Zero Data Retention on Azure Open AI DataZone LLM Deployments

Question

Zero Data Retention on Azure Open AI DataZone LLM Deployments

Ghinwa Choueiter 0

Hi,

I am posting this after being in touch with several folks and entities at Azure and not receiving a clear answer.

We have applied for Modified Access Review by filling out the form at aka.ms/oai/modifiedaccess to request removal of data logging and monitoring in compliance-sensitive environments.

Our support person at Azure says it was approved, but we still want to know if we were approved for full or partial ZDR. If we were approved for partial ZDR, we would like to know what we should add to our llm request headers containing PII/PHI. We have not gotten any clear answer so far.

This is what our Azure contact had originally written:

What Approval Means

When ZDR is approved for Azure OpenAI endpoints, Microsoft commits not to retain any customer request or response data beyond what is strictly necessary for real-time processing.
This ensures prompts and completions are not stored for training, debugging, or analytics once processed.

Does It Apply to All Requests?

Yes, if full ZDR is granted, all requests under that deployment are covered.
If partial ZDR is approved (e.g., only for sensitive data), Marr Labs must:
- Tag requests containing PHI/PII using the prescribed metadata or headers.
- Ensure proper classification so retention policies can apply correctly.

thank you,

G

Ghinwa Choueiter 0 Reputation points

2025-11-17T17:59:10.05+00:00

Thank you so much. Can you please help me figure out if I got full or partial ZDR?

G

Ghinwa Choueiter 0

I should also add that I've already run

for name in $(az cognitiveservices account list -g "$RG" --query "[].name" -o tsv); do
  raw=$(az cognitiveservices account show -g "$RG" -n "$name" \
        --query "properties.capabilities[?name=='ContentLogging'] | [0].value" -o tsv)
  if [ -z "$raw" ]; then val="UNKNOWN"; else val="$(echo "$raw" | tr '[:upper:]' '[:lower:]')"; fi
  echo "$name | ContentLogging=$val"
done

and I see this for all relevant LLM endpoints

ContentLogging set to False

SRILAKSHMI C 10,885 Reputation points Microsoft External Staff Moderator

2025-11-18T18:04:29.89+00:00
Hi Ghinwa Choueiter,

Thank you for the additional details.

Seeing ContentLogging = false on your Azure OpenAI/DataZone deployments confirms that content logging is disabled, but it does not independently confirm whether the MAR team granted full ZDR or partial ZDR. This property only reflects logging behavior at the service level, not the scope of your ZDR approval.

To determine definitively whether your approval was full or partial ZDR, the only authoritative source is the Modified Access Review (MAR) approval team. The MAR decision (full vs. partial) is not visible through Azure CLI, ARM, or portal properties.

The next step is:

If you are a managed customer, your Microsoft Account Manager can contact the MAR reviewers and request the exact classification for your approval. This is the fastest and only official path to get the confirmation in writing.

Once we receive confirmation from MAR:

Full ZDR: no headers required, applies to all requests.

Partial ZDR: you will need to tag sensitive requests using the header specified in your approval (e.g., x-ms-azureai-sensitivity: high).

Thank you!
SRILAKSHMI C 10,885 Reputation points Microsoft External Staff Moderator

2025-11-19T14:37:24.9033333+00:00

Hi Ghinwa Choueiter,

Did you get any chance to review the above response. Do let me know if you have any further queries.

Thank you!

2 answers

Your answer

Ghinwa Choueiter 0 Reputation points

2025-11-17T17:59:10.05+00:00

Thank you so much. Can you please help me figure out if I got full or partial ZDR?

G
Ghinwa Choueiter 0 Reputation points

2025-11-17T18:06:27.62+00:00

I should also add that I've already run

for name in $(az cognitiveservices account list -g "$RG" --query "[].name" -o tsv); do raw=$(az cognitiveservices account show -g "$RG" -n "$name" \ --query "properties.capabilities[?name=='ContentLogging'] | [0].value" -o tsv) if [ -z "$raw" ]; then val="UNKNOWN"; else val="$(echo "$raw" | tr '[:upper:]' '[:lower:]')"; fi echo "$name | ContentLogging=$val" done

and I see this for all relevant LLM endpoints

ContentLogging set to False
SRILAKSHMI C 10,885 Reputation points Microsoft External Staff Moderator

2025-11-18T18:04:29.89+00:00

Hi Ghinwa Choueiter,

Thank you for the additional details.

Seeing ContentLogging = false on your Azure OpenAI/DataZone deployments confirms that content logging is disabled, but it does not independently confirm whether the MAR team granted full ZDR or partial ZDR. This property only reflects logging behavior at the service level, not the scope of your ZDR approval.

To determine definitively whether your approval was full or partial ZDR, the only authoritative source is the Modified Access Review (MAR) approval team. The MAR decision (full vs. partial) is not visible through Azure CLI, ARM, or portal properties.

The next step is:

If you are a managed customer, your Microsoft Account Manager can contact the MAR reviewers and request the exact classification for your approval. This is the fastest and only official path to get the confirmation in writing.

Once we receive confirmation from MAR:

Full ZDR: no headers required, applies to all requests.

Partial ZDR: you will need to tag sensitive requests using the header specified in your approval (e.g., x-ms-azureai-sensitivity: high).

Thank you!
SRILAKSHMI C 10,885 Reputation points Microsoft External Staff Moderator

2025-11-19T14:37:24.9033333+00:00

Hi Ghinwa Choueiter,

Did you get any chance to review the above response. Do let me know if you have any further queries.

Thank you!

Answer 1

When it comes to Zero Data Retention (ZDR) for Azure OpenAI endpoints, if your request for modified access has been approved, Microsoft commits to not retaining customer request or response data beyond what is necessary for real-time processing. This means that if full ZDR is granted, all requests under that deployment will not be stored for training, debugging, or analytics after processing.

If you have been approved for partial ZDR, it is crucial to tag requests containing Personally Identifiable Information (PII) or Protected Health Information (PHI) using the prescribed metadata or headers. This tagging ensures that the appropriate retention policies can be applied correctly to sensitive data. Your Azure contact should provide specific guidance on what metadata or headers are required for tagging these requests.

If you are unsure about the specifics of your approval (full or partial), it would be best to follow up with your Azure support representative for clarification on the details of your ZDR status and the necessary steps for compliance-sensitive environments.

References:

Ghinwa Choueiter 0 Reputation points

2025-11-17T15:24:39.4533333+00:00

I've been having back and forth with the Azure support representative and others for 2 weeks now and I still don't have an answer!

Answer 2

Hello Ghinwa Choueiter

Welcome to Microsoft Q&A and Thank you for reaching out,

I understand how important it is to have clarity on your Zero Data Retention (ZDR) approval status for your Azure OpenAI DataZone deployment, especially given the compliance-sensitive nature of your environment.

Based on your scenario and how ZDR is implemented within Azure OpenAI, here is a explanation:

1. ZDR Approval: Full vs. Partial

The Modified Access Review (MAR) team is responsible for determining whether your deployment receives full ZDR or partial ZDR. However, the approval notification typically does not explicitly state which category you were granted it generally only confirms that ZDR was approved.

To obtain the definitive classification (full or partial), your Azure account team can request clarification directly from the MAR approvers. If needed, I can help obtain this confirmation for you.

2. What Full ZDR Means

When full ZDR is granted:

No customer request or response data is retained beyond real-time processing.

Prompts and completions are not stored for training, debugging, analytics, or any internal logging.

You do not need to include any special headers in your LLM requests.

Full ZDR applies automatically to all requests sent to the approved deployment.

3. What Partial ZDR Means

If your approval is partial ZDR:

ZDR applies only to requests that contain sensitive data such as PII or PHI.

These requests must be tagged so that ZDR policies are applied correctly.

For Azure OpenAI DataZone deployments, this typically requires adding a sensitivity header such as:

x-ms-azureai-sensitivity: high

(or whichever classification tag was specified for your deployment in your approval documentation).

This ensures that only appropriately classified requests follow ZDR retention rules.

Please refer this

I Hope this helps. Do let me know if you have any further queries.

Thank you!

Share via

Zero Data Retention on Azure Open AI DataZone LLM Deployments

2 answers

Your answer