Microsoft Defender for Identity data security and privacy


This article provides steps for how to delete personal data from the device or service and can be used to support your obligations under the GDPR. If you’re looking for general info about GDPR, see the GDPR section of the Service Trust portal.

Search for and identify personal data

In Defender for Identity, you can view identifiable personal data from the Microsoft Defender portal using the search bar.

Search for a specific user or computer, and select the entity to bring you to the user or computer profile page. The profile provides you with comprehensive details about the entity from Active Directory, including network activity related to that entity and its history.

Defender for Identity personal data is gathered from Active Directory through the Defender for Identity sensor and stored in a backend database.

Data sharing

Defender for Identity shares data, including customer data, among the following Microsoft products also licensed by the customer:

  • Microsoft Defender XDR
  • Microsoft Defender for Cloud Apps
  • Microsoft Defender for Endpoint
  • Microsoft Defender for Cloud
  • Microsoft Sentinel
  • Microsoft Security Exposure Management (public preview)

Update personal data

Defender for Identity's personal user data is derived from the user's object in the Active Directory of the organization. Therefore, changes made to the user profile in the organization AD are reflected in Defender for Identity.

Delete personal data

  • After a user is deleted from the organization's Active Directory, Defender for Identity automatically deletes the user profile and any related network activity within a year.

  • Read-only permissions on the Deleted Objects container are recommended. To learn more about how the Deleted Objects container permission is used by the Defender for Identity service, see the Deleted Objects container recommendation in Grant required DSA permissions.

Export personal data

In Defender for Identity you have the ability to export security alert information to Excel. This function also exports the personal data.

Audit personal data

Defender for Identity implements the audit of personal data changes, including the deleting and exporting of personal data records. Audit trail retention time is 90 days. Auditing in Defender for Identity is a back-end feature and not accessible to customers.

Additional resources


Currently, Defender for Identity data centers are deployed in Europe, UK, North America/Central America/Caribbean, Australia East and Asia. Your workspace is created automatically in the data center that is geographically closest to your Microsoft Entra ID. Once created, Defender for Identity workspaces aren't movable.

Next steps