Exchange Online for US government environments

This article provides an overview of feature differences between the US government cloud and the commercial cloud as listed in the Exchange Online service description. Exchange Online is available for the Government Community Cloud (GCC), GCC High, and Department of Defense (DoD) environments.

For more information about the government cloud, including eligibility and purchasing, see Microsoft 365 Government - how to buy. To compare Office 365 Government plans, see Office 365 Government plans.

To learn about required endpoints when managing network connectivity, see the Office 365 U.S. Government GCC High endpoints or Office 365 U.S. Government DoD endpoints.

In addition to enjoying the features and capabilities of Office 365, organizations benefit from the following features unique to the US government cloud environments:

  • Your organization’s customer content is logically segregated from customer content in the commercial Office 365 services.

  • Your organization’s customer content is stored at rest within the United States.

  • Access to your organization’s customer content is restricted to screened Microsoft personnel.

  • The government cloud environments comply with certifications and accreditations often required for US Public Sector customers.

It is our general intent to deliver all Exchange commercial features and functionality to the government cloud environment. That said, some features are not available because of the requirements of government cloud customers. Other features are coming to the government environments but are not yet available. Refer to the following sections to learn about feature availability in the government cloud environments.

Exchange Online features

The following table outlines whether specified Exchange Online features are available within the GCC, GCC High, and DoD environments. Where the statement of support (or lack thereof) has nuances, additional context is provided.

| Feature area | GCC | GCC High | DoD | Key considerations |
|---|---|---|---|---|
| Planning and deployment | | | | |
| Hybrid deployment supported | Yes | Yes | Yes | For co-existence with Exchange Server on-premises, Microsoft requires installing at least one Exchange Server 2013 Client Access Server (or Exchange Server 2016). Exchange Server 2010 and earlier are not supported. |
| IMAP migration supported | Yes | Yes | Yes | |
| Cutover migration supported | Yes | Yes | Yes | |
| Staged migration supported | Yes | Yes | Yes | GSuite migration is not supported for GCC High and DoD. For more information, see Perform a GSuite migration. |
| Permissions | GCC | GCC High | DoD | Key considerations |
| Role-based permissions | Yes | Yes | Yes | |
| Role groups | Yes | Yes | Yes | |
| Role assignment policies | Yes | Yes | Yes | |
| Message policy and compliance | GCC | GCC High | DoD | Key considerations |
| Archiving Exchange Online-based mailboxes | Yes | Yes | Yes | |
| Cloud-based archiving of on-premises mailboxes | Yes | Yes | Yes | |
| Messaging Records Management (MRM) | Yes | Yes | Yes | |
| Manual retention policies, labels, and tags | Yes | Yes | Yes | |
| Encryption of data at rest (BitLocker) | Yes | Yes | Yes | |
| IRM using Azure Information Protection | Yes | Yes | Yes | For more information regarding limitations of AIP in GCC High and DoD, see Azure Information Protection Premium Government Service Description. Azure Information Protection is not included in G1/F3, but it can be purchased as a separate add-on and will enable the supported Information Rights Management (IRM) features. Some Azure Information Protection features require a subscription to Office 365 ProPlus, which is not included with Office 365 Government G1 or Office 365 Government F3. |
| IRM using Windows Server AD RMS | Yes | Yes | Yes | Windows Server AD RMS is an on-premises server that must be purchased and managed separately to enable the supported IRM features. |
| Office 365 Message Encryption | Yes | Yes | Yes | See Office 365 Message Encryption behavior across GCC High/DoD boundary in this article and Unique characteristics of Office 365 Message Encryption in a GCC High deployment, which document behavioral nuances of Office 365 Message Encryption when sending messages between GCC High/DoD and non GCC High/DoD users. |
| Customer Key | Yes | Yes | Yes | Requires G5 service plan. |
| S/MIME | Yes | Yes | Yes | |
| In-Place Hold and Litigation Hold | Yes | Yes | Yes | Requires G3 or G5 service plan. |
| In-Place eDiscovery | Yes | Yes | Yes | |
| Mail flow rules | Yes | Yes | Yes | |
| Data loss prevention | Yes | Yes | Yes | Requires G3 or G5 service plan. |
| Journaling | Yes | Yes | Yes | |
| Anti-spam and anti-malware protection | GCC | GCC High | DoD | Key considerations |
| Built-in anti-spam protection | Yes | Yes | Yes | |
| Customize anti-spam policies | Yes | Yes | Yes | |
| Built-in anti-malware protection | Yes | Yes | Yes | |
| Customize anti-malware policies | Yes | Yes | Yes | |
| Quarantine - administrator management | Yes | Yes | Yes | |
| Quarantine - end-user self-management | Yes | Yes | Yes | |
| Advanced Threat Protection | Yes | Yes | Yes | Requires G5 service plan (or purchase of add-on). Anti-phishing for user and domain impersonation and spoof intelligence are not yet available in GCC High and DoD. |
| Mail flow | GCC | GCC High | DoD | Key considerations |
| Custom routing of outbound mail | Yes | Yes | Yes | |
| Secure messaging with a trusted partner | Yes | Yes | Yes | |
| Conditional mail routing | Yes | Yes | Yes | |
| Adding a partner to an inbound safe list | Yes | Yes | Yes | |
| Hybrid email routing | Yes | Yes | Yes | |
| Recipients | GCC | GCC High | DoD | Key considerations |
| Capacity alerts | Yes | Yes | Yes | |
| Clutter | Yes | Yes | Yes | |
| MailTips | Yes | Yes | Yes | |
| Delegate access | Yes | Yes | Yes | |
| Inbox rules | Yes | Yes | Yes | |
| Connected accounts | Yes | No | No | This feature is not supported in GCC High or DoD due to restrictions on outbound connections to third-party services. For more information about features impacted, see Connectivity with third-party services in this article. |
| Inactive mailboxes | Yes | Yes | Yes | Requires G3 or G5 service plan. |
| Offline address book | Yes | Yes | Yes | |
| Address book policies | Yes | Yes | Yes | |
| Hierarchical address book | Yes | Yes | Yes | |
| Address lists and global address list | Yes | Yes | Yes | |
| Office 365 Groups | Yes | Yes | Yes | Guest access to Office 365 groups is not supported in GCC High and DoD environments. For more information, see Azure Government Security + Identity. |
| Distribution Groups | Yes | Yes | Yes | |
| External contacts (global) | Yes | Yes | Yes | Subject to org-relationship collaboration limitations in GCC High and DoD environments. |
| Contact linking with social networks | Yes | No | No | This feature is not supported in GCC High or DoD. |
| Resource mailboxes | Yes | Yes | Yes | |
| Conference room management | Yes | Yes | Yes | |
| Out-of-office replies | Yes | Yes | Yes | |
| Internet Calendar sharing | Yes | No | No | In GCC High, Internet Calendar publishing/sharing works for inbound connection to calendars shared by GCC High users, but not for GCC High users connecting outbound to a shared calendar outside of GCC High. In DoD, Internet Calendar sharing is not supported due to the requirement for inbound/outbound connection allow listing in that environment. |
| Reporting features and troubleshooting tools | GCC | GCC High | DoD | Key considerations |
| Microsoft 365 admin center reports | Yes | Yes | No | Reports not available for DoD. Refer to the platform features section of the Office 365 US Government service description for updates/current availability. |
| Web Services reports | Yes | Yes | No | Reports not available for DoD. Refer to the platform features section of the Office 365 US Government service description for updates/current availability. |
| Message trace | Yes | Yes | Yes | |
| Auditing reports | Yes | Yes | No | Reports not available for DoD. Refer to the platform features section of the Office 365 US Government service description for updates/current availability. |
| Unified Messaging reports | Yes | No | No | |
| Sharing and collaboration | GCC | GCC High | DoD | Key considerations |
| Federated sharing (including calendar publishing) | Yes | Yes | Yes | Limitations exist in both GCC High and DoD. See Free/Busy federation in this article. |
| Site mailboxes | Yes | Yes | Yes | |
| Public folders | Yes | Yes | Yes | |
| Clients and mobile devices | GCC | GCC High | DoD | Key considerations |
| Outlook for Windows | Yes | Yes | Yes | To meet GCC High and DoD compliance requirements, you must be running at least version 1803 of Office 365 ProPlus. Office 365 ProPlus is not included with G1 or F3. |
| Outlook on the web | Yes | Yes | Yes | |
| Outlook for Mac | Yes | Yes | Yes | To meet GCC High and DoD compliance requirements, you must be running at least version 1803 of Office 365 ProPlus. Office 365 ProPlus is not included with G1 or F3. |
| Outlook for iOS and Android | Yes | Yes | Yes | |
| Exchange ActiveSync | Yes | Yes | Yes | |
| Mobile Device Management for Office 365 | Yes | Yes | Yes | |
| POP and IMAP | Yes | Yes | Yes | |
| SMTP | Yes | Yes | Yes | |
| EWS application support | Yes | Yes | Yes | |
| Voice message services | GCC | GCC High | DoD | Key considerations |
| Voice mail | No | No | No | Integration of on-premises IP-PBX systems with Exchange Online Unified Messaging is not supported. |
| Integration between voice mail and third-party FAX | No | No | No | Integration of on-premises IP-PBX systems with Exchange Online Unified Messaging is not supported. |
| Third-party voice mail interoperability | No | No | No | Integration of on-premises IP-PBX systems with Exchange Online Unified Messaging is not supported. |
| Skype for Business integration | Yes | Yes | Yes | |
| High availability and business continuity | GCC | GCC High | DoD | Key considerations |
| Mailbox replication at datacenters | Yes | Yes | Yes | |
| Deleted mailbox recovery | Yes | Yes | Yes | |
| Deleted item recovery | Yes | Yes | Yes | |
| Single item recovery | Yes | Yes | Yes | |
| Interoperability, connectivity, and compatibility | GCC | GCC High | DoD | Key considerations |
| Presence in OWA and Outlook | Yes | Yes | Yes | |
| SharePoint interoperability | Yes | Yes | Yes | |
| EWS connectivity support | Yes | Yes | Yes | |
| SMTP relay support | Yes | Yes | Yes | |
| Exchange Online setup and administration | GCC | GCC High | DoD | Key considerations |
| Microsoft Office 365 portal access | Yes | Yes | No | Reports not available for DoD. Refer to the platform features section of the Office 365 US Government service description for updates/current availability. |
| Microsoft 365 admin center access | Yes | Yes | No | Reports not available for DoD. Refer to the platform features section of the Office 365 US Government service description for updates/current availability. |
| Exchange admin center access | Yes | Yes | Yes | |
| Remote Windows PowerShell access | Yes | Yes | Yes | |
| ActiveSync policies for mobile devices | Yes | Yes | Yes | |
| Usage reporting | Yes | Yes | No | Reports not available for DoD. Refer to the platform features section of the Office 365 US Government service description for updates/current availability. |
| Extending the service - customization, add-ins, and resources | GCC | GCC High | DoD | Key considerations |
| Outlook add-ins and Outlook MAPI | Yes | Yes | Yes | Only some OWA and Outlook add-ins are available in GCC High and DoD. See Add-ins in Outlook and Outlook Web App in this article. |

Feature nuances within GCC High and DoD environments

Connectivity with third-party services  

Both GCC High and DoD environments are restricted environments that require explicit approval and configuration of outbound connections. Additionally, Microsoft cannot accommodate requests to allow outbound access from these environments to commercial cloud services (Commercial Office 365, Google GSuite, Amazon Web Services, and so on).     

Due to these restrictions, features that rely on this outbound connectivity from the GCC High/DoD environments are generally not supported, including: 

  • Connected Accounts—Users cannot add/sync accounts (Google, POP/IMAP, and so on). 

  • Support for third-party file storage providers—Only the user’s OneDrive for Business account within GCC High/DoD can be accessed from within the various Outlook clients for the purpose of attaching/sharing files. Third-party storage accounts (Dropbox, Box, Google Drive) cannot be added.

  • Connectivity with social networks, such as Facebook or LinkedIn. 

Azure Active Directory B2B collaboration 

Azure Active Directory B2B collaboration is currently supported only between organizations that are both within Azure US Government cloud and that both support B2B collaboration.

Additionally, B2B users as guests in Office 365 groups are not supported in GCC High and DoD environments. 

For more details and the latest updates, see Azure Government Security + Identity.

Office 365 Message Encryption behavior across GCC High/DoD boundary 

If you use Office 365 Message Encryption in a GCC High environment, be aware of these unique characteristics of the recipient experience:

  • When sending encrypted email from GCC High or DoD to recipients in the same environment:

    • Senders can manually encrypt emails in Outlook for PC and Mac and Outlook on the web, or organizations can set up a policy to encrypt emails using Exchange mail flow rules. 

    • Recipients inside GCC High/DoD receive the same inline reading experience in Outlook for PC and Mac and Outlook on the web as all other Office 365 users. 

  • When sending encrypted email from GCC High or DoD to recipients outside of that environment (including GCC and Commercial):

    • Senders inside GCC High/DoD can send encrypted email outside of the GCC High/DoD boundary. 

    • All recipients outside GCC High/DoD, including commercial Office 365 users, Outlook.com users, and users of other email providers, receive a wrapper mail. This wrapper mail redirects the recipient to the OME Portal, where the recipient can read and reply to the message.

For more details and the latest updates, see Compare versions of OME.

Free/Busy federation

Federated sharing, including free/busy information, is currently subject to several important limitations in the GCC High and DoD environments.

In the GCC High environment:

  • Federation trust (including bidirectional free/busy sharing) is supported between tenants within GCC High and through hybrid coexistence (Exchange 2013 or later).

  • Federated sharing is not supported between tenants in GCC High and GCC or Office 365 commercial. Outbound connections from the GCC High environment to commercial clouds (including GCC and Office 365 commercial) are not allowed at this time. As a result, GCC High users are not able to make the required outbound request to GCC/commercial to access shared calendar information.

In the DoD environment:

  • Federation trust (including free/busy sharing) is currently supported only between tenants within the DoD environment. It is not supported between DoD tenants and GCC or commercial tenants.

Client configuration 

Additional steps are involved in deploying and configuring Office ProPlus (including Outlook). For a detailed description of these steps, see Guidance for deploying Microsoft 365 Apps for enterprise in a GCC High or DoD environment.

Outlook for iOS and Android is also available for GCC High and DoD environments. To learn more about feature limitations and management in those environments, see Using Outlook for iOS and Android in the Government Community Cloud.

Add-ins in Outlook and Outlook Web App  

Only some OWA and Outlook add-ins are available in GCC High and DoD. My Templates and Suggested Meetings are available and expected to function. Only the five default OWA add-ins are supported. Integration with third-party applications is possible; however, those integrations are not covered by Microsoft compliance promises for GCC High or DoD. Customers should familiarize themselves with third-party data handling practices and compliance promises before configuring the add-on for their organization.