
Connecting Office 365 to GCC High for Cross-Cloud Collaboration

Published on Nov 4, 2022

Previously, a natural tension existed between organizations operating on Microsoft’s commercial side and their enclaves or business units operating within the government cloud. Historically, this meant a somewhat limited collaborative experience, especially given isolated government enclaves. But after much patience, these silos are coming down. Now, you can connect Commercial Office 365 tenants to GCC High tenants in cross-cloud collaboration. This should translate to greater productivity and better communication, among other benefits.

Unfortunately, configuring cross-cloud collaboration can have significant security and compliance impacts. For instance, improperly connecting tenants could lead to data exfiltration, an expanded threat surface, and failed assessments. As such, ensure that you have a well-planned governance and security strategy prior to connecting Commercial Office 365 to GCC High.

To start off, cross-cloud tenant collaboration is essentially a tale of two tenants, both of whom desire communication between the two entities. Unfortunately, until this feature rolled out, this was nearly impossible to do. However, moving forward, it’s become increasingly straightforward to create a relationship between the different tenants.

Here’s a detailed walkthrough of cross-cloud tenant collaboration for better collaboration across your hybrid environment.

Pricing of Cross-Cloud Collaboration

Before jumping into how to connect Commercial Office 365 to GCC High, it is paramount that we look at pricing. To begin, let’s examine the old pricing model. It was based on total licensing that includes Azure AD Premium Plan 1 and Plan 2. Further, it was a 1:5 billing model whereby you required just one tenant license for five external identities.

This has since shifted to the Monthly Active Users (MAU) billing model. This model is particularly useful when you expect unique guest users with authentication activity within a calendar month. For this model, the first 50,000 MAUs per month are free for both Premium P1 and Premium P2.

What You Need to Begin Cross-Cloud Collaboration

The first step in connecting Commercial Office 365 to GCC High is to know the Azure AD roles in both tenants. Recommended roles to keep an eye out for are those of the security administrator and global administrator.

The other thing you’ll need is tenant support. It’s crucial to mention that this link is public, meaning you do not have to log in. You simply need to plug your tenant name into the URL. Then, you should see whether your business has support or not.

Enabling Cross-Tenant Access: Commercial 

This walkthrough assumes that you know how to navigate to Azure Active Directory and that you are familiar with the External Identities setting and, under it, cross-tenant access settings.

On the commercial end, you will see Microsoft Azure Government and Microsoft Azure China, both unchecked. Once you check either of these, the next step takes you to the government side, where you will in turn check Microsoft Azure Commercial. Note that, unlike on the Commercial end, Microsoft Azure China is not listed in GCC High.

The first validation you’ll be conducting is whether you can send a guest request from Azure in Commercial to a GCC High user. In the event that you are unable to do this, it simply means that while cross-tenant collaboration is enabled, it might not be configured correctly.

Azure AD

To solve this, you’ll need to do more. Specifically, for you to run this validation, there’s some Azure AD information that you must first gather. Collect both the Tenant ID and Primary Domain from each tenant side. Note that while this appears relatively straightforward with fewer demands on information to be collected, there are T2T interactions that will require rules to be imposed.

Now, you should be ready to connect the tenants. Note that it doesn’t matter whether you connect from the GCC High end or the Commercial end. The significant step here is adding the organization.

GCC High

At this point, you’ve been successful with the first validation, meaning you can send a request from the commercial side to the GCC High side. You should now move on to validation number two, which involves getting the GCC High user to accept the invitation so that the GCC High user can access a Commercial team site and post a message.

To achieve this, you should have already had Cross Tenant Collaboration enabled, had GCC High point to the Commercial Tenant, and vice versa. Once all these are done, tell Cross Tenant Collaboration you want users or groups to access applications.

From the commercial end, you’ll need to enable External Application Access. Essentially, you’ll be configuring the tenant restrictions that Commercial has with GCC High. Similarly, you want to enable External Application access from the GCC High tenant side. You should notice that on the interface, before enacting any changes, everything is restricted. In retrospect, this is a good thing as it is in line with a Zero Trust policy. You should successfully have GCC High user access to the Commercial tenant side at this point.

Now that you can send a request from Azure in Commercial to a GCC High user and have the GCC High user accept any invitations, you can further validate whether a GCC High user has access to a Commercial team site and whether they can successfully post a message.

Teams

On the Commercial tenant side, a Teams owner should add the GCC High user to the team. From then on, they should be able to send messages through the Teams web client. Overall, the GCC High user should now have access to all resources found on the Commercial tenant side.

Cross-Tenant Collaboration: Other Considerations 

As you embark on connecting Commercial Office 365 to GCC High, consider what working with multiple tenants involves. Multiple tenants means that you have two or more tenants, which is different from working with a multi-tenant. With multiple tenants, you now have to consider management, logging, and licensing. These could add lots of overhead and pain. This is, of course, dependent on whether you are working on a long-term or short-term project, as you could probably have the flexibility to meet the overheads with the latter.

To address the security challenge, it would be best to target specific people within the GCC High tenant ecosystem who can connect to other tenants, both on the GCC High end and the commercial end. You could base these permissions on roles, for instance, only allowing global administrators to access other GCC High tenants. Further, keep in mind that documentation is your friend. It keeps track of external tenants, their Azure AD tenant IDs, and the intent and results of a configuration. Finally, there’s already an excellent configuration with Azure Log Analytics. So long as your Azure AD diagnostic settings are pushing to Log Analytics, you can configure it so that you are notified every time there are Cross Tenant Collaboration changes.

PowerShell

There are a few additional considerations to be made when testing with non-production tenants. Specifically, you want to capture all manual steps, which reiterates the importance of documentation. Additionally, you should consider PowerShell automation, which replaces tedious, repetitive manual steps.
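The documentation and automation points above can be combined into a repeatable check. The following is an added PowerShell example, not Agile IT's or Microsoft's code: it compares partner entries against a documented inventory of approved tenant IDs and flags partners whose inbound B2B collaboration is open to all users. The tenant IDs and group ID are constructed placeholders, `Test-CrossTenantPartner` is a hypothetical helper, and the sample objects are assumed to mirror the Microsoft Graph `crossTenantAccessPolicyConfigurationPartner` resource.

```powershell
# Documented inventory of approved partner tenants (constructed placeholder IDs).
$ApprovedPartners = @{
    '11111111-1111-1111-1111-111111111111' = 'GCC High enclave (placeholder)'
}

# Helper to build a constructed sample partner entry shaped like Graph's
# crossTenantAccessPolicyConfigurationPartner. In a live tenant the entries would
# come from Get-MgPolicyCrossTenantAccessPolicyPartner (Microsoft.Graph.Identity.SignIns).
function New-SamplePartner([string]$TenantId, [string]$Target, [string]$TargetType) {
    [pscustomobject]@{
        TenantId                = $TenantId
        B2BCollaborationInbound = [pscustomobject]@{
            UsersAndGroups = [pscustomobject]@{
                AccessType = 'allowed'
                Targets    = @([pscustomobject]@{ Target = $Target; TargetType = $TargetType })
            }
        }
    }
}

$Partners = @(
    # Approved tenant, scoped to one group (constructed group object ID).
    New-SamplePartner '11111111-1111-1111-1111-111111111111' 'aaaaaaaa-0000-0000-0000-000000000001' 'group'
    # Undocumented tenant with inbound access open to every user.
    New-SamplePartner '22222222-2222-2222-2222-222222222222' 'AllUsers' 'user'
)

# Hypothetical helper: returns one result row per partner with any findings.
function Test-CrossTenantPartner {
    param(
        [Parameter(Mandatory)] $Partner,
        [Parameter(Mandatory)] [hashtable] $Approved
    )
    $findings = @()
    if (-not $Approved.ContainsKey([string]$Partner.TenantId)) {
        $findings += 'Tenant is not in the documented inventory'
    }
    $inbound = $Partner.B2BCollaborationInbound.UsersAndGroups
    if ($null -eq $inbound) {
        $findings += 'No partner-specific inbound setting; tenant defaults apply'
    } elseif ($inbound.AccessType -eq 'allowed' -and $inbound.Targets.Target -contains 'AllUsers') {
        $findings += 'Inbound B2B collaboration is open to all users of the partner'
    }
    [pscustomobject]@{
        TenantId  = $Partner.TenantId
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings -join '; '
    }
}

$Partners | ForEach-Object { Test-CrossTenantPartner -Partner $_ -Approved $ApprovedPartners } |
    Format-Table -AutoSize -Wrap
```

Running the same function on a schedule against live partner entries turns the manual documentation review into a drift check between what is configured and what was approved.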

In Commercial, decide on more stringent controls on an external partner, vendor, or business with explicit guidelines. You should consider taking over a T2T interaction and decide the tenets of the relationship with more configurations during cross-tenant configuration.

Overall, cross-tenant collaboration opens the doors for organizations that have all their users and resources in GCC High to collaborate with Commercial tenants. Further, for organizations with two tenants, both GCC High and Commercial, it allows one enclave of the business to collaborate with another without the red tape that previously existed.

Office 365 Cross-Cloud Collaboration

Connecting Commercial Office 365 tenants to GCC High tenants requires an adequate understanding of Microsoft’s strategy for secure and flexible collaboration across highly regulated and commercial organizations. This is particularly true given that, if not configured properly, your CUI could travel outside of your controlled environment. In addition, improper cross-training of individuals who do not typically work with sensitive information adds uncertainty and risk. This might then require that you consider whether you can allow Commercial users to access GCC High.

Learn More About Cross-Cloud Collaboration

In retrospect, cross-tenant collaboration doesn’t have to be intimidating. With testing, documentation, automation, and alerts, it could be relatively manageable.

At Agile IT, we pride ourselves on our expertise in this subject. In fact, we’ve already started connecting Office 365 tenants to GCC High tenants. We can help you determine the best practice approach to improve your organizational collaboration without compromising CMMC compliance. Schedule a call today to get started.
