Microsoft has secured updated IRAP assessments for Azure, Dynamics 365, and Microsoft 365, enabling Australian government agencies to deploy protected workloads across its cloud platforms. The certifications cover the PROTECTED classification—Australia's second-highest security tier for sensitive government information—and represent Microsoft's most comprehensive compliance offering for the Australian public sector to date.

What IRAP Certification Means for Australian Government Agencies

IRAP—the Information Security Registered Assessors Program—is Australia's mandatory framework for assessing cloud services used by government entities. Unlike self-assessments or vendor claims, IRAP involves independent third-party evaluation by certified assessors who verify security controls against the Australian Government's Protective Security Policy Framework (PSPF) and Information Security Manual (ISM).

For Australian government agencies, this certification means they can legally store and process PROTECTED-level data in Microsoft's cloud services without requiring additional security authorizations. PROTECTED data includes sensitive but unclassified information that could cause damage to national security, law enforcement, or individual privacy if compromised.

Technical Scope of the Updated Assessments

The updated assessments cover Microsoft's entire cloud ecosystem relevant to government operations:

Azure Services:
- Azure Government regions in Australia (specifically Australia East and Australia Southeast)
- Core infrastructure services including compute, storage, networking, and identity management
- Platform services like Azure SQL Database, Azure App Service, and Azure Kubernetes Service
- Security services such as Azure Security Center, Azure Sentinel, and Azure Active Directory

Microsoft 365 Services:
- Office 365 applications (Word, Excel, PowerPoint, Outlook)
- Collaboration tools including Teams, SharePoint Online, and OneDrive for Business
- Security and compliance features like Microsoft Defender for Office 365 and Compliance Manager
- Enterprise Mobility + Security components

Dynamics 365 Services:
- Customer engagement modules (Sales, Customer Service, Field Service)
- Finance and operations applications
- Power Platform integration capabilities

All services must be deployed through Microsoft's Australian datacentres to maintain compliance. The certification specifically excludes services hosted outside Australia and consumer-facing products like Xbox or consumer Skype.

Security Controls and Implementation Requirements

Microsoft's implementation addresses 1,200+ security controls required for PROTECTED workloads. Key technical requirements include:

Data Sovereignty: All PROTECTED data must reside exclusively within Australian datacentres, with no replication to offshore facilities. Microsoft employs geo-fencing and access controls to enforce this boundary.

Encryption: Data at rest is encrypted using FIPS 140-2 validated cryptographic modules, with customer-managed keys available through Azure Key Vault; data in transit requires Transport Layer Security (TLS) 1.2 or higher.

Identity and Access Management: Multi-factor authentication mandatory for all administrative access. Privileged Identity Management with just-in-time elevation for high-risk operations. Integration with Australian government identity providers via SAML 2.0 or OpenID Connect.

Network Security: Isolated government network connections via ExpressRoute for Government. Network security groups and Azure Firewall for micro-segmentation. Distributed denial-of-service (DDoS) protection at platform and tenant levels.

Monitoring and Logging: Comprehensive audit logging with 12-month retention. Security information and event management (SIEM) integration via Azure Sentinel. Real-time threat detection with automated response playbooks.

Physical Security: Microsoft's Australian datacentres comply with PSPF requirements for physical access controls, environmental protections, and personnel screening. Facilities maintain multiple layers of biometric authentication, 24/7 monitoring, and redundant utility connections.

Deployment Models and Configuration Requirements

Government agencies cannot simply subscribe to standard commercial offerings and achieve compliance. Specific deployment configurations are mandatory:

Azure: Agencies must use Azure Government offerings rather than commercial Azure. Tenant isolation is enforced through dedicated infrastructure with enhanced security monitoring. Certain services require specific configurations—for example, Azure Virtual Machines must use approved operating system images from the Azure Marketplace.

Microsoft 365: Agencies need Government Community Cloud (GCC) High or Department of Defense (DoD) instances, not commercial Microsoft 365. Data loss prevention policies must be configured to prevent PROTECTED data from being shared externally. Teams meetings involving PROTECTED information require specific security settings.

Dynamics 365: Separate government instances with enhanced security monitoring. Customizations must undergo security review before deployment. Integration with other systems requires secure API configurations with certificate-based authentication.

All deployments require continuous compliance monitoring through Microsoft's Compliance Manager, with agencies responsible for maintaining their security configurations and user access controls.

Practical Implications for Government Digital Transformation

The updated IRAP assessments arrive as Australian government agencies accelerate cloud adoption. The Digital Transformation Agency's 2023 Cloud Strategic Framework mandates cloud-first approaches for all new systems, with exceptions requiring ministerial approval.

For agencies migrating legacy systems, the certification reduces compliance overhead significantly. Previously, each agency needed to conduct individual security assessments for Microsoft services. Now they can leverage Microsoft's IRAP certification as a foundation, focusing their resources on agency-specific configurations and risk assessments rather than platform-level evaluations.

Smaller agencies particularly benefit. Without the budget for extensive security teams, they can now access enterprise-grade security through Microsoft's shared responsibility model. Microsoft handles platform security, while agencies manage their data, identities, and access controls.

Integration with Other Compliance Frameworks

Microsoft's Australian cloud services maintain multiple overlapping certifications:

  • ISO 27001: International information security standard
  • SOC 1, 2, and 3: Service organization controls for financial and operational reporting
  • FedRAMP Moderate (USA): Equivalent to Australian PROTECTED level
  • CSPF (New Zealand): New Zealand government cloud security framework

For agencies working with international partners, these overlapping certifications simplify cross-border collaborations. An Australian agency can share PROTECTED data with a U.S. federal agency using Microsoft's FedRAMP-authorized services, provided both parties maintain appropriate security configurations.

Limitations and Agency Responsibilities

IRAP certification doesn't guarantee security—it validates that Microsoft's platforms can support secure implementations. Agencies remain responsible for:

  1. Configuration Management: Properly configuring security settings for their specific workloads
  2. Identity Governance: Managing user access, role assignments, and privilege escalation
  3. Data Classification: Correctly identifying PROTECTED data and applying appropriate controls
  4. Incident Response: Developing and testing agency-specific response plans
  5. Continuous Monitoring: Regularly reviewing security logs and compliance status

Microsoft provides tools like Compliance Manager and Secure Score, but agencies must actively use them. The Australian Cyber Security Centre (ACSC) recommends monthly security reviews for PROTECTED systems.

Future Developments and Strategic Implications

Microsoft's investment in Australian government compliance reflects broader strategic priorities. The company has committed $5 billion to expanding its Australian datacentre footprint over the next two years, with additional regions planned for Canberra and other capital cities.

Technologically, Microsoft is developing Australian sovereign cloud capabilities. While not yet IRAP-assessed, these would provide enhanced data isolation for the most sensitive workloads. Early discussions suggest sovereign cloud would include dedicated infrastructure operated exclusively by Australian citizens with no foreign access—even for Microsoft support personnel.

For competing cloud providers, Microsoft's comprehensive IRAP coverage creates significant market pressure. While AWS and Google Cloud maintain IRAP certifications for some services, Microsoft's integrated offering across Azure, Microsoft 365, and Dynamics 365 provides a unified compliance story that appeals to agencies seeking to consolidate vendors.

Implementation Recommendations for Agencies

Agencies planning PROTECTED workloads on Microsoft platforms should:

Start with Architecture Review: Engage Microsoft's government cloud architects before procurement. Design systems with security and compliance as foundational requirements, not afterthoughts.

Implement Phased Migration: Begin with less sensitive workloads to establish operational patterns. Develop migration factories that incorporate security validation at each stage.

Invest in Skills Development: Cloud security requires different skills than traditional datacentre security. Budget for training existing staff or hiring specialists in cloud security architecture and compliance automation.

Establish Governance Early: Define clear policies for data classification, access management, and incident response before deploying PROTECTED data. Use Microsoft's policy templates as starting points but customize for agency-specific requirements.

Leverage Automation: Manual security processes don't scale in cloud environments. Implement Infrastructure as Code (IaC) with built-in compliance checks. Use Azure Policy and Microsoft 365 compliance tools to enforce standards automatically.
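The data sovereignty boundary described under Security Controls (no PROTECTED resources outside the Australian regions) is the kind of standard Azure Policy can enforce automatically. The Bicep file below is an added example, not Microsoft's own policy or anything from the original article; it assumes the two regions named earlier, australiaeast and australiasoutheast, are the only permitted deployment locations, that it is deployed at subscription scope, and the resource names are hypothetical.

```bicep
targetScope = 'subscription'

// Constructed example: the two Azure regions the assessment covers.
param allowedLocations array = [
  'australiaeast'
  'australiasoutheast'
]

// Custom definition: deny any resource whose location is outside the list.
// Resources with location 'global' (for example DNS zones) have no region and pass.
resource denyOffshoreLocations 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'irap-deny-offshore-locations'  // hypothetical name
  properties: {
    displayName: 'Deny resources outside IRAP-assessed Australian regions'
    policyType: 'Custom'
    mode: 'Indexed'
    policyRule: {
      if: {
        allOf: [
          {
            field: 'location'
            notIn: allowedLocations
          }
          {
            field: 'location'
            notEquals: 'global'
          }
        ]
      }
      then: {
        effect: 'deny'
      }
    }
  }
}

// Assign at subscription scope so every deployment is checked before it runs.
resource irapLocationAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'irap-allowed-locations'  // hypothetical name
  properties: {
    displayName: 'IRAP PROTECTED: Australian regions only'
    policyDefinitionId: denyOffshoreLocations.id
    enforcementMode: 'Default'
  }
}
```

Deploy it with `az deployment sub create --location australiaeast --template-file <file>.bicep`; once assigned, any attempt to create a regional resource outside the two listed regions is rejected at deployment time, and Azure Policy's compliance view reports the existing resources that already violate the rule.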

Plan for Continuous Compliance: Security isn't a one-time assessment. Implement regular compliance reviews, automated monitoring, and periodic re-assessment schedules. Microsoft updates its services monthly—agencies must track these changes for security implications.

The updated IRAP assessments represent both opportunity and responsibility for Australian government agencies. Microsoft has built a compliant platform, but agencies must build secure implementations on that foundation. Those who approach cloud adoption as a technical and cultural transformation—not just a technology migration—will realize the greatest benefits while maintaining the security standards Australians expect from their government.