
GCC High FAQs and Troubleshooting

Answers to common questions after your GCC High setup and configuration

Written by Secureframe Engineering

After Secureframe sets up and configures your Microsoft GCC High tenant, some changes can affect how users sign in, share files, or send mail. This guide covers the most common questions and where to check. We'll add to it over time.

Why can't CUI users access the CUI Shared Drive or OneDrive right after setup?

Microsoft provisions the SharePoint document library in the background after the site is created. On GCC High this can take anywhere from about 15 minutes to 48 hours, with no guaranteed time, so the drive may look empty or missing at first — check back later. If it still isn't accessible, confirm the affected person is a member of the CUI Users group, since access to the CUI Shared Drive follows that group's membership.

I enabled the "Require Compliant Device" policy and now CUI users are locked out. Why?

That policy requires each device to be marked compliant by a mobile device management (MDM) solution such as Microsoft Intune. Until your MDM is enrolled and reporting device compliance, turning this policy on will block CUI users. Set up device compliance first, confirm devices are reporting as compliant, and then enable the policy.

MFA and the other security policies don't seem to be enforced. Is that expected?

Yes. Conditional Access policies are created in report‑only mode so no one is locked out during rollout — they log what would happen without actually enforcing it. Review the report‑only results in the Microsoft Entra admin center, then switch each policy to On when you're ready.

How do I check whether a Conditional Access policy is safe to turn on?

In the Microsoft Entra admin center, go to Identity → Monitoring → Sign‑in logs, filter by Conditional Access and the policy name, and review the report‑only results. Once the results look clean for your tenant, switch the policy to On.
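The same review can be scripted with Microsoft Graph PowerShell, which is useful when a policy covers many users and the portal's log view gets long. The following is an added example and is not part of the Secureframe article or its setup tooling. It assumes the Microsoft.Graph modules are installed, that the signed-in account has the scopes requested in the script, and that the policy name "Require MFA for CUI Users" is a stand-in for whatever your policy is called.

```powershell
# Added example, not from the Secureframe article: review the report-only results of one
# Conditional Access policy with Microsoft Graph PowerShell and list the users it would have blocked.
# Assumptions: the Microsoft.Graph modules are installed, the signed-in account has the scopes
# requested below, and $PolicyName is a hypothetical policy name; replace it with your own.
param(
    [string]$PolicyName = "Require MFA for CUI Users",   # hypothetical name
    [int]$Days = 7                                        # sign-in logs are kept 30 days with P1/P2
)

# GCC High tenants authenticate against the US Government cloud endpoints.
Connect-MgGraph -Environment USGov -Scopes "AuditLog.Read.All", "Directory.Read.All", "Policy.Read.All"

$since   = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# Every sign-in carries one entry per evaluated policy. Report-only policies produce the
# outcomes reportOnlySuccess, reportOnlyFailure, reportOnlyNotApplied and reportOnlyInterrupted.
$hits = foreach ($s in $signIns) {
    foreach ($p in $s.AppliedConditionalAccessPolicies) {
        if ($p.DisplayName -eq $PolicyName) {
            [pscustomobject]@{
                When   = $s.CreatedDateTime
                User   = $s.UserPrincipalName
                App    = $s.AppDisplayName
                Result = $p.Result
            }
        }
    }
}

"Outcome counts for '$PolicyName' over the last $Days days:"
$hits | Group-Object Result | Select-Object Name, Count | Format-Table -AutoSize

# reportOnlyFailure rows are the sign-ins that would have been blocked once the policy is On.
# Resolve these users first (for example, finish MFA registration) before enforcing.
"Users who would have been blocked:"
$hits | Where-Object Result -eq 'reportOnlyFailure' |
    Group-Object User | Select-Object Name, Count | Sort-Object Count -Descending | Format-Table -AutoSize

# Once the results are clean, set the policy state to 'enabled' (the portal's "On"). This needs
# Policy.ReadWrite.ConditionalAccess in addition to the read scopes above, so it is left commented.
# $policy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$PolicyName'"
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -State enabled
```

Run it as a script file (the `param` block must be first) and pass `-Days` to widen or narrow the window. On a large tenant, pulling every sign-in with `-All` can take a while; a tighter window or an additional filter on `userPrincipalName` keeps the query fast. The Super Admin accounts described later in this guide will not appear in the results because they are excluded from the policy.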

Older email clients or devices stopped connecting. What changed?

Once enabled, the "Block Legacy Authentication" policy blocks legacy protocols such as Exchange ActiveSync and SMTP AUTH that can't satisfy modern MFA. We also disable POP and IMAP on the default mailbox plan and disable SMTP client authentication tenant‑wide. Move affected clients to modern authentication, and if a specific service account genuinely needs SMTP AUTH, re‑enable it only for that account.

Auto‑forwarding or mailbox forwarding to external addresses stopped working.

This is intentional. To protect CUI, we add mail‑flow rules that block external auto‑forwarding and external mailbox forwarding, and we disable auto‑forwarding on the default remote domain. If a specific business case requires external forwarding, handle it through a reviewed exception rather than re‑enabling forwarding broadly.
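The two answers above (legacy authentication and external forwarding) share one Exchange Online PowerShell session, so the following added example audits both and shows what a single-account SMTP AUTH exception looks like. It is not code from the Secureframe article. It assumes the ExchangeOnlineManagement module is installed, the account holds the Exchange Administrator role, and `svc-scanner@example.gov` is a constructed service-account address.

```powershell
# Added example, not from the Secureframe article: audit the mail controls described above and
# re-enable SMTP AUTH for a single service account. Assumptions: the ExchangeOnlineManagement
# module is installed, the account holds Exchange Administrator, and svc-scanner@example.gov
# is a constructed service-account address.
Connect-ExchangeOnline -ExchangeEnvironmentName O365USGovGCCHigh

# 1. Tenant-wide state. Expected: SMTP AUTH disabled, POP and IMAP off in the default mailbox plan.
Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled
Get-CASMailboxPlan | Select-Object DisplayName, PopEnabled, ImapEnabled

# 2. Narrow exception: a per-mailbox value overrides the tenant setting for that mailbox only.
$svc = "svc-scanner@example.gov"
Set-CASMailbox -Identity $svc -SmtpClientAuthenticationDisabled $false
Get-CASMailbox -Identity $svc |
    Select-Object PrimarySmtpAddress, SmtpClientAuthenticationDisabled, PopEnabled, ImapEnabled

# 3. Every mailbox that carries such an override, so exceptions stay visible and reviewable.
#    An unset mailbox value is $null (inherits the tenant setting) and is not matched here.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object PrimarySmtpAddress, SmtpClientAuthenticationDisabled

# 4. Forwarding controls: the default remote domain and the transport rules that stop auto-forwards.
Get-RemoteDomain -Identity Default | Select-Object DomainName, AutoForwardEnabled
Get-TransportRule |
    Where-Object { $_.MessageTypeMatches -eq 'AutoForward' } |
    Select-Object Name, State, FromScope, SentToScope, RejectMessageReasonText

# 5. Mailbox-level forwarding that an admin or user set directly. The rules above stop delivery,
#    but these entries are what a reviewed exception would have to cover explicitly.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object PrimarySmtpAddress, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
```

Step 2 is the only change the script makes; everything else is read-only. Keeping step 3 in a scheduled report is a simple way to make sure an exception granted for one service account does not quietly spread to others.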

Users can no longer share files externally, or external links stopped working.

We tighten SharePoint and OneDrive sharing for CUI: external sharing is restricted to existing guests only, sharing links default to specific people with view‑only access, the allowed‑domains list is locked down, external links expire after 30 days, and downloads/sync from unmanaged devices are blocked. Re‑share within those limits, or add the recipient as a guest first.
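To confirm those sharing limits on your own tenant, the following added example (not code from the Secureframe article) reads the SharePoint Online tenant settings and compares them with the values the paragraph describes. It assumes the Microsoft.Online.SharePoint.PowerShell module is installed, that you hold SharePoint Administrator, that `contoso` is a constructed tenant name, that the "30 days" expiry corresponds to the guest-access expiry setting (`ExternalUserExpireInDays`), and that the CUI site URL is a placeholder.

```powershell
# Added example, not from the Secureframe article: compare the tenant's SharePoint and OneDrive
# sharing settings with the values the FAQ describes. Assumptions: the
# Microsoft.Online.SharePoint.PowerShell module is installed, you hold SharePoint Administrator,
# "contoso" is a constructed tenant name, the 30-day expiry is read as guest-access expiry
# (ExternalUserExpireInDays), and the CUI site URL is a placeholder.
Connect-SPOService -Url "https://contoso-admin.sharepoint.us" -Region ITAR   # GCC High uses .sharepoint.us

# Expected values, constructed from the FAQ text.
$expected = [ordered]@{
    SharingCapability              = 'ExistingExternalUserSharingOnly'  # existing guests only
    DefaultSharingLinkType         = 'Direct'                           # "specific people" links
    DefaultLinkPermission          = 'View'                             # view-only by default
    SharingDomainRestrictionMode   = 'AllowList'                        # allowed-domains list enforced
    ExternalUserExpirationRequired = $true                              # guest access expires ...
    ExternalUserExpireInDays       = 30                                 # ... after 30 days
    ConditionalAccessPolicy        = 'AllowLimitedAccess'               # unmanaged devices: browser only, no download/sync
}

$tenant = Get-SPOTenant
$expected.Keys | ForEach-Object {
    $actual = $tenant.$_
    [pscustomobject]@{
        Setting  = $_
        Expected = $expected[$_]
        Actual   = $actual
        OK       = ("$actual" -eq "$($expected[$_])")
    }
} | Format-Table -AutoSize

# The allow list has no single "right" value; print it so a reviewer can confirm its contents.
"Allowed sharing domains: $($tenant.SharingAllowedDomainList)"

# A site can only be as permissive as the tenant, but check the CUI site explicitly anyway.
Get-SPOSite -Identity "https://contoso.sharepoint.us/sites/CUI-Shared-Drive" |
    Select-Object Url, SharingCapability, ConditionalAccessPolicy
```

A row with `OK = False` is worth a look but is not automatically wrong: the block's expected values are a reading of the FAQ, so adjust the table to match the settings Secureframe applied to your tenant and then keep it as a drift check.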

Why aren't our Super Admins prompted for MFA or subject to the policies?

This is by design. Super Admins are excluded from the Conditional Access policies so these break‑glass accounts remain accessible if your sign‑in infrastructure is ever degraded. Keep Super Admin accounts few in number and tightly controlled.

Setup reported a licensing issue, or some policies didn't apply.

The risk‑based Identity Protection policies require Microsoft Entra ID P2 (Entra ID P1 is not sufficient). Add Entra ID P2 to your tenant and contact your Customer Success Manager to re‑run setup.

My IT Admins can't perform some user‑management actions.

IT Admins are granted the custom GCC High IT Admin role plus User Administrator, scoped to the Defense Trust Boundary. If an admin sees a permissions error, confirm they're a member of the IT Admins group — the roles are assigned to the group, not to individuals.

Teams meeting attendees are stuck in the lobby, or external guests can't join.

The Teams meeting policy auto‑admits only people in your organization, prevents anonymous users from starting or joining, and prevents PSTN callers from bypassing the lobby. Organizers can admit waiting participants from the lobby. Cloud recording is also turned off by policy.

Users can't install Teams apps, create SharePoint sites, or use certain integrations.

To limit unmanaged data paths, Teams apps are restricted to an approved list with sideloading disabled, third‑party file services (Dropbox, Box, Google Drive, ShareFile, Egnyte) and email‑into‑channel are blocked, and self‑service SharePoint site creation is disabled tenant‑wide. Have an admin provision sites or approve apps as needed.

Legitimate email is landing in quarantine.

Our anti‑spam, anti‑phishing, and anti‑malware policies are intentionally strict (high‑confidence spam is quarantined, ~50 executable/script attachment types are blocked, and zero‑hour auto‑purge is on). An admin can review and release messages from the Microsoft Defender portal and, where appropriate, refine the policies.
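The Defender portal is the usual place to release a message, but the same review can be done from Exchange Online PowerShell, which helps when a recipient reports several held messages at once. The following is an added example and is not from the Secureframe article. It assumes the ExchangeOnlineManagement module is installed, the account holds the Security Administrator role, and both addresses are constructed.

```powershell
# Added example, not from the Secureframe article: find, inspect and release a quarantined message
# from Exchange Online PowerShell. Assumptions: the ExchangeOnlineManagement module is installed,
# the account holds Security Administrator, and the two addresses below are constructed.
Connect-ExchangeOnline -ExchangeEnvironmentName O365USGovGCCHigh

$recipient = "jane.doe@example.gov"      # constructed
$sender    = "invoices@partner.example"  # constructed: the sender the user says is legitimate

# Everything held for this recipient in the last 7 days, with the reason each item was quarantined.
$items = Get-QuarantineMessage -RecipientAddress $recipient -StartReceivedDate (Get-Date).AddDays(-7) -PageSize 100
$items |
    Select-Object ReceivedTime, SenderAddress, Subject, Type, QuarantineTypes, Released, Expires |
    Sort-Object ReceivedTime -Descending | Format-Table -AutoSize

# Narrow to the expected sender and look at the headers (authentication results, routing)
# before deciding the verdict was a false positive.
$msg = $items | Where-Object { $_.SenderAddress -eq $sender -and -not $_.Released } | Select-Object -First 1
if ($msg) {
    Get-QuarantineMessageHeader -Identity $msg.Identity

    # Release to this recipient only, not to every recipient of the message. Add -ReportFalsePositive
    # when the item is a spam verdict you want reported to Microsoft as wrongly classified.
    Release-QuarantineMessage -Identity $msg.Identity -User $recipient
}
else {
    "No unreleased quarantined message from $sender for $recipient in the last 7 days."
}
```

Malware quarantines are a different case from spam: a blocked executable attachment is what the ~50-type attachment block is meant to stop, so releasing one should be rare and deliberate. If the same legitimate sender is held repeatedly, that is the signal to refine the policy rather than keep releasing individual messages.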
