Shawn_Veney Good points as always! I know you and I have talked about this previously but figured I would comment here. One major challenge that I see is for global companies that have users in multiple countries who also have valid export licenses. It seems that this use-case keeps getting missed. It would be unrealistic to put all user accounts into GCC-High as you now risk bringing non-US controlled military data into the US (think Eurofighter for example). The employee working on a Eurofighter program may also be working on F35 data in the UK under a valid license. The company would potentially run afoul of foreign export regulations and risk "ITAR taint" by putting that data on US servers.
It appears that customers are unable to set up a "split-tenant" with a subset of users in GCC-High and other users in GCC or Commercial. At least with Commercial you can turn on multi-geo to keep the data resident to the appropriate country, then turn Lockbox on to remove the "potential access" risk. Per DoS guidance a few years back, if you have actual access records, then potential access is no longer considered an export. From everything I have seen, the recordkeeping in O365 would easily be able to meet that threshold.
Thoughts???