The Government Community Cloud High (GCC-High) is designed for US federal agencies and contractors that process Controlled Unclassified Information (CUI) or are subject to ITAR, DFARS, and other strict compliance requirements. GCC-High operates on physically and logically isolated infrastructure with heightened security controls.

Cloud Endpoints

GCC-High uses dedicated government cloud endpoints:
Service                 | Endpoint
Graph API               | https://graph.microsoft.us/beta
Authority Host          | https://login.microsoftonline.us
OAuth 2.0 Authorization | https://login.microsoftonline.us/{tenant}/oauth2/v2.0/authorize
OAuth 2.0 Token         | https://login.microsoftonline.us/{tenant}/oauth2/v2.0/token
Graph Scopes            | https://graph.microsoft.us/.default

Implementation Details

From CloudEndpoints.cs:
CloudEnvironment.GCCHigh => 
  ("https://graph.microsoft.us/beta", AzureAuthorityHosts.AzureGovernment)
The authority host constant AzureAuthorityHosts.AzureGovernment maps to:
  • Authority URI: https://login.microsoftonline.us
Do not confuse with Commercial endpoints. GCC-High uses .us domains exclusively. Using .com endpoints will result in authentication failures.

Compliance & Certifications

GCC-High provides the highest level of compliance certifications:
Certification | Status
FedRAMP High  | Authorized
DISA IL4      | Compliant
DISA IL5      | In progress
ITAR          | Compliant
DFARS         | Compliant
CJIS          | Compliant
IRS 1075      | Compliant
NIST 800-171  | Compliant
DoD SRG IL4   | Compliant

Data Residency

  • Physical location: US government datacenters only
  • Personnel: All support personnel are US citizens with government screening
  • Isolation: Physically and logically isolated from Commercial and GCC clouds
  • Encryption: All data encrypted at rest and in transit

App Registration

Prerequisites

  • Global Administrator or Application Administrator role in Entra ID
  • GCC-High tenant
  • Access to the Azure Government Portal: https://portal.azure.us
Use Azure Government Portal, not Azure Commercial Portal. GCC-High app registrations MUST be created at portal.azure.us, not portal.azure.com.

Registration Steps

1. Create App Registration

  1. Sign in to the Azure Government Portal with your GCC-High credentials
  2. Navigate to Entra ID > App registrations > New registration
  3. Configure the registration:
    • Name: Intune Commander - GCC-High (or your preferred name)
    • Supported account types: Accounts in this organizational directory only (single tenant)
    • Redirect URI:
      • Platform: Mobile and desktop applications
      • URI: http://localhost:45132
    • Click Register

2. Note Registration Details

After registration, copy the following values:
  • Application (client) ID - Found on the Overview page
  • Directory (tenant) ID - Found on the Overview page
These values will be different from any app registrations in your Commercial or GCC tenants. Do not reuse Client IDs across clouds.

3. Configure API Permissions

Navigate to API permissions and add the following Microsoft Graph Application permissions:

Device Management
  • DeviceManagementConfiguration.ReadWrite.All
  • DeviceManagementApps.ReadWrite.All
  • DeviceManagementServiceConfig.ReadWrite.All
  • DeviceManagementManagedDevices.Read.All
  • DeviceManagementRBAC.ReadWrite.All
  • DeviceManagementScripts.ReadWrite.All
Conditional Access & Identity
  • Policy.ReadWrite.ConditionalAccess
  • Policy.Read.All
  • Agreement.ReadWrite.All
Organization & Branding
  • Organization.Read.All
  • OrganizationalBranding.ReadWrite.All
Groups
  • Group.Read.All
  • GroupMember.Read.All
Windows 365 (Optional)
  • CloudPC.ReadWrite.All

4. Grant Admin Consent

  1. Still on the API permissions page
  2. Click Grant admin consent for [Your Organization]
  3. Click Yes to confirm
  4. Verify all permissions show a green checkmark in the Status column
Admin consent in GCC-High may take 15-30 minutes to propagate fully through the government cloud infrastructure.

5. (Optional) Configure Client Secret

For unattended/service principal authentication:
  1. Navigate to Certificates & secrets
  2. Click New client secret
  3. Add a description: Intune Commander Service Principal
  4. Select expiration: 12 months (recommended)
  5. Click Add
  6. Immediately copy the secret value - it will not be shown again
Government data handling: Client secrets for GCC-High apps must be stored according to your organization’s CUI and ITAR data handling procedures.

Authentication Methods

Interactive Browser (Default)

Configuration:
  • Auth Method: Interactive
  • Client Secret: (leave blank)
Behavior:
  • Opens browser window to login.microsoftonline.us
  • Supports MFA, Conditional Access, and all Entra ID features
  • Token cached locally for persistent sessions
  • Automatically uses GCC-High authority host
Azure.Identity Implementation:
var credential = new InteractiveBrowserCredential(
    new InteractiveBrowserCredentialOptions
    {
        TenantId = profile.TenantId,
        ClientId = profile.ClientId,
        AuthorityHost = new Uri("https://login.microsoftonline.us"),
        RedirectUri = new Uri("http://localhost:45132")
    }
);

Client Secret (Service Principal)

Configuration:
  • Auth Method: ClientSecret
  • Client Secret: (paste the secret value)
Behavior:
  • No user interaction required
  • Authenticates as the application identity
  • Secrets encrypted and stored in the profile file
  • Automatically uses GCC-High authority host
Azure.Identity Implementation:
var credential = new ClientSecretCredential(
    profile.TenantId,
    profile.ClientId,
    profile.ClientSecret,
    new ClientSecretCredentialOptions
    {
        AuthorityHost = new Uri("https://login.microsoftonline.us")
    }
);

Profile Configuration

Creating a Profile

From the Login Screen:
  1. Launch Intune Commander
  2. Fill in the profile details:
    • Profile Name: Agency-GCCHigh-Production
    • Tenant ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (from portal.azure.us)
    • Client ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (from portal.azure.us)
    • Cloud: GCCHigh (critical—select this, not Commercial or GCC)
    • Auth Method: Interactive or ClientSecret
    • Client Secret: (if using ClientSecret auth method)
  3. Click Save Profile

JSON Profile Format

[
  {
    "name": "Agency-GCCHigh-Production",
    "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "clientId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "cloud": "GCCHigh",
    "authMethod": "Interactive"
  }
]
Critical: Set "cloud": "GCCHigh" to ensure correct endpoint selection.
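The endpoint mapping from the Implementation Details section and the profile file above lend themselves to a pre-flight check before any token request is made. The following is an added Python example, not the project's C# code: it resolves the Graph base URL, authority host and default scope for a cloud name the way CloudEndpoints.cs does for GCCHigh, confirms that a URL about to be called actually belongs to the selected cloud (the mismatch behind AADSTS90043), and validates a profile file against the JSON format shown above. The GCCHigh values and profile field names are the ones documented on this page; the Commercial and GCC endpoint pairs, the validation rules and the sample GUIDs are this example's own assumptions.

```python
import json
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Graph base URL and authority host per cloud. The GCCHigh pair is the one
# documented above (and in CloudEndpoints.cs); Commercial and GCC are the
# public .com endpoints (assumption: the project maps them this way).
CLOUD_ENDPOINTS: Dict[str, Tuple[str, str]] = {
    "Commercial": ("https://graph.microsoft.com/beta", "https://login.microsoftonline.com"),
    "GCC": ("https://graph.microsoft.com/beta", "https://login.microsoftonline.com"),
    "GCCHigh": ("https://graph.microsoft.us/beta", "https://login.microsoftonline.us"),
}

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)


def resolve_endpoints(cloud: str) -> Tuple[str, str, str]:
    """Return (graph_base_url, authority_host, default_scope) for a cloud name."""
    if cloud not in CLOUD_ENDPOINTS:
        raise ValueError(f"unknown cloud {cloud!r}; expected one of {sorted(CLOUD_ENDPOINTS)}")
    graph, authority = CLOUD_ENDPOINTS[cloud]
    # "https://graph.microsoft.us/beta" -> "https://graph.microsoft.us/.default"
    scope = graph.rsplit("/", 1)[0] + "/.default"
    return graph, authority, scope


def endpoint_matches_cloud(cloud: str, url: str) -> bool:
    """True if url's host is the Graph or authority host of the given cloud.
    A .com URL used with a GCCHigh profile is the mismatch behind AADSTS90043."""
    graph, authority, _ = resolve_endpoints(cloud)
    expected = {urlparse(graph).hostname, urlparse(authority).hostname}
    return (urlparse(url).hostname or "").lower() in expected


def validate_profile(profile: dict) -> List[str]:
    """Return a list of problems with one profile entry; empty means it looks sane."""
    problems: List[str] = []
    for field in ("tenantId", "clientId"):
        if not GUID_RE.match(str(profile.get(field, ""))):
            problems.append(f"{field} is not a GUID (placeholder still in place?)")
    cloud = profile.get("cloud")
    if cloud not in CLOUD_ENDPOINTS:
        problems.append(f"cloud must be one of {sorted(CLOUD_ENDPOINTS)}, got {cloud!r}")
    method = profile.get("authMethod")
    if method not in ("Interactive", "ClientSecret"):
        problems.append(f"authMethod must be Interactive or ClientSecret, got {method!r}")
    elif method == "ClientSecret" and not profile.get("clientSecret"):
        problems.append("authMethod is ClientSecret but no clientSecret is set")
    elif method == "Interactive" and profile.get("clientSecret"):
        problems.append("clientSecret is set on an Interactive profile; leave it blank")
    return problems


def validate_profiles_json(text: str) -> Dict[str, List[str]]:
    """Validate every entry of a profile file (a JSON array, as shown above)."""
    entries = json.loads(text)
    if not isinstance(entries, list):
        raise ValueError("profile file must be a JSON array of profiles")
    return {p.get("name", f"<unnamed #{i}>"): validate_profile(p) for i, p in enumerate(entries)}


# Constructed sample: one sane GCC-High profile and one copied from the template
# with its placeholders left in, a mistyped cloud name and a missing secret.
SAMPLE_PROFILES = json.dumps([
    {
        "name": "Agency-GCCHigh-Production",
        "tenantId": "11111111-2222-3333-4444-555555555555",  # constructed GUID
        "clientId": "66666666-7777-8888-9999-000000000000",  # constructed GUID
        "cloud": "GCCHigh",
        "authMethod": "Interactive",
    },
    {
        "name": "Agency-GCCHigh-Broken",
        "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "clientId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "cloud": "GCC-High",
        "authMethod": "ClientSecret",
    },
])

if __name__ == "__main__":
    for name, problems in validate_profiles_json(SAMPLE_PROFILES).items():
        print(name, "OK" if not problems else "\n  - " + "\n  - ".join(problems))
```

The cloud name is treated as a closed enumeration on purpose: a near miss such as "GCC-High" is rejected rather than silently falling back to Commercial endpoints, which is how a profile ends up talking to login.microsoftonline.com.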

Supported Features

All Intune Commander features are fully supported in GCC-High:
Feature                   | Support Status
Device Configurations     | Full support
Compliance Policies       | Full support
Applications              | Full support
App Protection Policies   | Full support
Conditional Access        | Full support
Endpoint Security         | Full support
Windows Updates           | Full support
Scripts & Remediation     | Full support
Enrollment Configurations | Full support
RBAC & Scope Tags         | Full support
Groups                    | Full support
Terms of Use              | Full support
Named Locations           | Full support
Authentication Strengths  | Full support
Windows 365 Cloud PC      | Full support (requires license)
PowerPoint Export Limitation: Conditional Access PowerPoint export is currently Commercial cloud only. GCC-High support is planned for a future release.

Differences from Commercial & GCC

Technical Differences

Aspect                  | GCC-High                 | GCC                       | Commercial
Graph API endpoint      | graph.microsoft.us       | graph.microsoft.com       | graph.microsoft.com
Authority host          | login.microsoftonline.us | login.microsoftonline.com | login.microsoftonline.com
App registration portal | portal.azure.us          | portal.azure.com          | portal.azure.com
Tenant isolation        | Physical & logical       | Logical only              | None
Personnel screening     | Government screening     | US citizens (screened)    | Global workforce

Service Availability

GCC-High typically receives new features 2-6 weeks after Commercial cloud:
  • Core features: Usually available within 2-4 weeks
  • Preview features: May not be available or significantly delayed
  • Third-party integrations: Limited compared to Commercial

Network Requirements

Required Outbound Connectivity

GCC-High uses government-specific endpoints:
Destination              | Purpose
login.microsoftonline.us | Authentication (required)
graph.microsoft.us       | Microsoft Graph API (required)
*.microsoft.us           | Certificate validation, service discovery
*.windows.net            | Azure infrastructure services
Do not allowlist .com domains. GCC-High requires .us government endpoints. Blocking .us domains will prevent authentication and API access.

Proxy Support

Intune Commander uses the system proxy configuration:
  • Windows: Internet Options proxy settings
  • macOS/Linux: System environment variables (HTTP_PROXY, HTTPS_PROXY)
Ensure proxy configuration allows connections to *.microsoft.us and *.microsoftonline.us domains.
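The two sections above (Required Outbound Connectivity and Proxy Support) describe an egress policy that is easy to get subtly wrong: *.microsoft.us does not cover login.microsoftonline.us, and rules copied from a Commercial tenant bring .com entries along. The following is an added Python example, not part of Intune Commander, that audits an allowlist against the required destinations from the table above. The one-rule-per-line format with `*.suffix` wildcards and `#` comments is an assumption about the proxy or firewall export, not any specific product's syntax; the sample allowlist is constructed.

```python
from typing import Iterable, List

# Required GCC-High destinations from the connectivity table above.
REQUIRED_DESTINATIONS = {
    "login.microsoftonline.us": "authentication",
    "graph.microsoft.us": "Microsoft Graph API",
}
# Commercial-cloud suffixes that should not appear in a GCC-High egress policy.
COMMERCIAL_SUFFIXES = ("microsoft.com", "microsoftonline.com", "azure.com")


def rule_matches(rule: str, host: str) -> bool:
    """Proxy-style matching: '*.microsoft.us' covers graph.microsoft.us but not
    microsoft.us itself; a rule without a wildcard must match exactly."""
    rule, host = rule.strip().lower(), host.strip().lower()
    if rule.startswith("*."):
        suffix = rule[1:]  # ".microsoft.us"
        return host.endswith(suffix) and len(host) > len(suffix)
    return rule == host


def parse_allowlist(text: str) -> List[str]:
    """One rule per line; blank lines and '#' comments are ignored (assumed format)."""
    return [line.strip() for line in text.splitlines()
            if line.strip() and not line.strip().startswith("#")]


def audit_allowlist(rules: Iterable[str]) -> List[str]:
    """Report required .us destinations the rules miss and any .com entries present."""
    rules = list(rules)
    findings: List[str] = []
    for host, purpose in REQUIRED_DESTINATIONS.items():
        if not any(rule_matches(r, host) for r in rules):
            findings.append(f"missing: {host} ({purpose})")
    for r in rules:
        bare = r.lower().lstrip("*.")  # drop a leading wildcard before suffix test
        if bare.endswith(COMMERCIAL_SUFFIXES):
            findings.append(f"commercial endpoint allowed: {r} (use the .us equivalent)")
    return findings


# Constructed allowlist: partially updated from a Commercial tenant. It allows
# Graph, but the authority host is still the .com one and *.microsoft.us does
# not reach login.microsoftonline.us.
SAMPLE_ALLOWLIST = """
# egress rules copied from the Commercial tenant, partly updated
*.microsoft.us
login.microsoftonline.com
*.windows.net
"""

if __name__ == "__main__":
    for finding in audit_allowlist(parse_allowlist(SAMPLE_ALLOWLIST)):
        print(finding)
```

Run against the sample, the audit reports the missing login.microsoftonline.us rule and the stray .com entry; adding *.microsoftonline.us, as the proxy note above requires, clears the first finding.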

Troubleshooting

Wrong Cloud Selected

Symptom: “AADSTS90043: The request was made to the wrong cloud instance”
Solution:
  1. Verify you selected GCCHigh when creating the profile
  2. Delete the profile and recreate with correct cloud selection
  3. Clear cached tokens: Delete %LocalAppData%\.IdentityService\msal.cache

App Registration in Wrong Portal

Symptom: Authentication fails with “Application not found” or “Invalid client”
Solution:
  1. Verify app registration was created in portal.azure.us (not portal.azure.com)
  2. Create a new app registration in the correct portal
  3. Update profile with new Client ID from portal.azure.us

Endpoint Mismatch

Symptom: API calls return 401 Unauthorized or DNS resolution failures
Solution:
  1. Verify profile cloud is set to GCCHigh
  2. Check network connectivity to graph.microsoft.us and login.microsoftonline.us
  3. Ensure firewall allows outbound HTTPS to *.microsoft.us
  4. Test connectivity: curl https://graph.microsoft.us/beta

Permission Propagation Delays

Symptom: Permissions granted but still getting 403 Forbidden errors
Solution:
  1. Wait 15-30 minutes after granting admin consent
  2. Sign out and sign back in to refresh token
  3. Use Permission Check feature to verify JWT token claims
  4. Contact Microsoft support if permissions don’t propagate after 1 hour
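Step 3 above relies on reading the claims of the access token the client holds. The following is an added Python example, not the project's Permission Check feature, showing what such a check looks at: that the token was issued by the GCC-High authority, that its audience is the GCC-High Graph resource, that it has not expired, and that the application permissions from the Device Management group in step 3 are present. Application permissions appear in the `roles` claim of app-only tokens; delegated (interactive) tokens carry consented scopes in `scp`, and the check reads both. The token is decoded, not verified: signature verification is the resource's job, and this is a diagnostic view only. The sample token and its tenant ID are constructed, and the issuer URL form is an assumption.

```python
import base64
import json
import time
from typing import Dict, List, Optional, Sequence

# Graph audience and authority host for GCC-High, from the endpoint table above.
GCC_HIGH_GRAPH = "https://graph.microsoft.us"
GCC_HIGH_AUTHORITY_HOST = "login.microsoftonline.us"

# Application permissions from the Device Management group in step 3.
REQUIRED_ROLES: Sequence[str] = (
    "DeviceManagementConfiguration.ReadWrite.All",
    "DeviceManagementApps.ReadWrite.All",
    "DeviceManagementServiceConfig.ReadWrite.All",
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementRBAC.ReadWrite.All",
    "DeviceManagementScripts.ReadWrite.All",
)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> Dict:
    """Return the payload claims of a compact JWT. The signature is not checked:
    this is a view of what the client holds, not an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def granted_permissions(claims: Dict) -> set:
    """App-only tokens list application permissions in 'roles'; delegated
    (interactive) tokens carry consented scopes as a space-separated 'scp' string."""
    granted = set(claims.get("roles", []))
    granted.update(str(claims.get("scp", "")).split())
    return granted


def check_token(token: str, required: Sequence[str] = REQUIRED_ROLES,
                now: Optional[float] = None) -> List[str]:
    """Explain a 403 after admin consent: wrong cloud, wrong audience, expiry or missing roles."""
    claims = decode_claims(token)
    findings: List[str] = []
    aud = str(claims.get("aud", ""))
    # Graph tokens normally carry the resource URL as 'aud'; tokens that carry
    # the Graph application ID GUID instead are not handled by this check.
    if aud.rstrip("/") != GCC_HIGH_GRAPH:
        findings.append(f"aud is {aud!r}, expected {GCC_HIGH_GRAPH}: token is for another cloud or resource")
    if GCC_HIGH_AUTHORITY_HOST not in str(claims.get("iss", "")):
        findings.append("iss is not the GCC-High authority (login.microsoftonline.us)")
    now = time.time() if now is None else now
    if float(claims.get("exp", 0)) <= now:
        findings.append("token has expired; sign out and sign back in")
    missing = sorted(set(required) - granted_permissions(claims))
    if missing:
        findings.append("missing permissions (consent not yet propagated?): " + ", ".join(missing))
    return findings


def make_unsigned_token(claims: Dict) -> str:
    """Build an unsigned ('alg': 'none') token for offline demonstration only.
    A real token from the authority is signed, and the resource verifies it."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed claims resembling an app-only GCC-High Graph token. The tenant ID
# is a placeholder, and the v2.0 issuer URL form is an assumption.
TENANT = "11111111-2222-3333-4444-555555555555"
GOOD_CLAIMS = {
    "aud": GCC_HIGH_GRAPH,
    "iss": f"https://login.microsoftonline.us/{TENANT}/v2.0",
    "exp": 4102444800,  # year 2100, so the sample never expires
    "roles": list(REQUIRED_ROLES),
}

if __name__ == "__main__":
    print(check_token(make_unsigned_token(GOOD_CLAIMS)) or ["all required claims present"])
```

A token whose `aud` or `iss` points at a .com host is a wrong-cloud problem (recreate the profile with GCCHigh), while a correct audience with roles missing from `roles` is the propagation delay described above and only needs a fresh sign-in after the 15-30 minute window.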

Migration from Commercial or GCC

Moving Configurations to GCC-High

  1. Export from source tenant:
    • Connect to Commercial or GCC tenant in Intune Commander
    • Export all configurations to a folder
  2. Review for compliance:
    • Ensure configurations meet GCC-High compliance requirements
    • Remove references to third-party services not approved for CUI
    • Update URLs to government-specific endpoints (if any hardcoded)
  3. Import to GCC-High tenant:
    • Create app registration in portal.azure.us
    • Create GCCHigh profile in Intune Commander
    • Import configurations from the export folder
    • Review and update assignments (groups won’t migrate automatically)
  4. Test thoroughly:
    • Validate Conditional Access policies with pilot group
    • Test device enrollment and compliance evaluation
    • Verify app deployments and MAM policies
Cross-cloud sync not supported. You cannot synchronize configurations between Commercial/GCC and GCC-High in real-time. Use export/import for one-time migrations only.
