
Government Cloud Compatibility

TATER is built to scan tenants in commercial Microsoft 365, GCC, GCC High, and DoD clouds. This guide explains what works today, what requires a private deployment, and how to configure TATER per-tenant for sovereign clouds.

Honest baseline

TATER itself is currently hosted in commercial Azure (TATER Security tenant). We do not yet hold a FedRAMP authorization. We have engineered the codebase to be sovereign-cloud-aware so a private TATER Gov deployment for highly regulated customers is a configuration flip rather than a rewrite — but standing one up requires a customer-specific engagement (typically 4–8 weeks). If you are evaluating TATER for a regulated environment, contact us early so we can align on attestation requirements.

Compatibility matrix

| Customer tenant cloud | Status | Path |
| --- | --- | --- |
| Commercial Microsoft 365 | Fully supported | Use the SaaS instance at app.tatersecurity.com today. |
| GCC (Government Community Cloud) | Supported with caveats | GCC tenants authenticate against commercial AAD, so technical scanning works. Data-residency commitments are documented in our Trust Center; review with your compliance officer before onboarding sensitive workloads. |
| GCC High | Private deployment required | The TATER SaaS app reg lives in commercial AAD and cannot consent to login.microsoftonline.us. A private TATER Gov instance in Azure US Government is required — see private deployment below. |
| DoD IL5/IL6 | Private deployment required | Same constraints as GCC High plus stricter ATO / ITAR requirements. Reach out to discuss compliance attestations needed for your specific accreditation boundary. |

Commercial & GCC tenants — configuration

For commercial and GCC tenants, TATER scanning works out of the box. There is one configuration step worth knowing about: when you add a tenant credential under Settings → Tenants, the form asks for the Microsoft Cloud Tier of that target tenant. For commercial and GCC, leave it on the default Commercial. (GCC tenants technically use commercial AAD, so the same default applies; we surface a GCC tier label as an audit-trail marker for customers who want to make the data-residency posture explicit.)

GCC High & DoD tenants — what TATER does today

Two things are useful right now for prospects in GCC High or DoD even before a private deployment exists:

1. Per-control GCC High and DoD guidance variants

Every catalog control can carry a Government Cloud Guidance block with GCC High and DoD-specific remediation steps, portal URLs, and Graph endpoints. When viewing a control's detail panel, sovereign-cloud admins see this section in addition to the standard remediation. Examples shipped today:

  • Block legacy authentication: includes the entra.microsoft.us portal walkthrough
  • MFA admins: covers GCC High and DoD sign-in URL differences
  • Defender Safe Links: flags SKU/preview status differences in DoD
  • EXO DKIM: documents the -ExchangeEnvironmentName O365USGovGCCHigh / O365USGovDoD PowerShell flags
  • Customer Lockbox: notes GCC High availability and DoD roadmap caveats

Even without scanning, this lets a GCC High or DoD admin walk through TATER's catalog and use the platform as a compliance reference and remediation playbook for their tenant. Add new variants any time via Catalog → Edit control → Government Cloud Guidance (SuperAdmin / OrgAdmin).

2. Sovereign-cloud-aware scanning code

TATER's scanRun engine, OAuth token acquisition, and ARM client all read the target tenant's tier from the saved credential and use the right Graph / AAD / management endpoints automatically. This is invisible to admins on commercial; it's the foundation that makes the future TATER Gov deployment a config flip.

Private TATER Gov deployment (GCC High / DoD)

For customers requiring a TATER instance hosted in Azure US Government, we partner directly. A typical engagement covers:

  1. Cloud tier selection. GCC High (USGov regions, FedRAMP High-aligned) or DoD IL5 (USDoD regions, dedicated). Both run on Azure US Government infrastructure.
  2. Subscription provisioning. Customer's Azure US Gov subscription with appropriate EA / GCC contract amendments.
  3. App registration in microsoftonline.us. Multi-tenant within Gov so customers consent the same way they do for commercial TATER.
  4. Cosmos DB + Function App in USGov region. Single-region or paired regions per customer's resilience requirements.
  5. Domain. app.tatersecurity.us or a customer-specific subdomain you control.
  6. FedRAMP attestation. Most customers accept FedRAMP Moderate Equivalency in writing; FedRAMP Moderate authorization can be pursued on a customer-funded timeline. We do not currently hold a public ATO.
  7. Compliance attestations. ITAR, EAR, CMMC, IRS Pub 1075, CJIS, etc. as applicable to your accreditation boundary. Documented in the SOW.
  8. Cross-cloud limitations documented. Some third-party integrations TATER ships in commercial (e.g., Slack, certain SIEMs) are not available in US Gov regions; we list what's affected so you know up front.

Typical timeline: 4–8 weeks from signed SOW to a stood-up tenant ready for first scan. Contact sales@tatersecurity.com to start the conversation.

Microsoft endpoint reference

For administrators authoring custom remediation scripts or filling in Government Cloud Guidance for additional controls, here are the canonical endpoint URLs by tier:

| Endpoint | Commercial / GCC | GCC High | DoD |
| --- | --- | --- | --- |
| OAuth authority | login.microsoftonline.com | login.microsoftonline.us | login.microsoftonline.us |
| Microsoft Graph | graph.microsoft.com | graph.microsoft.us | dod-graph.microsoft.us |
| Azure portal | portal.azure.com | portal.azure.us | portal.azure.us |
| ARM (management) | management.azure.com | management.usgovcloudapi.net | management.usgovcloudapi.net |
| Entra admin | entra.microsoft.com | entra.microsoft.us | entra.microsoft.us |
| Defender / Security | security.microsoft.com | security.microsoft.us | security.apps.mil |
| Compliance / Purview | compliance.microsoft.com | compliance.microsoft.us | compliance.apps.mil |
| Intune | intune.microsoft.com | intune.microsoft.us | intune.microsoft.us |
| EXO PowerShell -ExchangeEnvironmentName | O365Default | O365USGovGCCHigh | O365USGovDoD |
| Connect-MgGraph -Environment | Global | USGov | USGovDoD |
| Power Platform OAuth redirect | global.consent.azure-apim.net | gov.consent.azure-apim.us (TBD per region) | dod.consent.azure-apim.us (TBD per region) |
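
As an added example (not TATER's own code), the PowerShell below checks a custom remediation script for hosts or environment names that belong to a different cloud tier than the target tenant, using the same tier-to-endpoint selection the sovereign-cloud-aware scanning section describes. The tier keys and the function name `Find-CrossTierReference` are hypothetical; the endpoint and environment values are copied from the table above.

```powershell
# Added example: tier keys and function name are hypothetical; every endpoint
# and environment value is copied from the endpoint table on this page.
$Tiers = @{
    Commercial = @{
        Hosts    = 'login.microsoftonline.com', 'graph.microsoft.com',
                   'management.azure.com', 'entra.microsoft.com'
        EnvNames = 'Global', 'O365Default'
    }
    GCCHigh = @{
        Hosts    = 'login.microsoftonline.us', 'graph.microsoft.us',
                   'management.usgovcloudapi.net', 'entra.microsoft.us'
        EnvNames = 'USGov', 'O365USGovGCCHigh'
    }
    DoD = @{
        Hosts    = 'login.microsoftonline.us', 'dod-graph.microsoft.us',
                   'management.usgovcloudapi.net', 'entra.microsoft.us'
        EnvNames = 'USGovDoD', 'O365USGovDoD'
    }
}
$Tiers['GCC'] = $Tiers['Commercial']   # GCC shares the commercial column
$AllHosts = $Tiers.Values | ForEach-Object { $_.Hosts } | Sort-Object -Unique
$AllEnvs  = $Tiers.Values | ForEach-Object { $_.EnvNames } | Sort-Object -Unique

function Find-CrossTierReference {
    param(
        [Parameter(Mandatory)][ValidateSet('Commercial', 'GCC', 'GCCHigh', 'DoD')]
        [string]$Tier,
        [Parameter(Mandatory)][string]$ScriptText
    )
    # Values that belong to some other tier but not to the target tier.
    $badHosts = $AllHosts | Where-Object { $_ -notin $Tiers[$Tier].Hosts }
    $badEnvs  = $AllEnvs  | Where-Object { $_ -notin $Tiers[$Tier].EnvNames }
    # Look-behind keeps 'graph.microsoft.us' from matching inside 'dod-graph.microsoft.us'.
    $hostRx = '(?i)(?<![\w.-])(' + (($badHosts | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')(?![\w-])'
    # Environment names only count when they follow the two parameters the table lists.
    $envRx  = '(?i)-(?:ExchangeEnvironmentName|Environment)\s+[''"]?(' + ($badEnvs -join '|') + ')\b'
    $n = 0
    foreach ($line in ($ScriptText -split '\r?\n')) {
        $n++
        foreach ($m in [regex]::Matches($line, $hostRx)) {
            [pscustomobject]@{ Line = $n; Kind = 'Host'; Value = $m.Groups[1].Value }
        }
        foreach ($m in [regex]::Matches($line, $envRx)) {
            [pscustomobject]@{ Line = $n; Kind = 'Environment'; Value = $m.Groups[1].Value }
        }
    }
}

# Constructed sample: a script written for commercial, checked before a GCC High run.
$sample = @'
Connect-MgGraph -Environment Global -Scopes "Policy.Read.All"
Invoke-RestMethod "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
Connect-ExchangeOnline -ExchangeEnvironmentName O365USGovGCCHigh
'@
Find-CrossTierReference -Tier GCCHigh -ScriptText $sample
```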