Many government contractors are migrating to Office 365 Government Community Cloud High (GCC High) due to requirements found in DFARS 7012, a regulation enforced within contracts with the Department of Defense. For many businesses this is their first transition to the cloud; for others it means moving from another, non-compliant cloud environment or provider. The move can cause a lot of headaches if you are unaware of the challenges. This blog gives several considerations for planning a proper migration to your new GCC High tenant.
Of course, you'll want to start by getting your actual licensing, but we will not focus on that here. If you haven't already, you will first need to become eligible through Microsoft's process.
Office 365 GCC High has greater restrictions when it comes to connecting to other cloud service providers (CSPs). This has been a pain point for many clients when migrating mail into Exchange Online in GCC High.
Microsoft will whitelist individual IPs but will not whitelist ranges of IPs, as in the case of Google's G Suite. However, if you are on a cloud-based system or a hosted system with a single IP, you will likely be able to get it whitelisted.
Your IP Needs to Be On the List
Summit 7 has developed a two-step process to help customers have a smooth cutover from any CSP to Exchange Online in GCC High. For more information on this process and how your migration from another cloud provider can be a successful one, contact us here.
2. Migration Tools
The use of a proper migration tool will help smooth out any migration. Whether you are migrating from one tenant to another tenant, on-premises to a GCC High tenant, or even a hybrid environment to a GCC High tenant - choosing the right tool is critical. One of the main benefits of using a tool is to keep end user impact to a minimum.
Summit 7 primarily uses two tools when dealing with Exchange Online migrations. If we perform a tenant-to-tenant migration, we prefer to use BitTitan, as it is cheaper than SkyKick and performs most of the major steps. If conducting a migration from another cloud provider to GCC High, we use a combination of BitTitan and SkyKick, depending upon the migration scenario, to properly move everything with minimal interruption.
End users on a Mac will have additional steps to configure their mail profile, and the steps differ depending on whether they use Outlook for Mac or Apple Mail. End users on Windows 10 with Outlook will have an easier time, depending on the tool, as some tools will create a new mail profile for them with minimal interruption.
It is less common, but some organizations need to migrate Teams from a commercial environment to a GCC High environment. At this time, we know of one tool available to migrate Teams, called FLY by AvePoint. It uses an on-premises server infrastructure to migrate everything needed. One benefit of this tool over other tools is that it has the capability to migrate everything in your tenant to another tenant. This should work even with a GCC High environment, as the on-premises AvePoint server can have a static IP that is not shared, which should allow it to be whitelisted by Microsoft.
If you are needing to migrate SharePoint content to your tenant, the tool of choice is ShareGate. It is a simple, affordable tool that can perform all SharePoint migrations needed. ShareGate runs on a standalone server that can use Azure Cloud Storage to help speed up migrations for environments with a lot of data.
ShareGate or BitTitan can be used to migrate OneDrive content. One thing to think about prior to migrating users' OneDrive content is the accidental duplication of items. If you are moving a user from one tenant to another with OneDrive content, their content will still be saved locally on their machine. When they connect to the new tenant, there is a possibility of downloading and uploading duplicate content. Make sure you have a plan in place for this.
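One way to build that plan is to compare the user's old locally synced folder against the folder the new tenant's sync client creates, by file content rather than by name, before anyone starts deleting or re-uploading. The script below is an added example for this post, not Summit 7's or any vendor's tooling; the two folder paths are constructed placeholders and should be replaced with the user's real sync folders.

```powershell
# Added example (not from the original post): find duplicate or conflicting files between a user's
# old locally synced OneDrive folder and the folder the new GCC High tenant's sync client creates.
# The two folder paths at the bottom are constructed placeholders.

function Get-FolderManifest {
    # Map each file's path relative to $Root to its SHA-256 content hash.
    param([string]$Root)
    $base = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    $manifest = @{}
    Get-ChildItem -LiteralPath $base -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($base.Length).TrimStart('\')
        $manifest[$rel] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
    return $manifest
}

function Compare-OneDriveFolders {
    # Classify every file in the old folder relative to what is already present in the new one.
    param([string]$OldRoot, [string]$NewRoot)
    $old = Get-FolderManifest -Root $OldRoot
    $new = Get-FolderManifest -Root $NewRoot

    # Index the new folder by hash so content that was re-uploaded under a different path is found too.
    $newByHash = @{}
    foreach ($kv in $new.GetEnumerator()) {
        if (-not $newByHash.ContainsKey($kv.Value)) { $newByHash[$kv.Value] = @() }
        $newByHash[$kv.Value] += $kv.Key
    }

    foreach ($rel in ($old.Keys | Sort-Object)) {
        $hash = $old[$rel]
        $state = 'MissingFromNew'                       # old file has no counterpart yet: still needs migrating
        if ($new.ContainsKey($rel)) {
            if ($new[$rel] -eq $hash) { $state = 'Identical' }   # same path, same content: safe to drop the old copy
            else                      { $state = 'Conflict' }    # same path, different content: user edited after cutover
        } elseif ($newByHash.ContainsKey($hash)) {
            $state = 'DuplicateElsewhere'                # same content re-uploaded under another path
        }
        [pscustomobject]@{
            RelativePath = $rel
            State        = $state
            NewLocations = if ($newByHash.ContainsKey($hash)) { $newByHash[$hash] -join ';' } else { '' }
        }
    }
}

# Placeholder paths; substitute the user's actual sync folders.
$result = Compare-OneDriveFolders -OldRoot "$env:USERPROFILE\OneDrive - Old Tenant" `
                                  -NewRoot "$env:USERPROFILE\OneDrive - New Tenant"
$result | Export-Csv -Path .\onedrive-compare.csv -NoTypeInformation
$result | Group-Object State | Select-Object Name, Count
```

Run it on the user's machine after the new tenant's client has finished its initial sync. The CSV is the worklist: `Identical` rows can be removed from the old folder, `DuplicateElsewhere` rows show where the second copy landed, `Conflict` rows need the user to pick a version, and `MissingFromNew` rows are what the migration tool still has to move.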
As many of you already know, there is no migration path to migrate MFA. The only option is to have users reconfigure their MFA settings in their new tenant. This is also the case when migrating from Office 365 MFA to Azure MFA Conditional Access.
If your organization heavily uses distribution lists, the first step would be to go through the lists and remove any that are not being used. The next step would be to determine who manages these lists. Do end users manage the lists, or IT? If IT manages the distribution lists, they can be recreated by synchronizing your Active Directory using AD Connect to your new tenant. If your end users manage distribution lists, the path forward may be more involved.
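The triage above (drop unused lists, then sort the rest by who manages them) is easier with an inventory in hand. The script below is an added example for this post, not Summit 7's process; it assumes the ExchangeOnlineManagement module and an Exchange admin account, and the admin UPN and IT owner address are constructed placeholders. `Get-MessageTrace` only reaches back 10 days, so its count is a hint about usage, not proof that a list is dead.

```powershell
# Added example (not Summit 7's code): inventory distribution lists before a GCC High migration
# and suggest a migration action for each. Addresses below are constructed placeholders.
# Source (commercial) tenant:
#   Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com
# Target (GCC High) tenant, if you repeat the inventory after cutover:
#   Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.us -ExchangeEnvironmentName O365USGovGCCHigh

$ItOwners  = @('it-admins@contoso.com')   # mailboxes that count as "IT manages this list" (placeholder)
$TraceDays = 10                           # Get-MessageTrace cannot look back further than 10 days

function Resolve-OwnerAddresses {
    # ManagedBy holds canonical names; resolve each one to a primary SMTP address for comparison.
    param($ManagedBy)
    @($ManagedBy) | ForEach-Object {
        $r = Get-Recipient -Identity "$_" -ErrorAction SilentlyContinue
        if ($r) { $r.PrimarySmtpAddress.ToString().ToLower() }
    }
}

function Get-DlMigrationPlan {
    param([string[]]$ItOwnerAddresses, [int]$TraceWindowDays)
    $start = (Get-Date).AddDays(-$TraceWindowDays)
    $end   = Get-Date
    foreach ($dl in Get-DistributionGroup -ResultSize Unlimited) {
        $owners  = @(Resolve-OwnerAddresses -ManagedBy $dl.ManagedBy)
        $members = @(Get-DistributionGroupMember -Identity $dl.Identity -ResultSize Unlimited)
        # Mail addressed to the list in the trace window is the best usage signal available here.
        $recent  = @(Get-MessageTrace -RecipientAddress $dl.PrimarySmtpAddress -StartDate $start -EndDate $end).Count
        $nonIt   = @($owners | Where-Object { $ItOwnerAddresses -notcontains $_ })

        # Later rules override earlier ones, so the most specific case wins.
        $action = 'End-user managed: plan owner hand-off'
        if ($nonIt.Count -eq 0)   { $action = 'IT-managed: recreate in target tenant' }
        if ($dl.IsDirSynced)      { $action = 'Recreate via AD Connect sync' }
        if ($recent -eq 0)        { $action = 'Review with owners: no mail in trace window' }
        if ($recent -eq 0 -and $members.Count -eq 0) { $action = 'Candidate for removal (empty, no recent mail)' }

        [pscustomobject]@{
            Name               = $dl.DisplayName
            PrimarySmtpAddress = $dl.PrimarySmtpAddress.ToString()
            MemberCount        = $members.Count
            ManagedBy          = ($owners -join ';')
            IsDirSynced        = [bool]$dl.IsDirSynced
            MessagesInWindow   = $recent
            Action             = $action
        }
    }
}

Get-DlMigrationPlan -ItOwnerAddresses $ItOwners -TraceWindowDays $TraceDays |
    Sort-Object Action, Name |
    Export-Csv -Path .\dl-migration-plan.csv -NoTypeInformation
```

Lists flagged `Recreate via AD Connect sync` or `IT-managed` are the easy half; the `End-user managed` rows are the ones that need an owner conversation before the cutover, since those owners will lose the ability to maintain their lists until something equivalent exists in the new tenant.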
Office365 Pro Plus
If you are currently in an Office 365 commercial environment, you are most likely using Office365 Pro Plus for all your end users. If this is the case, moving to GCC High will be easier. When the domain is cut over to the new environment, the users will be logged out of their existing Office365 Pro Plus account and simply need to log in using their GCC High credentials to activate their new license. If they are using anything else, you will need to plan how to upgrade all of your end users to the latest Office Suite, as Modern Authentication only works with Office 2013 or later and Azure Information Protection requires users to have the latest version of the Office Suite.
3. Feature Parity
When moving into a GCC High environment, it is good to know what is not available. As of this writing, below are some of the products or features that are not available in GCC High:
- My Analytics
- Customer Lockbox
- Audio Conferencing (PSTN)
- Azure ATP
Sharing Constraints and Guest Access
Currently, external sharing and guest users are not fully available in GCC High. Though there are many caveats and exceptions to that statement, it is best to expect, prior to your migration, that these two functions are not fully functioning. We have heard of Azure AD B2B support being a possibility in the near future, along with One-Time Passcode (OTP) authentication.
“This initial iteration of B2B is scoped to support only adding guests from other Azure Government tenants and not Azure Commercial.”
Also, external users accessing your information systems can add several layers of security and compliance complexity. You will need to thoroughly review and edit your System Security Plan (SSP) and implement several technical policies to accommodate this access.
Sometimes Sharing is a Bad Thing ... If It's CUI
Teams is now available in GCC High with a few differences; the following features are not available in Teams for GCC High:
- Email a channel
- Unified Presence for Skype and Teams
- Teams-Skype for Business Chat interoperability
- OneNote Tab
- PSTN Calls
Azure Information Protection (AIP)
When using Azure Information Protection for encryption, you need to be aware of nuances in sending encrypted emails from a GCC High tenant to a commercial tenant or a third-party tenant:
- GCC High to GCC High: everything works as expected
- GCC High to Commercial: can only open in the browser with a one-time passcode
- GCC High to third party: can only open in the browser with a one-time passcode
The above scenarios are not exhaustive of all policies but are representative of defaults. To turn on AIP and configure the product for optimal use in your organization, feel free to reach out.
The term “Label” can be confusing when it comes to Office 365 and Azure. A label can be defined as one of the following things:
- AIP Labeling - Azure Information Protection labels are found in the Azure Portal. These labels require the AIP client to be installed for Windows 10 only.
- Unified Labeling - Unified Labeling is inclusive of the labels you will find in the Security and Compliance Center. Eventually these will be the only labels recommended for use. As of right now, unified labels are not fully functional, as the unified labeling client is in preview for Windows 10. However, unified labels do work better on a Mac now, as there is no AIP client for the Mac.
If you are thinking about deploying labels in your existing commercial environment, we would recommend holding off until you finish moving to your new GCC High tenant. The labels themselves currently work the same as they would in a commercial environment.
5. GCC High Support
The last thing to take into consideration is the support from Microsoft for your new GCC High environment. Simply put - the Office 365 GCC High engineering and support group is a small team. Microsoft is the leader in government cloud SaaS; nevertheless, they still experience the occasional hiccup.
For the best support you need to select the right AOSG partner you purchase licensing and services from. Microsoft is relying heavily on the AOSG partners to provide the necessary implementation, configuration, and support. Microsoft does not recommend attempting an implementation or migration without an AOSG partner in support. That partner will be your best advocate in getting answers from Microsoft in the quickest and most detailed manner if technical difficulties occur.
Microsoft support is continuing to improve, but it is extremely valuable to have a partner fighting for your request.