Microsoft Azure deployment guidance

Service description

Microsoft Azure represents a number of cloud services, most of which are Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) providing virtual computers and storage in the cloud, among other services.  This service is much like Amazon Web Services, but has a different pricing structure and provides additional tools that provide integration advantages for Microsoft environments.

The UC has a HIPAA business associate agreement with Microsoft for Azure. Azure has a unique price structure requiring a campus to set a monetary commitment prior to the beginning of their annual enrollment period.  See the cost section for more details.

Important notes

  • Microsoft requires an annual minimum pre-payment to establish an account.
  • Azure requires location-wide coordination due to the administrative structure.
  • Each location must establish a process to establish accounts to its users.   
  • Each account holder (there can be many accounts on a campus) must specify the region (e.g. U.S., EU, etc.) where the compute and storage should be located.  Microsoft will not move the data from the region selected.

Sensitive data guidance

Green: Permitted
Yellow: Consult
Red: Not permitted
Data Type Data Use Guidance Comments
Credit Card (PCI-DSS) Not permitted No PCI addendum to agreement.
Export Control Consult Consult with location export control officer.
Electronic Protected Health Information (ePHI) subject to HIPAA Consult HIPAA BAA in place, consult with data proprietor and appropriate UC location (e.g. privacy official, information security, compliance officer). View a list of Azure services covered by the BAA.
Human Subject Research Consult Consult with data proprietor and UC location office of research.
Intellectual Property Consult Consult with data proprietor and appropriate UC location authority (e.g. tech transfer, office of research, campus counsel).
IT Security Information
(e.g. administrative passwords, network diagrams)
Permitted When appropriately configured.
Other Sensitive Institutional Info
(e.g. Fundraising, Attorney/Client Privileges)
Consult Consult with data proprietor and appropriate UC location authority (e.g. privacy official, development office, campus counsel, information security officer).
Personally Identifiable Information (PII)
Tied to state notification breach laws, Login credentials, SSN, Drivers license
Consult Consult with data proprietor and appropriate UC location authority (e.g. privacy official, campus counsel, information security officer).
Public Information Permitted
Research Data
AnimalGeneral (non-Humanoid Subject Research)
Permitted Consult with data proprietor and UC location office of research.
Student Education Records (FERPA) Permitted Excluding student health records.

UC location responsibilities

These are the contractual responsibilities of each UC location as they establish the service. These responsibilities must be met for the contract to remain in effect.

  • Each location must specify a subscription term for Azure, between 12-36 months, which serves as its enrollment period. The per unit costs for each account at your location is fixed during the enrollment period. 
  • Each location must specify a pre-paid balance to be used over each annual term. An invoice for the entire amount will be given at the beginning of the period.
  • As the account uses Azure services, the cost will be deducted from the committed funds each month. If there is any unused portion leftover at the end of the period, it will be forfeit.
  • After the expiration or termination of services, the campus must remove its data or contact Microsoft to hold it for 90 days.
  • Each UC user must specify the region where data should be hosted (e.g. United States).

Vendor responsibilities

  • Available 24/7 with limited exceptions for planned downtime. View Azure Status Dashboard.
  • Microsoft may only use your data to provide the service. They are not allowed to mine UC data.
  • Microsoft will not transfer UC data outside the region specified by the UC user (e.g. United States), but may transfer it within the US for backup or support purposes.
  • Microsoft will “promptly notify” the UC of any security incidents that cause unlawful access to UC data.

Procurement Services contacts

View a ist of contacts for each campus.

Costs

  • Azure account holders must determine their annual pre-paid commitment amount before their enrollment period that sets the campus-wide target spend level for Azure.
  • Consult with location procurement or Microsoft representative for pricing.
  • The pre-paid commitment is invoiced at the beginning of the period.
  • After each annual pre-paid balance is exhausted, accounts will switch to automatic quarterly billing based upon actual usage. 
  • If the entire pre-paid commitment is not spent at the end of the period, it is forfeited.
  • Pricing will not increase during a term, but may decrease. To achieve a longer term price cap, give due consideration to establishing a 36 month term.
  • An extension order must be placed prior to the expiration of the initial 12-36 month term.
  • Department must pro-actively deactivate use of the services in order to stop incurring charges.   

Link to contract

You can view a copy of the agreements in the Contracts Database. Please contact your local procurement department for login credentials.

UC location links and contacts for this service

Visit the website or contact the individuals below for more information about this service at your location.

Location Contact Guidance
UC Davis
UC Riverside
UC Merced UC Merced Procurement
UC Berkeley
UC Santa Cruz
UC Santa Barbara
UCLA
UC San Diego Cloud and Web Services (cws@ucsd.edu)
UC Irvine
UC San Francisco
Lawrence Berkeley National Labs
Division of Ag & Natural Resources Gabriel Youtsey