Identity data storage for European customers in Azure Active Directory

Azure AD stores identity data in a location chosen based on the address provided by your organization when subscribing to a Microsoft service like Microsoft 365 or Azure. For information on where your identity data is stored, you can use the Where your data is located section of the Microsoft Trust Center.

For customers who provided an address in Europe, Azure AD keeps most of the identity data within European datacenters. This document provides information on any data that is stored outside of Europe by Azure AD services.

Microsoft Azure AD Multi-Factor Authentication

For cloud-based Azure AD Multi-Factor Authentication, authentication is complete in the closest datacenter to the user. Datacenters for Azure AD Multi-Factor Authentication exist in North America, Europe, and Asia Pacific.

  • Multi-factor authentication using phone calls originate from datacenters in the customer's region and are routed by global providers.
  • Multi-factor authentication using SMS is routed by global providers.
  • Multi-factor authentication requests using the Microsoft Authenticator app push notifications that originate from EU datacenters are processed in EU datacenters.
    • Device vendor-specific services, such as Apple Push Notifications, may be outside Europe.
  • Multi-factor authentication requests using OATH codes that originate from EU datacenters are validated in the EU.

For more information about what user information is collected by Azure Active Directory Multi-Factor Authentication Server (MFA Server) and cloud-based Azure AD MFA, see Azure Active Directory Multi-Factor Authentication user data collection.

Microsoft Azure Active Directory B2B (Azure AD B2B)

Azure AD B2B stores invitations with redeem link and redirect URL information in US datacenters. In addition, email address of users that unsubscribe from receiving B2B invitations are also stored in U.S. datacenters.

Microsoft Azure Active Directory Domain Services (Azure AD DS)

Azure AD DS stores user data in the same location as the customer-selected Azure Virtual Network. So, if the network is outside Europe, the data is replicated and stored outside Europe.

Azure role-based access control (Azure RBAC)

Role definitions, role assignments, and deny assignments are stored globally to ensure that you have access to your resources regardless of the region you created the resource. For more information, see What is Azure role-based access control (Azure RBAC)?.

Federation in Microsoft Exchange Server 2013

  • Application identifier (AppID) - A unique number generated by the Azure Active Directory authentication system to identify Exchange organizations.
  • Approved Federated domains list for Application
  • Application’s token signing Public Key

For more info about federation in Microsoft Exchange server, see the Federation: Exchange 2013 Help article.

Other considerations

Services and applications that integrate with Azure AD have access to identity data. Review how each service and application processes identity data, and verify that they meet your company's data storage requirements.

For more information about Microsoft services' data residency, see the Where your data is located section of the Microsoft Trust Center.

Next steps

For more information about any of the features and functionality described above, see these articles: