Plan for Microsoft Purview compliance and risk management solutions – GCC deployments
This guidance is for IT pros who are driving deployments of Office 365 in US federal, state, local, tribal, or territorial government entities or other entities that handle data that is subject to government regulations and requirements, where the use of Microsoft 365 Government - GCC is appropriate to meet these requirements.
Note
If your organization has already met the Microsoft 365 Government - GCC eligibility requirements and applied for and been accepted into the program, you can skip steps 1 and 2 and go directly to step 3.
Step 1: Determine whether your organization needs Microsoft 365 Government - GCC and meets eligibility requirements
The Microsoft 365 Government - GCC environment complies with US government requirements for cloud services, including FedRAMP Moderate, and requirements for criminal justice and federal tax information systems (CJI and FTI data types).
In addition to enjoying the features and capabilities of Office 365, organizations benefit from the following features that are unique to Microsoft 365 Government - GCC:
Your organization’s customer content is logically segregated from customer content in the commercial Office 365 services from Microsoft.
Your organization’s customer content is stored within the United States.
Access to your organization’s customer content is restricted to screened Microsoft personnel.
Microsoft 365 Government - GCC complies with certifications and accreditations that are required for US public sector customers.
You can find more information about the Microsoft 365 Government - GCC offering for US Government customers at Office 365 Government plans, including eligibility requirements.
The Office 365 US Government service description describes the platform’s benefits, which are centered on meeting compliance requirements within the United States.
Tip
You might want to transfer the tables of information in the service description into an Excel workbook and add two columns: Relevant for my organization Y/N and Meets the needs of my organization Y/N. Then you can review this list with your colleagues to confirm that this service meets your organization’s needs.
Note
Microsoft 365 Government - GCC is only available in the United States. Non–US Government customers can choose from a number of Office 365 Government plans.
Decision points:
- Decide whether Microsoft 365 Government - GCC is appropriate for your organization.
- Confirm that your organization meets eligibility requirements.
Step 2: Apply for Microsoft 365 Government - GCC
Having decided that this service is right for your organization, start the process of applying for this service.
Step 3: Understand Microsoft 365 Government - GCC default security settings
We recommend that you take time to carefully review your admin and security settings before you modify them and consider the impact on compliance before you make any changes to the default security settings.
Decision point: Decide whether you’ll modify any of the default Microsoft 365 Government - GCC security settings, resolving to first understand the impact of any changes you might make.
Step 4: Understand which capabilities are currently unavailable or disabled by default in Microsoft 365 Government – GCC1
To accommodate the requirements of our government cloud customers, there are some differences between Microsoft 365 Government - GCC and enterprise plans. Refer to the following table to see which features are available. See here for the latest compliance product updates published on Microsoft 365 roadmap.
| Area | Feature | GCC Status |
|---|---|---|
| Data protection | ||
| Sensitive information types | Exact data match | Available |
| Named entities sensitive information types and policy authoring templates | In development | |
| Sensitivity labeling | Unified labeling client and scanner | Available |
| Application of a "default label" to an unlabeled file uploaded to a SharePoint Online document library | In development | |
| Apply default label policies to ensure documents being edited | In development | |
| Automatic classification and labeling for Exchange Online, SharePoint Online, and OneDrive for Business | Available | |
| Automatic classification and labeling for Office app (Word, Excel, PowerPoint, Outlook) across platforms (web, Android, iOS, Windows, and Mac) | Available | |
| Automatic classification and labeling for Office clients (Mobile) | On engineering backlog | |
| Automatic classification and labeling for Teams, Microsoft 365 Groups, and SharePoint sites | Available | |
| Auto-labeling policies support overwriting manual label and encrypting mail received from any organization | Available | |
| Co-authoring on Microsoft Purview Information Protection encryption documents | Available | |
| Enhanced simulations and location support for auto-labeling in SharePoint Online and OneDrive for Business | Available | |
| Extend built-in sensitivity labels to assets in Azure with Microsoft Azure Purview | In development | |
| Granular conditional access policies via "Sensitivity labels" for SharePoint Online sites | On engineering backlog | |
| Mandatory labels | Available | |
| Manual labels | Available | |
| New conditions for auto-labeling in Exchange Online | In development | |
| Analytics | Data classification analytics: Overview and Content Explorer | Available |
| Auditing and analytics in Office apps | Available | |
| Activity explorer includes Power BI sensitivity label data | Available | |
| Activity explorer built-in filters | Available | |
| Activity explorer user experience improvements | Available | |
| Activity explorer Power BI sensitivity label data | Available | |
| Activity explorer security reader role updated | Available | |
| Content explorer includes Teams data | In development | |
| Machine learning classifiers with auto labeling on Office apps/client side | Available | |
| Encryption | Microsoft Purview Message Encryption (E3) | Available |
| Microsoft Purview Advanced Message Encryption (E5) | Available | |
| Advanced Message Encryption: Extension of email revocation | Available | |
| Microsoft Purview Customer Key | Available | |
| Customer Key: Data-at-rest encryption for Microsoft 365 | Available | |
| Customer Key: SharePoint Online and OneDrive for Business | Available | |
| Bring Your Own Key (BYOK) for customer-managed key provisioning life cycle | Available | |
| Microsoft Purview Double Key Encryption | Available | |
| Exchange Online service encryption using Microsoft Managed keys | Available | |
| Microsoft Purview Data Loss Prevention | Alerts dashboard and alerting experience | Available |
| Data surfaced in Activity Explorer | Available | |
| Endpoint data loss prevention | Available | |
| Files (SPO/ODB) and email | Available | |
| Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security) integration | Available | |
| On-premises scanner | Available | |
| Solution overview page | Available | |
| Teams chat and channel conversations | Available | |
| Data Lifecycle Management & Records Management | ||
| Microsoft Purview Data Lifecycle Management (formerly Information Governance) | Adaptive scopes for retention and labeling policies | Available |
| Apply retention label action at end of retention period | In development | |
| Apply default retention labels for SharePoint, OneDrive for Business libraries, folders, and document sets; Exchange inboxes; and Office 365 Groups | Available | |
| Configure option to block the ability to edit metadata for records | In development | |
| Disable unlocking of records | In development | |
| Email Archiving | Available | |
| Import PST | Available | |
| Manual non-record retention labels | Available | |
| Preservation lock | Available | |
| Retention improvements for SharePoint Online and OneDrive for Business | Available | |
| Retention label deletion behavior change in SharePoint | Available | |
| Retention policies to entire organization; specific locations or users; automatically based on specific condition (for example, keywords or sensitive information); and based on an event | Available | |
| Retention policies for Teams (chat) | Available | |
| Retention policies for Teams meeting recording | Available | |
| Retention policies for Teams private channels | Available | |
| Records management | Ability to delete a record label | Available |
| Allow record label to start "unlocked" for manual records declaration | In development | |
| Apply a record label manually | Available | |
| Apply default record labels for SharePoint, OneDrive for Business libraries, folders, and document sets; and Office 365 groups | Available | |
| Apply record policies automatically based on specific conditions (for example, keywords or sensitive information); and based on an event | Available | |
| Apply record policies automatically with trainable classifiers | In development | |
| Disable unlocking of records | Available | |
| Disposition review | Available | |
| File plan manager | Available | |
| Multi-stage disposition review | Rolling out | |
| Outlook client support for Records Management | Available | |
| Power Automate integration | On engineering backlog | |
| Proof of disposal | Available | |
| Records versioning | Available | |
| Regulatory records | Available | |
| Risk management | ||
| Microsoft Purview Customer Lockbox | Customer Lockbox | Available |
| Microsoft Purview Communication Compliance | Ability to set a retention period for a Communication Compliance policy | On engineering backlog |
| Access alerts; notice templates; communication policy dashboard | Available | |
| Analyze Teams chat data of users with on-prem mailbox | Available | |
| Automatically monitor all Teams a user is a member of | Available | |
| Conflict of interest template | Available | |
| Create customer policies, 3 pre-configured | Available | |
| Data loss prevention policy recommendation | Available | |
| Day zero insights | On engineering backlog | |
| Detect adult content | Available | |
| Detect customer complaints | In development | |
| Detects repeat code of conduct violation over time | Available | |
| Discrimination classifier | Available | |
| Escalate for investigation for eDiscovery (Premium) | Available | |
| Exchange and Teams support | Available | |
| Expanded Optical Character Recognition to support handwritten and printed text | In development | |
| Message details reports | On engineering backlog | |
| Modern attachments: Analyze linked content from SharePoint Online and OneDrive for Business | In development | |
| Policy health check and ability to pause policy | In development | |
| Power Automate integration | Public Preview | |
| Remove a Teams message from the Teams chat or channel | Available | |
| Sensitive information types per location report | In development | |
| Support for more granular permissions | Available | |
| Supports seven languages for the threat, targeted harassment, and profanities classifiers | Available | |
| Support for Teams, Exchange, and ability to remove Teams message | Available | |
| Tagging improvements | Available | |
| Teams conversation context | Available | |
| Translate content during investigation | Available | |
| Microsoft Purview Information barriers | Information barriers | Available |
| Admin experience: Segments and policies landing page | Rolling out | |
| Microsoft Purview Insider Risk Management | Ability to export alerts | Available |
| Activity explorer data surfaced | Available | |
| Analytics | Public Preview | |
| Case dashboard | Available | |
| Content Explorer enhancements | Available | |
| Data leaks by disgruntled users | In development | |
| Data theft by departing users | Available | |
| Data leaks by priority users | Public Preview | |
| Enhanced support for domains | In development | |
| Escalate for investigation for eDiscovery (Premium) | Available | |
| Export alerts enhancements | In development | |
| General data leaks | Available | |
| General security policy violations | In development | |
| Increased set of first party indicators | In development | |
| Indicators for security policy violation | In development | |
| Indicators for Microsoft Defender for Endpoint alerts | In development | |
| Indicators for Office (Teams, SharePoint sites, email messaging) | Available | |
| Indicators for Windows 10 endpoints activity | Available | |
| Intelligent support for domain settings | Available | |
| Microsoft Defender for Endpoint alerts | In development | |
| Microsoft Teams integration | Public Preview | |
| Native triggers (new signals, indicator selection, customization and Activity Explorer | Rolling out | |
| Office indicators for Teams, SharePoint sites, email messaging | Available | |
| Policy customization, policy health check and enhanced policy creation wizard | Available | |
| Policy templates for data leaks by disgruntled users | Public Preview | |
| Policy templates for data leaks by priority users | Public Preview | |
| Policy templates for general security policy violations | In development | |
| Policy templates for security policy violations by priority users, departing users, disgruntled users | In development | |
| Power Automate integration | Public Preview | |
| Priority user groups | Public Preview | |
| Recognizes device indicators | Public Preview | |
| Security policy violations by departing users | In development | |
| Security policy violations by disgruntled users | In development | |
| Security policy violations by priority users | In development | |
| ServiceNow template for Power Automate | Public Preview | |
| Supports native triggers for Microsoft Entra account deletion | Available | |
| Triage and investigation improvements | In development | |
| User activity reports | Public Preview | |
| “Watch the watchers” audit trail | Available | |
| eDiscovery (Standard) | Auditing | Available |
| Case management | Available | |
| Compliance boundaries for OneDrive for Business | Available | |
| Export | Available | |
| In-place preservation | Available | |
| Native export | Available | |
| RMS decryption | Available | |
| Search | Available | |
| Microsoft Purview Compliance Portal expanded support to search and export items in SharePoint and OneDrive for Business Recycle bin | Available | |
| eDiscovery (Premium) | Advanced processing | Available |
| Case limits enhancements | In development | |
| Collect and review encrypted content in SharePoint and/or OneDrive for Business | Available | |
| Collection of Teams conversation as transcript | In development | |
| Communications templates and issuing officer settings | Rolling out | |
| Custodian to workload mapping | Available | |
| Custodian communications | Available | |
| Dashboard | Available | |
| Data purge capabilities for Microsoft Teams | In development | |
| Deep crawling/indexing | Available | |
| Double byte character support (Chinese, Japanese, Korean) | Available | |
| Email threading | Available | |
| Enhanced import custodians wizard experience | Rolling out | |
| Export (download, export, add to another view set) | Available | |
| Filtering | Available | |
| Historical versions | In development | |
| Hold optimizations | In development | |
| Hold reports | In development | |
| Identify Teams as data sources | In development | |
| Legal hold for Teams private channels messages | Available | |
| Compliance Portal expanded support to search and export items in SharePoint and OneDrive for Business Recycle Bin | In development | |
| Near duplicate identification | Available | |
| New predictive coding module | On engineering backlog | |
| Non-custodial data sources | Available | |
| Non-Office 365 ingestion | Available | |
| Predictive coding | Available | |
| Processed export with load file | Available | |
| Redactions | Available | |
| Review sets | Available | |
| Review data (query data, smart tags, dashboard) and annotate (redact) | Available | |
| Search Term report | Available | |
| Single item error remediation | Available | |
| Support PST export | Available | |
| Supporting linked content from OneDrive and SharePoint Online (modern attachments) | Available | |
| Support Teams reactions | In development | |
| Tagging | Available | |
| Tenant reports | Available | |
| Themes | Available | |
| Viewers | Available | |
| Audit (Standard) | Audit (Standard) | Available |
| Audit (Premium) | Access to crucial events (for example, MailItemsAccessed) | Available |
| Audit retention dashboard | Available | |
| Audit search enhancements | On engineering backlog | |
| Increased bandwidth to management activity API | Available | |
| Legal hold for Teams private channels messages | Available | |
| Log retention (1 year) | Available | |
| Longer term retention on audit logs (10 years) | Available | |
| Mail forward and mail send events | Available | |
| Microsoft Defender portal and Compliance Portal | Available | |
| Search term events in Exchange Online and SharePoint Online | Available | |
| Compliance posture | ||
| Compliance Management | Compliance Portal | Available |
| Microsoft Purview Compliance Manager | Available | |
| Compliance manager: Alerts and notifications | In development | |
| Compliance manager: Continuous compliance assessments | Rolling out | |
| Compliance manager: Out-of-the-box assessments for non-Microsoft 365 assets | Available | |
| Compliance manager: Recommended engine for bulk assessment creation | In development | |
| Double byte character support | Available | |
| Microsoft Defender for Cloud Apps | Available | |
| Ecosystem | ||
| Microsoft Purview Data connectors | First-party data connectors: HR | Available |
| First-party data connectors: HR 1.2 | In development | |
| First-party data connectors: Physical badging | Available | |
| Graph APIs for eDiscovery (Premium) | In development | |
| Graph APIs for Records Management | In development | |
| Graph APIs for Teams export data | In development | |
| Third-party data connectors (17a-4 and CellTrust Connectors) | Available | |
| Third-party data connectors (Telemessage) | Available | |
| Third-party data connectors (Veritas) | In development | |
| Privacy | ||
| Privacy management | Microsoft Priva Privacy Risk Management | In development |
| Microsoft Priva Subject Rights Requests | In development |
1 Identified status is subject to change as project plans and priorities are reevaluated.
Decision point: Decide whether the compliance features meet your organization’s needs.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for