Microsoft has begun rolling out adaptive policy scopes for Communication Compliance in the Microsoft Purview compliance portal to government cloud customers, including GCC, GCC High, and Department of Defense (DoD) tenants. The move extends a feature first previewed for these environments in June 2025, bringing dynamic, attribute-based policy targeting to organizations that handle sensitive government data.

Communication Compliance, part of the Microsoft Purview risk and compliance suite, helps organizations detect, capture, and act on inappropriate or risky communications across Microsoft 365 services such as Exchange Online, Teams, and Yammer. With adaptive policy scopes, administrators can now assign policies based on user or group attributes—like department, location, or job title—rather than manually selecting individual users or static groups. This enables policies to automatically adjust as users join, leave, or change roles, ensuring continuous compliance without constant administrative overhead.

What Are Adaptive Policy Scopes?

Adaptive policy scopes allow compliance administrators to define a policy’s target audience using logical expressions built from Azure Active Directory attributes. Instead of picking a fixed distribution list, a scope can include something like “all users in the Finance department who are based in the US.” When a new hire joins Finance, they are automatically covered; when someone moves to Engineering, they drop out. This dynamic approach reduces the risk of coverage gaps caused by manual group management and aligns compliance enforcement with the real‑world structure of an organization.

The feature was already available in the commercial Microsoft 365 cloud, where it has been used to refine policies for insider risk management, data loss prevention, and other Purview solutions. By bringing adaptive scopes to Communication Compliance for government tenants, Microsoft is closing a feature gap that often left public‑sector organizations relying on less flexible, static assignments.

Why Government Clouds? The Security and Compliance Imperative

Government tenants operate under stricter regulatory frameworks than typical enterprises. GCC hosts data for state and local governments, GCC High supports defense contractors and agencies handling controlled unclassified information (CUI), and DoD is reserved for the Department of Defense itself. In these environments, communication monitoring is critical for preventing data leaks, detecting insider threats, and ensuring compliance with mandates like ITAR, DFARS, and FedRAMP.

Until now, government customers using Communication Compliance had to define policy scopes through fixed user lists or groups. This static approach could lead to scenarios where a reorganized team or a new hire was inadvertently left unmonitored for days or weeks. Adaptive scopes eliminate that gap by continuously evaluating membership based on user attributes. For a defense contractor in GCC High, for example, a policy could now automatically cover all employees working on a classified project, as indicated by a custom directory attribute. If an engineer is reassigned, the scope follows the attribute change, not a manual update.

What’s Included in the Government Rollout

The exact timing of the rollout was shared in the Microsoft 365 message center (likely under a message ID such as MC123456, though details may vary by tenant). The feature began appearing in government tenants in late June or early July 2025, following a preview period that allowed organizations to test the new capability and provide feedback.

Key capabilities now available for GCC, GCC High, and DoD include:
- Attribute‑based user scoping: Build scopes using Azure AD user attributes such as Department, Title, Country, or custom attributes.
- Group‑based scoping: Combine dynamic membership with existing Azure AD groups for hybrid targeting.
- Scope preview: Verify which users would be covered before activating the policy, reducing missteps.
- Policy simulation: Run what‑if analyses to see how many items would have been flagged had the policy been live.
- Integration with existing Communication Compliance workflows: Scoped policies generate alerts, remediation actions, and reports just like static policies.

Admins can access these options from the Communication Compliance solution card in the Microsoft Purview compliance portal. The “Scope” step in the policy creation wizard now presents two tabs: “Static” and “Adaptive.” Choosing “Adaptive” opens a query builder where logical rules can be constructed using AND/OR operators.

How Adaptive Scopes Improve Communication Compliance

Communication Compliance policies scan messages for predefined classifiers—such as profanity, threats, or custom trainable classifiers—and flag violations for review. With adaptive scopes, organizations can tailor which populations are subject to which policies, avoiding unnecessary noise and focusing investigations on high‑risk groups.

For example, a government agency might create separate policies:
- A “Legal Department” policy that monitors communications for privileged information leakage, scoped dynamically to members of the Legal division.
- A “Contractor Oversight” policy that looks for references to unapproved technologies, scoped to all external users or users with a “Contractor” attribute.
- A “Harassment Prevention” policy that applies to the entire organization, but only for internal communications, still using adaptive scoping to ensure it remains all‑inclusive even as teams evolve.

Prior to adaptive scopes, maintaining such granularity required frequent manual updates to distribution lists or security groups. The result was often a trade‑off between coverage and administrative burden. Adaptive scopes eliminate this balance act, letting compliance teams set granular rules once and rely on the directory to do the rest.

Implementation Considerations for Government Tenants

Government cloud customers have unique identity architectures. Many GCC High and DoD environments federate with on‑premises Active Directory, and Azure AD Connect synchronizes attributes. To make the most of adaptive scopes, organizations should ensure their on‑premises Active Directory contains accurate and up‑to‑date user attributes. A scope built on “Department” only works if the department field is consistently populated.

Microsoft recommends a phased approach:
1. Audit your Azure AD user attributes for completeness.
2. Identify a few high‑value use cases where dynamic scoping would close existing compliance gaps.
3. Create adaptive scopes in a test policy and use the scope preview to validate membership.
4. Run the policy in simulation mode to gauge the alert volume.
5. Activate the policy with a limited reviewer set before broad deployment.

Permissions remain critical: only users with the Communication Compliance role group (or equivalent custom roles) can configure or review policies. Government tenants should also review the data residency commitments: all monitored content stays within the respective cloud boundary, meeting sovereignty requirements.

Reactions from the Government IT Community

While this article is based on official information, the broader government IT community has long requested parity with commercial cloud features for Microsoft 365 compliance tools. In forums, user groups, and message‑center comments, admins have flagged static scoping as a pain point, especially for large agencies with high turnover. The availability of adaptive scopes is expected to be welcomed, though detailed feedback is still emerging as the feature reaches tenants.

One recurring theme in early adopter discussions is the need for better documentation on query syntax and attribute support. Government tenants often have custom schema extensions in Azure AD, and administrators are eager to understand which attributes are supported in the scope builder. Microsoft’s documentation for the commercial feature carries over to government clouds, but some users note that not all custom attributes may be immediately visible; they may require a refresh or re‑evaluation.

The Bigger Picture: Purview’s Maturation in Regulated Clouds

The addition of adaptive policy scopes to Communication Compliance is part of a broader effort by Microsoft to bring Purview’s advanced compliance capabilities to government and other regulated clouds. In recent months, other Purview solutions—such as Insider Risk Management, Information Protection, and eDiscovery—have also seen feature parity improvements for GCC High and DoD. This trend signals Microsoft’s recognition that government customers represent a significant and growing segment of the Microsoft 365 user base, and that they require the same sophisticated tooling to protect sensitive data.

For existing customers still on static scopes, the transition is a low‑risk enhancement. Policies created with static scopes continue to work unchanged; administrators can decide whether and when to migrate them to adaptive scopes. Microsoft has not announced any deprecation of static scopes, so the two methods will coexist for the foreseeable future.

What’s Next?

Looking ahead, the success of adaptive scopes in Communication Compliance could pave the way for their adoption in other Purview solutions currently lacking them in government clouds. Insider Risk Management, for example, already supports adaptive scopes in the commercial cloud, and its government equivalent may follow soon. Additionally, Microsoft’s roadmap hints at deeper integration with Microsoft 365 Copilot for compliance scenarios, where adaptive scopes could help scope the data that Copilot analyzes for potential violations.

In the short term, government organizations should begin planning to incorporate adaptive scopes into their compliance strategies. The shift from reactive, list‑based scoping to dynamic, attribute‑driven targeting represents a meaningful step toward more resilient and scalable compliance operations—one that reduces both risk and administrative friction.

For administrators ready to get started, the Purview compliance portal offers in‑product guidance and a new “Adaptive scope examples” panel that suggests common attribute combinations. As with any security or compliance change, thorough testing in a non‑production environment is recommended before full deployment.