This article is for teams operating in regulated environments like Microsoft GCC High and AWS GovCloud. It explains what commonly behaves differently, how to unblock typical integration issues, and what information to capture if you need Support.
This complements, and does not replace, your broader federal readiness guidance in FAQs: FedRAMP, CMMC, and DFARS.
What is different in government cloud environments
Different endpoints and service surfaces: APIs can have different base URLs, feature availability, or authorization rules.
Stricter tenant policies: conditional access, admin consent restrictions, and tenant-wide security settings can block required access even when credentials are correct.
Service-specific limitations: some evidence signals may be limited or exposed differently compared to commercial cloud tenants.
Common blockers and the fastest next step
403 Forbidden: confirm the admin role and that required permissions were granted with admin consent in the correct tenant.
401 Unauthorized: credentials are invalid, expired, or the wrong tenant was used. Reconnect in the in-app workflow.
Missing data after connection: allow time for the initial sync, then verify sync status in Managing your Integration connections. If needed, follow the in-product steps to trigger a manual sync. (Your manual sync doc is here.)
Rate limiting (429): this often resolves automatically. If it is persistent, capture timestamps and any correlation IDs shown in the UI.
GCC High specific notes
M365 signals can differ: SharePoint and OneDrive related evidence collection may require different permissions and sometimes different API surfaces.
Conditional access: stricter CA policies can block app access even when the connection succeeded initially.
AWS GovCloud specific notes
Partition and region behavior: GovCloud accounts can behave differently from commercial partitions. If accounts appear missing, confirm the expected regions and org configuration.
What to collect for Support (saves multiple back-and-forths)
Which environment you are in: GCC High, GovCloud, or both
Integration name and connection status (screenshot from the Integrations page)
Error message text, plus a screenshot
Approximate timestamp of the failure and your timezone
Whether the issue occurs for all admins or only some users
Frequently asked questions (FAQ)
If we migrate from commercial Microsoft 365 to a Microsoft GCC High environment, will employees' training completions and policy acceptances carry over in Secureframe?
Yes, in most cases everything will carry over intact. Training completions and policy acceptances are tied to the person, not the integration they synced from, and Secureframe matches personnel by email address. As long as employees keep the same email addresses through the GCC High migration, their training and policy history should remain intact.
A few important notes for a smooth transition:
When disconnecting the old integration: do not select the option to also remove its users, as this could result in data loss.
Duplicate accounts: If a name discrepancy exists between the old and new tenant sync (for example, "Mike" vs. "Michael"), a duplicate account may be created. Duplicate users can be merged, and any previously accepted policies and completed trainings will be retained after the merge.
CMMC/Defense-specific training: If the account is moving into a CMMC/Defense context, new training modules (such as CUI training) may be required.
Policy updates: Some policies include statements that are dynamically added based on your active integrations. After linking the GCC High environment, you should publish any updated policies and have employees re-accept them to ensure compliance records reflect the new environment accurately.