Architecture Overview

- SharePoint Online
  - Customer-specific SharePoint sites
  - SharePoint lists used as the primary data store
- Power Apps (SharePoint-integrated customized forms only)
  - Forms created using Integrate → Power Apps → Customize Form
  - Only SharePoint is used as the data source
  - Built using Power Fx (low-code only)
  - No PCF controls
  - No external data sources
  - No Dataverse, SQL, or third-party services
- Power Automate
  - Used for automatic provisioning of:
    - SharePoint sites
    - SharePoint lists
  - Uses:
    - Standard connectors
    - Premium connectors
  - No custom connectors
  - No Azure Functions
  - Uses SharePoint and Power BI APIs
  - Very minimal expressions / low-code logic
- Power BI
  - Reports embedded inside SharePoint pages
  - Data source is only SharePoint

There are:

- ✅ Premium connectors used
- ❌ No custom connectors
- ❌ No third-party integrations
- ❌ No external Azure services

My Questions:

- From a platform compliance perspective, once this solution is deployed into a GCC High tenant, is this architecture considered GCC High compliant, given that it uses:
  - SharePoint Online (GCC High)
  - Power Apps (SharePoint-integrated forms)
  - Power Automate (Standard + Premium connectors)
  - Power BI (GCC High)
- Does the use of Premium connectors (without any custom connectors) introduce:
  - Any additional compliance burden in GCC High?
  - Any FedRAMP High or DoD SRG impact?
- Given that the solution was originally developed in a commercial (non-GCC) tenant and later migrated to GCC High:
  - Does this create any compliance, security, or ATO risks?
  - Does it require additional validation or security controls during authorization?
- Even if all services used are GCC High supported, is a formal ATO (Authority to Operate) still mandatory at the application/solution level?
- In real-world government implementations:
  - Is the ATO inherited from Microsoft’s GCC High platform, or
  - Is a separate ATO always required for each custom-built business application?
- Are there any known compliance risks or design limitations when combining:
  - Power Apps customized forms
  - Power Automate premium connectors
  - Power BI embedded in SharePoint

  within a GCC High tenant?

Any authoritative guidance, real-world experience, or Microsoft documentation references would be greatly appreciated.
