The EU Data Boundary: Is the Work Truly Complete? Microsoft Claims It Is
Under the banner of the EU Data Boundary, Microsoft is expanding its data residency commitments to its customers. The commitments apply to customers located in the European Union and the European Free Trade Association (EFTA), which includes Iceland, Liechtenstein, Norway, and Switzerland. In essence, Microsoft promises to store and process customer data within the EU and EFTA as far as possible.
Official milestones began in early 2023, when Microsoft announced that it had achieved its first goal: ensuring that all customer data—specifically, data provided by or on behalf of the customer in the context of using Microsoft’s services—was stored within the EU data boundary (EUDB). Over the following year, the scope was broadened to include pseudonymous data contained in system logs. The latest extension now covers support-related information, including both data supplied by clients (such as logs) and data generated by Microsoft (like intervention notes).
Services Still Undergoing Adaptation
Microsoft asserts that the third phase marks the completion of its EU Data Boundary initiative. However, in reality, many services are still being re-architected to fully comply with this framework. Some of these include:
– Azure Monitor: This service’s change analysis component depends on Microsoft Graph, which stores and processes customer properties and pseudonymous data such as session tokens and product IDs, often outside the EUDB.
– Azure Resource Manager: For resilience purposes, certain customer data, such as IP addresses and object or session identifiers, may be stored outside of the EUDB.
– Power Automate: Personal workflows created outside of specific solutions are stored in resource groups at the user level. These groups include globally replicated object identifiers. Microsoft is working to eliminate this kind of workflow, which can already be deactivated manually.
– Exchange Online: To maintain integrity, pseudonymous data related to email messages is sometimes transferred outside the EUDB.
– Teams: Features like Q&A, based on Viva Engage (formerly Yammer), process customer messages, reactions, and user interactions outside the EUDB in certain cases. This particularly affects clients who used the feature without prior enrollment in Viva Engage. Microsoft initially aimed to relocate all content within the EU by the end of 2024 but has now extended this deadline to June 30, 2025.
Services That Will Remain Outside the EUDB
Some services are inherently incompatible with the EU Data Boundary due to their architecture. For example:
– Azure Content Delivery Network (CDN) and Azure Front Door cannot be integrated within the EUDB. The same applies to Windows 10 IoT Core Services, which relies on Windows Update for distributing updates via CDN.
– Several security services under Microsoft’s Defender and Cloud Security suites also remain outside the EUDB because they consolidate threat indicators globally.
Additionally, older versions of Microsoft 365 applications, predating December 31, 2022, as well as beta or trial versions of services, won’t be part of the EUDB.
Services Designed with Inherent Data Transfer
Some services are built to inherently transfer data beyond the EUDB boundaries. These include:
– Azure Databricks: Certain identity information, such as names, usernames, and email addresses, is stored in the United States.
– Microsoft Fabric: The Power BI component has global features that necessitate transferring data outside the EUDB.
– Azure Communications Services: During emergency calls over Real-Time Communications (RTC), a temporary number is assigned to the user which, along with the user ID, is replicated to the US.
– Dynamics 365 and Power Platform: Features like marketing campaign distribution rely on Azure CDN and Front Door, leading to data transfer outside the EU.
– Microsoft AutoUpdate (Mac): Device identifiers are stored in the US.
– Microsoft 365 Telemetry: When users log into applications with multiple Entra ID accounts, logs—including pseudonymous user data—are stored outside the EUDB, often in the US.
– Targeted Microsoft 365 Deployments: During phased rollouts (“rings”), tenant IDs and pseudonymous user identifiers are processed outside the EU, primarily in the USA.
Transfers That Will Persist for Operational Reasons
Certain data transfers will continue out of the EUDB out of necessity for operational purposes:
– Service Restoration: When automation isn’t possible, Microsoft staff may access customer data remotely via dedicated management workstations, and other data via similar devices or Virtual Desktop Infrastructure (VDI) setups.
– Customer-Initiated Transfers: Transfers arising from customer actions—such as configuring a service to send data outside the EUDB or accessing a service from outside this boundary—will still occur. Additionally, responding to GDPR requests often requires processing data outside the EUDB.
– Professional Services: Data provided during consulting engagements isn’t part of the EUDB. Support ticket management involves globally replicated names and, in escalated cases, may include transferring detailed problem descriptions and reproduction steps. Voice messages left during support interactions can also leave the EUDB.
– Directories: Some data from Entra, like user names and email addresses, may be replicated outside the EUDB to maintain service continuity.
Optional Features That Bypass the EUDB
Enabling certain optional features in Microsoft services can lead to data transfer outside the EUDB:
– Azure OpenAI: When deployed globally, user inputs and generated outputs may be processed in regions where the service is available.
– Azure Portal: Contact information saved to streamline support ticket creation can be stored outside the EUDB.
– Microsoft 365 Research: This feature, which allows users to select text for definitions or translations, is now deprecated but can be reactivated.
– Shared Teams Channels Invitations: If a user from the EUDB joins a shared channel in Teams where Azure AD B2B Direct Connect is enabled, their email address is temporarily stored in the U.S.
– Azure AI Bot Service in Teams: Each bot is configured with a single global endpoint, which the creator chooses (e.g., Japan, Southeast Asia, Europe, or the US). The traffic is then routed to a regional endpoint.
– Microsoft 365 Application Proxy: Advanced routing configurations may cause data to exit the EUDB.
– Security Copilot: Activating processing outside the EUDB, especially where GPUs are available, results in data transfer outside the boundary.
This ongoing landscape reflects a complex balance between operational functionality and strict data residency commitments. While Microsoft claims the EU Data Boundary is now fully operational, practical realities indicate that multiple services still require data to be processed or stored outside the designated regions due to technological constraints or feature requirements. The continued close monitoring of these boundaries remains essential for organizations prioritizing data sovereignty within the EU and EFTA.
Published by: Clément Bohic