Understanding Compliance Between Microsoft 365 Commercial, GCC, GCC-High and DoD Offerings

Howdy Jonathan_Priganc!  You hit on a topic that our team at Microsoft encounters frequently within the Defense Industrial Base.  Virtually every large DIB entity has missions OCONUS, and in service of other sovereign defense requirements outside the U.S..  It's a very nuanced set of topics.  There are data sovereignty requirements for export controls in the U.S. working with the U.S. DoD (e.g. ITAR & EAR) that may include export licenses for foreign user populations, such as foreign locations and/or subsidiaries.  At the same time, there may be data sovereignty requirements for export controls in other countries, such as those imposed by the U.K. MoD or AU DoD.  Often times, the same person may have obligations to both sets of export controls at the same time.  They are in direct competition with one another.  It often translates to that person having access into multiple data enclaves in each sovereign location.  Then the question becomes, where you do locate the person's Mailbox, OneDrive for Business and Team's account?  Do they need multiple?  Do you need to isolate one from another?  And in all transparency, will a Geo of the Commercial Office 365 offering even fit the export control requirements for the foreign defense entity in question?  There is no definitive answer.  We've seen customers go in multiple directions.  I've come up with several reference architectures that we share to help address "Cross-Sovereign" deployments of Office 365.  We are happy to share with you.  At the end of the day, Microsoft will accommodate multiple solutions, to include a multi-cloud approach.  But it will be a decision your organization will wrestle with, especially as the compliance bar shifts.