The Problem

CMMC Brought You to GCC High. Now What?

Defense contractors are arriving in GCC High from two directions. The first is CMMC and evolving contract requirements, which are bringing organizations into GCC High for the first time. For them, the tenant needs to be stood up, licenses selected, data migrated, voice architecture designed, and the platform built out from scratch while maintaining operations. The second is time: organizations that have been in GCC High for years, where the tenant exists, the licenses are paid, Teams handles calls, and almost nothing else was ever addressed.

For established GCC High tenants, the gaps are predictable. Data still lives on-premises or in a commercial Microsoft 365 tenant, outside the CMMC boundary and outside retention policy reach. Voice is still on a legacy PBX or a SIP solution that was never evaluated against compliance requirements. The license tier that made sense at deployment no longer reflects what the organization actually uses. Exchange Server or file servers are still running alongside the cloud environment because a conversion plan was never developed.

GCC High is also not the same platform it was two or three years ago. Microsoft continues to expand feature availability, update the licensing structure, and add compliance capabilities that did not exist at initial deployment. An organization that stood up GCC High in 2021 or 2022 and has not revisited its configuration may be missing compliance tools that are now available and paying for capabilities it is not using. A periodic review of what the platform now supports is worth doing regardless of how long the tenant has been active.

GCC High differs from commercial Microsoft 365 in ways that matter: feature availability lags, Graph API endpoints differ, Calling Plans are unavailable, guest access is more restricted, and some integrations that work in commercial do not exist in GCC High. Getting the platform right requires knowing those differences before committing to an architecture. This work reflects production GCC High deployment and management under active DCSA and CMMC scrutiny.

Capability Areas
MIGRATE Commercial → GCC High · Cross-Tenant Identity · Mailbox & Data
LICENSE SKU Rationalization · E3/E5 · Add-Ons · Teams Phone
ON-PREM Exchange · AD DS · File Servers · Skype for Business
VOICE Direct Routing · SBC · E911 · Compliance Recording
PLATFORM Teams · SharePoint · Viva · Compliance · Power Platform
Capability 01

Tenant Migration: Commercial M365 to GCC High

Moving from a commercial Microsoft 365 tenant to GCC High is not a simple license reassignment. It is a cross-tenant migration that touches identity, mailboxes, SharePoint data, Teams configuration, and application integrations, each with distinct tooling requirements and limitations.

Identity migration involves cross-tenant Entra ID configuration, user matching, and on-premises Active Directory as the source of truth through AD Connect where applicable. Mailbox migration uses Microsoft's native cross-tenant migration (CTMM) or third-party tools such as BitTitan MigrationWiz or Quest Migration Manager, depending on scale and cutover strategy. SharePoint and OneDrive data requires a separate migration stream using tools like AvePoint Fly, ShareGate, or Microsoft's SharePoint Migration Tool (SPMT).

One constraint that frequently surprises organizations: there is no native migration path for Teams chat history into a GCC High tenant. Teams channel content (posts, files) can be migrated via third-party tools with varying fidelity. Teams direct message history does not migrate. This needs to be addressed in your communication and retention strategy before the cutover date, not discovered during it.

We develop migration runbooks that cover every workload, sequence the migration to minimize productivity disruption, and document the boundary state at each phase for CMMC continuity. Staged migrations, where some users cut over while others remain on the source tenant, require careful DNS, mail routing, and access management to avoid compliance gaps during the transition window.

Migration Workstreams
IDENTITY
Entra ID cross-tenant config, user matching, AD Connect sync
MAILBOXES
Cross-tenant migration (CTMM), MigrationWiz, or Quest — batch or cutover
SHAREPOINT / ONEDRIVE
AvePoint Fly, ShareGate, or SPMT — site and document library migration
TEAMS
Channel content via third-party tools; chat history does not migrate natively
APPLICATIONS
App re-registration in GCC High Entra ID, service principal mapping
Capability 02

Licensing Review and SKU Rationalization

GCC High licensing is parallel to commercial M365 but not identical. The SKU names overlap, the feature sets differ, and the add-on catalog is smaller. Most defense contractors are either over-licensed (paying for capabilities they don't use) or under-licensed (missing the add-ons that would close their CMMC compliance gaps).

The core tiers in GCC High follow the same E3/E5 structure as commercial, with F1 and F3 SKUs for frontline workers. Microsoft 365 E3 GCC High covers Exchange Online, SharePoint, Teams, and basic compliance tooling. Microsoft 365 E5 GCC High adds Defender for Office 365 Plan 2, advanced eDiscovery, and enhanced compliance features. Where it gets complicated is the add-on layer.

Microsoft 365 E5 Compliance (available as an add-on to E3 in GCC High) unlocks the capabilities that matter most for CMMC assessors: advanced DLP, information protection (sensitivity labels with automatic classification), communication compliance, insider risk management, and advanced eDiscovery. Many organizations have E3 and discover during a CMMC gap assessment that the compliance controls they assumed were included are not; they require E5 Compliance. Discovering this at assessment time is expensive.

Teams Voice requires the Teams Phone Standard add-on license (included in some E5 bundles, add-on for E3). The Microsoft 365 Business Basic license your organization may have started with does not include the platform features required for a production communications and compliance deployment at CMMC scale. We map your current license assignment against actual usage, workforce segment, and compliance requirements, and produce a licensing recommendation with line-item cost impact.

Key License Decisions
E3 vs E5
E5 adds Defender P2, advanced eDiscovery, and Purview — evaluate whether add-ons are cheaper
E5 COMPLIANCE ADD-ON
Advanced DLP, auto-labeling, communication compliance, insider risk — required for many CMMC controls
E5 SECURITY ADD-ON
Defender for Endpoint P2, Defender for Identity, Microsoft Sentinel integration
TEAMS PHONE STANDARD
Required for Direct Routing voice — add-on for E3, included in some E5 configurations
F1 / F3 FRONTLINE
Right-tier frontline workers to avoid paying E3 rates for personnel with no desktop workload
Capability 03

On-Premises to Cloud Conversion Strategy

Many defense contractors have a GCC High tenant and on-premises infrastructure running side by side: Exchange Server, Active Directory Domain Services, file servers, and in some cases Skype for Business. The on-premises workloads predate the GCC High requirement and were never formally migrated. That creates compliance exposure, unnecessary infrastructure cost, and the management overhead of running two environments indefinitely.

Exchange Server to Exchange Online: The recommended path uses a hybrid deployment. Exchange Hybrid Configuration Wizard establishes coexistence between on-premises Exchange and Exchange Online GCC High, enabling staged mailbox migration while maintaining mail flow continuity. Full decommission of on-premises Exchange follows after all mailboxes are migrated and validated. For smaller organizations, a cutover migration with a maintenance window is simpler.

Active Directory Domain Services to Entra ID: Most GCC High organizations should run Microsoft Entra Connect (formerly Azure AD Connect) to sync their on-premises AD DS to Entra ID GCC High, maintaining the on-premises AD as authoritative during the transition. Cloud-only Entra ID is achievable for new tenants or organizations with small, technically homogeneous workforces. Hybrid identity is the more common and safer path. Conditional Access policies and MFA enforcement are configured in Entra ID regardless of which identity model you use.

File Servers and NAS to SharePoint/OneDrive: Network file shares are migrated to SharePoint Online document libraries or OneDrive for Business depending on the access pattern (team collaboration vs. individual storage). This requires a content inventory, CUI classification of existing data, and a migration tool deployment (SPMT, AvePoint, or ShareGate). File server decommission proceeds after validation and a defined retention window.

Skype for Business to Teams: If your organization still runs Skype for Business Server, the migration to Teams requires both the platform transition and a voice architecture decision. Skype for Business Server provides PSTN connectivity via your existing telephony infrastructure. That connectivity does not automatically transfer to Teams. It requires Direct Routing. The Skype to Teams upgrade path and the voice architecture decision must be planned together, not sequentially.

On-Prem Workloads
EXCHANGE SERVER
Hybrid → staged migration → Exchange Online GCC High → decommission
ACTIVE DIRECTORY
Entra Connect sync to GCC High Entra ID; hybrid identity or cloud-only
FILE SERVERS / NAS
SharePoint Online document libraries + OneDrive; CUI classification required
SKYPE FOR BUSINESS
Teams upgrade + Direct Routing voice architecture — must be planned together
CMMC BOUNDARY
SSP amendment required for each cloud workload added to the authorization boundary
Capability 04

Teams Voice in GCC High

Microsoft Calling Plans — the simplest way to add PSTN telephony to Teams in a commercial tenant, are not available in GCC High. Every GCC High organization that wants Teams-native voice must implement Direct Routing or Operator Connect. Most organizations don't know this until they're mid-deployment.

Voice is frequently the most deferred workload in GCC High environments. Some organizations remain on legacy PBX systems that predate the GCC High requirement entirely. Others are running SIP trunk or hosted VoIP solutions that were adequate for a commercial environment but were never evaluated against the security requirements that apply inside a CMMC boundary. In both cases the organization is typically paying for telephony infrastructure and Microsoft 365 licenses with voice capability it is not using, while running redundant services where neither is fully operational. A voice architecture decision that was deferred at GCC High deployment is still a decision that needs to be made; it does not resolve itself.

Direct Routing connects your existing telephony infrastructure to Teams Phone using a certified Session Border Controller (SBC). The SBC sits between your PSTN carrier (or existing PBX) and Teams, handling SIP signaling translation. Microsoft maintains a list of certified SBC devices and firmware versions for GCC High; only certified hardware is supported. Commonly deployed SBCs in defense contractor environments include the AudioCodes Mediant series, Ribbon SBC 1000/2000/SWe Lite, and Oracle Acme Packet. SBC sizing depends on concurrent call capacity requirements and redundancy design (active-active vs. active-passive).

Operator Connect is available in GCC High but with significantly more limited carrier participation than commercial. Not all Operator Connect partners support GCC High tenants. Before designing around Operator Connect, the carrier's GCC High support must be confirmed. This is a common gap in vendor proposals not written specifically for the government cloud.

E911 compliance is a legal requirement, not a configuration option. Teams Phone in GCC High must be configured to meet Kari's Law (direct 911 dialing without prefix) and Ray Baum's Act (dispatchable location transmitted with 911 calls). This requires configuring emergency addresses in the Teams admin center, assigning them to users and network sites, and validating that your SBC properly passes E911 location information to the PSTN.

Compliance recording for regulated communications must use a Microsoft-certified compliance recording partner integrated with Teams. Not all compliance recording vendors have GCC High-certified integrations. NICE, Verint, and Dubber each have GCC High-compatible offerings, but configuration and certification status should be verified at project initiation, as GCC High availability can lag commercial certification.

Teams Voice Architecture
CALLING PLANS
Not available in GCC High — Direct Routing or Operator Connect required
DIRECT ROUTING
Certified SBC required — AudioCodes Mediant, Ribbon SBC, Oracle Acme Packet
OPERATOR CONNECT
Limited GCC High carrier participation — verify before designing around it
E911
Kari's Law + Ray Baum's Act — emergency address config and dispatchable location
COMPLIANCE RECORDING
GCC High-certified partners only — NICE, Verint, Dubber (verify current status)
Capability 05

Employee Engagement and Platform Architecture

Once the migration is complete, the licenses are right-sized, and voice is operational, the platform layer — the employee experience, internal communications architecture, and governance model — still needs to be built. Most GCC High tenants run Teams for calls and calls only. The rest of the Microsoft 365 stack is largely untouched.

Teams governance — channel naming conventions, team lifecycle management, retention policies, guest access controls, and Teams admin policies — needs to be designed to match your workforce structure and compliance requirements. Without governance, Teams sprawl creates unmanaged channels, inconsistent retention, and a data map that no longer reflects where your communications actually live.

SharePoint as an intranet platform requires intentional architecture: hub site design, document library structure, CUI-aware folder taxonomy, metadata schema, and site provisioning templates. Built correctly, it becomes the authoritative home for internal communications and controlled documents. Built ad hoc, it becomes a second file server that's harder to audit than the first one.

Employee engagement in GCC High is harder than in commercial M365, and it's important to set that expectation accurately. The Viva suite in GCC High is significantly more limited than commercial — Viva Engage has reduced functionality, Viva Connections has feature gaps, and the advanced Viva apps (Learning, Insights, Topics) are either unavailable or lag commercial release by a year or more. Third-party employee engagement tools that integrate cleanly with commercial M365 typically require custom API integration work to function in GCC High, if they can be made to work at all. The practical foundation for internal communications in GCC High is SharePoint news and structured Teams channels — not the rich Viva suite experience that commercial M365 enables. Communication compliance policies, DLP rules, and sensitivity label taxonomy across Exchange Online, Teams, and SharePoint provide the compliance infrastructure that CMMC assessors will examine. Power Platform use cases require assessment against the GCC High connector catalog before any workflow build begins.

Platform Coverage
TEAMS
Governance · Policies · Retention · Compliance Recording · Guest Access
SHAREPOINT
Intranet Architecture · Document Libraries · CUI-Aware Taxonomy
VIVA (LIMITED)
Viva Engage (reduced) · Feature lag vs. commercial · No third-party integrations without API work
COMPLIANCE
Retention Policies · DLP · Sensitivity Labels · eDiscovery
POWER
Power Automate · Power Apps · GCC High Connector Assessment
What We Deliver

Across All Five Capability Areas

Migration Planning & Runbook

Phased migration plan covering identity, mailboxes, SharePoint data, Teams configuration, and application re-registration. Per-workload runbooks with rollback procedures and validation checkpoints. Dependency sequencing to prevent compliance gaps during cutover.

Licensing Review & Optimization

Current license inventory mapped against actual usage, platform requirements, and CMMC control needs. Written recommendation with license tier changes, add-on additions or removals, and line-item cost impact. Frontline vs. enterprise tier right-sizing for your workforce segments.

On-Premises Conversion Strategy

Workload-by-workload conversion plan for Exchange Server, Active Directory, file servers, and Skype for Business. Hybrid coexistence design where applicable. Decommission sequencing and timeline with dependencies called out.

Direct Routing Architecture

SBC selection and sizing guidance, PSTN carrier connectivity design, call routing plan, failover and redundancy configuration, and Teams admin center voice policy configuration. Integration with existing telephony infrastructure where required.

E911 Compliance Configuration

Emergency address registration, network site and subnet mapping, user and device emergency location assignment, and validation that dispatchable location information is correctly passed through the SBC to the PSTN. Documentation for Kari's Law and Ray Baum's Act compliance.

Compliance Recording Integration

Partner selection guidance for GCC High-certified compliance recording vendors, policy-based recording configuration in Teams admin center, storage and retention integration with Microsoft Purview, and validation testing before go-live.

Teams Governance & SharePoint Architecture

Channel governance model, naming conventions, lifecycle policies, and Teams admin policies. SharePoint intranet hub design, document library structure, CUI-aware metadata taxonomy, and site provisioning templates for consistent deployment.

Communication Compliance & DLP

Retention policies, DLP rules, sensitivity label taxonomy, communication compliance policies, and eDiscovery readiness configuration across Exchange Online, Teams, and SharePoint. SSP amendment documentation for CMMC compliance posture updates.

Power Platform Assessment

Evaluation of Power Automate and Power Apps use cases against the GCC High connector catalog before any workflow build begins. Not all connectors available in commercial M365 exist in GCC High; scoping this before development prevents rework and unsupported integrations.

Engagement Process

How We Work

  1. 01

    Discovery & Assessment

    We conduct a structured review of your current environment — GCC High tenant configuration, on-premises infrastructure inventory, current licensing, voice architecture, and CMMC boundary documentation. We map what you have against what your workforce needs and where your compliance posture has gaps. Deliverable: written findings with prioritized remediation roadmap across all five capability areas.

  2. 02

    Architecture & Planning

    We design the target state architecture for each workload in scope — migration sequencing, voice design, licensing structure, platform governance, and compliance configuration. Every decision is documented with rationale. Your team has full visibility throughout and receives complete documentation at project close — no black-box deliverables, no institutional knowledge held hostage.

  3. 03

    Build, Migration & Ongoing Advisory

    We execute against the plan — migration runbooks, SBC configuration, platform build, and compliance settings deployment. Post-migration, we provide ongoing advisory as Microsoft releases GCC High feature updates, your workforce changes, or your compliance posture evolves. Platform without adoption is shelfware; we build the change management and communications strategy alongside the technical work.

Engagement Types

Scoped to Your Starting Point

GCC High Environment Assessment

Current-state audit of your GCC High tenant, on-premises infrastructure, licensing, and voice architecture. Written findings across all five capability areas with a prioritized remediation roadmap. Right-sized for organizations that need to know where they stand before committing to a build program.

Contact for Scope

Migration & Platform Build

End-to-end migration execution and platform deployment — commercial-to-GCC High tenant migration, on-premises workload conversion, Direct Routing voice architecture, licensing optimization, and platform governance build. Scoped to your environment size and starting point. Includes complete documentation and knowledge transfer.

Contact for Scope

Compliance & Governance Package

Focused engagement on the compliance and governance layer: retention policies, DLP, sensitivity labels, communication compliance, E911 configuration, and eDiscovery readiness. Scoped for organizations with infrastructure already in GCC High that need to close CMMC compliance gaps at the platform layer.

Contact for Scope
Contact for Scope & Pricing
Common Questions

GCC High Platform FAQ

Can Teams chat history be migrated when moving from a commercial tenant to GCC High?
No, not natively. Microsoft does not provide a native migration path for Teams private chat (1:1 and group chat) history into a GCC High tenant. Teams channel posts and file attachments can be migrated using third-party tools such as AvePoint Fly or Mover with varying fidelity, but Teams chat messages are not migratable through any supported mechanism. This needs to be communicated to your organization before the migration cutover — employees should be advised to retain any critical information from chat history before the source tenant is decommissioned. Retention policy design must account for the fact that historical chat content will not be present in the destination tenant.
Are Microsoft Calling Plans available in GCC High?
No. Microsoft Calling Plans — Microsoft's own PSTN carrier service — are not available for GCC High tenants. Every GCC High organization that wants Teams-native telephony must implement Direct Routing (connecting your own SBC and PSTN carrier to Teams Phone) or Operator Connect (a managed carrier integration). Operator Connect has limited GCC High carrier participation — not all Operator Connect providers support GCC High tenants, and this must be verified before selecting a carrier. Direct Routing with a certified SBC is the most reliable path for GCC High voice.
Which Session Border Controllers (SBCs) are certified for Teams Direct Routing in GCC High?
Microsoft maintains a list of certified SBC devices and firmware versions for Teams Direct Routing, with a subset of those certifications applicable to GCC High tenants. Commonly deployed and GCC High-compatible SBCs include the AudioCodes Mediant series (Mediant 500, 800, 2600, 4000), Ribbon SBC (SBC 1000, 2000, SWe Lite), and Oracle Acme Packet. SBC selection should be driven by concurrent call capacity requirements, redundancy design (active-active vs. active-passive), and whether the device needs to integrate with an existing on-premises PBX or PSTN connection. Before procurement, verify the specific firmware version against the current Microsoft certification list — certification status can change between firmware releases.
How long does a commercial Microsoft 365 to GCC High tenant migration typically take?
It depends heavily on the number of users, data volume, and how many workloads are in scope. A straightforward identity and mailbox migration for a 200-person organization typically takes 8–14 weeks from kickoff to final cutover, including planning, tooling setup, pilot migration, and staged production migration. Adding SharePoint/OneDrive data migration, on-premises workload decommission, and voice cutover extends the timeline. Organizations underestimate the planning phase — getting the pre-migration checklist complete (Entra ID domain registration, MX record cutover planning, service account mapping) before the first mailbox batch runs is what determines whether the migration goes cleanly or not.
What is the difference between Microsoft 365 E3 and E5 in GCC High, and which do we need for CMMC?
Microsoft 365 E3 GCC High includes Exchange Online, SharePoint Online, Teams, Microsoft Intune, and Defender for Office 365 Plan 1. It covers most baseline CMMC Level 2 requirements at the platform layer. Microsoft 365 E5 GCC High adds Defender for Office 365 Plan 2, Defender for Identity, advanced eDiscovery, and a broader Purview compliance suite. For organizations with CMMC Level 2 requirements, the most important add-on is frequently the Microsoft 365 E5 Compliance SKU (available as an add-on to E3 in GCC High), which unlocks advanced DLP with auto-classification, sensitivity label auto-labeling, communication compliance, and insider risk management — capabilities that map directly to CMMC control families and that many assessors will probe. Paying for full E5 when E3 plus E5 Compliance is sufficient is a common over-licensing scenario we identify during licensing reviews.
How does E911 compliance work in Teams for a GCC High tenant?
Teams Phone in GCC High must comply with two federal requirements: Kari's Law (users can dial 911 directly without a prefix code) and Ray Baum's Act (a dispatchable location must be transmitted with every 911 call so first responders know where to respond). In Teams, this is implemented by configuring emergency addresses in the Teams admin center, creating network sites with subnet mappings to those addresses, and assigning emergency locations to users. When a user dials 911, Teams uses the network location to determine the dispatchable address and passes it through the SBC to the PSTN carrier. Configuration validation — confirming that location information is actually being transmitted correctly — should be done in coordination with your PSTN carrier before go-live, as errors in E911 configuration can have legal consequences.
Can we use Power Automate and Power Apps in GCC High?
Yes, Power Platform is available in GCC High, but the connector catalog differs significantly from commercial. Many connectors available in commercial Azure are absent or restricted in GCC High — particularly connectors to third-party SaaS platforms and some Microsoft connectors that depend on services not available at the GCC High tier. Before building workflows that depend on specific connectors, the connector availability needs to be confirmed against the current GCC High connector list. We assess each proposed use case against actual GCC High availability before any build work begins — discovering a connector gap after a workflow is designed for it is an expensive detour.
Get Started

Your GCC High Tenant Can Do More Than You're Using It For

We have run these platforms in production inside a CMMC-scoped GCC High environment. We know what the migration requires, where the licensing gaps are, how to architect Teams Voice without Calling Plans, and what your CMMC assessor will ask about the platform configuration. Start with an assessment.

Schedule a Call
Related Services

Adjacent Capabilities

AI in GCC High

Azure OpenAI, RAG architecture, and enterprise AI assistants deployed inside your CMMC boundary — production-tested, SSP-documented.

Learn more →

CMMC Compliance

Gap assessments, SSP development, and C3PAO assessment preparation built around NIST SP 800-171 Rev 3 and 32 CFR Part 170.

Learn more →

Fractional vCISO

Ongoing security program leadership — strategy, compliance management, vendor evaluations, and board reporting on retainer.

Learn more →