Azure GovCloud and M365 GCC High: The CUI Environment Configuration CMMC Requires
CMMC COMPLIANCE

A technical walkthrough of standing up a CMMC-compliant CUI enclave in Microsoft's government cloud stack, from tenant isolation to evidence-ready logging.

Leonard Esere, May 2, 2026

Most defense contractors who handle Controlled Unclassified Information know they need a government-rated cloud environment. What they underestimate is how much configuration sits between "we bought GCC High licenses" and "our CUI enclave is assessment-ready." Azure Government and M365 GCC High provide the foundation, but the CMMC-compliant architecture requires deliberate tenant design, conditional access policy layering, data loss prevention tuning, and audit logging that maps cleanly to NIST SP 800-171 control families. This post walks through the technical decisions that separate a compliant enclave from a government-licensed tenant that still fails an assessment.

Why GCC High, Not Standard Azure Government

Microsoft operates multiple government cloud tiers, and the distinction matters for CMMC. Standard Azure Government meets FedRAMP High, which covers many federal workloads. But for CUI subject to DFARS 252.204-7012 and CMMC Level 2, GCC High is the appropriate tier. The reason is data residency and personnel screening: GCC High environments are operated exclusively by screened U.S. persons, and the data never leaves U.S. sovereign boundaries. Standard Azure Government does not guarantee the same level of personnel isolation.

M365 GCC High extends this isolation to productivity workloads: Exchange Online, SharePoint, OneDrive, and Teams all operate within the GCC High boundary. This is critical because CUI does not stay in databases and file shares. It lives in email threads, Teams chats, and shared documents. If your productivity suite is not inside the GCC High boundary, you have a CUI spillage problem that no amount of endpoint controls can fix.

Microsoft Government Cloud Tiers for CMMC

Tier | Authorization | CMMC scope
GCC | FedRAMP Moderate | FCI only, Level 1
GCC High | FedRAMP High + ITAR | CUI, Level 2 required
DoD Regions | IL5 / IL6 | Classified workloads

Tenant Architecture: Isolation by Design

The first architectural decision is whether to use a dedicated GCC High tenant or attempt to segment CUI within a broader tenant. For CMMC, the answer is almost always a dedicated tenant. A separate GCC High tenant creates a clean authorization boundary that maps directly to your System Security Plan. Trying to carve out a CUI enclave within a commercial tenant using information barriers and sensitivity labels introduces complexity that assessors will scrutinize heavily, and the risk of CUI leaking outside the boundary is difficult to eliminate.

Your GCC High tenant should be provisioned with a clear naming convention that distinguishes it from any commercial tenants your organization operates. All user accounts that access CUI must be provisioned in this tenant. Do not rely on B2B guest access from a commercial tenant into GCC High. Guest access patterns create audit gaps and complicate the access control narrative in your SSP.

Conditional Access: The Policy Backbone

Conditional Access Policies (CAPs) in Entra ID are the enforcement mechanism for multiple NIST 800-171 control families, including Access Control (AC), Identification and Authentication (IA), and System and Communications Protection (SC). A CMMC-compliant CAP configuration typically includes the following baseline policies:

Baseline Conditional Access Policies for CMMC

Require MFA for All Users

Maps to IA controls 3.5.3 and 3.5.4. Phishing-resistant MFA (FIDO2 or certificate-based) is strongly preferred over SMS or app-based push.

Block Legacy Authentication

Legacy protocols like POP3, IMAP, and SMTP AUTH bypass MFA entirely. Blocking them is non-negotiable for AC-17 and IA controls.

Require Compliant Device

Intune device compliance policies enforce endpoint configuration baselines. This maps to CM and SC control families.

Block Access from Non-US Locations

Named locations in Entra ID allow geofencing. While not a standalone control, it supports AC and PE control narratives.

Session Controls for Sensitive Apps

Sign-in frequency and persistent browser session controls limit exposure from unattended sessions, supporting AC-11 and AC-12.
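The first three baseline items above are the ones most often found in report-only mode or missing outright. This added example (not code from the post or from PolicyCortex) checks an exported Conditional Access policy set against them; the export is constructed sample data in the Microsoft Graph conditionalAccessPolicy shape, and the control labels are the ones cited in the list above.

```python
import json

# Constructed sample export (not a real tenant); the shape follows the Microsoft
# Graph conditionalAccessPolicy resource from GET /identity/conditionalAccess/policies.
# CA002 is report-only and no compliant-device policy exists: two common findings.
SAMPLE_EXPORT = json.loads("""[
 {"displayName": "CA001 Require MFA for all users", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"]},
                 "applications": {"includeApplications": ["All"]},
                 "clientAppTypes": ["all"]},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "CA002 Block legacy authentication",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"]},
                 "applications": {"includeApplications": ["All"]},
                 "clientAppTypes": ["exchangeActiveSync", "other"]},
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}}
]""")
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}
MODERN_CLIENTS = {"browser", "mobileAppsAndDesktopClients"}

def _enforced_for_everyone(p):
    """Report-only state or a narrowed scope earns no credit toward the baseline."""
    c = p["conditions"]
    return (p.get("state") == "enabled"
            and "All" in c["users"].get("includeUsers", [])
            and "All" in c["applications"].get("includeApplications", []))

def _grants(p):
    return set(p.get("grantControls", {}).get("builtInControls", []))

def requires_mfa(p):
    clients = set(p["conditions"].get("clientAppTypes", []))
    # Classic "mfa" grant or an authentication strength (e.g. phishing-resistant) both count
    strong = "mfa" in _grants(p) or bool(p.get("grantControls", {}).get("authenticationStrength"))
    return _enforced_for_everyone(p) and ("all" in clients or MODERN_CLIENTS <= clients) and strong

def blocks_legacy_auth(p):
    clients = set(p["conditions"].get("clientAppTypes", []))
    return _enforced_for_everyone(p) and LEGACY_CLIENTS <= clients and _grants(p) == {"block"}

def requires_compliant_device(p):
    return _enforced_for_everyone(p) and "compliantDevice" in _grants(p)

def evaluate_baseline(policies):
    """One entry per baseline item; True means some enforced policy satisfies it."""
    checks = {"Require MFA for all users (3.5.3, 3.5.4)": requires_mfa,
              "Block legacy authentication (AC-17)": blocks_legacy_auth,
              "Require compliant device (CM, SC)": requires_compliant_device}
    return {name: any(fn(p) for p in policies) for name, fn in checks.items()}
```

Run against the sample, CA001 passes, CA002 is flagged because report-only mode does not enforce anything, and the missing compliant-device policy shows up as a gap.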

Data Loss Prevention and Purview Configuration

Microsoft Purview provides the DLP and sensitivity labeling capabilities that map to the Media Protection (MP) and System and Communications Protection (SC) control families. For CMMC, you need sensitivity labels that identify CUI and apply encryption, watermarking, and access restrictions automatically. The label taxonomy should align with the CUI Registry categories relevant to your contracts.

DLP policies should be configured across Exchange, SharePoint, OneDrive, and Teams to detect and block CUI from leaving the GCC High boundary. Common patterns include blocking external sharing of labeled documents, preventing CUI from being forwarded to non-GCC-High recipients, and alerting on bulk downloads of labeled content. Each DLP policy action generates an audit event that serves as evidence for MP and SC controls during assessment.

Common Pitfall: Label Adoption

Deploying sensitivity labels without user training leads to one of two problems: users label nothing (leaving CUI unprotected) or users label everything as CUI (creating noise that obscures real risk). Invest in role-based training that teaches users to recognize CUI categories specific to your contracts. Assessors will ask about your labeling adoption rates.

Defender for Cloud and Endpoint Protection

Microsoft Defender for Cloud provides the security monitoring and threat detection layer that maps to the Audit and Accountability (AU), Incident Response (IR), and Risk Assessment (RA) control families. In a GCC High environment, Defender for Cloud should be configured with the NIST SP 800-171 regulatory compliance initiative enabled. This gives you a built-in dashboard that maps your security posture to specific NIST controls, which is useful both for internal tracking and for demonstrating progress to assessors.

Defender for Endpoint should be deployed to all devices that access the GCC High tenant. The integration between Intune compliance policies and Defender risk scores creates a feedback loop: if Defender detects a threat on a device, the device falls out of compliance, and Conditional Access blocks its access to CUI resources automatically. This automated response chain is exactly the kind of evidence that demonstrates mature implementation of IR and SI controls.

Audit Logging: The Evidence Foundation

Every configuration described above generates audit logs, but logs are only useful for CMMC if they are retained, protected, and reviewable. The Unified Audit Log in M365 GCC High captures user and admin activity across all workloads. For CMMC, you need to ensure the following:

Audit Logging Requirements for CMMC

Requirement | Configuration | NIST Control
Log retention minimum | 365 days online, archive beyond | AU-11, 3.3.1
Tamper protection | Export to immutable storage (Azure Blob with WORM) | AU-9, 3.3.8
Log review process | Sentinel analytics rules with scheduled review | AU-6, 3.3.5
Time synchronization | NTP via Azure infrastructure (automatic in GCC High) | AU-8, 3.3.7

Microsoft Sentinel, deployed in the GCC High region, provides the SIEM capability that ties logging to incident response. Sentinel workbooks can be configured to generate the specific reports assessors expect: failed login attempts, privilege escalation events, CUI access patterns, and policy violation trends. The key is configuring these before the assessment, not scrambling to build queries when the C3PAO asks for evidence.
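Two of the reports named above, failed login attempts and privilege escalation events, reduce to simple logic over Unified Audit Log records. This added example (not from the post or from PolicyCortex) runs that logic over constructed sample records in the UAL export shape; in Sentinel the same checks would be written as KQL analytics rules.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from any real tenant). Field names follow the
# Unified Audit Log export; j.doe's burst of failures and the role addition are
# the two items an assessor will expect a documented review to have surfaced.
SAMPLE_UAL = [json.loads(line) for line in """
{"CreationTime":"2026-04-01T13:00:05","Operation":"UserLoginFailed","UserId":"j.doe@example.us","Workload":"AzureActiveDirectoryStsLogon"}
{"CreationTime":"2026-04-01T13:01:10","Operation":"UserLoginFailed","UserId":"j.doe@example.us","Workload":"AzureActiveDirectoryStsLogon"}
{"CreationTime":"2026-04-01T13:02:40","Operation":"UserLoginFailed","UserId":"j.doe@example.us","Workload":"AzureActiveDirectoryStsLogon"}
{"CreationTime":"2026-04-01T13:03:15","Operation":"UserLoginFailed","UserId":"j.doe@example.us","Workload":"AzureActiveDirectoryStsLogon"}
{"CreationTime":"2026-04-01T13:20:00","Operation":"UserLoginFailed","UserId":"a.lee@example.us","Workload":"AzureActiveDirectoryStsLogon"}
{"CreationTime":"2026-04-01T14:05:00","Operation":"Add member to role.","UserId":"admin@example.us","Workload":"AzureActiveDirectory","ObjectId":"k.ray@example.us","ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"Global Administrator"}]}
""".strip().splitlines()]

def failed_login_bursts(records, threshold=3, window=timedelta(minutes=10)):
    """Users with at least `threshold` UserLoginFailed events inside one window;
    the value is the largest such run, which is what the review ticket should cite."""
    by_user = defaultdict(list)
    for r in records:
        if r["Operation"] == "UserLoginFailed":
            by_user[r["UserId"]].append(datetime.fromisoformat(r["CreationTime"]))
    bursts = {}
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                bursts[user] = max(bursts.get(user, 0), j - i)
    return bursts

def role_additions(records):
    """Privilege-escalation evidence: (actor, target, role) per directory role grant."""
    events = []
    for r in records:
        if r["Operation"] == "Add member to role.":
            role = next((p["NewValue"] for p in r.get("ModifiedProperties", [])
                         if p["Name"] == "Role.DisplayName"), "unknown")
            events.append((r["UserId"], r.get("ObjectId"), role))
    return events

if __name__ == "__main__":
    print("Failed-login bursts:", failed_login_bursts(SAMPLE_UAL))
    print("Role additions:", role_additions(SAMPLE_UAL))
```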

Where PolicyCortex Fits In

Configuring all of the above manually is possible but error-prone and difficult to maintain. PolicyCortex integrates with Azure Government and GCC High to automate the configuration baseline, continuously validate that settings have not drifted, and collect evidence artifacts mapped to each NIST 800-171 control. Instead of manually exporting Conditional Access policy screenshots before an assessment, PolicyCortex maintains a living evidence repository that updates as your environment changes.

PolicyCortex + GCC High Integration

1. Configuration Baseline Enforcement

PolicyCortex deploys and monitors the full Conditional Access, DLP, and Defender configuration set as policy-as-code, ensuring no drift from the CMMC-required baseline.

2. Continuous Evidence Collection

Every policy state change, compliance check, and audit event is captured and mapped to the relevant NIST 800-171 control, building your evidence package in real time.

3. SSP Synchronization

Your System Security Plan stays synchronized with your actual GCC High configuration. When a setting changes, the SSP narrative updates to reflect reality.

The Bottom Line

Azure Government and M365 GCC High give you the right foundation for a CMMC-compliant CUI environment. But the foundation is not the building. Tenant isolation, Conditional Access layering, Purview DLP, Defender integration, and audit logging all require deliberate configuration that maps to specific NIST 800-171 controls. Buying the licenses is step one. Configuring them for assessment readiness is where the real work begins.

If you are standing up a GCC High environment for CMMC, start with the tenant architecture and Conditional Access baseline. Layer in DLP and Defender next. Build your logging and evidence collection pipeline last, because it depends on everything else being in place. And if you want to compress that timeline, PolicyCortex can automate the configuration, monitoring, and evidence collection across the entire stack.

Need Help Configuring GCC High for CMMC?

AeoliTech builds CMMC-compliant CUI enclaves in Azure Government and GCC High. Schedule a technical consultation to review your tenant architecture.


Leonard Esere

Founder & CEO, AeoliTech

Leonard has guided dozens of defense contractors through CMMC preparation, drawing on deep experience with NIST frameworks at MITRE and LANL. He leads AeoliTech's mission to make compliance achievable through policy-as-code automation.