Microsoft GCC High: What It Is, Who Needs It & How to Set It Up (2026)
If you work in the defense industrial base and someone tells you that you need “GCC High,” they’re probably right. But the explanation you’ll get from Microsoft’s website reads like it was written by a compliance attorney who got paid by the word.
Here’s GCC High in plain English: it’s Microsoft’s cloud environment built specifically for organizations that handle data regulated by ITAR, EAR, or DoD requirements. It’s physically and logically separated from Microsoft’s commercial cloud. It’s operated exclusively by screened US persons. And it’s where your data has to live if it’s subject to export controls.
If you’re a defense contractor handling CUI that includes technical data, engineering drawings, or anything on the US Munitions List — GCC High isn’t a nice-to-have. It’s a regulatory requirement.
GCC vs. GCC High vs. DoD
Microsoft operates three government cloud environments. They are not the same thing, and picking the wrong one creates problems that are expensive to fix.
| Commercial | GCC | GCC High | DoD | |
|---|---|---|---|---|
| FedRAMP Authorization | No | High | High + DoD IL4/IL5 | DoD IL5/IL6 |
| Data Residency | Global | US only | US only | US only |
| Network Isolation | Shared | Logically separated | Physically separated | Physically separated |
| Operated By | Microsoft global | Screened US persons | Screened US persons | Screened US persons |
| Login Endpoint | login.microsoftonline.com | login.microsoftonline.com | login.microsoftonline.us | login.microsoftonline.us |
| SharePoint Domain | .sharepoint.com | .sharepoint.com | .sharepoint.us | .sharepoint.us |
| ITAR/EAR Data | Not permitted | Not permitted | Permitted | Permitted |
| Who It’s For | Everyone else | State/local gov, contractors (non-ITAR) | Defense contractors, ITAR orgs | DoD agencies |
The critical distinction between GCC and GCC High is the ITAR line. Microsoft’s own terms of service prohibit storing ITAR or EAR-regulated data in Commercial and GCC environments. This isn’t a gray area — it’s in the documentation. We wrote a detailed comparison of GCC vs. GCC High that covers the ITAR problem most articles skip.
DoD is the highest tier and is reserved for the Department of Defense itself. If you’re a contractor, you’re looking at GCC or GCC High — not DoD.
Who Needs GCC High?
Not every defense contractor needs GCC High. But more do than realize it.
You need GCC High if:
- Your contracts involve ITAR-controlled technical data (defense articles, technical data packages, anything on the USML)
- You handle CUI that’s also export-controlled under EAR
- Your DoD contracts require compliance with DFARS 252.204-7012 and the CUI you handle includes Controlled Technical Information
- A prime contractor or government customer has told you that GCC High is required for data exchange
- You need to meet DoD IL4 or IL5 requirements
GCC is sufficient if:
- Your CUI is not export-controlled — personnel records, financial data, non-technical contract information
- None of your contracts involve ITAR or EAR markings
- Your export control team has confirmed that no data you handle falls under export restrictions
Here’s the reality for most defense contractors: if you’re handling technical data — engineering drawings, specifications, test results, design documents — that data is almost always export-controlled. CTI (Controlled Technical Information) is the most common CUI category in the defense supply chain, and CTI is virtually always ITAR or EAR.
We’ve seen contractors pass CMMC audits in GCC only to discover they had an ITAR violation sitting in their tenant. The CMMC assessor didn’t catch it because that’s not what they’re assessing. But DDTC or BIS might.
GCC High Services Available
GCC High isn’t a single product. It’s a cloud environment that hosts multiple Microsoft services, each with its own feature set and licensing.
Microsoft 365 GCC High
The core productivity suite: Exchange Online, SharePoint Online, OneDrive for Business, Teams, and the Office apps. This is what most contractors think of when they hear “GCC High.”
In late 2025, Microsoft made Business Premium available in GCC High — a significant development for smaller contractors. Previously, the minimum entry point was E3 at roughly $57/user/month. Business Premium runs about $36/user/month and includes Entra ID P1, Intune, Defender for Office 365, and the core Microsoft 365 apps. For a 50-person company, that’s the difference between $34,200/year and $21,600/year in licensing alone.
We covered this in detail when it was announced: GCC High Business Premium.
Azure Government / GCC High
Azure Government is the IaaS/PaaS counterpart. If you need virtual machines, databases, storage accounts, or custom applications in a compliant environment, this is where they live. Azure Government meets FedRAMP High and DoD IL4/IL5.
Key differences from commercial Azure:
- Different portal URL (portal.azure.us)
- Different API endpoints
- Smaller set of available services (not every Azure service is available in Azure Government)
- Separate Azure AD / Entra ID instance from commercial
Copilot in GCC High
This is the section that doesn’t exist in any other guide yet, because the landscape is still evolving.
Microsoft 365 Copilot is available in GCC High as of early 2026, but with caveats. The rollout has been phased, and not every Copilot feature that exists in Commercial is available in GCC High yet.
What’s available:
- Copilot in Word, Excel, PowerPoint, Outlook, and Teams — The core productivity features are live in GCC High
- Copilot Chat (formerly Bing Chat Enterprise) — Available with commercial data protection boundaries
What to watch:
- Feature parity lag — New Copilot capabilities ship to Commercial first. GCC High typically follows weeks to months later. Some features may take longer.
- Copilot Studio — Availability in GCC High is on a delayed timeline. Check the Microsoft 365 roadmap for current status.
- Third-party Copilot plugins — Limited in GCC High compared to Commercial, since plugins need to be built against government endpoints.
- Data residency — Copilot in GCC High processes data within the GCC High boundary. Your prompts and responses don’t leave the environment. This is the entire point for defense contractors.
If AI-powered productivity tools are part of your strategy, GCC High no longer means you miss out. But check feature availability before you promise anything to your users.
GCC High Requirements and Eligibility
You can’t just buy GCC High. Microsoft requires eligibility validation before provisioning a tenant.
Eligible organizations include:
- US federal, state, local, and tribal government entities
- Defense contractors with DoD contracts requiring IL4/IL5 data handling
- Organizations subject to ITAR that need to store regulated data in Microsoft cloud services
- Organizations processing CUI that is export-controlled
The validation process:
- Your organization submits a request through Microsoft or a Cloud Solution Provider (CSP) partner
- Microsoft validates your eligibility — this typically requires showing proof of government contracts, CAGE code, or other evidence of DIB membership
- Once approved, Microsoft provisions your GCC High tenant
- Provisioning takes 1-3 weeks (this step catches people off guard)
You need a minimum of 500 licenses for a direct Microsoft agreement. Smaller organizations can access GCC High through a CSP partner, which is how most small defense contractors get in.
How to Migrate to GCC High
Migration to GCC High is not a toggle you flip. It’s a project — one that involves standing up a new tenant, moving all your data, reconfiguring every integration, and retraining your users. There is no in-place upgrade from Commercial or GCC to GCC High.
The Migration Path
1. Assessment and planning (2-4 weeks)
Inventory everything: mailboxes, SharePoint sites, OneDrive data, Teams channels, custom applications, third-party integrations, DNS records, conditional access policies, Intune configurations. Anything that touches Microsoft 365 needs to be cataloged and mapped to the new environment.
If you’re coming from on-premises Active Directory, the complexity goes up. We’ve written about the on-prem AD to Entra ID migration path separately.
2. Tenant provisioning (1-3 weeks)
Microsoft needs to validate your eligibility and provision the GCC High tenant. This isn’t instant. Start this process before you think you need to.
3. Configuration and policy setup (2-4 weeks)
Rebuild your security configuration in the new tenant: conditional access policies, Intune device management profiles, data loss prevention rules, retention policies, mail flow rules. None of these migrate automatically. You’re building them from scratch in the new environment.
4. Data migration (2-6 weeks)
Move mailboxes, SharePoint data, and OneDrive files. The timeline depends on data volume. A 30-person company with standard workloads is on the shorter end. A company with 50TB of SharePoint data and custom workflows is on the longer end.
5. User cutover and training (1-2 weeks)
Switch DNS records, update client configurations, and train users on what changed. The biggest user-facing difference: login endpoints change from .com to .us, and some features they’re used to may work differently or be temporarily unavailable.
6. Post-migration stabilization (2-4 weeks)
Fix what breaks. There’s always something — a PowerShell script pointing at the wrong endpoint, a third-party app that doesn’t support government URLs, a conditional access policy that needs adjustment. Budget time for this.
Total Timeline
| Phase | Duration |
|---|---|
| Assessment & planning | 2-4 weeks |
| Tenant provisioning | 1-3 weeks |
| Configuration & policies | 2-4 weeks |
| Data migration | 2-6 weeks |
| User cutover & training | 1-2 weeks |
| Post-migration stabilization | 2-4 weeks |
| Total | 10-23 weeks |
If you’re facing a CMMC deadline tied to a contract, start early. The timeline from “we need GCC High” to “our users are working in GCC High” is measured in months, not weeks.
GCC High Costs and Licensing
Licensing is the question everyone asks first. Here’s the current landscape for GCC High.
Per-User Licensing
| Plan | Approx. Monthly Cost/User | What’s Included |
|---|---|---|
| Business Premium | ~$36 | Office apps, Exchange, SharePoint, Teams, Entra ID P1, Intune, Defender for Office 365 |
| E3 | ~$57 | Everything in Business Premium + advanced compliance, larger mailbox, more storage |
| E5 | ~$75 | Everything in E3 + Defender for Endpoint, advanced analytics, audio conferencing |
| E5 Security add-on | ~$12 | Adds E5 security features to E3 (Defender for Endpoint, Cloud App Security) |
Business Premium is the sweet spot for most small defense contractors. It includes everything you need for CMMC compliance — Intune for device management, Defender for threat protection, Entra ID P1 for conditional access — at a price that doesn’t require a second mortgage.
Total Cost of Ownership
Licensing is just one piece. Here’s the realistic picture for a small defense contractor (25-75 employees):
| Cost Category | Range |
|---|---|
| Annual licensing | $10,800 - $51,300 |
| Migration & implementation | $50,000 - $150,000 (one-time) |
| Ongoing managed services (optional) | $2,000 - $8,000/month |
| User training | $2,000 - $5,000 (one-time) |
The migration cost is the variable that scares people, and it’s the one that’s hardest to estimate without knowing your environment. A clean Commercial-to-GCC-High migration with 30 users and standard workloads is on the lower end. A 200-person company with hybrid Exchange, custom SharePoint workflows, and legacy VPN is on the higher end.
GCC High and CMMC Compliance
GCC High doesn’t give you CMMC automatically. But it solves a significant chunk of the problem.
What GCC High handles for you:
- FedRAMP High authorization (you inherit Microsoft’s cloud controls)
- Data residency in the US
- Encryption at rest and in transit (FIPS 140-2 validated)
- Physical security of datacenters
- Audit logging infrastructure
- Many of the System and Communications Protection (SC) and System and Information Integrity (SI) controls
What you still own:
- Access control policies and enforcement
- Multi-factor authentication configuration
- Security awareness training
- Incident response planning and execution
- System Security Plan documentation
- Configuration management
- Vulnerability scanning and remediation
- Everything in the “people and process” domains
Think of it this way: GCC High gives you a compliant foundation. You still have to build the house. Most of the 110 NIST 800-171 controls require action on your part — policies you write, configurations you set, processes you follow. GCC High makes the infrastructure piece easier, but it doesn’t replace the work.
For a complete view of what CMMC requires, see our CMMC compliance checklist. For cost planning, see the full cost breakdown.
The Feature Gaps You’ll Hit
GCC High is not feature-identical to Commercial. Microsoft ships features to Commercial first, then GCC, then GCC High. The gap is usually weeks to months, but some features take longer.
If you’re an IT admin coming from Commercial, here’s what changes on day one:
PowerShell is different. Every module requires a government-specific environment flag:
Connect-MgGraph -Environment USGovConnect-ExchangeOnline -ExchangeEnvironmentName O365USGovGCCHighConnect-PnPOnline -AzureEnvironment USGovernmentHigh
Every PowerShell guide on the internet is written for Commercial. You’ll spend time finding these flags. We wrote guides for Connect-MgGraph, Connect-ExchangeOnline, and PnP PowerShell that cover the GCC High flags specifically.
App registrations use different endpoints. Your authority URL is login.microsoftonline.us, not .com. Graph API calls go to graph.microsoft.us. Get these wrong and authentication silently fails.
Third-party integrations may not work. Not every SaaS vendor has built their OAuth flow against government endpoints. Check before you buy.
Some Entra ID P2 features may have functional differences. PIM and access reviews work but may lag behind Commercial in feature updates.
Power Platform connectors have a smaller catalog. If you rely heavily on Power Automate or Power Apps with third-party connectors, check availability first.
None of these are dealbreakers. They’re operational realities that your IT team needs to know about before migration day, not after.
Frequently Asked Questions
What is GCC High?
GCC High is Microsoft’s cloud environment for organizations handling data regulated by ITAR, EAR, or DoD Impact Level 4/5 requirements. It’s physically and logically separated from commercial Microsoft infrastructure and operated exclusively by screened US persons.
What’s the difference between GCC and GCC High?
GCC is logically separated from Commercial and meets FedRAMP High. GCC High is physically separated and additionally meets DoD IL4/IL5 and permits ITAR/EAR-regulated data. If your CUI includes export-controlled technical data, you need GCC High. We have a full comparison.
How much does GCC High cost?
Licensing starts at roughly $36/user/month with Business Premium. For a 50-person company, that’s about $21,600/year. Migration costs range from $50,000 to $150,000 depending on complexity. See the cost section above for the full breakdown.
Does GCC High satisfy CMMC requirements?
GCC High provides a compliant cloud foundation that satisfies many infrastructure-related CMMC controls through Microsoft’s FedRAMP authorization. But CMMC certification requires you to implement all 110 NIST 800-171 controls — most of which involve your policies, configurations, and processes, not just the cloud platform.
Is Copilot available in GCC High?
Yes, as of early 2026. Microsoft 365 Copilot core features (Word, Excel, PowerPoint, Outlook, Teams) are available in GCC High. Some advanced features and Copilot Studio capabilities are on a delayed timeline compared to Commercial.
How long does it take to migrate to GCC High?
Plan for 10-23 weeks from start to finish. Tenant provisioning alone takes 1-3 weeks because Microsoft must validate your eligibility. Data migration and configuration rebuilds make up the bulk of the timeline.
Can I migrate from GCC to GCC High?
Yes, but it’s essentially a full migration — not an upgrade. You stand up a new GCC High tenant, rebuild your configurations, and move all data. The process is similar to migrating from Commercial to GCC High.
Do I need 500 licenses for GCC High?
Microsoft requires a 500-license minimum for direct agreements. Smaller organizations can access GCC High through a Cloud Solution Provider (CSP) partner, which is how most small defense contractors get their tenant.
If you need help determining whether GCC High is right for your organization — or you’re ready to start a migration — reach out. We’ll give you a straight answer based on your contracts, your data, and your growth plans, whether that’s GCC High migration, a CMMC enclave, or the honest assessment that GCC is fine for your situation.