FAQ: What Microsoft Azure and Microsoft Office 365 OFFICIAL accreditation means for your organisation

Microsoft Azure and Microsoft Office 365 now hold the UK Government’s recently launched “OFFICIAL” accreditation.

What does that mean?

It means that Microsoft Azure, an Infrastructure-as-a-Service and Platform-as-a-Service cloud computing platform, and Office 365, Microsoft’s public cloud productivity suite for e-mail, collaboration and unified communications, are now accredited to hold or transact public sector data for business conducted at the OFFICIAL level of Security Classification.

What data is considered “OFFICIAL”?

As defined by the documentation, ALL routine public sector business, operations and services and the data they involve should be treated as OFFICIAL - many departments and agencies will operate substantially or exclusively at this level.  

Examples of OFFICIAL business include:

  • The day-to-day business of government, service delivery and public finances.
  • Routine international relations and diplomatic activities.
  • Public safety, criminal justice and enforcement activities. 
  • Many aspects of defence, security and resilience.
  • Commercial interests, including information provided in confidence and intellectual property.
  • Personal information which falls under the protection of the Data Protection Act (1998) (which includes, for example, data such as health records).

Are these services available via G-Cloud?

Microsoft Office 365 and Microsoft Azure are just part of our offerings on the G-Cloud Framework, available through the CloudStore, demonstrating Microsoft’s commitment to supporting the UK government’s Cloud First policy, helping to reduce the cost of ICT and to achieve the aim of moving 50% of new ICT services to the cloud by 2015.

What services does Microsoft Office 365 include?

Microsoft Office 365 includes cloud-based versions of all your favourite productivity tools, including Outlook, Word, Excel and PowerPoint, and integrates them with Exchange Email, SharePoint collaboration (including content management and social networking), and Lync unified communications. SharePoint now includes OneDrive for Business, offering 1TB of storage per user and Lync includes instant messaging, presence and high-definition audio and video conferencing.  Learn more about what you can accomplish with Office 365.

Does it matter what device or platform I use to access those programs?

Microsoft Office 365 works happily in most common and modern browsers and is accredited to handle all OFFICIAL level work on a wide range of connected devices including laptops, tablets and smartphones when managed in line with the Government’sEnd User Device Guidance.

What does Microsoft Azure do?

Microsoft Azure supports the Government’s Digital-by-Default agenda and enables public sector organisations to develop and run applications for citizen-facing services, or departmental applications for internal users. It provides both Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) compute and storage capability on a pay-as-you-go basis, avoiding capital expenditure and the cost of running and maintaining expensive systems on-premise. It also offers a substantially more cost effective approach to data storage and backup, due to the massive economies of scale Microsoft can pass on to its customers.

What if my organisation prefers a private cloud solution?

Fortunately, Microsoft has also achieved Foundation Level Commercial Product Assurance for Windows Hyper-V, the first and, at the time of writing, only virtualisation product to do so.  This means that Windows Hyper-V is suitable to operate at multiple levels of threat and risk for OFFICIAL information inside UK government; facilitating its deployment for customers and partners delivering private cloud solutions inside government.

Where are Microsoft’s data centres?

Microsoft’s EU datacentres are based in Dublin and Amsterdam and Microsoft Office 365 and Microsoft Azure services comply with ISO 27001 standards and provide comprehensive data processing provisions to UK customers, incorporating EU Model Clauses – Europe’s data protection regulations.  Microsoft is the first – and so far only – company to receive this approval, which followed an extensive review by the Article 29 Working Party.  You can read more in Microsoft’s Official Blog on this topic.

My organisation already uses Microsoft Azure and Microsoft Office 365. What does the accreditation mean for me?

Adding the “OFFICIAL” accreditation provides additional peace of mind for public sector organisations, and the citizens they serve.  It will deliver confidence that information will continue to stay within the parameters defined by CESG.

I want my organisation’s IT needs to be met by a small- or medium-sized enterprise. What does this accreditation mean for SMEs?

The Microsoft Office 365 and Microsoft Azure platforms create a great opportunity for Microsoft’s SME Partner community, of which over 150 are already assured on the G-Cloud CloudStore marketplace.  These skilled and experienced partners can provide specialist cloud consultancy services or develop cost effective innovative apps for government users or citizen-facing services that exploit the scalability and reliability of a world-class cloud platform.  A great example is the Environment Agency’s FloodAlerts application,  hosted by Azure, and developed by UK SME Shoothill Ltd. This really put Azure to the test during the recent winter floods when millions of citizens were checking river levels. Learn more about the Environment Agency's story.

I’m interested in cloud tools, but I want to learn more before I make decisions.

This free ebook on getting started with cloud tools was written especially with the public sector in mind. It answers many common questions and provides concrete first steps to getting started with your journey to the cloud.

Comments (23)

  1. Phil says:

    This is good news!  

    How do you control access to Office 365 from non corporate  devices?  I.E if it is not a device configured as per End User Device Guidance just someone's home PC.

  2. Phil,

    Great question! At present you have to restrict access by IP. You can find a guide to doing this in different scenarios here: technet.microsoft.com/…/hh526961(v=ws.10).aspx

  3. Julian Campbell (MOD) says:


    I assume that since OFFICIAL SENSITIVE is part of OFFICIAL I could safely process and store information classified as OFFICIAL SENSITIVE within o365 and Azure?

  4. Hi Julian,

    I can think of no higher authority to point to than the official classification guidelines, specifically:

    ‘A limited subset of OFFICIAL information could have more damaging consequences (for individuals, an organisation or government generally) if it were lost, stolen or published in the media. This subset of information should still be managed within the ‘OFFICIAL’ classification tier, but may attract additional measures (generally procedural or personnel) to reinforce the ‘need to know’. In such cases where there is a clear and justifiable requirement to reinforce the ‘need to know', assets should be conspicuously marked: ‘OFFICIAL–SENSITIVE’


    Hope that's helpful to you.


  5. John says:

    How do you deal with housing the data in Ireland (outside of the UK). Also, will you be offering this service over the PSN?

  6. Robert Towney says:

    Hello, great article, but I can't fine on the Cloudstore any reference to this.

    Are you sure it has gone through PGA accreditation, because it is not listed as being.

    Hope to hear back from you soon,



  7. Hi John,

    That's a great question. Thanks for writing. I've got your answer below — excuse the formal language but these things require precise wording.


    Off-shoring of OFFICIAL information is permitted, however organisations should be aware of the following:

    • There are certain information types (e.g. information relating to national security or sensitive international issues) where off-shoring may not be a suitable option

    • Personal data held off-shore should be kept within the EEA, Safe Harbor or the limited number of countries with positive findings of adequacy from the European Commission. Organisations may conduct their own assessments of adequacy, however this approach carries the inherent risk that in the event of a breach, the Information Commissioner may not agree with their findings.

    • It is important that you can satisfy your security requirements in the locations chosen to off-shore to. The local political, legislative or cultural environment may make satisfaction of your normal security requirements challenging.

    • The Office of the Government SIRO will review and advise on off-shoring proposals for HMG information.

    The above guidance can be found at the following source:  http://www.gov.uk/…/FAQ2_-_Managing_Information_Risk_at_OFFICIAL_v2_-_March_2014.pdf

  8. Hi Robert,

    Thanks for asking. Yes, we're completely sure about the PGA accreditation. Sorry that Cloudstore page hasn't been updated yet. Hopefully the Cloudstore site will reflect the change soon, but we have no control over the updating of government websites.


  9. Tim Lewis York says:

    Good news.

    How does Office 365 interact with the Public Sector Network? In particular, can Exchange Online be configured to route via the PSN Secure Mail Gateway, or would this require a hybrid environment?

  10. Jason Ewbank says:

    Hello everyone,

    Just to add Microsoft Azure is the way to go in terms of Office 365. IAM Cloud has a solution that means there is no ADFS required and no single point of failure. Currently 2.3 million identities worldwide and Microsoft themselves are promoting the IAM Cloud platform solution as well. To learn more please visit http://www.iamcloud.com and if people need to know more please contact me on

    Jason Ewbank

    Senior Partner Manager

    Phone: +44 118 324 0000 or +1 914 495 1298

    DDI: +44 118 324 1002

    Mobile: +44 7881 309571



  11. Hi Tim Lewis York,

    Office 365 is not a PSN service; it runs over the Internet. Most customers use a hybrid environment solution to get around this, routing their e-mail via on-premise Exchange servers first, then out to Office 365. Hope that's helpful!


  12. Peter says:

    Working in Local Govt we are being asked to collaborate with other authorities such as the NHS and Police on Social Care initiatives, MASH, Troubled Families etc.

    Please can you confirm that DWP,the Home Office and the Dept of Health have agreed that OFFICIAL (SENSITIVE) data such as Medical Records Benefits information and information sourced from the Police can be shared on this platform.

  13. Hi Peter,

    Thanks for writing. The service is PGA accredited to hold OFFICIAL data, OFFICIAL – SENSITIVE is a handling caveat within OFFICIAL.


  14. Graham Sheppard says:

    CESG has published a set of guidance centred on 14 Cloud Security Principles – How many of these, and which ones, have Microsoft aligned to?

  15. Hi Graham,

    In many, if not most cases, we align to the cloud security principles; as these were largely what was tested before as part of the accreditation process via the PGA.

  16. djrodb says:


    Could you email me please. I'd like to ask you a sensative question offline surrounding Office 365 uptake in a certain UK sector. rodblackie at gmail com

    I can share my work details with you during our correspondence.



  17. RussSp says:


    As regards the questions regarding OFFICIAL-SENSITIVE data, your 18/07/14 post seems to imply that as OFFICIAL-SENSITIVE is a 'handling caveat' of the SENSITIVE classification, that it would therefore be permissible to use this service for storing OS data.  However, I have been advised locally that Office365 is accedited to IL2(OFFICIAL), whereas use for OFFICIAL-SENSITIVE data requires IL3 accreditation.

    Please can you clarify?



  18. Hi Russ,

    You can store Official-Sensitive data on Azure/Office 365 with a few technical handling caveats, as I mentioned. You can't really map the new 3-tiered security system (OFFICIAL, SECRET and TOP SECRET) to the old Impact Level (IL) system. If you'd like to have a longer conversation about the correct ways to make sure your data is stored properly in the cloud, you can e-mail ukps@microsoft.com and we can put you in touch with an expert.

  19. Stuart Mckean says:


    We are a company that uses 365 as a buisness, ordered online direct via Microsoft. How do we transfer (as such) to the official version?



  20. Jenny Clayten says:

    Sorry to harp on about the OFFICIAL-SENSITIVE thing but I have heard that O365 is only cleared for OS if the servers used are only those in Dublin and the Netherlands. Is there anything formal from the Cabinet Office to this effect.

  21. Lester W says:

    Does this mean Azure can store IL3 data? Or is it still just IL2?

  22. Hi Lester — As of last April, the old Impact Level security system was replaced by the new security designations (OFFICIAL, SECRET, TOP SECRET). The government's official guidance on the matter is that old IL system levels do not map directly to the new ones: http://www.gov.uk/…/Government-Security-Classifications-April-2014.pdf

    We can currently say that our system can be used for both OFFICIAL and OFFICIAL-SENSITIVE communications and we lead the market on complying with the government's 14 security points:


    And of course, our protections are getting better all the time. We recently received accreditation to the ISO/IEC 27018 standard — and we're the first cloud service to receive that certification:


    Hope that helps!


  23. Paul Anderson says:

    Hi Jessie,

    Would it be possible to provide or publish a copy of your Accreditation Certificate.



Skip to main content