Microsoft Defender for Identity for US Government offerings

The Microsoft Defender for Identity GCC High offering uses the same underlying technologies and capabilities as the commercial instance of Defender for Identity.

Get started with US Government offerings

The Defender for Identity GCC, GCC High, and Department of Defense (DoD) offerings are built on the Microsoft Azure Government Cloud and are designed to inter-operate with Microsoft 365 GCC, GCC High, and DoD. Use Defender for Identity public documentation as a starting point for deploying and operating the service.

Licensing requirements

Defender for Identity for US Government customers requires one of the following Microsoft volume licensing offers:

Microsoft 365 GCC G5 Microsoft 365 E5 for GCC High Microsoft 365 G5 for DOD
Microsoft 365 G5 Security GCC Microsoft 365 G5 Security for GCC High Microsoft 365 G5 Security for DOD
Standalone Defender for Identity licenses Standalone Defender for Identity licenses Standalone Defender for Identity licenses


To access Microsoft Defender for Identity for US Government offerings, use the appropriate addresses in this table:

US Government offering Portal Workspace Agent endpoint
DoD <workspacename> <your-instance-name>
GCC-H <workspacename> <your-instance-name>
GCC <workspacename> <your-instance-name>

You can also use the IP address ranges in our Azure service tag (AzureAdvancedThreatProtection) to enable access to Defender for Identity. For more information about service tags, see Virtual network service tags or download the Azure IP Ranges and Service Tags – US Government Cloud file.

Required connectivity settings

Use this link to configure the minimum internal ports necessary that the Defender for Identity sensor requires.

How to migrate from commercial to GCC

  1. Go to the Azure Portal > Azure Active Directory > Groups
  2. Rename the following three groups (where instanceName is the name of your workspace), by adding to them a " - commercial" suffix:
  • "Azure ATP instanceName Administrators" --> "Azure ATP instanceName Administrators - commercial"
  • "Azure ATP instanceName Viewers" --> "Azure ATP instanceName Viewers - commercial"
  • "Azure ATP instanceName Users" --> "Azure ATP instanceName Users - commercial"
  1. Go to the GCC portal for Defender for Identity:
  2. Create a new instance of Defender for Identity
  3. Configure a Directory Service account
  4. Download the new sensor agent package and copy the workspace key
  5. Make sure sensors have access to * (directly or through proxy)
  6. Uninstall existing sensor agents from the domain controllers
  7. Reinstall sensors with the new workspace key
  8. Migrate any settings after the initial sync (use the two portals to compare)
  9. Eventually, delete the previous workspace (historical data will be lost)


No data is migrated from the commercial service.

If you also have Microsoft Defender for Cloud Apps deployed, it should be migrated before you start the Defender for Identity migration.

Feature parity with the commercial environment

Unless otherwise specified, new feature releases, including preview features, documented in What's new with Defender for Identity, will be available in GCC, GCC High, and DoD environments within 90 days of release in the Defender for Identity commercial environment. Preview features may not be supported in the GCC, GCC High, and DoD environments.

Next steps