
GCC High Pricing and Licensing Guide: Per-User Costs Explained [July 1, 2026 Pricing Update]
Anna Fitzgerald
Senior Content Marketing Manager
Emily Bonnie
Senior Content Marketing Manager
Microsoft does not publicly list pricing for GCC High the way it does for Microsoft 365 Commercial. Licenses are sold through Enterprise Agreements and authorized partners, which makes it difficult for defense contractors to plan budgets. As of July 1, 2026, Microsoft also raised prices on the government G-series plans so current numbers matter more than ever.
As an authorized Microsoft reseller, Secureframe has access to current list pricing for GCC High and all plans. We created this guide to give you a clear picture of what GCC High actually costs in 2026, which license fits which use case, and strategies to reduce your spend.
What's GCC High pricing at a glance?
There are four Microsoft 365 government licenses most defense contractors evaluate for GCC High, plus one optional add-on bundle.
The table below shows current list prices as of July 1, 2026, reflecting the government price increase that took effect that day. Prices are per user per month for an annual billing plan.
| M365 GCCH License | List price (per user/mo) | Who it's for | What's included |
|---|---|---|---|
| Frontline F3 | $13.20 | Frontline or shift workers who primarily need secure mobile or web access, not desktop apps | Windows Enterprise use rights, Office for the web and mobile, Teams, Entra ID, Intune, core identity |
| Business Premium | $35.80 | Small and mid-sized DIB organizations with <300 users that need affordable productivity suite | Microsoft 365 apps, Entra ID, OneDrive, Intune, Teams, Defender for Business, Defender for Office 365 Plan 1 |
| Enterprise G3 | $65.20 | The enterprise default for organizations over 300 seats or that need productivity apps with enhanced security and compliance capabilities | Everything in Business Premium (except Defender for Business), plus more OneDrive storage and enterprise information and threat protection |
| Microsoft Defender + Purview Suites add-on | $24.40 | DIB organizations that want to extend Business Premium or G3 licenses with advanced endpoint security and data governance capabilities | Advanced endpoint security and data governance capabilities |
| Enterprise G5 | $97.50 | DIB organizations that want the full stack of AI-powered productivity apps and advanced security, compliance, analytics, and AI readiness capabilities | Everything in G3 plus the Defender suite, Purview suite, and advanced security, compliance, and analytics. |
Actual prices may vary based on the reseller, Enterprise Agreement terms, commitment length, and more. For a full comparison of what each plan includes, see Microsoft's official GCC High plan comparison PDF.
Recommended reading
What Is GCC High? A Complete Guide for Defense Contractors
What are the GCC High add-ons and do you need them for CMMC Level 2?
The Microsoft Defender for GCC-H and Microsoft Purview for GCC-H add-ons can be used with the Microsoft 365 G3 and Business Premium licenses to support customers in meeting CMMC Level 2 requirements, but they are not strictly required for all organizations.
The G3 and Business Premium base licenses include capabilities that map to the majority of the 110 NIST SP 800-171 Rev 2 controls behind CMMC Level 2. The add-ons extend those base licenses with advanced threat protection and data security capabilities. These capabilities are already included in the G5 license and therefore do not need to be purchased separately.
What does the Microsoft Defender Suite include?
The Microsoft Defender Suite adds endpoint detection and response and advanced threat protection capabilities.
This includes:
- Threat detection, investigation, and automated response across endpoints, identities, email, and cloud
- Advanced attack protection to stop ransomware, phishing, and credential compromise
- Endpoint protection with real-time threat prevention, endpoint detection and response (EDR), and vulnerability management
- Email and collaboration protection with anti-phishing, anti-malware, and safe links/attachments
- Identity threat detection with lateral movement and access risk protection
- Cloud app discovery, shadow IT control, and session-based access governance
- Enterprise IoT device security with continuous visibility and threat detection
- Vulnerability and attack surface management with prioritized remediation
- Incident correlation for faster triage and reduced analyst workload
- Automated policies and conditional access to contain compromised users or devices
- AI-driven security insights to prioritize risks and strengthen overall security posture
What does the Microsoft Purview Suite include?
The Microsoft Purview Suite adds advanced data security and compliance capabilities.
This includes:
- Automatic classification and sensitivity labeling
- Unified data loss prevention (DLP) across email, chat, cloud apps, and endpoints
- Insider-risk detection with privacy-aware analytics
- Advanced eDiscovery and audit for legal and compliance needs
- Data lifecycle, retention, and records management
- Governance tools to manage and protect sensitive data
- Compliance Manager with tasks and audit-ready evidence
- Visibility into data usage, movement, and risk
While these add-ons can make specific controls easier to implement and can strengthen your overall cybersecurity posture, they are not strictly required for CMMC Level 2.
When the Microsoft Defender and Purview add-ons were made available for use with Business Premium for GCC High on February 20, 2026, Microsoft updated this blog describing them as providing “the required security and compliance capabilities to support customers in meeting CMMC L2 requirements.” However, organizations including Secureframe have achieved CMMC Level 2 certification without them.
Whether your organization needs these Microsoft add-ons for CMMC Level 2 depends on several factors, including:
- which requirements are applicable based on your CMMC scope
- how you implement each control
- which tools are in your tech stack beyond the Microsoft license
- what your System Security Plan (SSP) documents
Our NIST 800-171 configuration guide for GCC High links to a series of blogs that map each control family to specific capabilities across Microsoft Purview, Defender, Entra ID, Intune, and other tools that help satisfy it, so you can better understand which controls the base license already covers.
Here is how the per-user monthly cost compares for each Level 2 path, rounded to the nearest dollar:
- Business Premium: Base license $36 + add-on $24 = $60
- G3: Base license $65 + add-on $24 = $90
- G5: Base license with advanced threat protection and data security and compliance capabilities already included = $98
For this reason, G5 can be more cost-effective for organizations with CMMC Level 2 requirements than headline prices suggest.
GCC High vs GCC pricing: Why is GCC High more expensive than GCC?
GCC High can be roughly 30% more expensive than Microsoft 365 GCC, depending on the license tier. The GCC High and GCC figures below reflect the July 1, 2026 pricing update, and are listed per user per month for an annual billing plan.
| License | GCC High list price (per user/mo) | GCC list price (per user/mo) | Percentage increase over GCC |
|---|---|---|---|
| F3 | $13.20 | $10.70 | 23% |
| Business Premium | $35.80 | N/A | N/A |
| G3 | $65.20 | $47.70 | 37% |
| Defender + Purview add-on | $24.40 | $24.40 | 0% |
| G5 | $97.50 | $75.00 | 30% |
GCC High costs more than GCC because it is:
- FedRAMP Class D Certified (previously referred to as FedRAMP High Authorized)
- Built on Azure Government, a physically separated infrastructure from Azure Commercial
- In dedicated U.S. data centers with U.S. support personnel
- Designed for organizations that handle sensitive government data subject to the International Traffic in Arms Regulations (ITAR), the Export Administration Regulations (EAR), the Defense Federal Acquisition Regulation Supplement (DFARS), and other requirements, and explicitly recommended by Microsoft for CMMC Levels 2 and 3.

GCC is another government cloud offering that's intended for US Government requirements. However, GCC is a data enclave built on Azure Commercial. Meaning, some shared services may involve data processing or support staff outside the continental U.S. and therefore not meet the strict data residency and data sovereignty controls required for all types of CUI, like export-controlled data. So while GCC can support DFARS 252.204-7012 and CMMC Level 2 requirements for CUI Basic, it is not suitable for most organizations that handle CUI or are subject to ITAR, EAR, CMMC Level 2 (C3PAO) or CMMC Level 3 requirements.
GCC High vs Commercial pricing: Why is GCC High more expensive than Commercial?
GCC High can be roughly 60% more expensive than Microsoft 365 Commercial, depending on the license tier. Below are list prices for the Business Premium and enterprise licensing plans (G3 and G5 are for GCC High, E3 and E5 are for Commercial).
| License | GCC High price (per user/mo) | Commercial price (per user/mo) | Percentage increase over Commercial |
|---|---|---|---|
| Business Premium | $35.80 | $22.00 | 63% |
| G3 / E3 | $65.20 | $39.00 | 67% |
| G5 / E5 | $97.50 | $60.00 | 63% |
GCC High has a much higher premium over M365 Commercial licenses (nearly double that of GCC). That's because Microsoft 365 Commercial is built entirely on Azure Commercial, not as a data enclave on it. So there's no dedicated U.S. data centers, no U.S.-only personnel with government-level background checks supporting it, and no FedRAMP Certification, which brings licensing costs down significantly. But it also brings the compliance bar down too.
While it can be used to demonstrate CMMC Level 1 compliance, M365 Commercial was not purpose-built for U.S. government regulations and is not suitable for DFARS 7012, ITAR, EAR, CMMC Level 2, or Level 3.
Recommended reading
GCC High vs GCC vs Commercial: Which Microsoft 365 Do You Need?
Is GCC High affordable for small contractors?
Microsoft launched Microsoft 365 Business Premium for GCC High on November 3, 2025, one week before CMMC Phase 1 took effect. It was created as an affordable entry point for GCC High for small contractors.
Because of its launch date and purpose, its base price did not change in the July 1, 2026 pricing update.
Key details of Business Premium for GCC High
- Base price: ~$36 per user per month
- Price with Defender and Purview add-on: ~$60 per user per month
- Seat limit: up to 300 users
- Includes: Premium Office applications, Teams, secure cloud storage, business email, Microsoft Defender for Business and Office 365 Plan 1
- Who it is for: Small and mid-sized defense contractors that need GCC High to meet CMMC requirements but cannot afford enterprise licensing
- Not available in GCC
Important caveat: as with other government plans, Business Premium provides a secure environment but does not make you CMMC compliant automatically. You still need proper configuration and documentation, and may need support from an RPO or consultant.

For a full breakdown of what Business Premium includes, see our GCC High Business Premium guide. Ready to get started? Purchase Microsoft 365 Business Premium for GCC High through our Marketplace.
What are real-world cost examples for GCC High?
Below are cost estimates for how a 50-person defense contractor might license GCC High to meet CMMC requirements. Each example shows the base license cost, then the optional Defender and Purview add-on as a separate line, since the add-on is not required for Level 2. Keep in mind that licensing is only one part of your total cost. For the full picture, see our CMMC certification cost breakdown.
Example 1: 50-person contractor, full migration to GCC High G3
| Line item | Monthly cost | Annual cost |
|---|---|---|
| 50 users x G3 ($65.20) | $3,260 | $39,120 |
| Optional: 50 users x Defender + Purview add-on ($24.40) | $1,220 | $14,640 |
| Total (base license with add-on) | $4,480 | $53,760 |
A full migration is the most expensive option and is not always necessary. It tends to make sense when most of your revenue is defense-related, most employees routinely touch CUI, or you handle export-controlled ITAR or EAR data that requires stricter infrastructure requirements and access controls.
Example 2: 50-person contractor using Business Premium (GCC High)
| Line item | Monthly cost | Annual cost |
|---|---|---|
| 50 users x Business Premium ($35.80) | $1,790 | $21,480 |
| Optional: 50 users x Defender + Purview add-on ($24.40) | $1,220 | $14,640 |
| Total (base license with add-on) | $3,010 | $36,120 |
On the base license, Business Premium saves nearly $18,000/year compared with G3 in this scenario. The trade-off is seat count and fewer advanced enterprise features. Evaluate whether the seat limit and missing capabilities matter for your specific CMMC scope before committing.
Example 3: 50-person contractor using the enclave approach (10 CUI users)
| Line item | Monthly cost | Annual cost |
|---|---|---|
| 10 GCC High G3 users ($65.20) | $652 | $7,824 |
| Optional: 10 users x Defender + Purview add-on ($24.40) | $244 | $2,928 |
| 40 Commercial E3 users ($39) | $1,560 | $18,720 |
| Total (base licenses only) | $2,212 | $26,544 |
| Total (base licenses with add-on) | $2,456 | $29,472 |
The enclave approach saves roughly $12,000/year compared with a full 50-user GCC High G3 migration in this scenario, before any optional add-on. With the add-on to the GCC High G3 licenses, it saves nearly double at $25,000/year. Savings when using the enclave approach over enterprise scale significantly with company size.
Recommended reading
GCC High Alternatives for CMMC: Cloud Options Compared
How to reduce GCC High licensing costs
GCC High costs can be a sticker shock, particularly for small businesses. Here are proven strategies to save so you can use the only Microsoft-recommended cloud environment for CMMC Level 2 or higher without breaking the bank.
1. Use the enclave approach
Only employees who directly handle CUI need GCC High licenses. Isolate CUI into a defined boundary and keep everyone else on commercial Microsoft 365. This can reduce license costs by 50 to 80% depending on what share of your users actually touch CUI.
2. Consider GCC if your contracts allow it
GCC High is not always required for CMMC compliance. If your contracts do not reference ITAR, EAR, or DFARS 252.204-7012, GCC may be sufficient and saves about $17/user/month on G3 and $23/user/month on G5.
See our GCC vs GCC High guide and confirm with your contracting officer before deciding.
3. Choose Business Premium for organizations under 300 seats
At approximately $36/user/month versus $65 for G3 and $98 for G5, Business Premium can offer meaningful savings for eligible organizations, depending on the CMMC level and whether you add the optional add-on.
See our Business Premium guide and confirm eligibility.
4. Decide whether you actually need the Defender and Purview add-on
Since the add-on is not strictly required for all Level 2 contractors, start by mapping which controls your base license already covers, then decide whether the advanced capabilities are worth the extra $24.40/user/month.
If you do want them, compare G3 plus the add-on ($89.60) against G5 ($97.50). The gap is only about $8/user/month, and G5 includes more.
5. Negotiate your Enterprise Agreement
GCC High pricing is negotiable, especially for multi-year commitments or large seat counts. Evaluate multiple AOS-G partners to compare quotes before signing. As an authorized GCC High reseller, Secureframe is committed to competitive pricing.
How to purchase GCC High licenses
GCC High licenses are not available through Microsoft's standard online portal. The process depends on your organization's size.
- Organizations under 300 seats: Work with a Microsoft AOS-G (Agreement for Online Services - Government) authorized partner. These partners are specifically approved by Microsoft to sell GCC High. Not all Microsoft partners qualify.
- Organizations with 300 or more seats: Purchase through an LSP (Licensing Solution Provider) via a standard Enterprise Agreement, or through an AOS-G partner.
The purchasing process
- Eligibility verification: Fill out Microsoft’s U.S. Government Cloud intake form to verify eligibility for GCC High (or GCC).
- Partner engagement: Select an AOS-G partner to purchase licenses. With Secureframe, you can purchase licenses and add-ons in-app.
- Tenant provisioning: Microsoft provisions a new GCC High tenant for your organization. This can take up to 30 days per Microsoft SLA.
How did Microsoft 365 GCC High licenses increase on July 1, 2026?
Microsoft raised list prices for government licenses across GCC and GCC High effective July 1, 2026, with the exception of Business Premium. The increase is now in effect for new purchases. Existing customers move to the new pricing at their next renewal after July 1.
| License | Old (per user/mo) | New (per user/mo) | New (per user/yr) | Change |
|---|---|---|---|---|
| Microsoft 365 G5 | $93.40 | $97.50 | $1,170.00 | +4% |
| Microsoft 365 G3 | $60.00 | $65.20 | $782.40 | +9% |
| Microsoft 365 Business Premium | $35.80 | $35.80 | $429.60 | No change |
| Microsoft 365 F3 | $12.30 | $13.20 | $158.40 | +7% |
Because Business Premium did not increase, it is an even more cost-effective option relative to the enterprise G-series SKUs. For suites where a government increase exceeds 10%, Microsoft phases it over multiple years at no more than 10% per year to comply with federal regulations, so some SKUs may reach their full list price in a later year.
Purchase Microsoft 365 GCC High licenses through Secureframe
As an authorized AOS-G reseller, Secureframe offers competitive pricing on Microsoft 365 GCC High licenses.

Since GCC High is a significant investment, you want to make sure it is driving real compliance outcomes and revenue.
Secureframe Defense can help. It automatically provisions a Microsoft GCC High environment and virtual desktops to securely access that CUI environment. It also maps your live configuration to NIST SP 800-171 controls, automates evidence collection, keeps your SSP aligned with your actual environment as it changes over time for continuous compliance, and more.
See how Secureframe Defense works with GCC High to simplify CMMC end to end by visiting secureframe.com/cmmc or talking to an expert.
Go from zero to CMMC ready in weeks
FAQs
Does CMMC require GCC High?
Not always. CMMC Level 2 requires a FedRAMP Moderate Authorized or equivalent cloud environment for handling CUI and it does not explicitly mandate GCC High over GCC. However, GCC High is typically required when your contracts include ITAR, EAR, or CMMC Level 2 and Level 3 requirements. For a full analysis, see our guide: Does CMMC require GCC High?
Do I need the Defender and Purview add-ons for CMMC Level 2?
Not strictly. Base Business Premium and G3 licenses include capabilities that map to a majority of NIST SP 800-171 Rev 2 controls. The Microsoft Defender for GCC-H and Microsoft Purview for GCC-H add-ons extend those with advanced endpoint security and data governance features that can make certain controls easier to implement, but they are optional as long as you have a documented and effective alternative to implement those controls. G5 includes the full capabilities in the base license.
What is the difference between GCC and GCC High?
GCC is designed for defense contractors handling CUI at the FedRAMP Moderate level. GCC High meets FedRAMP High requirements and is required for organizations handling data subject to ITAR, EAR, or specific DFARS clauses. GCC High is more expensive and has stricter eligibility requirements. See our GCC vs GCC High comparison.
Can I get GCC High for free?
No. There is no free tier. Microsoft sometimes offers trial periods through AOS-G partners. Contact a partner to ask about evaluation options.
Can I mix license tiers within GCC High?
Yes. You can assign different license tiers to different users within the same GCC High tenant. This is a key cost optimization strategy: assign G5 only to security and compliance admins who need advanced features, and use G3 or Business Premium for other users.
Do I need to cancel my commercial licenses?
Your commercial licenses do not automatically convert to GCC High. You will purchase new GCC High licenses and can cancel or let your commercial licenses expire after migration.
What does an Azure Virtual Desktop seat actually cost in GCC High?
If you need to store and securely access CUI in GCC High while keeping physical endpoints out-of-scope, then you can use Azure Virtual Desktops. AVD costs are two things billed separately:
- GCC High licensing for each user who connects (billed per user per month).
- Azure infrastructure costs, including the virtual machine, disk, and networking (billed by consumption)
A compute price quoted for a multi-session host usually does not include the Windows license, since that comes from the user's per-user SKU.
Do I need a separate license for each Azure Virtual Desktop user in GCC High?
Yes. Azure Virtual Desktop has no per-user Windows license built into the compute price. You pay for the Azure VM, disk, and networking, and each connecting user must hold an eligible per-user GCC High SKU (F3, Business Premium, G3, or G5).
Which GCC High licenses work with Azure Virtual Desktop?
All four GCC High productivity licenses are eligible per-user licenses for Windows 11 Enterprise multi-session: F3, Business Premium, G3, and G5. The Windows Enterprise use rights are included in each. One caveat on F3: it is the cheapest way to cover the Windows access right, but it is a frontline license and does not include the productivity and security stack for CMMC Level 2. A user who handles CUI on an AVD desktop still needs Business Premium, G3, or G5.

Anna Fitzgerald
Senior Content Marketing Manager
Anna Fitzgerald is a digital and product marketing professional with nearly a decade of experience delivering high-quality content across highly regulated and technical industries, including healthcare, web development, and cybersecurity compliance. At Secureframe, she specializes in translating complex regulatory frameworks—such as CMMC, FedRAMP, NIST, and SOC 2—into practical resources that help organizations of all sizes and maturity levels meet evolving compliance requirements and improve their overall risk management strategy.

Emily Bonnie
Senior Content Marketing Manager
Emily Bonnie is a seasoned digital marketing strategist with over ten years of experience creating content that attracts, engages, and converts for leading SaaS companies. At Secureframe, she helps demystify complex governance, risk, and compliance (GRC) topics, turning technical frameworks and regulations into accessible, actionable guidance. Her work aims to empower organizations of all sizes to strengthen their security posture, streamline compliance, and build lasting trust with customers.