This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Microsoft Defender for Office 365 helps protect organizations against threats in email messages, links (URLs), file attachment, and collaboration tools. For more information about Defender for Office 365, see Microsoft Defender for Office 365 overview.
We collect the following personal data as part of metadata when Microsoft 365 receives and processes email or Microsoft Teams messages:
Microsoft gathers system execution metadata for offline machine learning, and IP address and sender reputation information to protect users from malicious email or to filter unwanted email. This protection includes proactive zero-hour auto purge (ZAP) to remove messages that were already delivered.
All reports in Defender for Office 365 are subject to End User Pseudonymous Identifiers (EUPI) and End User Identifiable Information (EUII):
Microsoft stores this data securely in Microsoft Entra and maintains it in accordance with Microsoft privacy practices and Microsoft Trust Center policies. All service log data at rest is encrypted and hashed using Office Data Loader (ODL) and Common Data Platform (CDP) encryption (no clear text). Defender for Office 365 uses this data for the following features:
Defender for Office 365 operates in the Microsoft Entra datacenters. For the following geo locations, data at rest for organizations that were provisioned in these geo locations is stored only in these geo locations:
In Exchange Online Protection (EOP), the following data is stored at rest in the local region geo:
In Defender for Office 365, the following customer data is stored at rest in the local region geo:
Data from Defender for Office is retained for 180 days in reporting and logs. When email and Microsoft Teams messages are sent to Microsoft 365, sender and recipient personal data is extracted. Data is stored and processed securely: personal information is encrypted and automatically deleted 30 days after the retention period.
Your data is available to you while the license is within the grace period or suspended. At the end of this period, the data is erased from Microsoft systems in an unrecoverable manner no later than 190 days from the end of the subscription or after user account deletion.
Defender for Office 365 shares data, including customer data, among the following Microsoft products, if they're also licensed by a customer:
Training
Module
Understand Microsoft 365 privacy - Training
Learn about Microsoft 365 privacy standards, the reasons we have them in place, and how they differentiate Microsoft in protecting and respecting customer data.
Certification
Microsoft Certified: Information Protection and Compliance Administrator Associate - Certifications
Demonstrate the fundamentals of data security, lifecycle management, information security, and compliance to protect a Microsoft 365 deployment.
Documentation
Microsoft Defender for Office 365 data retention - Microsoft Defender for Office 365
Admins can learn how long Defender for Office 365 features retain data.
Security Operations Guide for Defender for Office 365 - Microsoft Defender for Office 365
A prescriptive playbook for SecOps personnel to manage Microsoft Defender for Office 365.
Microsoft Defender for Office 365 security documentation - Microsoft Defender for Office 365
Learn about the robust security solutions in Defender for Office 365 to better protect your email and collaboration tools.