Data residency and customer data for Microsoft Entra multifactor authentication
Microsoft Entra ID stores customer data in a geographical location based on the address an organization provides when subscribing to a Microsoft online service such as Microsoft 365 or Azure. For information on where your customer data is stored, see Where your data is located in the Microsoft Trust Center.
Cloud-based Microsoft Entra multifactor authentication and MFA Server process and store personal data and organizational data. This article outlines what and where data is stored.
The Microsoft Entra multifactor authentication service has datacenters in the United States, Europe, and Asia Pacific. The following activities originate from the regional datacenters except where noted:
Multifactor authentication SMS and phone calls originate from datacenters in the customer's region and are routed by global providers. Phone calls using custom greetings always originate from data centers in the United States.
General purpose user authentication requests from other regions are currently processed based on the user's location.
Push notifications that use the Microsoft Authenticator app are currently processed in regional datacenters based on the user's location. Vendor-specific device services, such as Apple Push Notification Service or Google Firebase Cloud Messaging, might be outside the user's location.
Personal data stored by Microsoft Entra multifactor authentication
Personal data is user-level information that's associated with a specific person. The following data stores contain personal information:
Blocked users
Bypassed users
Microsoft Authenticator device token change requests
Multifactor authentication activity reports, which store activity from the on-premises multifactor authentication components: NPS Extension, AD FS adapter, and MFA Server
Microsoft Authenticator activations
This information is retained for 90 days.
Microsoft Entra multifactor authentication doesn't log personal data such as usernames, phone numbers, or IP addresses. However, UserObjectId identifies authentication attempts to users. Log data is stored for 30 days.
Data stored by Microsoft Entra multifactor authentication
For Azure public clouds, excluding Azure AD B2C authentication, the NPS Extension, and the Windows Server 2016 or 2019 Active Directory Federation Services (AD FS) adapter, the following personal data is stored:

| Event type | Data store type |
|---|---|
| OATH token | Multifactor authentication logs |
| One-way SMS | Multifactor authentication logs |
| Voice call | Multifactor authentication logs; Multifactor authentication activity report data store; Blocked users (if fraud was reported) |
| Microsoft Authenticator notification | Multifactor authentication logs; Multifactor authentication activity report data store; Blocked users (if fraud was reported); Change requests when the Microsoft Authenticator device token changes |

For Microsoft Azure Government, Microsoft Azure operated by 21Vianet, Azure AD B2C authentication, the NPS extension, and the Windows Server 2016 or 2019 AD FS adapter, the following personal data is stored:

| Event type | Data store type |
|---|---|
| OATH token | Multifactor authentication logs; Multifactor authentication activity report data store |
| One-way SMS | Multifactor authentication logs; Multifactor authentication activity report data store |
| Voice call | Multifactor authentication logs; Multifactor authentication activity report data store; Blocked users (if fraud was reported) |
| Microsoft Authenticator notification | Multifactor authentication logs; Multifactor authentication activity report data store; Blocked users (if fraud was reported); Change requests when the Microsoft Authenticator device token changes |

Data stored by MFA Server
If you use MFA Server, the following personal data is stored.
Important
In September 2022, Microsoft announced deprecation of Azure Multifactor authentication Server. Beginning September 30, 2024, Azure Multifactor authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should migrate their users’ authentication data to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent Azure MFA Server update. For more information, see Azure MFA Server Migration.

| Event type | Data store type |
|---|---|
| OATH token | Multifactor authentication logs; Multifactor authentication activity report data store |
| One-way SMS | Multifactor authentication logs; Multifactor authentication activity report data store |
| Voice call | Multifactor authentication logs; Multifactor authentication activity report data store; Blocked users (if fraud was reported) |
| Microsoft Authenticator notification | Multifactor authentication logs; Multifactor authentication activity report data store; Blocked users (if fraud was reported); Change requests when the Microsoft Authenticator device token changes |

Organizational data stored by Microsoft Entra multifactor authentication
Organizational data is tenant-level information that can expose configuration or environment setup. Tenant settings from the multifactor authentication pages might store organizational data such as lockout thresholds or caller ID information for incoming phone authentication requests:
Account lockout
Fraud alert
Notifications
Phone call settings
For MFA Server, the following pages might contain organizational data:
Server settings
One-time bypass
Caching rules
Multi-Factor Authentication Server status
Multifactor authentication activity reports for public cloud
Multifactor authentication activity reports store activity from on-premises components: NPS Extension, AD FS adapter, and MFA server.
The multifactor authentication service logs are used to operate the service.
The following sections show where activity reports and service logs are stored for specific authentication methods, for each component, in different customer regions.
Standard voice calls may fail over to a different region.
Note
The multifactor authentication activity reports contain personal data such as User Principal Name (UPN) and complete phone number.
MFA server and cloud-based MFA

| Component | Authentication method | Customer region | Activity report location | Service log location |
|---|---|---|---|---|
| MFA server | All methods | Any | United States | MFA backend in United States |
| Cloud MFA | All methods | Any | Microsoft Entra sign-in logs in region | Cloud in-region |

Multifactor authentication activity reports for sovereign clouds
The following table shows the location for service logs for sovereign clouds.