Microsoft Defender for Identity for US Government offerings

The Microsoft Defender for Identity GCC High offering uses the same underlying technologies and capabilities as the commercial workspace for Defender for Identity.

Get started with US Government offerings

The Defender for Identity GCC, GCC High, and Department of Defense (DoD) offerings are built on the Microsoft Azure Government Cloud and are designed to inter-operate with Microsoft 365 GCC, GCC High, and DoD. Use Defender for Identity public documentation as a starting point for deploying and operating the service.

Licensing requirements

Defender for Identity for US Government customers requires one of the following Microsoft volume licensing offers:

Microsoft 365 GCC G5 Microsoft 365 E5 for GCC High Microsoft 365 G5 for DOD
Microsoft 365 G5 Security GCC Microsoft 365 G5 Security for GCC High Microsoft 365 G5 Security for DOD
Standalone Defender for Identity licenses Standalone Defender for Identity licenses Standalone Defender for Identity licenses


To access Microsoft Defender for Identity for US Government offerings, use the appropriate addresses in this table:

US Government offering Microsoft Defender portal Sensor (agent) endpoint
DoD <your-workspace-name>
GCC-H <your-workspace-name>
GCC <your-workspace-name>

You can also use the IP address ranges in our Azure service tag (AzureAdvancedThreatProtection) to enable access to Defender for Identity. For more information about service tags, see Virtual network service tags or download the Azure IP Ranges and Service Tags – US Government Cloud file.

Required connectivity settings

Use this link to configure the minimum internal ports necessary that the Defender for Identity sensor requires.

How to migrate from commercial to GCC


The following steps should only be taken after you have initiated the transition of Microsoft Defender for Endpoint and Microsoft Defender for Cloud Apps

  1. Go to the Azure portal > Microsoft Entra ID > Groups
  2. Rename the following three groups (where workspaceName is the name of your workspace), by adding to them a " - commercial" suffix:
    • "Azure ATP workspaceName Administrators" --> "Azure ATP workspaceName Administrators - commercial"
    • "Azure ATP workspaceName Viewers" --> "Azure ATP workspaceName Viewers - commercial"
    • "Azure ATP workspaceName Users" --> "Azure ATP workspaceName Users - commercial"
  3. In the Microsoft Defender portal, go to the Settings -> Identities section to create a new workspace for Defender for Identity
  4. Configure a Directory Service account
  5. Download the new sensor agent package and copy the workspace key
  6. Make sure sensors have access to * (directly or through proxy)
  7. Uninstall existing sensor agents from the domain controllers, AD FS servers, and AD CS servers
  8. Reinstall sensors with the new workspace key
  9. Migrate any settings after the initial sync (use the portal in a separate browser session to compare)
  10. Eventually, delete the previous workspace (historical data will be lost)


No data is migrated from the commercial service.

Feature parity with the commercial environment

Unless otherwise specified, new feature releases, including preview features, documented in What's new with Defender for Identity, will be available in GCC, GCC High, and DoD environments within 90 days of release in the Defender for Identity commercial environment. Preview features may not be supported in the GCC, GCC High, and DoD environments.

Next steps