Tenant Migration · Licensing · On-Premises to Cloud · Teams Voice · Employee Engagement
Defense contractors are arriving in GCC High from two directions. The first is CMMC and evolving contract requirements, which are bringing organizations into GCC High for the first time. For them, the tenant needs to be stood up, licenses selected, data migrated, voice architecture designed, and the platform built out from scratch while maintaining operations. The second is time: organizations that have been in GCC High for years, where the tenant exists, the licenses are paid, Teams handles calls, and almost nothing else was ever addressed.
For established GCC High tenants, the gaps are predictable. Data still lives on-premises or in a commercial Microsoft 365 tenant, outside the CMMC boundary and outside retention policy reach. Voice is still on a legacy PBX or a SIP solution that was never evaluated against compliance requirements. The license tier that made sense at deployment no longer reflects what the organization actually uses. Exchange Server or file servers are still running alongside the cloud environment because a conversion plan was never developed.
GCC High is also not the same platform it was two or three years ago. Microsoft continues to expand feature availability, update the licensing structure, and add compliance capabilities that did not exist at initial deployment. An organization that stood up GCC High in 2021 or 2022 and has not revisited its configuration may be missing compliance tools that are now available and paying for capabilities it is not using. A periodic review of what the platform now supports is worth doing regardless of how long the tenant has been active.
GCC High differs from commercial Microsoft 365 in ways that matter: feature availability lags, Graph API endpoints differ, Calling Plans are unavailable, guest access is more restricted, and some integrations that work in commercial do not exist in GCC High. Getting the platform right requires knowing those differences before committing to an architecture. This work reflects production GCC High deployment and management under active DCSA and CMMC scrutiny.
Moving from a commercial Microsoft 365 tenant to GCC High is not a simple license reassignment. It is a cross-tenant migration that touches identity, mailboxes, SharePoint data, Teams configuration, and application integrations, each with distinct tooling requirements and limitations.
Identity migration involves cross-tenant Entra ID configuration, user matching, and on-premises Active Directory as the source of truth through AD Connect where applicable. Mailbox migration uses Microsoft's native cross-tenant migration (CTMM) or third-party tools such as BitTitan MigrationWiz or Quest Migration Manager, depending on scale and cutover strategy. SharePoint and OneDrive data requires a separate migration stream using tools like AvePoint Fly, ShareGate, or Microsoft's SharePoint Migration Tool (SPMT).
One constraint that frequently surprises organizations: there is no native migration path for Teams chat history into a GCC High tenant. Teams channel content (posts, files) can be migrated via third-party tools with varying fidelity. Teams direct message history does not migrate. This needs to be addressed in your communication and retention strategy before the cutover date, not discovered during it.
We develop migration runbooks that cover every workload, sequence the migration to minimize productivity disruption, and document the boundary state at each phase for CMMC continuity. Staged migrations, where some users cut over while others remain on the source tenant, require careful DNS, mail routing, and access management to avoid compliance gaps during the transition window.
GCC High licensing is parallel to commercial M365 but not identical. The SKU names overlap, the feature sets differ, and the add-on catalog is smaller. Most defense contractors are either over-licensed (paying for capabilities they don't use) or under-licensed (missing the add-ons that would close their CMMC compliance gaps).
The core tiers in GCC High follow the same E3/E5 structure as commercial, with F1 and F3 SKUs for frontline workers. Microsoft 365 E3 GCC High covers Exchange Online, SharePoint, Teams, and basic compliance tooling. Microsoft 365 E5 GCC High adds Defender for Office 365 Plan 2, advanced eDiscovery, and enhanced compliance features. Where it gets complicated is the add-on layer.
Microsoft 365 E5 Compliance (available as an add-on to E3 in GCC High) unlocks the capabilities that matter most for CMMC assessors: advanced DLP, information protection (sensitivity labels with automatic classification), communication compliance, insider risk management, and advanced eDiscovery. Many organizations have E3 and discover during a CMMC gap assessment that the compliance controls they assumed were included are not; they require E5 Compliance. Discovering this at assessment time is expensive.
Teams Voice requires the Teams Phone Standard add-on license (included in some E5 bundles, add-on for E3). The Microsoft 365 Business Basic license your organization may have started with does not include the platform features required for a production communications and compliance deployment at CMMC scale. We map your current license assignment against actual usage, workforce segment, and compliance requirements, and produce a licensing recommendation with line-item cost impact.
Many defense contractors have a GCC High tenant and on-premises infrastructure running side by side: Exchange Server, Active Directory Domain Services, file servers, and in some cases Skype for Business. The on-premises workloads predate the GCC High requirement and were never formally migrated. That creates compliance exposure, unnecessary infrastructure cost, and the management overhead of running two environments indefinitely.
Exchange Server to Exchange Online: The recommended path uses a hybrid deployment. Exchange Hybrid Configuration Wizard establishes coexistence between on-premises Exchange and Exchange Online GCC High, enabling staged mailbox migration while maintaining mail flow continuity. Full decommission of on-premises Exchange follows after all mailboxes are migrated and validated. For smaller organizations, a cutover migration with a maintenance window is simpler.
Active Directory Domain Services to Entra ID: Most GCC High organizations should run Microsoft Entra Connect (formerly Azure AD Connect) to sync their on-premises AD DS to Entra ID GCC High, maintaining the on-premises AD as authoritative during the transition. Cloud-only Entra ID is achievable for new tenants or organizations with small, technically homogeneous workforces. Hybrid identity is the more common and safer path. Conditional Access policies and MFA enforcement are configured in Entra ID regardless of which identity model you use.
File Servers and NAS to SharePoint/OneDrive: Network file shares are migrated to SharePoint Online document libraries or OneDrive for Business depending on the access pattern (team collaboration vs. individual storage). This requires a content inventory, CUI classification of existing data, and a migration tool deployment (SPMT, AvePoint, or ShareGate). File server decommission proceeds after validation and a defined retention window.
Skype for Business to Teams: If your organization still runs Skype for Business Server, the migration to Teams requires both the platform transition and a voice architecture decision. Skype for Business Server provides PSTN connectivity via your existing telephony infrastructure. That connectivity does not automatically transfer to Teams. It requires Direct Routing. The Skype to Teams upgrade path and the voice architecture decision must be planned together, not sequentially.
Microsoft Calling Plans — the simplest way to add PSTN telephony to Teams in a commercial tenant, are not available in GCC High. Every GCC High organization that wants Teams-native voice must implement Direct Routing or Operator Connect. Most organizations don't know this until they're mid-deployment.
Voice is frequently the most deferred workload in GCC High environments. Some organizations remain on legacy PBX systems that predate the GCC High requirement entirely. Others are running SIP trunk or hosted VoIP solutions that were adequate for a commercial environment but were never evaluated against the security requirements that apply inside a CMMC boundary. In both cases the organization is typically paying for telephony infrastructure and Microsoft 365 licenses with voice capability it is not using, while running redundant services where neither is fully operational. A voice architecture decision that was deferred at GCC High deployment is still a decision that needs to be made; it does not resolve itself.
Direct Routing connects your existing telephony infrastructure to Teams Phone using a certified Session Border Controller (SBC). The SBC sits between your PSTN carrier (or existing PBX) and Teams, handling SIP signaling translation. Microsoft maintains a list of certified SBC devices and firmware versions for GCC High; only certified hardware is supported. Commonly deployed SBCs in defense contractor environments include the AudioCodes Mediant series, Ribbon SBC 1000/2000/SWe Lite, and Oracle Acme Packet. SBC sizing depends on concurrent call capacity requirements and redundancy design (active-active vs. active-passive).
Operator Connect is available in GCC High but with significantly more limited carrier participation than commercial. Not all Operator Connect partners support GCC High tenants. Before designing around Operator Connect, the carrier's GCC High support must be confirmed. This is a common gap in vendor proposals not written specifically for the government cloud.
E911 compliance is a legal requirement, not a configuration option. Teams Phone in GCC High must be configured to meet Kari's Law (direct 911 dialing without prefix) and Ray Baum's Act (dispatchable location transmitted with 911 calls). This requires configuring emergency addresses in the Teams admin center, assigning them to users and network sites, and validating that your SBC properly passes E911 location information to the PSTN.
Compliance recording for regulated communications must use a Microsoft-certified compliance recording partner integrated with Teams. Not all compliance recording vendors have GCC High-certified integrations. NICE, Verint, and Dubber each have GCC High-compatible offerings, but configuration and certification status should be verified at project initiation, as GCC High availability can lag commercial certification.
Once the migration is complete, the licenses are right-sized, and voice is operational, the platform layer — the employee experience, internal communications architecture, and governance model — still needs to be built. Most GCC High tenants run Teams for calls and calls only. The rest of the Microsoft 365 stack is largely untouched.
Teams governance — channel naming conventions, team lifecycle management, retention policies, guest access controls, and Teams admin policies — needs to be designed to match your workforce structure and compliance requirements. Without governance, Teams sprawl creates unmanaged channels, inconsistent retention, and a data map that no longer reflects where your communications actually live.
SharePoint as an intranet platform requires intentional architecture: hub site design, document library structure, CUI-aware folder taxonomy, metadata schema, and site provisioning templates. Built correctly, it becomes the authoritative home for internal communications and controlled documents. Built ad hoc, it becomes a second file server that's harder to audit than the first one.
Employee engagement in GCC High is harder than in commercial M365, and it's important to set that expectation accurately. The Viva suite in GCC High is significantly more limited than commercial — Viva Engage has reduced functionality, Viva Connections has feature gaps, and the advanced Viva apps (Learning, Insights, Topics) are either unavailable or lag commercial release by a year or more. Third-party employee engagement tools that integrate cleanly with commercial M365 typically require custom API integration work to function in GCC High, if they can be made to work at all. The practical foundation for internal communications in GCC High is SharePoint news and structured Teams channels — not the rich Viva suite experience that commercial M365 enables. Communication compliance policies, DLP rules, and sensitivity label taxonomy across Exchange Online, Teams, and SharePoint provide the compliance infrastructure that CMMC assessors will examine. Power Platform use cases require assessment against the GCC High connector catalog before any workflow build begins.
Phased migration plan covering identity, mailboxes, SharePoint data, Teams configuration, and application re-registration. Per-workload runbooks with rollback procedures and validation checkpoints. Dependency sequencing to prevent compliance gaps during cutover.
Current license inventory mapped against actual usage, platform requirements, and CMMC control needs. Written recommendation with license tier changes, add-on additions or removals, and line-item cost impact. Frontline vs. enterprise tier right-sizing for your workforce segments.
Workload-by-workload conversion plan for Exchange Server, Active Directory, file servers, and Skype for Business. Hybrid coexistence design where applicable. Decommission sequencing and timeline with dependencies called out.
SBC selection and sizing guidance, PSTN carrier connectivity design, call routing plan, failover and redundancy configuration, and Teams admin center voice policy configuration. Integration with existing telephony infrastructure where required.
Emergency address registration, network site and subnet mapping, user and device emergency location assignment, and validation that dispatchable location information is correctly passed through the SBC to the PSTN. Documentation for Kari's Law and Ray Baum's Act compliance.
Partner selection guidance for GCC High-certified compliance recording vendors, policy-based recording configuration in Teams admin center, storage and retention integration with Microsoft Purview, and validation testing before go-live.
Channel governance model, naming conventions, lifecycle policies, and Teams admin policies. SharePoint intranet hub design, document library structure, CUI-aware metadata taxonomy, and site provisioning templates for consistent deployment.
Retention policies, DLP rules, sensitivity label taxonomy, communication compliance policies, and eDiscovery readiness configuration across Exchange Online, Teams, and SharePoint. SSP amendment documentation for CMMC compliance posture updates.
Evaluation of Power Automate and Power Apps use cases against the GCC High connector catalog before any workflow build begins. Not all connectors available in commercial M365 exist in GCC High; scoping this before development prevents rework and unsupported integrations.
We conduct a structured review of your current environment — GCC High tenant configuration, on-premises infrastructure inventory, current licensing, voice architecture, and CMMC boundary documentation. We map what you have against what your workforce needs and where your compliance posture has gaps. Deliverable: written findings with prioritized remediation roadmap across all five capability areas.
We design the target state architecture for each workload in scope — migration sequencing, voice design, licensing structure, platform governance, and compliance configuration. Every decision is documented with rationale. Your team has full visibility throughout and receives complete documentation at project close — no black-box deliverables, no institutional knowledge held hostage.
We execute against the plan — migration runbooks, SBC configuration, platform build, and compliance settings deployment. Post-migration, we provide ongoing advisory as Microsoft releases GCC High feature updates, your workforce changes, or your compliance posture evolves. Platform without adoption is shelfware; we build the change management and communications strategy alongside the technical work.
Current-state audit of your GCC High tenant, on-premises infrastructure, licensing, and voice architecture. Written findings across all five capability areas with a prioritized remediation roadmap. Right-sized for organizations that need to know where they stand before committing to a build program.
Contact for ScopeEnd-to-end migration execution and platform deployment — commercial-to-GCC High tenant migration, on-premises workload conversion, Direct Routing voice architecture, licensing optimization, and platform governance build. Scoped to your environment size and starting point. Includes complete documentation and knowledge transfer.
Contact for ScopeFocused engagement on the compliance and governance layer: retention policies, DLP, sensitivity labels, communication compliance, E911 configuration, and eDiscovery readiness. Scoped for organizations with infrastructure already in GCC High that need to close CMMC compliance gaps at the platform layer.
Contact for ScopeWe have run these platforms in production inside a CMMC-scoped GCC High environment. We know what the migration requires, where the licensing gaps are, how to architect Teams Voice without Calling Plans, and what your CMMC assessor will ask about the platform configuration. Start with an assessment.
Schedule a CallAzure OpenAI, RAG architecture, and enterprise AI assistants deployed inside your CMMC boundary — production-tested, SSP-documented.
Learn more →Gap assessments, SSP development, and C3PAO assessment preparation built around NIST SP 800-171 Rev 3 and 32 CFR Part 170.
Learn more →Ongoing security program leadership — strategy, compliance management, vendor evaluations, and board reporting on retainer.
Learn more →