Exchange Online for US government environments
This article provides an overview of feature differences between the US government cloud and the commercial cloud as listed in the Exchange Online service description. Exchange Online is available for the Government Community Cloud (GCC), GCC High, and Department of Defense (DoD) environments.
For more information about the government cloud, including eligibility and purchasing, see Microsoft 365 Government - how to buy. To compare Office 365 Government plans, see Office 365 Government plans.
To learn about required endpoints when managing network connectivity, see the Office 365 U.S. Government GCC High endpoints or Office 365 U.S. Government DoD endpoints.
In addition to enjoying the features and capabilities of Office 365, organizations benefit from the following features unique to the US government cloud environments:
Your organization’s customer content is logically segregated from customer content in the commercial Office 365 services.
Your organization’s customer content is stored at rest within the United States.
Access to your organization’s customer content is restricted to screened Microsoft personnel.
The government cloud environments comply with certifications and accreditations often required for US Public Sector customers.
It is our general intent to deliver all Exchange commercial features and functionality to the government cloud environment. That said, some features aren't available because of the requirements of government cloud customers. Other features are coming to the government environments but aren't yet available. Refer to the following sections to learn about feature availability in the government cloud environments.
Exchange Online features
The following table outlines whether specified Exchange Online features are available within the GCC, GCC High, and DoD environments. When there are nuances regarding the statement of support (or lack thereof), additional context is provided.
| Feature | GCC | GCC High | DoD | Key considerations |
|---|---|---|---|---|
| Planning and deployment | ||||
| Hybrid deployment supported | Yes | Yes | Yes | For coexistence with Exchange Server on-premises, Microsoft requires installing at least one Exchange Server 2013 Client Access Server (or Exchange Server 2016.). Exchange Server 2010 and earlier aren't supported. |
| IMAP migration supported | Yes | Yes | Yes | |
| Cutover migration supported | Yes | Yes | Yes | |
| Staged migration supported | Yes | Yes | Yes | GSuite migration isn't supported for GCC High and DoD. For more information, see Perform a GSuite migration. |
| Permissions | GCC | GCC High | DoD | Key considerations |
| Role-based permissions | Yes | Yes | Yes | |
| Role groups | Yes | Yes | Yes | |
| Role assignment policies | Yes | Yes | Yes | |
| Message policy and compliance | GCC | GCC High | DoD | Key considerations |
| Archiving Exchange Online-based mailboxes | Yes | Yes | Yes | |
| Cloud-based archiving of on-premises mailboxes | Yes | Yes | Yes | |
| Messaging Records Management (MRM) | Yes | Yes | Yes | |
| Manual retention policies, labels, and tags | Yes | Yes | Yes | |
| Encryption of data at rest (BitLocker) | Yes | Yes | Yes | |
| IRM using Azure Information Protection | Yes | Yes | Yes | For more information regarding limitations of AIP in GCC High and DoD, see Azure Information Protection Premium Government Service Description. Azure Information Protection isn't included in G1/F3, but it can be purchased as a separate add-on and will enable the supported Information Rights Management (IRM) features. Some Azure Information Protection features require a subscription to Office 365 ProPlus, which isn't included with Office 365 Government G1 or Office 365 Government F3. |
| IRM using Windows Server AD RMS | Yes | Yes | Yes | Windows Server AD RMS is an on-premises server that must be purchased and managed separately to enable the supported IRM features. |
| Microsoft Purview Advanced Message Encryption | Yes | Yes | Yes | See Message Encryption behavior across GCC High/DoD boundary in this article and in the article Compare versions of message encryption. Unique characteristics of Message Encryption in a GCC High deployment, which document behavioral nuances of Message Encryption when sending messages between GCC High/DoD and non-GCC High/DoD users. |
| Microsoft Purview Customer Key | Yes | Yes | Yes | Requires G5 service plan. |
| S/MIME | Yes | Yes | Yes | |
| In-Place Hold and Litigation Hold | Yes | Yes | Yes | Requires G3 or G5 service plan. |
| In-Place eDiscovery | Yes | Yes | Yes | |
| Mail flow rules | Yes | Yes | Yes | |
| Microsoft Purview Data Loss Prevention | Yes | Yes | Yes | Requires G3 or G5 service plan. |
| Journaling | Yes | Yes | Yes | |
| Anti-spam and anti-malware protection | GCC | GCC High | DoD | Key considerations |
| Built-in anti-spam protection | Yes | Yes | Yes | |
| Customize anti-spam policies | Yes | Yes | Yes | |
| Built-in anti-malware protection | Yes | Yes | Yes | |
| Customize anti-malware policies | Yes | Yes | Yes | |
| Quarantine - administrator management | Yes | Yes | Yes | |
| Quarantine - end-user self-management | Yes | Yes | Yes | |
| Microsoft Defender for Office 365 | Yes | Yes | Yes | Requires G5 Service plan (or purchase of add-on). Anti-phishing for user and domain impersonation and spoof intelligence aren't yet available in GCC High and DoD. |
| Mail flow | GCC | GCC High | DoD | Key considerations |
| Custom routing of outbound mail | Yes | Yes | Yes | |
| Secure messaging with a trusted partner | Yes | Yes | Yes | |
| Conditional mail routing | Yes | Yes | Yes | |
| Adding a partner to an inbound safe list | Yes | Yes | Yes | |
| Hybrid email routing | Yes | Yes | Yes | |
| Recipients | GCC | GCC High | DoD | Key considerations |
| Capacity alerts | Yes | Yes | Yes | |
| Clutter | Yes | Yes | Yes | |
| MailTips | Yes | Yes | Yes | |
| Delegate access | Yes | Yes | Yes | |
| Inbox rules | Yes | Yes | Yes | |
| Connected accounts | Yes | No | No | This feature isn't supported in GCC High or DoD due to restrictions on outbound connections to third-party services. For more information about features impacted, see Connectivity with third-party services in this article. |
| Inactive mailboxes | Yes | Yes | Yes | Requires G3 or G5 service plan. |
| Offline address book | Yes | Yes | Yes | |
| Address book policies | Yes | Yes | Yes | |
| Hierarchical address book | Yes | Yes | Yes | |
| Address lists and global address list | Yes | Yes | Yes | |
| Office 365 Groups | Yes | Yes | Yes | Guest access to Office 365 groups isn't supported in GCC High and DoD environments. For more information, see Azure Government Security + Identity. |
| Distribution Groups | Yes | Yes | Yes | |
| External contacts (global) | Yes | Yes | Yes | Subject to org-relationship collaboration limitations in GCC High and DoD environments. |
| Contact linking with social networks | Yes | No | No | This feature isn't supported in GCC High or DoD. |
| Resource mailboxes | Yes | Yes | Yes | |
| Conference room management | Yes | Yes | Yes | |
| Out-of-office replies | Yes | Yes | Yes | |
| Internet Calendar sharing | Yes | No | No | In GCC High, Internet Calendar publishing/sharing works for inbound connection to calendars shared by GCC High users, but not for GCC High users connecting outbound to a shared calendar outside of GCC High. In DoD–Internet Calendar sharing isn't supported due to the requirement for inbound/outbound connection allow listing in that environment. |
| Reporting features and troubleshooting tools | GCC | GCC High | DoD | Key considerations |
| Microsoft 365 Admin Center Activity Reports | Yes | Yes | Yes | |
| Microsoft Graph Reports (GA release) | Yes | Yes | Yes | |
| Message trace | Yes | Yes | Yes | |
| Auditing reports | Yes | Yes | No | Refer to the platform features section of the Office 365 US Government service description for updates/current availability. |
| Unified Messaging reports | Yes | No | No | |
| Sharing and collaboration | GCC | GCC High | DoD | Key considerations |
| Federated sharing (including calendar publishing) | Yes | Yes | Yes | Limitations exist in both GCC High and DoD. See Free/Busy federation in this article. |
| Site mailboxes | Yes | Yes | Yes | |
| Public folders | Yes | Yes | Yes | |
| Clients and mobile devices | GCC | GCC High | DoD | Key considerations |
| To Do on the Web | Yes | Yes | Yes | |
| Outlook for Windows | Yes | Yes | Yes | To meet GCC High and DoD compliance requirements, you must be running at least version 1803 of Office 365 ProPlus. Office 365 ProPlus isn't included with G1 or F3. |
| Outlook on the web1 | Yes | Yes | Yes | Desktop Email Notifications are not supported for GCC. |
| Outlook for Mac | Yes | Yes | Yes | To meet GCC High and DoD compliance requirements, you must be running at least version 1803 of Office 365 ProPlus. Office 365 ProPlus isn't included with G1 or F3. |
| Outlook for iOS and Android | Yes | Yes | Yes | |
| Exchange ActiveSync | Yes | Yes | Yes | |
| Basic Mobility and Security for Microsoft 365 | Yes | No | No | |
| POP and IMAP | Yes | Yes | Yes | |
| SMTP | Yes | Yes | Yes | |
| EWS application support2 | Yes | Yes | Yes | |
| Voice message services | GCC | GCC High | DoD | Key considerations |
| Voice mail | No | No | No | Integration of on-premises IP-PBX systems with Exchange Online Unified Messaging isn't supported. |
| Integration between voice mail and third-party FAX | No | No | No | Integration of on-premises IP-PBX systems with Exchange Online Unified Messaging isn't supported. |
| Third-party voice mail interoperability | No | No | No | Integration of on-premises IP-PBX systems with Exchange Online Unified Messaging isn't supported. |
| Skype for Business integration | Yes | Yes | Yes | |
| High availability and business continuity | GCC | GCC High | DoD | Key considerations |
| Mailbox replication at datacenters | Yes | Yes | Yes | |
| Deleted mailbox recovery | Yes | Yes | Yes | |
| Deleted item recovery | Yes | Yes | Yes | |
| Single item recovery | Yes | Yes | Yes | |
| Interoperability, connectivity, and compatibility | GCC | GCC High | DoD | Key considerations |
| Presence in OWA and Outlook | Yes | Yes | Yes | |
| SharePoint interoperability | Yes | Yes | Yes | |
| EWS connectivity support | Yes | Yes | Yes | |
| SMTP relay support | Yes | Yes | Yes | |
| Exchange Online setup and administration | GCC | GCC High | DoD | Key considerations |
| Microsoft Office 365 portal access | Yes | Yes | No | Refer to the platform features section of the Office 365 US Government service description for updates/current availability. |
| Microsoft 365 admin center access | Yes | Yes | No | Refer to the platform features section of the Office 365 US Government service description for updates/current availability. |
| Exchange admin center access | Yes | Yes | Yes | |
| Remote Windows PowerShell access | Yes | Yes | Yes | |
| ActiveSync policies for mobile devices | Yes | Yes | Yes | |
| Usage reporting | Yes | Yes | No | Refer to the platform features section of the Office 365 US Government service description for updates/current availability. |
| Extending the service - customization, add-ins, and resources | GCC | GCC High | DoD | Key considerations |
| Outlook add-ins and Outlook MAPI | Yes | Yes | Yes | Only some OWA and Outlook add-ins are available in GCC High and DoD. See Add-ins in Outlook and Outlook Web App in this article. |
1 Outlook on the Web can be used in scenarios when Outlook for Windows is unable to display the IRM protected messages due to cross-boundaries restrictions (GCC High / Non-GCC High scenarios).
2 Only egress to specific address spaces the customer can prove they own are allowed, so this precludes third-party services and broad IP ranges used by mobile devices.
Feature nuances within GCC High and DoD environments
Connectivity with third-party services
Both GCC High and DoD environments are restricted environments that require explicit approval and configuration of outbound connections. Additionally, Microsoft can't accommodate requests to allow outbound access from these environments to commercial cloud services (Commercial Office 365, Google GSuite, Amazon Web Services, and so on).
Due to these restrictions, features that rely on this outbound connectivity from the GCC High/DoD environments are generally not supported, including:
Connected accounts - Users can't add/sync accounts (Google, POP/IMAP, and so on).
Support for third-party file storage providers - Only the user’s OneDrive for Business account within GCC High/DoD can be accessed from within the various Outlook clients for the purpose of attaching/sharing files. Third-party storage accounts (Dropbox, Box, Google Drive) can't be added.
Connectivity with social networks, such as Facebook or LinkedIn.
Microsoft Entra ID B2B collaboration
Microsoft Entra ID B2B collaboration is currently supported only between organizations that are both within Azure US Government cloud and that both support B2B collaboration
Additionally, B2B users as guests in Office 365 groups aren't supported in GCC High and DoD environments.
For more information and the latest updates, see Azure Government Security + Identity.
Message Encryption behavior across GCC High/DoD boundary
If you plan to use Message Encryption in a GCC High environment, be aware of these unique characteristics about the recipient experience:
When sending encrypted email from GCC High or DoD to recipients in the same environment:
- Senders can manually encrypt emails in Outlook for PC and Mac and Outlook on the web, or organizations can set up a policy to encrypt emails using Exchange mail flow rules.
- Recipients inside GCC High/DoD receive the same inline reading experience in Outlook for PC and Mac and Outlook on the web as all other Office 365 users.
When sending encrypted email from GCC High to recipients outside of that environment (including DoD, GCC and Commercial):
- Senders inside GCC High can send encrypted email outside of the GCC High boundary.
- All recipients outside GCC High, including DoD, commercial Office 365 users, Outlook.com users, and other users of other email providers, receive a notification mail. This notification mail redirects the recipient to the encrypted message portal where the recipient can read and reply to messages.
- Sharing of documents and downloaded email attachments with users in the commercial cloud is currently not available. Encrypted attachments can only be previewed in the encrypted message portal.
Free/Busy federation
Federated sharing, including free/busy information, is currently subject to several important limitations in the DoD environments.
In the GCC High environment:
- Federation trust (including bidirectional free/busy sharing) is supported between tenants within GCC High, to tenants in GCC and commercial clouds, and through hybrid coexistence (Exchange 2013 or later).
In the DoD environment:
- Federation trust (including free/busy sharing) is currently supported only between tenants within the DoD environment. It isn't supported between DoD tenants and GCC, GCC High, or commercial tenants.
Client configuration
Additional steps are involved in deploying and configuring Office ProPlus (including Outlook). For a detailed description of these steps, see Guidance for deploying Microsoft 365 Apps for enterprise in a GCC High or DoD environment.
Outlook for iOS and Android is also available for GCC High and DoD environments. To learn more about feature limitations and management in those environments, see Using Outlook for iOS and Android in the Government Community Cloud.
Add-ins in Outlook and Outlook Web App
Only some OWA and Outlook add-ins are available in GCC High and DoD. My Templates and Suggested Meetings are available and expected to function. Only the five default OWA add-ins are supported. Integration with third-party applications is possible, however, those integrations aren't covered by Microsoft compliance promises for GCC High or DoD. Customers should familiarize themselves with third-party data handling practices and compliance promises before configuring the add-on for their organization.
Feature nuances within GCC environments for Microsoft To Do
| Feature | Description | WW | Availability in GCC |
|---|---|---|---|
| Platforms supported | Web, Android, iOS, Mac, Windows | All | Web, iOS, and Android |
| M365 hub supports | Integrations with Outlook, Teams, Planner | All | Outlook, Planner (Teams to be available with Teams tasks app) |
| Wunderlist Migration | Allow wunderlist users to migrate data to To Do on the Web | Yes | No |
| Push Notifications | Send Push notifications to end users for reminders etc. | Yes | No |
| Helpshift support | Use helpshift interface to create support request | Yes | No |
| My Day | Plan your day | Yes | Yes |
| Planned List | See all tasks with a due date | Yes | Yes |
| Assigned to You List | All tasks assigned to you in a shared list, Planner, or WXP (future) | Yes | Yes |
| Flagged Email | See emails flagged in outlook as tasks | Yes | Yes |
| Multi Account Support | Use home and office account in one pane | Yes | Yes |
| List sharing | Share lists with colleagues in the same organization | Yes | Yes |
| Cross tenant sharing | Share task list outside your organization | Yes | No |
| Reminders and recurrence | Set reminders for your task | Yes | Yes |
*Any other features not mentioned are available in both environments.