Data residency

Data residency deals with the physical location where data is stored and processed. Data residency requirements are a common concern for public sector customers, who often request that Microsoft limit where different types of data are stored and processed. Microsoft Cloud for Sovereignty enables customers to configure Sovereign Landing Zones (SLZs) to restrict the services and regions that end users can use and enforce service configuration to help customers achieve their data residency needs.

Data residency in Azure

Most Azure services are deployed regionally and enable you to specify where customer data is stored and processed. Examples of such regional services include VMs, storage, and SQL Database. A region is part of a geography, and for regional services, Microsoft doesn't store customer data outside the selected geography, except in documented circumstances. For more information, see Data Residency in Azure and the whitepaper Enabling Data Residency and Data Protection in Microsoft Azure Regions.

As defined in our services agreements, Customer data means all data, including all text, sound, video, or image files, and software, that are provided to Microsoft by or on behalf of the customer through online services. Customer data doesn't include Professional Services data. For clarity, customer data doesn't include information used to configure resources in the online services, such as technical settings and resource names.

Certain Azure services don't enable you to specify the region where a service, such as Microsoft Entra ID, Azure Monitor, or Traffic Manager, is deployed. These services operate globally to deliver critical functionality to customers and are referred to as non-regional services. Unless otherwise specified, non-regional services store and process customer data in any Microsoft data center within Azure public regions. For more information, see Data Residency in Azure.

Data transferred between Azure regions remains on the Microsoft Global Network. You can configure virtual networks in Azure to enable access only from corporate networks with Azure network security groups and Azure Firewall. Further, you can restrict access from the internet to specific locations with capabilities such as Azure Web Application Firewall (WAF) Geomatch custom rules and Conditional Access - Block access by location.

Data residency in Microsoft Cloud for Sovereignty

The Sovereignty Baseline policy initiatives of Microsoft Cloud for Sovereignty require you to configure the Azure regions where resources can be deployed. For regional services, the regions configured determine the geographies of those services and the effective data residency boundary for customer data storage.

You can configure SLZs to restrict the use of particular services, including non-regional services that don't meet your particular data residency needs.

The base configuration of the SLZs includes network rules that decide from which networks your resources can be accessed.

  • Data in an application deployed to a subscription in the Corp or Confidential Corp Landing Zones is restricted to your organization's network within Azure and connected to Azure.
  • Data in an application deployed to a subscription in the Online or Confidential Online Landing Zones can be accessed over the internet from anywhere, if the user or system accessing the data has the appropriate credentials and there are no firewall or conditional access rules blocking the access.

For more information, see Overview of the Sovereign Landing Zone.

Data residency and resilience

The regions that you configure as allowed regions for Microsoft Cloud for Sovereignty can affect the resilience of the workloads you deploy. Typically, less restrictive region selection enables greater resilience because you can distribute applications over more and farther apart regions. You can consider encryption (at-rest, in-transit, and in-use) as an alternative control measure to region restriction, especially for applications that have high availability requirements.

Most Azure regions consist of three or more availability zones. Storage and compute services spread across multiple availability zones are resilient against local disasters that can affect an entire data center. For resilience against disasters that could affect an entire region, many Azure regions also have a regional pair within the same geography, enabling automatic or customer-configured cross-region replication for supported services. To help achieve certain data residency standards, some regions don't have a regional pair and customers are responsible for data resilience in the unlikely event of a full region failure. For more information, see Regions with availability zones and no region pair.

See also