Services excluded from the EU Data Boundary
Most of Microsoft's enterprise online services in the Azure, Dynamics 365, Power Platform, and Microsoft 365 service families are in scope for the EU Data Boundary, subject to the continuing flows of Customer Data and pseudonymized personal data related to operation and use of the services that are detailed in other EU Data Boundary articles or sections in this documentation. Some services in these families aren't in scope, typically because the nature of the service and the customer value it provides can't be delivered by a regionalized architecture. This documentation describes the primary examples of services in this category. The list is non-exhaustive and may be updated over time. The Product Terms portion of the services agreement is the definitive source for determining whether a given service is an EU Data Boundary Service.
Azure Front Door and Azure Content Delivery Network (CDN) transfer Customer Data from the EU. Both are non-regional services that bring customers' static and dynamic content closer to their end users all over the world. To accelerate global requests, Azure Front Door and Azure CDN cache data at global edge locations on behalf of the customer. Both services use a networking technique called anycast to direct traffic between end users and point of presence (PoP) locations over the fastest available route. Because of this routing mechanism, and because the purpose of the services is to distribute data around the world, not all traffic stays within the EU Data Boundary: content cached at a PoP outside the EU is stored and served there. How long content remains cached at edge locations is governed by the caching settings in the customer's Azure Front Door (AFD) or CDN profile.
Windows 10 IoT Core Services transfers Customer Data from the EU. Windows 10 IoT Core Services is a global software update distribution service that hosts Customer Data to be distributed to our customers' own customers. The service enables customers to update their managed IoT devices using the global Windows Update content delivery network (CDN), and it allows their custom content and Microsoft's Windows IoT software updates to be delivered as a Windows Update. To provide this capability, Customer Data is stored both in Azure Storage and, across the world, on the servers that support Windows Update. Customer Data transferred globally includes all data customers upload in their Board Support Package (BSP), which can contain custom drivers, applications, and other data targeted for the device update.
Microsoft 365 Applications (for builds pre-dating December 31, 2022): To ensure performance and stability for existing customers who use Microsoft 365 Applications, the EU Data Boundary commitments will apply only to versions released after December 31, 2022. Customers using older builds should upgrade to the latest version.
Microsoft security services help protect customers from the latest malware attacks, whether protecting their endpoints, cloud workloads, or their email and collaboration software. Examples of customer-facing security capabilities that Microsoft security services can only provide by using cross-boundary signals include:
- Protection against sophisticated modern security threats: Microsoft uses advanced analytics capabilities, including artificial intelligence, to analyze globally aggregated security-related data. This helps prevent, detect, investigate, respond to, and remediate threats. Without this centralized analytics capability across global data, the efficacy of these services would degrade significantly, preventing Microsoft from providing the necessary levels of protection to customers.
- Detecting a compromised enterprise user: Microsoft helps detect identity compromise by tracking sign-ins for the same account from multiple geographic regions within a brief period, a pattern that no legitimate user could produce. This detection is known as impossible travel. To enable this type of protection, Microsoft security services centrally process global Microsoft Entra authentication logs.
- Detecting data exfiltration: Microsoft can help alert customers to potential data leakage from the enterprise by aggregating several individually unremarkable signals of malicious access to data storage from various locations. Spreading the access out this way is a technique malicious actors use to stay under the detection radar (known as low and slow attacks), and it can only be detected by correlating the signals across locations.
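The two list items above describe detections in one sentence each. The following added example, written for this page and not Microsoft's implementation, shows the shape of both over constructed sign-in and storage-access events: impossible travel compares consecutive sign-ins of one user and flags pairs whose great-circle distance divided by elapsed time exceeds a plausible speed; low and slow keeps a sliding window per principal and fires only when many small reads from several source IPs add up to a large total while each read alone stays below the per-read threshold. The event fields, the thresholds, the coordinates and every event are assumptions constructed for the example.

```python
# Added illustration of the impossible-travel and low-and-slow detections above.
# Not Microsoft's implementation: event shapes, thresholds and all sample events
# are assumptions constructed for this example.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumed upper bound for legitimate travel (airliner speed)
MIN_DISTANCE_KM = 50.0      # ignore GeoIP jitter inside one metro area (assumption)

@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    lat: float
    lon: float

@dataclass(frozen=True)
class StorageRead:
    principal: str
    when: datetime
    source_ip: str
    bytes_read: int

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in km."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive sign-ins of one user whose distance/time implies travel faster
    than max_kmh. Returns (user, earlier, later, implied_kmh) tuples."""
    by_user = defaultdict(list)
    for s in signins:
        by_user[s.user].append(s)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda s: s.when)
        for a, b in zip(evs, evs[1:]):
            km = haversine_km(a.lat, a.lon, b.lat, b.lon)
            if km < MIN_DISTANCE_KM:
                continue
            hours = (b.when - a.when).total_seconds() / 3600
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                alerts.append((user, a, b, kmh))
    return alerts

def low_and_slow(reads, window=timedelta(days=7), per_read_max=50_000_000,
                 total_min=500_000_000, min_sources=3):
    """Flag principals whose reads each stay under per_read_max but, within a sliding
    window, sum to at least total_min from at least min_sources distinct IPs.
    Returns (principal, window_start, window_end, total_bytes, sorted_ips) tuples."""
    by_principal = defaultdict(list)
    for r in reads:
        by_principal[r.principal].append(r)
    alerts = []
    for principal, evs in by_principal.items():
        evs.sort(key=lambda r: r.when)
        start, total, sources = 0, 0, defaultdict(int)
        for end, r in enumerate(evs):
            total += r.bytes_read
            sources[r.source_ip] += 1
            while r.when - evs[start].when > window:      # drop reads that fell out of the window
                old = evs[start]
                total -= old.bytes_read
                sources[old.source_ip] -= 1
                if not sources[old.source_ip]:
                    del sources[old.source_ip]
                start += 1
            in_window = evs[start:end + 1]
            if (total >= total_min and len(sources) >= min_sources
                    and all(x.bytes_read <= per_read_max for x in in_window)):
                alerts.append((principal, in_window[0].when, r.when, total, sorted(sources)))
                break   # one alert per principal is enough
    return alerts

# Constructed sample events (not real logs). Coordinates: Amsterdam, Singapore, Paris.
T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
SIGNINS = [
    SignIn("alice", T0, 52.37, 4.89),
    SignIn("alice", T0 + timedelta(minutes=30), 52.37, 4.89),  # same city: ignored
    SignIn("alice", T0 + timedelta(hours=2), 1.35, 103.82),     # ~10,500 km in 1.5 h
    SignIn("bob", T0, 52.37, 4.89),
    SignIn("bob", T0 + timedelta(hours=5), 48.86, 2.35),        # ~430 km in 5 h: fine
]
STORAGE_READS = (
    # mallory: thirty 20 MB reads over ~5 days from three IPs, 600 MB in total
    [StorageRead("mallory", T0 + timedelta(hours=4 * i), f"203.0.113.{i % 3 + 1}", 20_000_000)
     for i in range(30)]
    # carol: a few small reads from one IP, benign
    + [StorageRead("carol", T0 + timedelta(hours=i), "198.51.100.7", 20_000_000) for i in range(5)]
    # dave: one 600 MB read from one IP, loud enough for a plain volume alert, not this one
    + [StorageRead("dave", T0, "198.51.100.9", 600_000_000)]
)

if __name__ == "__main__":
    for user, a, b, kmh in impossible_travel(SIGNINS):
        print(f"impossible travel: {user} {a.when:%H:%M} -> {b.when:%H:%M} implies {kmh:,.0f} km/h")
    for principal, first, last, total, ips in low_and_slow(STORAGE_READS):
        print(f"low and slow: {principal} read {total / 1e6:.0f} MB from {len(ips)} IPs, {first:%m-%d} to {last:%m-%d}")
```

The point the list makes is visible in the data: each of mallory's reads is smaller than any of dave's, so a per-event volume threshold never sees her, and the low-and-slow rule only fires because reads from all three source IPs are correlated in one window. Likewise alice's two Amsterdam sign-ins are fine on their own; the alert needs the Singapore sign-in ninety minutes later, which is why the detection has to see sign-ins from every region the user touched.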
Microsoft Defender XDR is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks. Microsoft Defender XDR services require the operation of global systems, including artificial intelligence, automation, and human analysts working on global data sets, to hunt threats across all customers. Human security researchers and analysts operate the intelligence aspect of the service 24 hours a day, 365 days a year, creating new detections, signatures, and heuristics from data consolidated from sites spread over the globe. Microsoft Defender XDR services store most EU Customer Data in the EU region. Limited transfers to the United States are encrypted in transit and at rest. Access to this Customer Data is only through a Secure Admin Workstation (SAW) with just-in-time (JIT) access permission. For more information, visit the Microsoft Trust Center data location page and navigate to the Microsoft Defender XDR services within cloud service data residency and transfer policies.
The Microsoft Defender XDR services excluded from the EU Data Boundary are described in the following sections.
Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. Its capabilities include vulnerability management, attack surface reduction, next-generation protection, endpoint detection and response, and automated investigation and remediation. Microsoft Defender for Endpoint is continuously updated by human security researchers and analysts who create new detections, which requires those researchers to work with data globally.
Microsoft Defender for Identity is a cloud service that helps protect enterprise hybrid environments from multiple types of advanced targeted cyber-attacks and insider threats. Defender for Identity is fully integrated with Microsoft Defender XDR and uses signals from both on-premises Active Directory and cloud identities to better identify, detect, and investigate advanced threats directed at an organization. Defender for Identity provides insights on identity configurations and security best practices, and it is continuously updated by human security researchers who create new detections. Microsoft Defender XDR services store most EU Customer Data in the EU. Limited transfers of Customer Data and pseudonymized personal data to the United States are encrypted in transit and at rest. Access to this data is only through a Secure Admin Workstation (SAW) with just-in-time (JIT) access permission.
Microsoft Defender for Cloud Apps delivers full protection for software as a service (SaaS) applications, helping monitor and protect cloud app data through advanced threat protection. SaaS apps are ubiquitous across hybrid work environments, and protecting SaaS apps and the important data they store is a big challenge for organizations. The rise in app usage, combined with employees accessing company resources outside of the corporate perimeter has introduced new attack vectors. To combat these attacks effectively, security teams rely on Defender for Cloud Apps to protect their data within cloud apps beyond the traditional scope of cloud access security brokers (CASBs). Defender for Cloud Apps shows the full picture of risks to an environment from SaaS app usage and provides control of what’s being used and when through identification of all users and third-party apps able to sign in. Microsoft Defender for Cloud Apps is continuously updated by globally distributed human security researchers and analysts to create new detections.
Microsoft Defender for Office 365 integrates with Office 365 subscriptions to protect against threats in email, links (URLs), attachments, and collaboration tools. Microsoft Defender for Office 365 safeguards organizations against malicious threats by providing admins and security operations teams with a wide range of capabilities. These capabilities start benefiting users, admins, and security operations at the time of installation by providing fast preset setup options, the ability to define threat protection policies, robust reporting that includes real-time viewing and monitoring, threat investigation and response tools, and automated investigation and response capabilities. Since malicious threats are rarely restricted to a single region, Microsoft Defender for Office 365 requires globally distributed human security researchers to analyze data holistically and globally, with most data transferred to and stored in the United States. The data Microsoft Defender for Office 365 collects for security analysis, such as sender and recipient email addresses, email headers including the sender's IP address, URLs included in email content, and scrubbed or obfuscated subject lines, is encrypted so that security researchers and engineers cannot access the content in a human-readable way.
The suite of Microsoft Cloud Security services provides security posture management and threat protection for customers' workloads running in Azure, hybrid, and other cloud platforms, including Internet of Things (IoT) devices. These are global services, providing real-time alerts and security recommendations for customers' cloud resources. Cloud Security services store most Customer Data of EU customers in the EU region with limited transfers that are stored in the United States. Cloud Security services strictly control data with restricted role-based access controls (RBAC), Secure Admin Workstations (SAW), and just-in-time (JIT) access permission. Data transfer is encrypted on the wire and data storage is instrumented for continuous monitoring and detections.
The Microsoft Cloud Security services excluded from the EU Data Boundary are described in the following sections.
Microsoft Defender for Cloud is a cloud-native application protection platform with a set of security measures and practices designed to protect cloud-based applications from various cyber threats and vulnerabilities. Defender for Cloud combines several capabilities including DevOps security management, cloud security posture management, and protection of cloud workloads. To detect security threats and protect customer resources, Microsoft Defender for Cloud needs to analyze customer activity globally with limited pseudonymized personal data and Customer Data transfers to the United States. This pseudonymized personal data and Customer Data will be stored encrypted in the United States unless a customer provisions its tenant in the European Union. If a customer provisions its tenant in the European Union, all pseudonymized personal data and Customer Data derived from the customer’s resources in the European Union will be stored at rest in the European Union. Defender for Cloud may store a copy of security-related Customer Data in the respective locations, collected from, or associated with a customer resource, such as a virtual machine or Microsoft Entra tenant.
Microsoft Sentinel is a scalable, cloud-native solution that provides security information and event management (SIEM) and security orchestration, automation, and response (SOAR). Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise. With Microsoft Sentinel, you get a single solution for attack detection, threat visibility, proactive hunting, and threat response. Microsoft Sentinel provides a bird's-eye view across the enterprise, alleviating the stress of increasingly sophisticated attacks, increasing volumes of alerts, and long resolution time frames. Microsoft Sentinel can store and process most Customer Data in the EU Data Boundary when the Log Analytics workspace it is deployed on is in the EU. For more information, see Geographical availability and data residency in Microsoft Sentinel. Otherwise, Customer Data and pseudonymized personal data such as Object IDs can transfer outside of the EU Data Boundary.
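Since the residency of Microsoft Sentinel data hinges on one setting, the region of its Log Analytics workspace, a practitioner will want to verify that setting rather than assume it. The following added check was written for this page and is not Microsoft tooling. It assumes the Azure CLI is installed and signed in, and the set of region names it treats as inside the EU Data Boundary is an assumption that must be confirmed against Microsoft's published EU Data Boundary documentation before the check is relied on.

```python
# Added check for the Microsoft Sentinel residency point above: most Customer Data
# stays in the EU Data Boundary only when the workspace is in an EU region.
# Illustration written for this page, not Microsoft tooling. Assumes the Azure CLI
# (`az`) is installed and logged in. EU_DATA_BOUNDARY_REGIONS is an assumption to be
# confirmed against Microsoft's published EU Data Boundary documentation.
import subprocess
import sys

# Normalized Azure region names assumed to lie inside the EU Data Boundary.
EU_DATA_BOUNDARY_REGIONS = frozenset({
    "northeurope", "westeurope", "francecentral", "francesouth",
    "germanywestcentral", "germanynorth", "swedencentral",
    "switzerlandnorth", "switzerlandwest", "norwayeast", "norwaywest",
    "italynorth", "polandcentral", "spaincentral",
})

def normalize_region(location: str) -> str:
    """'West Europe' and 'westeurope' name the same region; compare a canonical form."""
    return "".join(location.lower().split())

def in_eu_data_boundary(location: str) -> bool:
    """True if the region is in the assumed EU Data Boundary region set."""
    return normalize_region(location) in EU_DATA_BOUNDARY_REGIONS

def workspace_location(resource_group: str, workspace: str) -> str:
    """Ask the Azure CLI for the Log Analytics workspace's region (requires `az login`)."""
    result = subprocess.run(
        ["az", "monitor", "log-analytics", "workspace", "show",
         "--resource-group", resource_group, "--workspace-name", workspace,
         "--query", "location", "-o", "tsv"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()

def check_workspace(resource_group: str, workspace: str) -> bool:
    """Report and return whether the workspace region is inside the assumed EU set."""
    location = workspace_location(resource_group, workspace)
    inside = in_eu_data_boundary(location)
    verdict = "inside" if inside else "OUTSIDE"
    print(f"{workspace}: region {location!r} is {verdict} the assumed EU Data Boundary region set")
    return inside

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_sentinel_region.py <resource-group> <workspace-name>")
    sys.exit(0 if check_workspace(sys.argv[1], sys.argv[2]) else 1)
```

Run it once per Sentinel workspace; a non-zero exit code marks a workspace whose data is not covered by the residency statement above. Because the Azure CLI may return either the compact region name or its display name depending on the command, the comparison goes through normalize_region rather than a raw string match.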
Microsoft Defender for IoT is a unified security solution built specifically to identify Internet of Things (IoT) and operational technology (OT) devices, vulnerabilities, and threats. Use Defender for IoT to secure your entire IoT/OT environment, including existing devices that may not have built-in security agents. Defender for IoT provides agentless, network-layer monitoring that identifies specialized protocols, devices, and machine-to-machine (M2M) behaviors, and it integrates with both industrial equipment and security operations center (SOC) tools. Microsoft Defender for IoT analyzes customers' activities globally to give customers a view of their IoT security across all locations. In addition, Defender for IoT analyzes security detection data to recognize security gaps and provide actionable recommendations. Microsoft Defender for IoT may use other Microsoft Online Services to process security-related Customer Data, and this data is stored based on the configuration settings of that service.
Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. Microsoft Defender for Storage provides comprehensive security by analyzing data plane and control plane system-generated logs from Azure Blob Storage, Azure Files, and Azure Data Lake Storage services. It uses advanced threat detection capabilities powered by Microsoft Security Intelligence, Microsoft Defender Antivirus, and Sensitive Data Discovery to help you discover and mitigate potential threats.
Dynamics 365 Fraud Protection is a technology stack that uses connected big data across multiple lines of business and applies artificial intelligence (AI) to help provide more accurate decisions in real time. Dynamics 365 Fraud Protection provides enhanced detection of account fraud, connection to a fraud protection network, device fingerprinting, adaptable account rules engines, bot protection, and custom configuration options. The Fraud Protection Network (FPN) pseudonymizes transaction data for use in a proprietary machine learning model for processing and analysis, which helps provide accurate scores and insights into global fraud detection. Additionally, device fingerprinting collects pseudonymized personal data within the customer's environment, based on the customer's provisioned geography.
Microsoft Copilot for Security is a generative AI-powered security solution that helps increase the efficiency and capabilities of defenders to improve security outcomes at machine speed and scale. Copilot for Security provides a natural language, assistive copilot experience that helps support security professionals in end-to-end scenarios such as incident response, threat hunting, intelligence gathering, and posture management. The solution leverages the full power of Azure OpenAI architecture to generate a response to a user prompt by using security-specific plugins, including organization-specific information, authoritative sources, and global threat intelligence.
Copilot for Security stores Customer Data and pseudonymized personal data, such as user prompts and Microsoft Entra Object IDs, in the tenant Geo. If a customer provisions their tenant in the EU and is not opted in to data sharing, all Customer Data and pseudonymized personal data will be stored at rest in the EU Data Boundary. Processing of prompts occurs in the designated Security GPU Geo, or outside of the GPU Geo if the user has opted in to data sharing. For more information on Security GPU geography selection, see Get Started with Copilot for Security. For more information on data sharing, see Privacy and data security in Microsoft Security Copilot.