documentation: Manage BitLocker policy for Windows devices with Intune.

Action: Configure App Protection Policies to ensure CJI cannot be copied or pasted into unmanaged apps (such as personal email).

- Documentation: App protection policies overview.
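The following PowerShell is an added example, not code from the original post or Microsoft reference material. It carries Steps 1, 2, 4 and 5 above through end to end in one subscription: the US-only location policy, a Premium Key Vault with an HSM-protected key driving a Disk Encryption Set and a CMK-encrypted storage account, a report-only Conditional Access policy requiring the phishing-resistant authentication strength, and a one-year-retention workspace with diagnostic settings, Sentinel, and a non-US sign-in rule. Every resource name, the region list and the "CJI-Users" group are assumptions; the built-in "Allowed locations" definition id is quoted as it appears in Azure Policy, but confirm it in your own tenant. Steps 3 and 6 (application-layer encryption and Intune) are not covered here.

```powershell
# Added example, not code from the original post or Microsoft reference material. Carries
# Steps 1, 2, 4 and 5 above through end to end. Requires the Az and Microsoft.Graph modules
# and a caller with Owner on the subscription and Conditional Access Administrator in the tenant.
# Every name below, the region list and the group name are assumptions; change them first.
$ErrorActionPreference = 'Stop'
$rg        = 'rg-cji-prod'                  # assumed resource group
$location  = 'eastus'
$usRegions = @('eastus', 'eastus2', 'westus', 'westus2', 'westus3',
               'centralus', 'northcentralus', 'southcentralus', 'westcentralus')
$kvName    = 'kv-cji-prod-01'               # assumed; must be globally unique
$stName    = 'stcjiprod01'                  # assumed; globally unique, lowercase, 3-24 chars
$lawName   = 'law-cji-prod'                 # assumed Log Analytics workspace
$cjiGroup  = 'CJI-Users'                    # assumed Entra ID group containing every CJI user

Connect-AzAccount | Out-Null
$subId = (Get-AzContext).Subscription.Id
New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# Step 1 (residency): assign the built-in "Allowed locations" policy (effect: Deny) at subscription
# scope so nothing can be created outside US regions. The id is the built-in definition's id;
# confirm it in your tenant with Get-AzPolicyDefinition -Builtin.
$allowedLoc = Get-AzPolicyDefinition -Id '/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c'
New-AzPolicyAssignment -Name 'cjis-us-regions-only' -DisplayName 'CJIS: US regions only' `
    -Scope "/subscriptions/$subId" -PolicyDefinition $allowedLoc `
    -PolicyParameterObject @{ listOfAllowedLocations = $usRegions } | Out-Null

# Step 2 (CMK): Premium vault for HSM-protected keys, RBAC permission model, purge protection.
# Disk Encryption Sets and Storage CMK both require soft delete + purge protection on the vault.
$kv = New-AzKeyVault -Name $kvName -ResourceGroupName $rg -Location $location -Sku Premium `
        -EnablePurgeProtection -EnableRbacAuthorization
$meId = (Get-AzADUser -SignedIn).Id
New-AzRoleAssignment -ObjectId $meId -RoleDefinitionName 'Key Vault Crypto Officer' `
    -Scope $kv.ResourceId | Out-Null
Start-Sleep -Seconds 60                     # let the RBAC grant propagate before the first key op
$key = Add-AzKeyVaultKey -VaultName $kvName -Name 'cji-cmk-01' -Destination HSM -KeyType RSA -Size 3072

# Disk Encryption Set: OS and data disks attached to it are encrypted with the agency-held key.
$desCfg = New-AzDiskEncryptionSetConfig -Location $location -SourceVaultId $kv.ResourceId `
            -KeyUrl $key.Id -IdentityType SystemAssigned -EncryptionType EncryptionAtRestWithCustomerKey
$des = New-AzDiskEncryptionSet -ResourceGroupName $rg -Name 'des-cji-prod' -InputObject $desCfg
New-AzRoleAssignment -ObjectId $des.Identity.PrincipalId `
    -RoleDefinitionName 'Key Vault Crypto Service Encryption User' -Scope $kv.ResourceId | Out-Null

# Storage account: never leave the default Microsoft-managed key. ZRS keeps all replicas in-region;
# if you need GRS, confirm the paired region is also in the US.
$st = New-AzStorageAccount -ResourceGroupName $rg -Name $stName -Location $location `
        -SkuName Standard_ZRS -Kind StorageV2 -AssignIdentity `
        -AllowBlobPublicAccess $false -MinimumTlsVersion TLS1_2
New-AzRoleAssignment -ObjectId $st.Identity.PrincipalId `
    -RoleDefinitionName 'Key Vault Crypto Service Encryption User' -Scope $kv.ResourceId | Out-Null
Start-Sleep -Seconds 60
# No -KeyVersion: Storage follows the latest key version, so rotation needs no redeploy.
Set-AzStorageAccount -ResourceGroupName $rg -Name $stName -KeyvaultEncryption `
    -KeyName $key.Name -KeyVaultUri $kv.VaultUri | Out-Null

# Step 4 (identity): Conditional Access granting access to the CJI group only with the built-in
# "Phishing-resistant MFA" authentication strength (FIDO2 passkeys, CBA, Windows Hello for Business).
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All' | Out-Null
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
            Where-Object { $_.DisplayName -eq 'Phishing-resistant MFA' }
$groupId  = (Get-MgGroup -Filter "displayName eq '$cjiGroup'").Id
$caPolicy = @{
    displayName   = 'CJIS 6.0: phishing-resistant MFA for CJI access'
    state         = 'enabledForReportingButNotEnforced'   # report-only first; set 'enabled' after review
    conditions    = @{
        users          = @{ includeGroups = @($groupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        builtInControls        = @()
        authenticationStrength = @{ id = $strength.Id }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy | Out-Null

# Step 5 (monitoring): one-year retention, diagnostic logs from the vault and the blob service,
# Sentinel onboarded, and a scheduled rule for successful sign-ins from outside the United States.
$law = New-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $lawName -Location $location `
         -Sku PerGB2018 -RetentionInDays 365
$allLogs = New-AzDiagnosticSettingLogSettingsObject -Enabled $true -CategoryGroup allLogs
foreach ($resId in @($kv.ResourceId, "$($st.Id)/blobServices/default")) {
    New-AzDiagnosticSetting -Name 'cjis-audit-to-law' -ResourceId $resId `
        -WorkspaceId $law.ResourceId -Log $allLogs | Out-Null
}
New-AzSentinelOnboardingState -ResourceGroupName $rg -WorkspaceName $lawName -Name 'default' | Out-Null
# SigninLogs.Location is an ISO country code; the Entra ID data connector must already feed the workspace.
$kql = @'
SigninLogs
| where ResultType == 0 and isnotempty(Location) and Location != "US"
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress, Location, DeviceDetail
'@
New-AzSentinelAlertRule -ResourceGroupName $rg -WorkspaceName $lawName -Kind Scheduled `
    -DisplayName 'CJI sign-in from outside the United States' -Severity High -Enabled `
    -Query $kql -QueryFrequency (New-TimeSpan -Minutes 15) -QueryPeriod (New-TimeSpan -Minutes 15) `
    -TriggerOperator GreaterThan -TriggerThreshold 0 | Out-Null
```

Two design choices worth noting. The Conditional Access policy is created in report-only state deliberately: a tenant-wide phishing-resistant requirement that is switched straight to enforced will lock out every account that has not yet registered a passkey or certificate, including the administrator running the script. Review the report-only sign-in log for a week, then change the state to "enabled". The Disk Encryption Set and storage account each get their own managed identity with only the Crypto Service Encryption User role, which can wrap and unwrap but not read, export or delete the key; the agency keeps Crypto Officer, so the key-control boundary the SSP describes in Step 7 is visible in the role assignments rather than asserted on paper.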
Phase 6: Personnel & Documentation

Step 7: Update your SEIP/SSP

Since you are using Azure Commercial, your System Security Plan (SSP) must explicitly state that you are using encryption as the compensating control for the lack of vendor personnel screening.

Action: Document the CMK architecture in your CJIS audit packet.

Action: Ensure your agency's "CJI Administrators" (who manage the Azure keys) have met the policy's personnel screening requirements.

- Documentation: Microsoft CJIS Audit Scope & Personnel Screening (Reference).

How do I add two personal accounts to the Microsoft Learn portal?
Hi Community,

How do I add two personal accounts to the Microsoft Learn portal so that I can see all my certifications in one place? I have done my Microsoft certifications using two different personal accounts. When I try to do it, I get the error "You can only have one personal account linked". Can someone advise or point me in the right direction on how to approach Microsoft to help me resolve this issue?

Regards

Two Public Sector Roundtables at PPCC25
Heading to the Power Platform Community Conference in Las Vegas? Don't miss two sessions designed for the public sector. The Microsoft Sovereign Cloud Architect Panel gives U.S. GCC, GCC High, and DoD customers direct access to Microsoft experts for roadmap and security insights. Meanwhile, Powering Public Impact brings together global government and education leaders to share strategies for governance, AI adoption, and scaling low-code innovation. Join these conversations to learn, connect, and shape the future of digital transformation in government.

Breaking the Search Habit
In today's fast-paced digital world, digital workers of all kinds are constantly seeking ways to streamline their workflows and enhance productivity. One of the most exciting new tools available is Copilot, an "answer engine" that goes beyond the capabilities of traditional search engines. To help illustrate the unique benefits of Copilot, I recently hosted a game show-style event showcasing its ability to synthesize information from multiple sources and provide comprehensive answers, saving time and energy. The best part? I used Copilot itself to help me create the framework for this game show in just a few minutes. I'll include the prompts and responses I used at the end of this article so you can see just how easy it was.

A special thanks to all those who attended our recent Tribal Nations conference and learning event, where leaders from some of America's most tech-forward tribes came to explore what Copilot could do to bring greater productivity and equity to their members and business interests.

So, why a game show format? I believe that engagement == better learning, so the game show format was designed to be interactive and quasi-competitive, making it easy and fun for participants to grasp the differences between Copilot and standard search engine experiences in a memorable way. The event featured a series of fun activities and challenges that highlighted Copilot's conversational ease and ability to provide composite answers. For example, participants were asked to solve complex queries using both Copilot and traditional search engines, demonstrating how Copilot's approach simplifies the process. For extra fun, Copilot also provided me with taglines, slogans, and even a fun graphic, all in literally just a few minutes. I went from idea to implementation in under 20 minutes.
Copilot is an Answer Engine

Unlike traditional search engines that require multiple queries and manual collation of information, Copilot acts as an answer engine, synthesizing data from various sources to provide a single, comprehensive response. The game show showcased activities where participants experienced firsthand how Copilot can save valuable time and effort. By leveraging Copilot, information professionals can focus on more strategic tasks rather than getting bogged down in repetitive search queries.

I find this an incredibly important distinction for a couple of reasons. First, we've all adopted search syntax as a second language. When we sit down at that search prompt we choose the right keywords, in the right order, and heck, we've gotten pretty good at it. But the same string of keywords sent to Copilot frequently disappoints. It can be a challenge to trust the natural language capabilities of Copilot to hear and understand (and communicate back!) without using stilted search syntax tricks. Second, part of how Copilot differentiates itself from standard search queries is that it can actually retrieve information from disparate sources to compare and collate its response. The more specific and natural-language your question, the better it seems to respond.

An example that seemed to resonate with folks during the gameplay: "I am a 49 year old cloud solution architect with 27 years of experience in the IT field, living in the Seattle area and I'm considering moving to Tampa Bay Florida. What can I expect in terms of changes to my cost of living and compensation?"

What's important to note is that both contestants are likely to generate an answer, but Copilot excelled by doing it faster and more comprehensively, collating and presenting data from several different searches as a complete answer. It also self-cites, so you can quickly vet your information sources!
Most importantly, it invites follow-up questions in a conversational manner that lets you dig further into details or compare more broadly in the abstract. Here's a quick screenshot of the reply generated in just seconds:

Breaking the Search Habit

The tagline "breaking the search habit" captures the key takeaway from the event. Copilot offers a different experience, emphasizing conversational ease over specific search syntax. Participants learned that talking to Copilot is more intuitive and efficient, allowing them to obtain the information they need without the hassle of crafting precise search queries and then stitching together data from across a dozen different web results. This shift in approach can significantly enhance productivity and streamline workflows.

Conclusion

The game show event was a resounding success, providing participants with a fun and informative way to understand the benefits of Copilot. By breaking the search habit and embracing Copilot's answer engine capabilities, they unlocked new levels of efficiency and productivity. I encourage everyone to explore Copilot and experience the difference for themselves, and I hope that this approach can be a fun and engaging way to help folks in your organization add a powerful new capability to their toolkits.

As promised, here are the handful of interactions with Copilot that produced everything I needed to make this fun game show in just minutes...

Microsoft Ignite session: AI for the Public Sector with Microsoft 365 Copilot GCC available Nov 19
In today's rapidly evolving digital landscape, the public sector stands at the forefront of innovation, driven by the transformative power of AI. Microsoft 365 Copilot GCC (Government Community Cloud) is set to change how public sector organizations operate, offering new capabilities that augment human capabilities, streamline workflows, and support compliance with stringent security standards.

AI for the Public Sector with Microsoft 365 Copilot GCC - OD803

Our Ignite On Demand session delves into the many ways Microsoft 365 Copilot GCC can empower your public sector organization, from automating routine tasks to providing actionable insights that drive mission-critical decisions. We invite you to watch this session and discover how you can harness the power of AI to elevate your organization's capabilities.

Microsoft Ignite | November 18-22, 2024 | ignite.microsoft.com

The '101 on Microsoft Ignite 2024'

What: Microsoft Ignite to learn more | Full Session scheduler
Where: Hybrid | Chicago, IL (sold out) and Global Digital (online; free to register)
When: November 18-22, 2024
Primary X handle & official hashtag: #MSIgnite (join in) AND follow @MicrosoftTeams, @SharePoint, @OneDrive, and @Events_MSFT

The Ignite presentation highlights several key areas where Microsoft 365 Copilot GCC can make a significant impact for public sector strategists. We explore the role of AI in the public sector, emphasizing how AI can alleviate the burden of digital debt by automating repetitive tasks and optimizing workflows. The session also showcases the features of Microsoft 365 Copilot GCC, such as Microsoft 365 Copilot Business Chat and AI-driven insights embedded in the apps you use every day: Word, Excel, PowerPoint, Teams, and Outlook. Additionally, the presentation underscores the importance of responsible AI practices and data privacy, detailing Microsoft's commitment to security and compliance within the GCC environment.
To start building your AI skills today and prepare your organization for the future, we encourage you to explore the following resources:

- Microsoft 365 Copilot GCC Blog: aka.ms/M365CopilotGCCBlog
- Microsoft 365 Copilot GCC High/DOD Blog: aka.ms/MS365CopilotGCCHighBlog
- Microsoft 365 Copilot – Readiness and Adoption Guide for Public Sector
- Roadmap ID # 415097 - Microsoft 365 Copilot GCC general availability (the product referenced in this blog). The service description will be updated prior to general availability.
- Roadmap ID # 464984 - Microsoft Copilot general availability for GCC; more information will be shared on this product closer to launch. Current information for the WW/Enterprise environment on the differences between these two products can be referenced here.

Additionally, you can learn more about the roadmap for government AI adoption and specific Copilot scenarios for the US government. By leveraging these resources, you can ensure your organization is well-equipped to navigate the AI-driven future and deliver exceptional public services.

- The Roadmap for Government AI Adoption
- US Gov specific Copilot Scenarios content

Other Microsoft 365 Copilot resources (environment agnostic):

- 3 short explainer videos: Microsoft 365 Copilot data security and privacy commitments
- Microsoft 365 - How Microsoft 365 Delivers Trustworthy AI (2024-01)
- Data, Privacy, and Security for Microsoft 365 Copilot
- Secure by default with Microsoft Purview and protect against oversharing
- Microsoft Purview data security and compliance protections for Microsoft Copilot
- Apply principles of Zero Trust to Microsoft 365 Copilot
- Learn about retention for Microsoft 365 Copilot

This blog was written with support from Microsoft 365 Copilot, my AI assistant for work.