
What Is Microsoft GCC High? Architecture, Licensing, and Use Cases

Learn what Microsoft GCC High is, how its physically separated architecture works, licensing requirements, migration paths, and when defense contractors need it for ITAR, DFARS, and CMMC compliance.

Agency Team

Defense contractors often ask us whether they truly need GCC High or whether standard Microsoft 365 can meet their compliance requirements. The answer is straightforward: if your contracts involve CUI, ITAR data, or DFARS 7012 clauses, commercial M365 will not satisfy your obligations — and an assessor will flag it immediately.

Microsoft GCC High (Government Community Cloud High) is a dedicated Microsoft 365 environment built specifically for defense contractors and organizations handling the most sensitive unclassified government data. Unlike standard Microsoft 365 or even the basic GCC environment, GCC High operates on physically separated infrastructure, is administered exclusively by screened U.S. persons, and meets FedRAMP High baseline requirements along with DoD Security Requirements Guide (SRG) Impact Levels 4 and 5.

This guide explains what GCC High is, how its architecture differs from other Microsoft cloud environments, the licensing model and costs, the migration path from commercial M365, and the specific compliance use cases that require it.

GCC High Architecture

The defining characteristic of GCC High is its physical and logical separation from all other Microsoft cloud environments. This is not a configuration difference or a policy overlay — it is a fundamentally different infrastructure deployment.

Physical Separation

GCC High runs in dedicated datacenters or physically isolated sections within Microsoft's U.S. datacenter facilities. Key architectural elements include:

  • Dedicated compute and storage — GCC High workloads run on hardware that is not shared with commercial, GCC, or DoD tenants
  • Separate network infrastructure — Network paths for GCC High traffic are isolated from other Microsoft cloud environments
  • U.S.-only data residency — All customer data, metadata, and system-generated data remains within the continental United States
  • Isolated backup and disaster recovery — Backup infrastructure and disaster recovery sites are also physically separated and U.S.-based

Separate Identity Infrastructure

GCC High uses an entirely separate Azure Active Directory instance with its own domain: login.microsoftonline.us (as opposed to login.microsoftonline.com for commercial and standard GCC). This means:

  • GCC High accounts cannot authenticate against commercial Azure AD and vice versa
  • Federated identity configurations (ADFS, third-party IdPs) must be configured specifically for the GCC High AAD instance
  • Guest access and B2B collaboration between GCC High and commercial tenants have significant limitations
  • Applications that rely on Microsoft Graph API must use the GCC High-specific endpoint (graph.microsoft.us)
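
The endpoint split described above is easy to miss in integration settings that were written for a commercial tenant. The following is an added example, not code from Microsoft or from the original article: it scans configuration text for the two commercial hosts named here and proposes the GCC High host for each. The function name, the sample settings, and the all-zero tenant ID are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Commercial host -> GCC High counterpart; both pairs come from the article.
GCC_HIGH_EQUIVALENT = {
    "login.microsoftonline.com": "login.microsoftonline.us",
    "graph.microsoft.com": "graph.microsoft.us",
}
GCC_HIGH_HOSTS = set(GCC_HIGH_EQUIVALENT.values())
URL_RE = re.compile(r"https?://[^\s\"'<>,;]+", re.IGNORECASE)

# Constructed sample settings (hypothetical keys, placeholder tenant ID).
SAMPLE_CONFIG = """\
# integration settings carried over from the commercial tenant
authority = https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000
scope = "https://graph.microsoft.com/.default"
mail_api = https://graph.microsoft.us/v1.0/users
proxy = https://login.microsoftonline.com.proxy.example/health
"""


def audit_endpoints(config_text):
    """Return (findings, confirmed): commercial URLs to change, GCC High URLs seen."""
    findings, confirmed = [], []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        for match in URL_RE.finditer(line):
            url = match.group(0)
            try:
                host = (urlsplit(url).hostname or "").lower().rstrip(".")
            except ValueError:  # malformed URL, e.g. a broken IPv6 literal
                continue
            # Compare the parsed host exactly; a substring search would also
            # flag unrelated hosts that merely contain a commercial name.
            if host in GCC_HIGH_EQUIVALENT:
                suggested = re.sub(re.escape(host), GCC_HIGH_EQUIVALENT[host],
                                   url, count=1, flags=re.IGNORECASE)
                findings.append({"line": lineno, "url": url, "suggested": suggested})
            elif host in GCC_HIGH_HOSTS:
                confirmed.append({"line": lineno, "url": url})
    return findings, confirmed


if __name__ == "__main__":
    to_fix, already_ok = audit_endpoints(SAMPLE_CONFIG)
    for f in to_fix:
        print(f"line {f['line']}: {f['url']} -> {f['suggested']}")
    print(f"{len(already_ok)} URL(s) already point at GCC High hosts")
```

The suggested URL is only a host substitution; each integration still needs to be tested against the GCC High tenant before cutover.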

Personnel Controls

Every person with administrative access to GCC High infrastructure — including Microsoft operations staff — must be:

  • A U.S. person (U.S. citizen or lawful permanent resident) as defined under ITAR regulations
  • Subject to enhanced background investigation beyond standard Microsoft employment screening
  • Operating from within the United States

These personnel controls are not optional compliance recommendations. They are foundational to GCC High's authorization under FedRAMP High and its approval for ITAR-controlled data.

Compliance Standards Met by GCC High

GCC High's architecture enables it to meet a range of compliance standards that are impossible to satisfy in commercial or standard GCC environments.

| Standard | Requirement | How GCC High Meets It |
| --- | --- | --- |
| FedRAMP High | ~421 NIST 800-53 controls | Physically separated infrastructure with enhanced controls across all families |
| DoD SRG IL4 | CUI protection in DoD cloud | Data residency, personnel screening, encryption, and access controls |
| DoD SRG IL5 | Higher-sensitivity CUI and mission data | Additional controls beyond IL4 for more sensitive unclassified data |
| ITAR | U.S. person access only for controlled data | All infrastructure personnel are screened U.S. persons; no foreign national access |
| EAR | Export control compliance | Same U.S. person and data residency controls as ITAR |
| DFARS 252.204-7012 | Adequate security for CUI | Meets cloud service provider requirements under DFARS 7012 |

For a comprehensive overview of FedRAMP authorization levels, see our FedRAMP authorization guide.

Licensing Model

GCC High licensing follows the standard Microsoft 365 tier structure but with government-specific designations and higher price points.

Available License Tiers

  • Microsoft 365 Government G3 — Core productivity suite with basic security features
  • Microsoft 365 Government G5 — Full suite including advanced security, compliance, and analytics
  • Office 365 Government E1/E3/E5 — Office-only licenses without Windows or EMS components
  • Enterprise Mobility + Security Government — Intune, Azure AD Premium, Azure Information Protection
  • Microsoft Defender for Office 365 — Advanced threat protection add-on
  • Azure Government (paired) — Azure cloud services in the corresponding GCC High Azure environment

Pricing Considerations

GCC High licensing typically carries a 30-50% premium over commercial M365 equivalents. Microsoft does not publicly list exact GCC High pricing — it is available through volume licensing agreements and Microsoft partners. Organizations should obtain a direct quote from Microsoft or an authorized licensing partner for current per-user pricing based on their specific license tier and volume.

Minimum Commitments

GCC High may require minimum user counts or spending commitments depending on your licensing agreement. Organizations with fewer than 50 users sometimes face challenges obtaining GCC High licenses directly and may need to work through a Cloud Solution Provider (CSP) partner specializing in government cloud.

Migration Path from Commercial M365

Migrating from commercial M365 to GCC High is one of the most common and most underestimated projects defense contractors undertake.

Why Migration Is Complex

Because GCC High operates on entirely separate infrastructure with a separate Azure AD instance, there is no in-place upgrade path. You cannot simply "flip a switch" to move your existing tenant from commercial to GCC High. The migration is effectively a move from one Microsoft ecosystem to a completely different one that happens to run the same software.

Migration Steps

1. Planning and Assessment (2-4 weeks)

  • Inventory all M365 services in use (Exchange, SharePoint, Teams, OneDrive, Power Platform)
  • Catalog all third-party integrations and verify GCC High compatibility
  • Document custom configurations, DLP policies, conditional access rules, and retention policies
  • Identify data volumes for mailbox, SharePoint, and OneDrive migration sizing

2. GCC High Tenant Provisioning (1-2 weeks)

  • Obtain GCC High licensing through Microsoft or a government-authorized partner
  • Provision the new GCC High tenant
  • Configure DNS records for the new environment
  • Set up Azure AD Connect to the GCC High AAD instance

3. Identity Migration (1-2 weeks)

  • Create user accounts in GCC High Azure AD
  • Configure federation with your on-premises identity provider (if applicable)
  • Set up MFA policies and conditional access rules in the new tenant
  • Migrate Azure AD groups, dynamic groups, and administrative units

4. Data Migration (2-8 weeks depending on volume)

  • Migrate Exchange Online mailboxes using third-party migration tools (BitTitan MigrationWiz, Quest, or similar)
  • Migrate SharePoint Online sites, document libraries, and permissions
  • Migrate OneDrive for Business files
  • Migrate Teams channels, chat history (where possible), and Teams configurations
  • Migrate Power Platform solutions (Power Apps, Power Automate flows)

5. Security and Compliance Reconfiguration (1-2 weeks)

  • Recreate DLP policies, sensitivity labels, and retention policies
  • Configure Microsoft Defender for Office 365 settings
  • Set up audit logging and eDiscovery configurations
  • Re-enroll devices in GCC High Intune

6. Testing and Cutover (1-2 weeks)

  • Conduct user acceptance testing across all workloads
  • Verify all integrations function correctly against GCC High endpoints
  • Execute cutover, including DNS changes for mail flow
  • Decommission commercial tenant after verification period

Migration Timeline

| Organization Size | Estimated Duration | Key Complexity Drivers |
| --- | --- | --- |
| Under 100 users | 2-3 months | Simpler data volumes, fewer customizations |
| 100-500 users | 3-6 months | Larger data migration, more integrations |
| 500-2,000 users | 6-9 months | Complex SharePoint environments, custom apps |
| 2,000+ users | 9-12+ months | Enterprise-scale data, extensive customizations |

Specific Use Cases for GCC High

ITAR-Controlled Technical Data

ITAR restricts access to defense-related technical data to U.S. persons. If your organization handles ITAR-controlled information in email, SharePoint, Teams, or OneDrive, the cloud infrastructure hosting that data must guarantee that only U.S. persons can access it at every level — including the cloud provider's operations staff. GCC High's screened-personnel model and physical separation satisfy this requirement. Commercial M365 and standard GCC do not.

DFARS 7012 Compliance

DFARS clause 252.204-7012 requires defense contractors to provide "adequate security" for CUI and to use cloud service providers that meet FedRAMP Moderate (at minimum) for CUI in cloud environments. In practice, most organizations and assessors interpret this as requiring FedRAMP High for M365 environments handling CUI, which means GCC High. Additionally, DFARS 7012 requires incident reporting to the DoD within 72 hours and preservation of forensic images — capabilities that GCC High supports through its integration with DoD reporting mechanisms.

CMMC Level 2 Certification

Organizations pursuing CMMC Level 2 certification must implement all 110 NIST 800-171 controls for systems processing CUI. If Microsoft 365 is within your CUI boundary — meaning you use it to email, store, or collaborate on CUI — the underlying cloud infrastructure must support the required control implementations. GCC High provides the infrastructure-level controls (data residency, access restrictions, encryption, logging) that enable your organization to meet NIST 800-171 requirements for cloud-hosted data.

Export-Controlled Research

Universities and research institutions handling export-controlled data under EAR (Export Administration Regulations) face similar requirements to ITAR. GCC High provides the U.S. person access controls and data residency guarantees needed for EAR compliance when using Microsoft collaboration tools for research activities.

Common Questions About GCC High

Do I Need GCC High for All Users?

Not necessarily. If only a subset of your organization handles CUI or ITAR data, you may be able to license GCC High for those users while keeping others on commercial or standard GCC. However, this split-environment approach introduces complexity in managing two separate tenants and ensuring that CUI does not inadvertently flow to the non-GCC High environment. In our experience, most organizations find that a single GCC High tenant for the entire organization is simpler and more defensible during assessments.

What About Azure Government?

GCC High for M365 pairs with Azure Government for cloud infrastructure. If your applications run on Azure, you will need Azure Government subscriptions that correspond to your GCC High M365 environment. Azure Government operates under the same FedRAMP High authorization and personnel screening requirements.

Can I Collaborate with External Organizations?

GCC High supports external collaboration, but with restrictions. Collaboration between GCC High tenants works similarly to commercial M365. Collaboration between GCC High and commercial tenants is limited — features like shared channels in Teams and seamless B2B guest access have restrictions. Plan for these limitations if your workflows require frequent collaboration with partners who are not on GCC High.

For a detailed comparison of GCC vs GCC High to determine which environment is right for your organization, see our GCC vs GCC High comparison guide.
