Configuring Azure non-regional services for the EU Data Boundary

Azure non-regional services (you can find a complete list at Azure Products by Region) are services that have no dependency on a specific Azure region and don't currently let customers specify a deployment region. These services were architected and optimized to be always available as part of Azure's global cloud. As part of the EU Data Boundary commitment to meet the data residency requirements of EU customers, many of these services and core components of the Azure platform that support them are being rearchitected. This work, some of which involves extensive service and platform rearchitecting, is ongoing. Some Azure non-regional services have completed this work; for others, work is ongoing, and the services will be available in the EU Data Boundary on varying schedules throughout 2024. This documentation lists Azure non-regional services that have already met the EU Data Boundary commitment and describes how to configure the services to store and process Customer Data and pseudonymized personal data in the EU Data Boundary. To learn more about Azure non-regional services with residual data transfers outside of the EU Data Boundary, refer to Services temporarily excluded from the EU Data Boundary and Services that will temporarily transfer a subset of Customer Data or pseudonymized personal data out of the EU Data Boundary.

Non-regional services that don't handle Customer Data or pseudonymized personal data

The following Azure non-regional services don't store or process Customer Data or pseudonymized personal data:

Customer devices with cloud components that can be configured regionally

Azure supports several hybrid and IoT solutions and devices that allow you to extend Azure services and capabilities to the environment of your choice. These solutions are considered non-regional, however after you purchase a device you can configure the connections back to Azure to store and process Customer Data and pseudonymized personal data in specific geographic locations. When you select an EU location, your Customer Data and pseudonymized personal data are stored and processed within the EU Data Boundary.

Configuration details for each service are described below.

Azure Sphere

The Azure Sphere Security service is a customer facing global security service that enables daily attestation security verification and a secured software supply chain that manages OS and customer-provided application updates for Azure Sphere enabled customer devices. Using the new Regional Data Boundary parameter, customers can now specify that application binary files potentially containing Customer Data are signed by the EU-based Microsoft Product Release and Security Services (PRSS) signing service and stored in EU located Azure Sphere blob storage. For more information, see Azure Sphere CLI image command.

Azure Stack Edge

Azure Stack Edge devices let you select an Azure geographic location to which your device will be connected. Your Edge data is stored and processed in this region. For details about region availability and selecting a region, see Choosing a region for Microsoft Azure Stack Edge Pro with GPU.

Azure Stack HCI

When you register your Azure Stack HCI cluster, you select from one of the supported EU-based Azure Stack HCI regions to which your cluster will be connected for registration, billing, and management. For more information, see Connect Azure Stack HCI to Azure.

Azure Stack Hub

Azure Stack Hub customers can select their geographical preference for data processing on existing Azure Stack Hub deployments. New Azure Stack Hub deployments can set the geographical region during the deployment process. Your Edge data is stored and processed in this region. For more information, see Azure Stack Hub security controls.

Azure Data Box

When you order a Data Box, you specify both a source country and a destination Azure region. Data Box supports data ingestion or egress only within the same country/region as the destination and won't cross any international borders. The only exception is for orders in the EU, where Data Boxes can ship to and from any EU country/region. For more information, see Azure Data Box, Azure Data Box Heavy FAQ.

Azure Monitor components

Azure Monitor provides a comprehensive solution for collecting, analyzing, and acting on system-generated and diagnostic data from your cloud and on-premises environments. Azure Monitor is available in the EU Data Boundary, allowing you to store and process all Customer Data and pseudonymized personal data in the EU Data Boundary except for specific scenarios that are identified in the following sections and described in more detail at Services that will temporarily transfer a subset of Customer Data or pseudonymized personal data out of the EU Data Boundary.

Components available in the EU Data Boundary

Metrics

Metrics is a feature of Azure Monitor that collects numeric data from monitored resources into a time-series database. Metrics are numerical values that are collected at regular intervals and describe some aspects of a system at a particular time. For more information, see types of metrics in Azure Monitor Metrics. Azure Monitor tracks metrics on a subscription basis and makes them available to administrators of that subscription. Metrics doesn't store or process any Customer Data.

Note

The public preview feature that allows you to create and store custom metrics enables you to add Customer Data to metrics, and this data is stored and processed globally. Preview features for Microsoft Online Services aren’t in scope for the EU Data Boundary or data residency commitments.

Activity Log

Every Azure resource provider collects audit logs, also known as activity logs, which provide insights into subscription-level events. These logs include Customer Data and pseudonymized personal data for some resource types. Data originating in the EU is stored in the EU, otherwise, this data is stored globally.

Diagnostic logs

Diagnostic logs provide detailed diagnostic information for Azure resources and the Azure platform they depend on. These logs aren't collected until the customer routes them to the customer's chosen destination. For more information, see Diagnostic settings in Azure Monitor.

Alerts and Action Groups

Alerts and Action Groups are built on a Log Analytics Workspace or an Application Insights resource, which are both Geo-aligned. Data sent by a customer to an Action Groups endpoint in the EU is stored in the EU and uses an EU-based SMS system when an alert is triggered to send an email, text, or phone call.

This workflow stores and processes all Customer Data and pseudonymized personal data in the EU when run fully within the EU. If an engineer creates a resource outside of the EU, for instance in East US, and the monitoring for this workflow is also set up in East US, the Alert workflow runs in the US, even if notifications are sent to partners in the EU.

Log Analytics

Log Analytics is an Azure regional service that stores and processes all Customer Data and pseudonymized personal data in the Geo selected when you create the service.

Components that are not available in the EU Data Boundary

Application Change Analysis

Application Change Analysis builds on Azure Resource Graph to provide insights into changes across multiple infrastructure and application deployment layers. Change analysis data is currently stored and processed globally, but in the future, it will move to a regional model. For more information, see Services that will temporarily transfer a subset of Customer Data or pseudonymized personal data out of the EU Data Boundary.

Applications Insights

Application Insights is an Azure regional service that stores and processes all Customer Data in the Geo selected when you create the service. Work is in progress to store and process pseudonymized personal data in the EU Data Boundary as described in Services that will temporarily transfer a subset of Customer Data or pseudonymized personal data out of the EU Data Boundary.

Additional non-regional services that are available in the EU Data Boundary

All of these services can be configured to be used in the EU Data Boundary. The following sections describe how to configure the listed non-regional services to store and process Customer Data and pseudonymized personal data in the EU Data Boundary.

Configuration details for each service are described in the following sections.

Azure Bot Service

Azure Bot Service provides a collection of libraries, tools, and services that let you build, test, deploy, and manage intelligent bots. The Bot Service enables you to create a Bot within the EU Data Boundary and all the data plane related data for your Bot is stored and processed within the EU. Customer Data and pseudonymized personal data is stored and processed in the EU Data Boundary aside from specific residual transfers that are documented in Services that will temporarily transfer a subset of Customer Data or pseudonymized personal data out of the EU Data Boundary. For details about how to add regional settings to a bot, see Regionalization support - Bot Service.

Azure Communication Services

When creating an Azure Communication Services resource, you specify a geography (not an Azure region). All chat messages and resource data are stored in that geography, in a region selected internally by Communication Services. Selecting the Europe geography or one of the country geographies that are part of the EU Data Boundary ensures that your Customer Data and pseudonymized personal data is stored and processed in the EU Data Boundary, aside from specific residual transfers that are documented in Services that will temporarily transfer a subset of Customer Data or pseudonymized personal data out of the EU Data Boundary. For more information, see Region availability and data residency for Azure Communication Services.

Azure Kubernetes Service on Azure Stack HCI

Azure Kubernetes Service on Azure Stack HCI sends data to the region selected when the cluster was configured. Any included Customer Data is stored and processed in this region.

Azure Migrate

When you create an Azure Migrate project, you specify a geography (not an Azure region). All metadata collected from the on-premises environment is securely stored and processed in the location you created the project. Selecting a geography in the EU ensures that your data is stored and processed in the EU Data Boundary. For the specific metadata locations associated with each geography, see Azure Migrate supported geographies. For more information, see Azure Migrate appliance FAQ - How is data stored.

Azure Virtual Desktop

When you create a new Azure Virtual Desktop host pool, you specify the Azure region where the metadata for that host pool is created. This determines where the information associated with the host pool is stored, which includes a host pool or application name. If you select either of the EU regions, this data is stored and processed only within the EU. Microsoft doesn't control or limit the locations from where you or your users can access their Azure Virtual Desktop Virtual Machines. For more information, see Data locations for Azure Virtual Desktop. Customer administrators can also configure the transfer of files to local devices through Configure device redirection.

Azure VM Image Builder

Azure VM Builder: For virtual machine (VM) image templates created in an EU region, storage and processing of data occurs in the EU. For more information, see Create an Azure Image Builder Bicep file or ARM JSON template.

Cloud Shell

Cloud Shell is an interactive, authenticated, browser-accessible terminal for managing Azure resources. Cloud Shell enables you to create new storage within the EU Data Boundary by selecting a Cloud Shell region in the EU Data Boundary. Customer Data is not stored or processed in Cloud Shell and pseudonymized personal data is stored and processed in the EU Data Boundary aside from specific residual transfers that are documented in Services that will temporarily transfer a subset of Customer Data or pseudonymized personal data out of the EU Data Boundary. For more information, see Persist files in Azure Cloud Shell.

Microsoft Entra ID and Azure Active Directory B2C

Microsoft Entra ID and Azure Active Directory B2C: A Microsoft Entra tenant contains a directory for managing users and provides identity and access management (IAM) capabilities to applications and resources used by your organization. When creating a Microsoft Entra tenant, you specify a geography (not an Azure region) as your Location. When you select a Location that is part of the EU Data Boundary, your Customer Data and pseudonymized personal data is stored and processed in the EU Data Boundary, aside from specific residual transfers that are documented in the following locations:

For more information, see Quickstart: Create a new tenant in Microsoft Entra ID. You can verify your Microsoft Entra directory data location through Microsoft Entra admin center by navigating to the Properties page and ensuring the associated country or region value is part of the EU Data Boundary.

Microsoft Fabric

For Microsoft Fabric, the geographic area (Geo) in which a customer's services tenancy is hosted is determined by the first user that signs up. For more information, see Power BI implementation planning: Tenant setup. Customers can configure their service to be in-scope for the EU Data Boundary by provisioning their tenant and all Microsoft Fabric capacities in an EU datacenter location. Customer Data and pseudonymized personal data is stored and processed in the EU Data Boundary aside from specific residual transfers that are documented in Services that transfer a subset of Customer Data or pseudonymized personal data out of the EU Data Boundary on an ongoing basis.

Fabric also enables the option to select an Azure region where Customer Data is stored when creating new Microsoft Fabric capacity. The default option listed is your tenant home region. If you select that region, all associated data, including Customer Data, is stored in that Geo. If you select a different region, some Customer Data is still stored in the home Geo. By selecting a region in the EU, Customer Data will be stored in the EU Data Boundary.

Power BI Embedded

Power BI Embedded analytics allows you to embed Power BI items such as reports, dashboards, and tiles in a web application or in a website. When you create a new Power BI Embedded resource, you can select the Azure region where you would like your workspace data and content for the capacity to be stored. The default option listed is your tenant home region; if you select that region, all of your data and content is stored in that Geo. If you select a different region, some data and content is still stored in the home Geo.

Translator

For customers who require data to be stored and processed within the EU, Translator provides a European endpoint (api-eur.cognitive.microsofttranslator.com). When using the Translator European endpoint, requests are processed by datacenters within the EU Data Boundary only. If no datacenter within the EU Data Boundary is available, the request isn't processed, and an error is returned. All requests sent to the European endpoint are processed in the EU only, even if the request originates from outside the EU. For more information, see Translator V3.0 Reference - Azure Cognitive Services.