Microsoft Sovereign Private Cloud: Run Azure, Microsoft 365 & AI Fully Disconnected On‑Premises

Keep data, workloads and operations entirely within your own boundaries: Effective February 24, 2026, organizations can run Azure infrastructure, Microsoft 365 server workloads and even large AI models fully on-premises.

This is relevant for governments, regulated industries, defense, critical infrastructure and all organizations that require strict digital sovereignty, local governance and uninterrupted operations.


Azure, Microsoft 365 & AI: Fully local

Unlike standard cloud deployments (where control planes, identity services, telemetry, updates and AI workloads rely on Azure datacenters), the Microsoft Sovereign Cloud brings these capabilities inside the organization’s own operational boundary. Customers can now run the same core components used in the public cloud, but locally, sealed off from external networks (on-premises).

Microsoft’s latest expansion includes three major components:

 

Azure Local disconnected operations (now available)

  • Azure Local now supports fully disconnected operations.
  • This lets organizations run mission critical workloads with Azure governance, RBAC and policies locally.
  • Workloads continue operating even when connectivity must be restricted or intentionally isolated.
  • Azure Local scales from small deployments to large environments supporting data intensive workloads and AI. It maintains a unified operational model inside the customer’s sovereign boundary.
  • Licensing:
    • Azure services are licensed through your existing Microsoft agreements, such as Enterprise Agreement (EA) or Microsoft Products and Services Agreement (MPSA).
    • Azure Arc is used to manage and govern these services locally. It enables policy enforcement, automation, and monitoring.
    • Some Azure Arc-enabled tools—like Azure Monitor and Microsoft Defender for Cloud—may require additional licensing, depending on usage.
    • Azure Local must be deployed using validated reference architectures to ensure compliance and eligibility for support.

 

Microsoft 365 Local disconnected (now available)

  • Microsoft 365 Local disconnected brings core collaboration workloads directly into sovereign private cloud environments:
    • Exchange Server
    • SharePoint Server
    • Skype for Business Server
  • Supported through at least 2035, these workloads allow teams to communicate and collaborate entirely inside the local boundary
  • It gives full control over data residency, access and compliance.
  • Even when the environment must operate offline, full productivity remains available.
  • Licensing:
    • Microsoft 365 Local supports the Subscription Edition (SE) versions of:
      • Exchange Server SE
      • SharePoint Server SE
      • Skype for Business Server SE
    • These SE versions are licensed under the Modern Lifecycle Policy, which ensures regular updates and long-term support. Microsoft has committed to supporting these products through at least 2035.
      Microsoft 365 Local is not a cloud subscription like Microsoft 365 E3 or E5. Instead, it is a server-based deployment that runs locally, with licensing based on core-based or user-based models, depending on the product.

 

Foundry Local (available to qualified customers)

  • Foundry Local now let’s organizations run large AI models directly on their own hardware, with no need for cloud services. Organizations can:
    • Run AI tasks locally, without sending any data to the cloud
    • Process sensitive documents, images or video fully on-premises
    • Connect AI workloads with Azure Local and Microsoft 365 Local
    • Keep all data, identities and operations inside the secure environment
  • What does “qualified customers” mean for Foundry Local?
    • Foundry Local is currently limited to organizations that meet Microsoft’s qualification criteria, typically those with high‑security, regulated or sovereign requirements. This ensures that sensitive AI workloads run in environments with the right operational and security maturity. Most public-sector entities, defense, critical infrastructure and regulated enterprises will qualify.
  • Licensing:
    • Licensing is custom and contract‑based – there is no public SKU or pricing available.
    • Pricing depends on AI model packs, GPU class, support level, and isolation mode.
    • Requires customer-owned NVIDIA or AMD GPUs (no MAIA support).
    • Runs multimodal LLMs fully on-premises, disconnected from Azure.

 

Comparing Microsoft Sovereign Private Cloud to standard cloud and storage models

In traditional cloud setups:

  • Data is stored in Azure or Microsoft 365 datacenters
  • AI workloads rely on cloud GPUs and Azure AI models
  • Microsoft provides governance and policy enforcement from the cloud
  • Productivity workloads run in Microsoft 365 regions
  • Connectivity is assumed and required for operation

Microsoft Sovereign Cloud changes this paradigm by enabling:

  • Local data storage with no external dependencies
  • Local compute and AI inference on customer-controlled hardware
  • Local governance and identity enforcement without cloud identity calls
  • Local operational continuity even if networks are severed
  • Local productivity through Microsoft 365 server workloads inside the boundary

This approach aligns with strict sovereignty needs where data and operations must never leave the country, the facility or the secure operational zone.

 

Dependencies and limitations

Even with its advantages, Microsoft’s Sovereign Cloud has constraints that organizations must account for:

  • Not all Azure services are available in local deployments
  • Microsoft 365 Local lacks some cloud-only features such as real-time cloud collaboration and AI-driven Microsoft 365 cloud services
  • Foundry Local supports only specific AI models and requires customer qualification
  • Telemetry-based and cloud-assisted features may be reduced or unavailable in offline mode

These limitations are inherent to any system that must operate in a sealed, isolated environment.

 

Backup, disaster recovery and data protection

If you are planning a fully sovereign deployment, you need sovereign data protection strategies:
  • Backups must remain inside the sovereign boundary unless regulations allow multi-site replication
  • Disaster Recovery (DR) requires either a second sovereign site or physically isolated infrastructure
  • Customers may require third-party sovereign-compliant backup solutions
  • Long-term retention strategies must rely on local storage rather than cloud archive tiers
Backup and DR design is one of the most critical components of sovereign cloud planning, which is why you should prioritize this.

 

Deployment notes

Choose the right starting setup

A simple but solid baseline starts at three nodes, each with 24 cores, 96 GB RAM, a 2 TB NVMe data drive and a separate boot disk. Most organizations scale from here.

Prepare for fully offline operation

Disconnected environments must manage their own updates:

  • Local update repositories
  • Strict maintenance windows
  • Acceptance that update cycles lag behind public cloud

Validate AI hardware early

Ensure:

  • GPU availability and compatibility
  • Adequate power and cooling
  • That your Foundry Local model set is supported (large model packs still restricted to qualified customers)

Establish governance from the start

Use Azure-style RBAC, policies and ARM templates immediately to keep governance consistent online and offline.

Understand the wider landscape

Alternative sovereign solutions exist, but Microsoft’s key differentiator is its unified sovereign stack: Azure Local + Microsoft 365 Local + Foundry Local under one sovereignty posture, including full offline capability.

 

Q&A

How difficult is it to maintain a fully disconnected environment?

Running disconnected infrastructure requires more planning than traditional cloud. You need local update repositories, defined maintenance windows, monitoring tools that work offline and a clear process for lifecycle management. It’s fully doable, but it requires disciplined operations and clear ownership.

How do identity and access work without cloud identity services?

Azure Local and Microsoft 365 Local rely on identity services hosted inside the sovereign environment: RBAC, local identity providers and policy enforcement run on-premises. This keeps authentication functional even when completely isolated from the internet.

Can organizations still integrate with the public cloud if needed?

Yes. Microsoft Sovereign Cloud supports fully disconnected, partially connected and fully connected modes. Organizations can choose the level of connectivity per workload. You can operate offline when necessary and reconnect when regulations or mission requirements permit.

What does support look like in a fully disconnected setup?

Microsoft provides supported update paths for Azure Local and Microsoft 365 Local, even when systems run behind strict network isolation. Updates are imported manually into the environment, and support teams can work with diagnostic bundles that you export and share securely. No external live connections are required.

Will Microsoft 365 Local replace Microsoft 365 cloud?

No. Microsoft 365 Local is not a replacement for the cloud service. It is a parallel, sovereign version for organizations that cannot use cloud-hosted productivity due to regulatory or national‑security constraints. This is a development that started especially due to recent EU regulations.

How does this compare to competing sovereign cloud offerings?

The biggest differentiator is the unified stack: Azure Local, Microsoft 365 Local and Foundry Local all operate under one consistent governance model, one security posture and one operational approach. This reduces fragmentation and simplifies compliance compared to piecing together multiple vendor solutions.

Is Microsoft Sovereign Cloud way more expensive?

Yes, fully local sovereign cloud is more expensive than public cloud. Often significantly so. But for organizations with strict sovereignty needs, the cost is expected, justified and in many cases already part of their operating model. The real value is independence, compliance, continuity and control.

Is Azure Local scalable?

Yes, Azure Local is built to scale. You can start with three nodes and grow to large clusters capable of running data‑intensive workloads and advanced AI models. The operational model stays consistent as you scale.

Is this relevant for small or mid-sized organizations?

Usually no, unless you are in a very specific situation. Microsoft’s fully sovereign stack (Azure Local, Microsoft 365 Local, Foundry Local) is not designed for the average SMB or mid‑market company. It is built for environments that must guarantee that data, identities, workloads and AI models never leave the premises, including during outages, geopolitical events or legal requests. That level of control comes with high cost, high operational responsibility and high complexity. Most small and mid‑sized organizations simply don’t need that.

two consultants looking into the camera

 

More information

Announcement: https://blogs.microsoft.com/blog/2026/02/24/microsoft-sovereign-cloud-adds-governance-productivity-and-support-for-large-ai-models-securely-running-even-when-completely-disconnected/.

Disconnected operations for Azure Local: https://learn.microsoft.com/en-us/azure/azure-local/manage/disconnected-operations-overview.

Microsoft Sovereign Cloud: https://www.microsoft.com/en-us/sovereignty.

Microsoft Digital Sovereignty Summit (Virtual Experience) – Wednesday, 25 March 2026, 9:30 am – 3:30 pm (GMT+01:00) – Register here: https://msevents.microsoft.com/event?id=1813231283.

What is Microsoft 365 Local: https://learn.microsoft.com/en-us/azure/azure-local/concepts/microsoft-365-local-overview.

Azure Local billing: https://learn.microsoft.com/en-us/azure/azure-local/concepts/billing.

Azure Local pricing: https://azure.microsoft.com/en-us/pricing/details/azure-local/.

Questions about licensing?
Our experts have answers.

Call us
Email us

Share article

Related articles