The Department of Defense (DoD) cloud is designed exclusively for US Department of Defense agencies, military branches, and defense contractors. It provides the highest level of security and compliance, supporting Impact Level 4 (IL4) and Impact Level 5 (IL5) workloads with DISA authorization.

Cloud Endpoints

The DoD cloud uses dedicated US Government endpoints. The authority host is shared with GCC-High, but the Graph endpoint (and therefore the token scope) is DoD-specific:

| Service | Endpoint |
| --- | --- |
| Graph API | https://dod-graph.microsoft.us/beta |
| Authority Host | https://login.microsoftonline.us |
| OAuth 2.0 Authorization | https://login.microsoftonline.us/{tenant}/oauth2/v2.0/authorize |
| OAuth 2.0 Token | https://login.microsoftonline.us/{tenant}/oauth2/v2.0/token |
| Graph Scopes | https://dod-graph.microsoft.us/.default |

Implementation Details

From CloudEndpoints.cs:

```csharp
// Each CloudEnvironment maps to (Graph base URL, Azure.Identity authority host)
CloudEnvironment.DoD =>
    ("https://dod-graph.microsoft.us/beta", AzureAuthorityHosts.AzureGovernment)
```
The authority host constant AzureAuthorityHosts.AzureGovernment maps to:
  • Authority URI: https://login.microsoftonline.us
DoD-specific Graph endpoint. Unlike GCC-High which uses graph.microsoft.us, DoD uses the dedicated dod-graph.microsoft.us endpoint. Using the wrong endpoint will result in authentication and authorization failures.

Compliance & Certifications

DoD cloud provides the highest level of compliance and security certifications:

| Certification | Status |
| --- | --- |
| DISA IL5 | Authorized |
| DISA IL4 | Authorized |
| FedRAMP High | Authorized |
| DoD SRG IL5 | Compliant |
| DFARS | Compliant |
| ITAR | Compliant |
| CJIS | Compliant |
| IRS 1075 | Compliant |
| NIST 800-171 | Compliant |
| FIPS 140-2 | Validated |

Data Residency & Isolation

  • Physical location: US DoD datacenters with DISA authorization
  • Personnel: All personnel are US citizens with Secret or Top Secret clearances
  • Isolation: Physically and logically isolated from all other clouds including GCC-High
  • Encryption: FIPS 140-2 validated encryption at rest and in transit
  • Network: Isolated network infrastructure with no connectivity to public cloud

App Registration

Prerequisites

  • Global Administrator or Application Administrator role in Entra ID
  • DoD tenant
  • Access to the Azure Government Portal: https://portal.azure.us
  • DoD email address and credentials
DoD tenants only. App registrations for DoD must be created in a DoD tenant at portal.azure.us. Commercial portal (portal.azure.com) cannot be used.

Registration Steps

1. Create App Registration

  1. Sign in to the Azure Government Portal with your DoD credentials
  2. Navigate to Entra ID > App registrations > New registration
  3. Configure the registration:
    • Name: Intune Commander - DoD (or your preferred name)
    • Supported account types: Accounts in this organizational directory only (single tenant)
    • Redirect URI:
      • Platform: Mobile and desktop applications
      • URI: http://localhost:45132
    • Click Register

2. Note Registration Details

After registration, copy the following values:
  • Application (client) ID - Found on the Overview page
  • Directory (tenant) ID - Found on the Overview page
DoD app registration IDs are completely separate from Commercial, GCC, and GCC-High. You must create a new app registration specifically for your DoD tenant.

3. Configure API Permissions

Navigate to API permissions and add the following Microsoft Graph Application permissions:

Device Management
  • DeviceManagementConfiguration.ReadWrite.All
  • DeviceManagementApps.ReadWrite.All
  • DeviceManagementServiceConfig.ReadWrite.All
  • DeviceManagementManagedDevices.Read.All
  • DeviceManagementRBAC.ReadWrite.All
  • DeviceManagementScripts.ReadWrite.All

Conditional Access & Identity
  • Policy.ReadWrite.ConditionalAccess
  • Policy.Read.All
  • Agreement.ReadWrite.All

Organization & Branding
  • Organization.Read.All
  • OrganizationalBranding.ReadWrite.All

Groups
  • Group.Read.All
  • GroupMember.Read.All

Windows 365 (Optional)
  • CloudPC.ReadWrite.All

Not all Microsoft Graph permissions may be available in the DoD cloud. Windows 365 permissions, in particular, require Windows 365 Government licensing.

4. Grant Admin Consent

  1. Still on the API permissions page
  2. Click Grant admin consent for [Your Organization]
  3. Click Yes to confirm
  4. Verify all permissions show a green checkmark in the Status column

Consent propagation in DoD: Admin consent may take 30-60 minutes to fully propagate through the DoD cloud infrastructure. Plan accordingly for initial setup.

5. (Optional) Configure Client Secret

For unattended/service principal authentication:
  1. Navigate to Certificates & secrets
  2. Click New client secret
  3. Add a description: Intune Commander Service Principal
  4. Select expiration: 12 months (recommended)
  5. Click Add
  6. Immediately copy the secret value - it will not be shown again
Classified data handling: Client secrets for DoD apps must be stored according to your organization’s classified and CUI data handling procedures. Depending on your environment’s classification level, secrets may require storage in FIPS 140-2 validated systems or SCIF environments.

Authentication Methods

Interactive Browser (Default)

Configuration:
  • Auth Method: Interactive
  • Client Secret: (leave blank)
Behavior:
  • Opens browser window to login.microsoftonline.us
  • Supports MFA, CAC/PIV authentication, and all Entra ID features
  • Token cached locally for persistent sessions
  • Automatically uses DoD Graph endpoint (dod-graph.microsoft.us)
Azure.Identity Implementation:

```csharp
var credential = new InteractiveBrowserCredential(
    new InteractiveBrowserCredentialOptions
    {
        TenantId = profile.TenantId,
        ClientId = profile.ClientId,
        // US Government authority host (shared by GCC-High and DoD)
        AuthorityHost = new Uri("https://login.microsoftonline.us"),
        // Must match the redirect URI registered on the app
        RedirectUri = new Uri("http://localhost:45132")
    }
);
```

Client Secret (Service Principal)

Configuration:
  • Auth Method: ClientSecret
  • Client Secret: (paste the secret value)
Behavior:
  • No user interaction required
  • Authenticates as the application identity
  • Secrets encrypted and stored according to local security requirements
  • Automatically uses DoD Graph endpoint
Azure.Identity Implementation:

```csharp
var credential = new ClientSecretCredential(
    profile.TenantId,
    profile.ClientId,
    profile.ClientSecret,
    new ClientSecretCredentialOptions
    {
        // US Government authority host; the DoD Graph scope is selected by the cloud profile
        AuthorityHost = new Uri("https://login.microsoftonline.us")
    }
);
```

Profile Configuration

Creating a Profile

From the Login Screen:
  1. Launch Intune Commander
  2. Fill in the profile details:
    • Profile Name: DoD-Production or [Branch]-DoD-[Environment]
    • Tenant ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (from portal.azure.us)
    • Client ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (from portal.azure.us)
    • Cloud: DoD (critical—select this, not GCCHigh, GCC, or Commercial)
    • Auth Method: Interactive or ClientSecret
    • Client Secret: (if using ClientSecret auth method)
  3. Click Save Profile

JSON Profile Format

```json
[
  {
    "name": "DoD-Production",
    "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "clientId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "cloud": "DoD",
    "authMethod": "Interactive"
  }
]
```
Critical: Set "cloud": "DoD" to ensure the correct Graph endpoint (dod-graph.microsoft.us) is used.
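The profile's cloud value is what selects the authority host, the token endpoint and the Graph resource, and the three must agree or the token's audience will not match the Graph host it is sent to. The following is an added example, not Intune Commander's own code: it loads a profile in the JSON format shown above, derives every endpoint from the cloud value (Commercial, GCC, GCC-High and DoD, per the Cloud Endpoints table), and performs the OAuth 2.0 client-credentials request that the ClientSecret auth method relies on. The tenant ID, client ID and secret are placeholders, the profile is constructed for the example, and the HTTP transport is injectable so the request can be inspected without network access.

```python
"""Resolve Graph/authority endpoints from an Intune Commander-style profile and acquire a
service-principal token with the OAuth 2.0 client-credentials grant (added example)."""
import io
import json
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass

# (Graph base URL, login host) per cloud, taken from the page's endpoint tables.
CLOUDS = {
    "Commercial": ("https://graph.microsoft.com", "https://login.microsoftonline.com"),
    "GCC": ("https://graph.microsoft.com", "https://login.microsoftonline.com"),
    "GCCHigh": ("https://graph.microsoft.us", "https://login.microsoftonline.us"),
    "DoD": ("https://dod-graph.microsoft.us", "https://login.microsoftonline.us"),
}


@dataclass(frozen=True)
class Endpoints:
    graph_base: str   # e.g. https://dod-graph.microsoft.us
    authority: str    # e.g. https://login.microsoftonline.us/<tenant>
    token_url: str    # <authority>/oauth2/v2.0/token
    scope: str        # <graph_base>/.default


def resolve_endpoints(profile: dict) -> Endpoints:
    """Derive every URL from profile['cloud'] so GCC-High and DoD hosts can never be mixed."""
    cloud = profile["cloud"]
    if cloud not in CLOUDS:
        raise ValueError(f"unknown cloud {cloud!r}; expected one of {sorted(CLOUDS)}")
    graph_base, login_host = CLOUDS[cloud]
    authority = f"{login_host}/{profile['tenantId']}"
    return Endpoints(graph_base, authority, f"{authority}/oauth2/v2.0/token", f"{graph_base}/.default")


def build_token_request(profile: dict, endpoints: Endpoints) -> urllib.request.Request:
    """Client-credentials grant. The scope names the Graph *resource* of the selected cloud;
    that resource becomes the token's 'aud' claim, which dod-graph.microsoft.us checks."""
    if profile.get("authMethod") != "ClientSecret" or not profile.get("clientSecret"):
        raise ValueError("client-credentials flow needs authMethod=ClientSecret and a clientSecret")
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": profile["clientId"],
        "client_secret": profile["clientSecret"],
        "scope": endpoints.scope,
    }).encode()
    return urllib.request.Request(endpoints.token_url, data=form, method="POST",
                                  headers={"Content-Type": "application/x-www-form-urlencoded"})


def acquire_token(profile: dict, send=urllib.request.urlopen) -> str:
    """POST the token request; `send` is urlopen by default and a fake transport in tests."""
    req = build_token_request(profile, resolve_endpoints(profile))
    try:
        with send(req) as resp:
            body = json.loads(resp.read())
    except urllib.error.HTTPError as e:  # Entra ID returns 400/401 with a JSON error body
        body = json.loads(e.read())
    if "access_token" not in body:
        raise RuntimeError(f"token request failed: {body.get('error')}: {body.get('error_description')}")
    return body["access_token"]


def build_graph_request(profile: dict, path: str, token: str) -> urllib.request.Request:
    """Graph call against the *same* cloud the token was issued for (beta endpoint, as the tool uses)."""
    ep = resolve_endpoints(profile)
    return urllib.request.Request(f"{ep.graph_base}/beta/{path.lstrip('/')}",
                                  headers={"Authorization": f"Bearer {token}"})


def canned(payload: dict):
    """Fake transport answering every request with `payload`; offline demonstration only."""
    return lambda req: io.BytesIO(json.dumps(payload).encode())


# Constructed sample profile: placeholder IDs and secret, not real credentials.
SAMPLE_PROFILE = {
    "name": "DoD-Production",
    "tenantId": "11111111-2222-3333-4444-555555555555",
    "clientId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "cloud": "DoD",
    "authMethod": "ClientSecret",
    "clientSecret": "placeholder-secret",
}

if __name__ == "__main__":
    ep = resolve_endpoints(SAMPLE_PROFILE)
    print("token endpoint:", ep.token_url)
    print("scope:", ep.scope)
    # Offline run with a canned token response; replace `send` with urlopen for a real tenant.
    token = acquire_token(SAMPLE_PROFILE, send=canned({"access_token": "placeholder.jwt.value"}))
    print("graph URL:", build_graph_request(SAMPLE_PROFILE, "deviceManagement/deviceConfigurations", token).full_url)
```

Switching the profile's cloud to GCCHigh changes the scope to https://graph.microsoft.us/.default while leaving the authority host unchanged, which is exactly the mismatch behind the "resource principal not found" symptom in Troubleshooting: the authority accepts the request, but the token is for the wrong Graph.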

Supported Features

All Intune Commander features are supported in the DoD cloud, with the single exception noted below:

| Feature | Support Status |
| --- | --- |
| Device Configurations | Full support |
| Compliance Policies | Full support |
| Applications | Full support |
| App Protection Policies | Full support |
| Conditional Access | Full support |
| Endpoint Security | Full support |
| Windows Updates | Full support |
| Scripts & Remediation | Full support |
| Enrollment Configurations | Full support |
| RBAC & Scope Tags | Full support |
| Groups | Full support |
| Terms of Use | Full support |
| Named Locations | Full support |
| Authentication Strengths | Full support |
| Windows 365 Cloud PC | Full support (requires DoD-specific license) |
PowerPoint Export Limitation: Conditional Access PowerPoint export is currently Commercial cloud only. DoD support is planned for a future release.

Differences from Other Clouds

Technical Differences

| Aspect | DoD | GCC-High | GCC | Commercial |
| --- | --- | --- | --- | --- |
| Graph API endpoint | dod-graph.microsoft.us | graph.microsoft.us | graph.microsoft.com | graph.microsoft.com |
| Authority host | login.microsoftonline.us | login.microsoftonline.us | login.microsoftonline.com | login.microsoftonline.com |
| App registration portal | portal.azure.us | portal.azure.us | portal.azure.com | portal.azure.com |
| Tenant isolation | Physical (DISA IL5) | Physical (IL4) | Logical | None |
| Personnel screening | Secret/Top Secret | Government screening | US citizens | Global |
| DISA authorization | IL5 | IL4 | None | None |

Service Availability

DoD typically receives new features 4-8 weeks after Commercial cloud:
  • Core features: Usually available within 4-6 weeks
  • Security features: Prioritized, may arrive sooner
  • Preview features: Often not available or significantly delayed
  • Third-party integrations: Severely limited; only DoD-approved services

Network Requirements

Required Outbound Connectivity

DoD uses dedicated US Government endpoints:

| Destination | Purpose |
| --- | --- |
| login.microsoftonline.us | Authentication (required) |
| dod-graph.microsoft.us | Microsoft Graph API (required) |
| *.microsoft.us | Certificate validation, service discovery |
| *.windows.net | Azure infrastructure services |
DoD network restrictions. Some DoD networks have strict outbound filtering. Coordinate with your Network Operations Center (NOC) or network security team to ensure connectivity to required *.microsoft.us endpoints.

Proxy and Firewall Configuration

Intune Commander uses the system proxy configuration:
  • Windows: Internet Options proxy settings
  • macOS/Linux: System environment variables (HTTP_PROXY, HTTPS_PROXY)
Ensure proxy/firewall allowlists include:
  • *.microsoft.us (all subdomains)
  • *.microsoftonline.us (all subdomains)
  • *.windows.net (Azure services)

CAC/PIV Authentication

If your DoD tenant requires CAC/PIV smart card authentication:
  1. Ensure smart card middleware is installed on the client machine
  2. Use Interactive authentication method
  3. Browser will prompt for smart card PIN during authentication
  4. Token is cached after initial authentication (valid for 1 hour by default)

Troubleshooting

Wrong Graph Endpoint

Symptom: “Authorization_RequestDenied” or “The resource principal named dod-graph.microsoft.us was not found”
Solution:
  1. Verify you selected DoD (not GCCHigh) when creating the profile
  2. Delete the profile and recreate with correct cloud selection
  3. Clear cached tokens: Delete %LocalAppData%\.IdentityService\msal.cache

App Registration in Wrong Cloud

Symptom: “AADSTS90043: The request was made to the wrong cloud instance” or “Application not found”
Solution:
  1. Verify app registration was created in portal.azure.us (not portal.azure.com)
  2. Ensure app is registered in your DoD tenant (not GCC-High, GCC, or Commercial)
  3. Create a new app registration in the correct tenant
  4. Update profile with new Client ID from DoD tenant

Network Connectivity Issues

Symptom: DNS resolution failures, timeouts, or “Unable to connect to dod-graph.microsoft.us”
Solution:
  1. Test name resolution: nslookup dod-graph.microsoft.us
  2. Test HTTPS access: curl -i https://dod-graph.microsoft.us/beta (an HTTP 401 response is expected without a token and proves TLS connectivity; a DNS error, timeout, or certificate error points at the network path or a TLS-inspecting proxy)
  3. Verify firewall allows outbound HTTPS (443) to *.microsoft.us
  4. Check proxy configuration allows dod-graph.microsoft.us
  5. Contact your NOC if connectivity issues persist

CAC/PIV Authentication Failures

Symptom: Smart card authentication fails or doesn’t prompt for PIN
Solution:
  1. Verify smart card middleware is installed and functional
  2. Test smart card: Sign in to portal.azure.us in browser
  3. Ensure browser supports smart card authentication (Edge recommended)
  4. Clear browser certificates and retry
  5. Contact your PKI team if smart card issues persist

Permission Propagation Delays

Symptom: Permissions granted but still getting 403 Forbidden errors
Solution:
  1. Wait 30-60 minutes after granting admin consent (DoD propagation is slower)
  2. Sign out and sign back in to refresh token
  3. Use Permission Check feature (View menu) to verify JWT token claims
  4. Contact Microsoft DoD support if permissions don’t propagate after 2 hours
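Both the wrong-endpoint and the permission-propagation failures above are visible in the access token's claims before any Graph call is made: the aud claim says which cloud's Graph the token is for, and the roles claim lists the application permissions that consent has actually propagated. The page does not publish how the Permission Check feature inspects the token, so the following is an added example of that kind of check, not Intune Commander's code. It decodes the JWT payload without verifying the signature (it is a diagnostic aid for the operator who already holds the token, never an authorization decision), compares the claims against the DoD endpoints and the permission list from the registration steps, and reports findings. The sample tokens are constructed with a placeholder signature and a placeholder tenant ID; the assumption that Microsoft Graph's first-party application ID (00000003-0000-0000-c000-000000000000) is also what DoD v2.0 tokens may carry as aud is marked in the code.

```python
"""Inspect Graph access-token claims to diagnose wrong-cloud and missing-permission errors
(added example). The payload is decoded WITHOUT signature verification: diagnostic use only."""
import base64
import json
import time
from urllib.parse import urlparse

# Application permissions required by the registration steps (Windows 365 is optional, so omitted).
REQUIRED_ROLES = {
    "DeviceManagementConfiguration.ReadWrite.All", "DeviceManagementApps.ReadWrite.All",
    "DeviceManagementServiceConfig.ReadWrite.All", "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementRBAC.ReadWrite.All", "DeviceManagementScripts.ReadWrite.All",
    "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Agreement.ReadWrite.All",
    "Organization.Read.All", "OrganizationalBranding.ReadWrite.All",
    "Group.Read.All", "GroupMember.Read.All",
}
DOD_GRAPH = "https://dod-graph.microsoft.us"
DOD_LOGIN_HOST = "login.microsoftonline.us"
# Well-known first-party app ID of Microsoft Graph; v2.0 tokens may carry it as 'aud' instead of
# the resource URI. ASSUMPTION: the same ID is used in the DoD cloud.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS. No signature check (see module docstring)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose(token: str, expected_tenant: str, now=None) -> list:
    """Return findings as strings; an empty list means the token should work against DoD Graph."""
    c = decode_claims(token)
    now = time.time() if now is None else now
    findings = []
    if c.get("exp", 0) <= now:
        findings.append("token expired: sign out and back in to refresh")
    aud = c.get("aud")
    if aud not in (DOD_GRAPH, GRAPH_APP_ID):
        findings.append(f"aud is {aud!r}, not {DOD_GRAPH}: token issued for another cloud's Graph "
                        "(profile cloud set to GCCHigh/GCC/Commercial?)")
    iss_host = urlparse(c.get("iss", "")).hostname
    if iss_host != DOD_LOGIN_HOST:
        findings.append(f"issuer host is {iss_host!r}, expected {DOD_LOGIN_HOST}: wrong authority host")
    if c.get("tid") != expected_tenant:
        findings.append(f"tid {c.get('tid')!r} does not match profile tenant {expected_tenant}")
    # Application (client-secret) tokens list granted app roles in 'roles';
    # delegated (interactive) tokens list scopes in the space-separated 'scp' claim.
    granted = set(c.get("roles", [])) | set(c.get("scp", "").split())
    missing = sorted(REQUIRED_ROLES - granted)
    if missing:
        findings.append("missing permissions (consent not granted or not yet propagated): " + ", ".join(missing))
    return findings


def make_unsigned_token(claims: dict) -> str:
    """Build a token with a placeholder signature for offline testing only; real tokens are RS256-signed."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT', 'alg': 'RS256'})}.{enc(claims)}.placeholder-signature"


# Constructed sample claim sets (placeholder tenant ID); these are not real tokens.
TENANT = "11111111-2222-3333-4444-555555555555"
GOOD_CLAIMS = {"aud": DOD_GRAPH, "iss": f"https://{DOD_LOGIN_HOST}/{TENANT}/v2.0", "tid": TENANT,
               "exp": 2_000_000_000, "roles": sorted(REQUIRED_ROLES)}
# Same app registration, but the profile was created with Cloud = GCCHigh: aud and consent differ.
WRONG_CLOUD_CLAIMS = {"aud": "https://graph.microsoft.us", "iss": f"https://{DOD_LOGIN_HOST}/{TENANT}/v2.0",
                      "tid": TENANT, "exp": 2_000_000_000, "roles": ["Policy.Read.All"]}

if __name__ == "__main__":
    for label, claims in (("good", GOOD_CLAIMS), ("wrong-cloud", WRONG_CLOUD_CLAIMS)):
        print(label, diagnose(make_unsigned_token(claims), TENANT) or ["OK"])
```

A real token obtained through the ClientSecret method can be passed straight to diagnose(); if it reports missing roles 30-60 minutes after consent, the consent itself is worth re-checking in portal.azure.us before escalating to Microsoft DoD support.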

Migration to DoD Cloud

Moving Configurations from Other Clouds

  1. Export from source tenant:
    • Connect to source tenant (Commercial, GCC, or GCC-High) in Intune Commander
    • Export all configurations to a folder
  2. Security and compliance review:
    • Critical: Review all configurations for DoD compliance requirements
    • Remove references to third-party services not authorized for DoD use
    • Ensure all URLs, scripts, and app references meet IL5 requirements
    • Review with your ISSM (Information Systems Security Manager)
  3. Create DoD app registration:
    • Register app in portal.azure.us in your DoD tenant
    • Grant all required permissions
    • Wait 30-60 minutes for permission propagation
  4. Import to DoD tenant:
    • Create DoD profile in Intune Commander
    • Import configurations from the export folder
    • Review and update all assignments (groups won’t migrate automatically)
    • Update any hardcoded endpoints to DoD equivalents
  5. Test and validate:
    • Test with pilot group before broad deployment
    • Validate Conditional Access policies don’t block critical access
    • Test device enrollment and compliance evaluation
    • Verify app deployments work in DoD environment
Cross-cloud sync not supported. You cannot synchronize configurations between DoD and other clouds in real-time. Use export/import for one-time migrations only. All ongoing changes must be managed separately in each cloud environment.
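Step 2 (review for hardcoded endpoints and unauthorized services) and step 4 (re-mapping group assignments) are the parts of the migration that are easy to miss in a large export. The following is an added example, not the tool's own export format or code: it walks a folder of exported JSON, flags URLs that still point at Commercial or GCC-High Microsoft endpoints together with their DoD replacement (from the comparison table above), flags hosts outside an approved allowlist, and lists the group IDs in assignment targets that must be re-pointed at DoD tenant groups. The allowlist of host suffixes is an illustrative assumption (use the list your ISSM approves), the sample export is constructed for the example, and the JSON shape it assumes (a groupId inside an assignment target) is likewise an assumption.

```python
"""Pre-import review of exported Intune configuration JSON before import into a DoD tenant
(added example; the export schema and the host allowlist are assumptions for illustration)."""
import json
import re
from pathlib import Path

# Commercial/GCC-High host -> DoD equivalent, from the page's endpoint comparison table.
ENDPOINT_MAP = {
    "graph.microsoft.com": "dod-graph.microsoft.us",
    "graph.microsoft.us": "dod-graph.microsoft.us",
    "login.microsoftonline.com": "login.microsoftonline.us",
    "portal.azure.com": "portal.azure.us",
}
# ASSUMPTION: illustrative allowlist only; replace with your ISSM-approved host list.
APPROVED_HOST_SUFFIXES = (".microsoft.us", ".microsoftonline.us", ".azure.us", ".mil")

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE)


def _walk(node, path=""):
    """Yield (json_path, leaf_value) for every leaf of a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, f"{path}[{i}]")
    else:
        yield path, node


def review_document(name: str, doc) -> list:
    """Return findings for one exported object: endpoint rewrites, unapproved hosts, group remaps."""
    findings = []
    for jpath, value in _walk(doc):
        if not isinstance(value, str):
            continue
        # URLs can hide anywhere: script bodies, app install commands, help links, OMA-URI values.
        for host in URL_RE.findall(value):
            host = host.lower()
            if host in ENDPOINT_MAP:
                findings.append({"file": name, "path": jpath, "kind": "endpoint",
                                 "detail": f"{host} -> {ENDPOINT_MAP[host]}"})
            elif not host.endswith(APPROVED_HOST_SUFFIXES):
                findings.append({"file": name, "path": jpath, "kind": "unapproved-host", "detail": host})
        # Assignment targets carry source-tenant group IDs that do not exist in the DoD tenant.
        if jpath.endswith("/groupId") and GUID_RE.match(value):
            findings.append({"file": name, "path": jpath, "kind": "group-remap", "detail": value})
    return findings


def review_folder(folder: Path) -> list:
    """Review every *.json file under an export folder (recursively)."""
    findings = []
    for file in sorted(Path(folder).rglob("*.json")):
        findings.extend(review_document(file.name, json.loads(file.read_text(encoding="utf-8"))))
    return findings


# Constructed sample export: the shape is illustrative, not Intune Commander's actual schema.
SAMPLE_EXPORT = {
    "displayName": "Corp Baseline",
    "scriptContent": "Invoke-WebRequest https://graph.microsoft.com/beta/me; "
                     "Invoke-WebRequest https://cdn.example.com/agent.msi",
    "helpUrl": "https://login.microsoftonline.us/common",
    "assignments": [{"target": {"groupId": "0f9c1b2a-3d4e-4f50-8a6b-7c8d9e0f1a2b"}}],
}

if __name__ == "__main__":
    for f in review_document("baseline.json", SAMPLE_EXPORT):
        print(f"{f['file']} {f['path']}: {f['kind']} {f['detail']}")
```

Run review_folder() over the export folder from step 1 and clear every "endpoint" and "unapproved-host" finding before the ISSM review in step 2; the "group-remap" findings become the assignment worklist for step 4.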
