Exchange Online for US government environments
This article provides an overview of feature differences between the US government cloud and the commercial cloud as listed in the Exchange Online service description. Exchange Online is available for the Government Community Cloud (GCC), GCC High, and Department of Defense (DoD) environments.
For more information about the government cloud, including eligibility and purchasing, see Microsoft 365 Government - how to buy. To compare Office 365 Government plans, see Office 365 Government plans.
In addition to enjoying the features and capabilities of Office 365, organizations benefit from the following features unique to the US government cloud environments:
Your organization’s customer content is logically segregated from customer content in the commercial Office 365 services.
Your organization’s customer content is stored at rest within the United States.
Access to your organization’s customer content is restricted to screened Microsoft personnel.
The government cloud environments comply with certifications and accreditations often required for US Public Sector customers.
It is our general intent to deliver all Exchange commercial features and functionality to the government cloud environment. That said, some features are not available because of the requirements of government cloud customers. Other features are coming to the government environments but are not yet available. Refer to the following sections to learn about feature availability in the government cloud environments.
Exchange Online features
The following table outlines whether specified Exchange Online features are available within the GCC, GCC High, and DoD environments. When there are nuances regarding the statement of support (or lack thereof) additional context is provided.
|Feature area||GCC||GCC High||DoD||Key considerations|
|Planning and deployment|
|Hybrid deployment supported||Yes||Yes||Yes||For co-existence with Exchange Server on-premises, Microsoft requires installing at least one Exchange Server 2013 Client Access Server (or Exchange Server 2016.). Exchange Server 2010 and earlier are not supported.|
|IMAP migration supported||Yes||Yes||Yes|
|Cutover migration supported||Yes||Yes||Yes|
|Staged migration supported||Yes||Yes||Yes||GSuite migration is not supported for GCC High and DoD. For more information, see Perform a GSuite migration.|
|Permissions||GCC||GCC High||DoD||Key considerations|
|Role assignment policies||Yes||Yes||Yes|
|Message policy and compliance||GCC||GCC High||DoD||Key considerations|
|Archiving Exchange Online-based mailboxes||Yes||Yes||Yes|
|Cloud-based archiving of on-premises mailboxes||Yes||Yes||Yes|
|Messaging Records Management (MRM)||Yes||Yes||Yes|
|Manual retention policies, labels, and tags||Yes||Yes||Yes|
|Encryption of data at rest (BitLocker)||Yes||Yes||Yes|
|IRM using Azure Information Protection||Yes||Yes||Yes||For more information regarding limitations of AIP in GCC High and DoD, see Azure Information Protection Premium Government Service Description.
Azure Information Protection is not included in G1/F3, but it can be purchased as a separate add-on and will enable the supported Information Rights Management (IRM) features. Some Azure Information Protection features require a subscription to Office 365 ProPlus, which is not included with Office 365 Government G1 or Office 365 Government F3.
|IRM using Windows Server AD RMS||Yes||Yes||Yes||Windows Server AD RMS is an on-premises server that must be purchased and managed separately to enable the supported IRM features.|
|Office 365 Message Encryption||Yes||Yes||Yes||See Office 365 Message Encryption behavior across GCC High/DoD boundary in this article and Unique characteristics of Office 365 Message Encryption in a GCC High deployment, which document behavioral nuances of Office 365 Message Encryption when sending messages between GCC High/DoD and non GCC High/DoD users.|
|Customer Key||Yes||Yes||Yes||Requires G5 service plan.|
|In-Place Hold and Litigation Hold||Yes||Yes||Yes||Requires G3 or G5 service plan.|
|Mail flow rules||Yes||Yes||Yes|
|Data loss prevention||Yes||Yes||Yes||Requires G3 or G5 service plan.|
|Anti-spam and anti-malware protection||GCC||GCC High||DoD||Key considerations|
|Built-in anti-spam protection||Yes||Yes||Yes|
|Customize anti-spam policies||Yes||Yes||Yes|
|Built-in anti-malware protection||Yes||Yes||Yes|
|Customize anti-malware policies||Yes||Yes||Yes|
|Quarantine - administrator management||Yes||Yes||Yes|
|Quarantine - end-user self-management||Yes||Yes||Yes|
|Advanced Threat Protection||Yes||Yes||Yes||Requires G5 Service plan (or purchase of add-on).
Anti-phishing for user and domain impersonation and spoof intelligence are not yet available in GCC High and DoD.
|Mail flow||GCC||GCC High||DoD||Key considerations|
|Custom routing of outbound mail||Yes||Yes||Yes|
|Secure messaging with a trusted partner||Yes||Yes||Yes|
|Conditional mail routing||Yes||Yes||Yes|
|Adding a partner to an inbound safe list||Yes||Yes||Yes|
|Hybrid email routing||Yes||Yes||Yes|
|Recipients||GCC||GCC High||DoD||Key considerations|
|Connected accounts||Yes||No||No||This feature is not supported in GCC High or DoD due to restrictions on outbound connections to third-party services. For more information about features impacted, see Connectivity with third-party services in this article.|
|Inactive mailboxes||Yes||Yes||Yes||Requires G3 or G5 service plan.|
|Offline address book||Yes||Yes||Yes|
|Address book policies||Yes||Yes||Yes|
|Hierarchical address book||Yes||Yes||Yes|
|Address lists and global address list||Yes||Yes||Yes|
|Office 365 Groups||Yes||Yes||Yes||Guest access to Office 365 groups is not supported in GCC High and DoD environments. For more information, see Azure Government Security + Identity.|
|External contacts (global)||Yes||Yes||Yes||Subject to org-relationship collaboration limitations in GCC High and DoD environments.|
|Contact linking with social networks||Yes||No||No||This feature is not supported in GCC High or DoD.|
|Conference room management||Yes||Yes||Yes|
|Internet Calendar sharing||Yes||No||No||In GCC High, Internet Calendar publishing/sharing works for inbound connection to calendars shared by GCC High users, but not for GCC High users connecting outbound to a shared calendar outside of GCC High.
In DoD–Internet Calendar sharing is not supported due to the requirement for inbound/outbound connection allow listing in that environment.
|Reporting features and troubleshooting tools||GCC||GCC High||DoD||Key considerations|
|Microsoft 365 admin center reports||Yes||Yes||No||Reports not available for DoD. Refer to the platform features section of the Office 365 US Government service description for updates/current availability.|
|Web Services reports||Yes||Yes||No||Reports not available for DoD. Refer to the platform features section of the Office 365 US Government service description for updates/current availability.|
|Auditing reports||Yes||Yes||No||Reports not available for DoD. Refer to the platform features section of the Office 365 US Government service description for updates/current availability.|
|Unified Messaging reports||Yes||No||No|
|Sharing and collaboration||GCC||GCC High||DoD||Key considerations|
|Federated sharing (including calendar publishing)||Yes||Yes||Yes||Limitations exist in both GCC High and DoD. See Free/Busy federation in this article.|
|Clients and mobile devices||GCC||GCC High||DoD||Key considerations|
|Outlook for Windows||Yes||Yes||Yes||To meet GCC High and DoD compliance requirements, you must be running at least version 1803 of Office 365 ProPlus. Office 365 ProPlus is not included with G1 or F3.|
|Outlook on the web||Yes||Yes||Yes|
|Outlook for Mac||Yes||Yes||Yes||To meet GCC High and DoD compliance requirements, you must be running at least version 1803 of Office 365 ProPlus. Office 365 ProPlus is not included with G1 or F3.|
|Outlook for iOS and Android||Yes||Yes||Yes|
|Mobile Device Management for Office 365||Yes||Yes||Yes|
|POP and IMAP||Yes||Yes||Yes|
|EWS application support||Yes||Yes||Yes|
|Voice message services||GCC||GCC High||DoD||Key considerations|
|Voice mail||No||No||No||Integration of on-premises IP-PBX systems with Exchange Online Unified Messaging is not supported.|
|Integration between voice mail and third-party FAX||No||No||No||Integration of on-premises IP-PBX systems with Exchange Online Unified Messaging is not supported.|
|Third-party voice mail interoperability||No||No||No||Integration of on-premises IP-PBX systems with Exchange Online Unified Messaging is not supported.|
|Skype for Business integration||Yes||Yes||Yes|
|High availability and business continuity||GCC||GCC High||DoD||Key considerations|
|Mailbox replication at datacenters||Yes||Yes||Yes|
|Deleted mailbox recovery||Yes||Yes||Yes|
|Deleted item recovery||Yes||Yes||Yes|
|Single item recovery||Yes||Yes||Yes|
|Interoperability, connectivity, and compatibility||GCC||GCC High||DoD||Key considerations|
|Presence in OWA and Outlook||Yes||Yes||Yes|
|EWS connectivity support||Yes||Yes||Yes|
|SMTP relay support||Yes||Yes||Yes|
|Exchange Online setup and administration||GCC||GCC High||DoD||Key considerations|
|Microsoft Office 365 portal access||Yes||Yes||No|
|Microsoft 365 admin center access||Yes||Yes||No|
|Exchange admin center access||Yes||Yes||Yes|
|Remote Windows PowerShell access||Yes||Yes||Yes|
|ActiveSync policies for mobile devices||Yes||Yes||Yes|
|Extending the service - customization, add-ins, and resources||GCC||GCC High||DoD||Key considerations|
|Outlook add-ins and Outlook MAPI||Yes||Yes||Yes||Only some OWA and Outlook add-ins are available in GCC High and DoD. See Add-ins in Outlook and Outlook Web App in this article.|
Feature nuances within GCC High and DoD environment
Connectivity with third-party services
Both GCC High and DoD environments are restricted environments that require explicit approval and configuration of outbound connections. Additionally, Microsoft cannot accommodate requests to allow outbound access from these environments to commercial cloud services (Commercial Office 365, Google GSuite, Amazon Web Services, and so on).
Due to these restrictions, features that rely on this outbound connectivity from the GCC High/DoD environments are generally not supported, including:
Connected Accounts—Users cannot add/sync accounts (Google, POP/IMAP, and so on).
Support for third-party file storage providers—only the user’s OneDrive for business account within GCC High/DoD can be accessed from within the various Outlook clients for the purpose of attaching/sharing files. Third-party storage accounts (Dropbox, Box, Google Drive) cannot be added.
Connectivity with social networks, such as Facebook or LinkedIn.
Azure Active Directory B2B collaboration
Azure Active Directory B2B collaboration is currently supported only between organizations that are both within Azure US Government cloud and that both support B2B collaboration
Additionally, B2B users as guests in Office 365 groups are not supported in GCC High and DoD environments.
For more details and the latest updates, see Azure Government Security + Identity.
Office 365 Message Encryption behavior across GCC High/DoD boundary
If you to use Office 365 Message Encryption in a GCC High environment, be aware of these unique characteristics about the recipient experience:
When sending encrypted email from GCC High or DoD to recipients in the same environment:
Senders can manually encrypt emails in Outlook for PC and Mac and Outlook on the web, or organizations can set up a policy to encrypt emails using Exchange mail flow rules.
Recipients inside GCC High/DoD receive the same inline reading experience in Outlook for PC and Mac and Outlook on the web as all other Office 365 users.
When sending encrypted email from GCC High or DoD to recipients outside of that environment (including GCC and Commercial):
Senders inside GCC High/DoD can send encrypted email outside of the GCC High/DoD boundary.
All recipients outside GCC High/DoD, including commercial Office 365 users, Outlook.com users, and other users of other email providers, receive a wrapper mail. This wrapper mail redirects the recipient to the OME Portal where the recipient can read and reply to message.
For more details and the latest updates, see Compare versions of OME.
Federated sharing, including free/busy information, is currently subject to several important limitations in the GCC High and DoD environments.
In the GCC High environment:
Federation trust (including bidirectional free/busy sharing) is supported between tenants within GCC High and through hybrid coexistence (Exchange 2013 or later).
Federated sharing is not supported between tenants in GCC High and GCC or Office 365 commercial. Outbound connections from the GCC High environment to commercial clouds (including GCC and Office 365 commercial) are not allowed at this time. As a result, GCC High users are not able to make the required outbound request to GCC/commercial to access shared calendar information.
In the DoD environment:
- Federation trust (including free/busy sharing) is currently supported only between tenants within the DoD environment. It is not supported between DoD tenants and GCC or commercial tenants.
Additional steps are involved in deploying and configuring Office ProPlus (including Outlook). For a detailed description of these steps, see Guidance for deploying Microsoft 365 Apps for enterprise in a GCC High or DoD environment .
Outlook for iOS and Android is also available for GCC High and DoD environments. To learn more about feature limitations and management in those environments, see Using Outlook for iOS and Android in the Government Community Cloud.
Add-ins in Outlook and Outlook Web App
Only some OWA and Outlook add-ins are available in GCC High and DoD. My Templates and Suggested Meetings are available and expected to function. Only the five default OWA add-ins are supported. Integration with third-party applications is possible, however, those integrations are not covered by Microsoft compliance promises for GCC High or DoD. Customers should familiarize themselves with third-party data handling practices and compliance promises before configuring the add-on for their organization.