The Government Community Cloud (GCC) is designed for US federal, state, local, and tribal government entities, and contractors holding or processing data on behalf of the US government. GCC uses the same endpoints as Commercial cloud but provides compliance with government requirements.
Cloud Endpoints
GCC uses the same technical endpoints as Microsoft Commercial cloud:
| Service | Endpoint |
|---|---|
| Graph API | https://graph.microsoft.com/beta |
| Authority Host | https://login.microsoftonline.com |
| OAuth 2.0 Authorization | https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize |
| OAuth 2.0 Token | https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token |
| Graph Scopes | https://graph.microsoft.com/.default |
Implementation Details
From CloudEndpoints.cs:
CloudEnvironment.GCC =>
("https://graph.microsoft.com/beta", AzureAuthorityHosts.AzurePublicCloud)
GCC shares the same API endpoints as Commercial but provides FedRAMP High compliance and is physically and logically isolated in the Microsoft cloud infrastructure.
Compliance & Certifications
GCC provides the following compliance certifications:
| Certification | Status |
|---|---|
| FedRAMP High | Authorized |
| CJIS | Compliant |
| IRS 1075 | Compliant |
| DISA IL2 | Compliant |
| NIST 800-171 | Compliant |
App Registration
Prerequisites
- Global Administrator or Application Administrator role in Entra ID
- GCC tenant
- Access to the Azure Portal: https://portal.azure.com
GCC uses the standard Azure Portal (portal.azure.com), not the government-specific portal used by GCC-High and DoD.
Registration Steps
1. Create App Registration
- Sign in to the Azure Portal with your GCC credentials
- Navigate to Entra ID > App registrations > New registration
- Configure the registration:
  - Name: Intune Commander - GCC (or your preferred name)
  - Supported account types: Accounts in this organizational directory only (single tenant)
  - Redirect URI:
    - Platform: Mobile and desktop applications
    - URI: http://localhost:45132
- Click Register
2. Note Registration Details
After registration, copy the following values:
- Application (client) ID - Found on the Overview page
- Directory (tenant) ID - Found on the Overview page
Navigate to API permissions and add the following Microsoft Graph Application permissions:
Device Management
DeviceManagementConfiguration.ReadWrite.All
DeviceManagementApps.ReadWrite.All
DeviceManagementServiceConfig.ReadWrite.All
DeviceManagementManagedDevices.Read.All
DeviceManagementRBAC.ReadWrite.All
DeviceManagementScripts.ReadWrite.All
Conditional Access & Identity
Policy.ReadWrite.ConditionalAccess
Policy.Read.All
Agreement.ReadWrite.All
Organization & Branding
Organization.Read.All
OrganizationalBranding.ReadWrite.All
Groups
Group.Read.All
GroupMember.Read.All
Windows 365 (Optional)
4. Grant Admin Consent
- Still on the API permissions page
- Click Grant admin consent for [Your Organization]
- Click Yes to confirm
- Verify all permissions show a green checkmark in the Status column
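One way to confirm the consent result outside the portal, as an added example (not code from Intune Commander): decode the `roles` claim of an app-only access token and diff it against the permission list above. It assumes the token is a JWT carrying `roles`, `tid` and `aud` claims; the sample token, tenant ID and helper names are constructed for the demo, and the signature is not verified because the check is for inspection only.

```python
import base64
import json

# Application permissions listed in the registration steps on this page.
REQUIRED_ROLES = set("""
DeviceManagementConfiguration.ReadWrite.All DeviceManagementApps.ReadWrite.All
DeviceManagementServiceConfig.ReadWrite.All DeviceManagementManagedDevices.Read.All
DeviceManagementRBAC.ReadWrite.All DeviceManagementScripts.ReadWrite.All
Policy.ReadWrite.ConditionalAccess Policy.Read.All Agreement.ReadWrite.All
Organization.Read.All OrganizationalBranding.ReadWrite.All
Group.Read.All GroupMember.Read.All
""".split())
# Assumption: the audience is the Graph resource URI or the Graph application ID.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}

def decode_claims(token):
    """Return the JWT payload. The signature is NOT verified: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def audit_token(token, tenant_id):
    """Compare the app-only token's roles with the documented permission list."""
    claims = decode_claims(token)
    granted = set(claims.get("roles", []))
    return {
        "tenant_ok": claims.get("tid") == tenant_id,
        "audience_ok": claims.get("aud") in GRAPH_AUDIENCES,
        "missing": sorted(REQUIRED_ROLES - granted),     # consent not granted yet
        "unexpected": sorted(granted - REQUIRED_ROLES),  # beyond the list: review
    }

def constructed_token(claims):
    """Build an unsigned sample token for the demo (constructed, not a real token)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])

SAMPLE_TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID
SAMPLE = constructed_token({
    "aud": "https://graph.microsoft.com", "tid": SAMPLE_TENANT,
    "roles": sorted(REQUIRED_ROLES - {"DeviceManagementScripts.ReadWrite.All"})
             + ["Directory.ReadWrite.All"],
})

if __name__ == "__main__":
    print(json.dumps(audit_token(SAMPLE, SAMPLE_TENANT), indent=2))
```

Permissions reported under `unexpected` are not necessarily wrong (the optional Windows 365 permissions would appear there), but each one should be a deliberate grant.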
For unattended/service principal authentication:
- Navigate to Certificates & secrets
- Click New client secret
- Add a description: Intune Commander Service Principal
- Select expiration: 12 months (recommended)
- Click Add
- Immediately copy the secret value - it will not be shown again
Authentication Methods
Interactive Browser (Default)
Configuration:
- Auth Method: Interactive
- Client Secret: (leave blank)
Behavior:
- Opens browser window for authentication
- Supports MFA, Conditional Access, and all Entra ID features
- Token cached locally for persistent sessions
Client Secret (Service Principal)
Configuration:
- Auth Method: ClientSecret
- Client Secret: (paste the secret value)
Behavior:
- No user interaction required
- Authenticates as the application identity
- Secrets encrypted and stored in the profile file
Profile Configuration
Creating a Profile
From the Login Screen:
- Launch Intune Commander
- Fill in the profile details:
  - Profile Name: Agency-GCC-Production
  - Tenant ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  - Client ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  - Cloud: GCC (select this, not Commercial)
  - Auth Method: Interactive or ClientSecret
  - Client Secret: (if using ClientSecret auth method)
- Click Save Profile
[
  {
    "name": "Agency-GCC-Production",
    "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "clientId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "cloud": "GCC",
    "authMethod": "Interactive"
  }
]
Important: Set "cloud": "GCC" to ensure the profile is recognized as a GCC environment.
Supported Features
All Intune Commander features are fully supported in GCC:
| Feature | Support Status |
|---|---|
| Device Configurations | Full support |
| Compliance Policies | Full support |
| Applications | Full support |
| App Protection Policies | Full support |
| Conditional Access | Full support |
| Endpoint Security | Full support |
| Windows Updates | Full support |
| Scripts & Remediation | Full support |
| Enrollment Configurations | Full support |
| RBAC & Scope Tags | Full support |
| Groups | Full support |
| Terms of Use | Full support |
| Named Locations | Full support |
| Authentication Strengths | Full support |
| Conditional Access PowerPoint Export | Full support |
| Windows 365 Cloud PC | Full support (requires license) |
Differences from Commercial
Technical Differences
None. GCC uses the same API endpoints and authentication flows as Commercial cloud.
Compliance Differences
| Aspect | GCC | Commercial |
|---|---|---|
| Data residency | US datacenters only | Worldwide |
| Personnel screening | US citizens (screened) | Global workforce |
| FedRAMP | High | Not certified |
| CJIS | Compliant | Not certified |
| IRS 1075 | Compliant | Not certified |
Service Availability
Most Microsoft 365 and Intune features reach GCC on the same timeline as Commercial. Occasional delays of 1-2 weeks may occur for preview features.
Network Requirements
Required Outbound Connectivity
GCC uses the same endpoints as Commercial cloud:
| Destination | Purpose |
|---|---|
| login.microsoftonline.com | Authentication |
| graph.microsoft.com | Microsoft Graph API |
| *.microsoft.com | Certificate validation, service discovery |
No special firewall rules or allowlists are required beyond Commercial cloud requirements.
Troubleshooting
Wrong Cloud Selected
Symptom: Authentication succeeds but all API calls fail with 401 or 403 errors
Solution:
- Verify you selected GCC (not Commercial) when creating the profile
- Delete the profile and recreate it with the correct cloud selection
- Clear cached tokens: Delete %LocalAppData%\.IdentityService\msal.cache
Tenant Not in GCC
Symptom: “Tenant is not in the GCC environment”
Solution:
- Verify your tenant is actually a GCC tenant (check Microsoft 365 admin portal URL)
- If your tenant is Commercial, select Commercial cloud instead
- Contact your Microsoft account team if you believe you should have GCC access
Permission Errors
Solution:
- Use the Permission Check feature (View menu)
- Verify all required permissions are consented
- Grant admin consent in Azure Portal
- Sign out and sign back in
Migration from Commercial
Moving Configurations from Commercial to GCC
1. Export from Commercial tenant:
   - Connect to Commercial tenant in Intune Commander
   - Export all configurations to a folder
2. Import to GCC tenant:
   - Connect to GCC tenant in Intune Commander
   - Import configurations from the export folder
   - Review and update assignments (groups won’t migrate automatically)
3. Update references:
   - Update any hardcoded URLs or resource references
   - Verify app registrations exist in GCC tenant
   - Test Conditional Access policies with pilot group
Cross-cloud sync is not supported. You cannot synchronize or replicate configurations between Commercial and GCC in real time. Use export/import for one-time migrations.