Microsoft Defender for Identity data security and privacy

Note

This article provides steps for how to delete personal data from the device or service and can be used to support your obligations under the GDPR. If you’re looking for general info about GDPR, see the GDPR section of the Service Trust portal.

Search for and identify personal data

In Defender for Identity, you can view identifiable personal data from the Microsoft 365 Defender portal using the search bar.

Search for a specific user or computer, and select the entity to bring you to the user or computer profile page. The profile provides you with comprehensive details about the entity from Active Directory, including network activity related to that entity and its history.

Defender for Identity personal data is gathered from Active Directory through the Defender for Identity sensor and stored in a backend database.

Data sharing

Defender for Identity shares data, including customer data, among the following Microsoft products also licensed by the customer.

  • Microsoft Defender for Cloud Apps

Update personal data

Defender for Identity's personal user data is derived from the user's object in the Active Directory of the organization. Therefore, changes made to the user profile in the organization AD are reflected in Defender for Identity.

Delete personal data

  • After a user is deleted from the organization's Active Directory, Defender for Identity automatically deletes the user profile and any related network activity within a year. You can also delete any security alerts that contain personal data.

  • Read-only permissions on the Deleted Objects container are recommended. To learn more about how the Deleted Objects container permission is used by the Defender for Identity service, see the Deleted Objects container recommendation in Defender for Identity Permissions required for the Directory Service account.

Export personal data

In Defender for Identity you have the ability to export security alert information to Excel. This function also exports the personal data.

Audit personal data

Defender for Identity implements the audit of personal data changes, including the deleting and exporting of personal data records. Audit trail retention time is 90 days. Auditing in Defender for Identity is a back-end feature and not accessible to customers.

Additional resources

Important

Currently, Defender for Identity data centers are deployed in Europe, UK, North America/Central America/Caribbean, Australia East and Asia. Your instance is created automatically in the data center that is geographically closest to your Azure Active Directory (Azure AD). Once created, Defender for Identity instances aren't movable.

See also