
Data Residency Governance: Answering the Question Your DPO Cannot Currently Evidence

"Where is the data?" is the question every regulator, auditor, and DPIA requires a precise answer to, and most organisations cannot provide one. This analysis covers the actual residency commitments across each Microsoft 365 workload, the verification methods management should require, and the licensing decisions that determine whether a data residency position is defensible under UK GDPR and DORA.


Updated: March 2026

The Question Every CISO Asks

"Where is our data?" It sounds simple. It is not. Microsoft 365 is not a single service running in a single data centre. It is a constellation of workloads - Exchange Online, SharePoint Online, OneDrive, Teams, Microsoft Defender, Purview - each with its own data storage architecture, replication strategy, and residency commitment. And the answer to "where is our data?" varies by workload, by licensing tier, and by when your tenant was provisioned.

This article provides the operational reality, not the marketing summary.

Where M365 Data Actually Lives

For UK tenants (those with a billing address in the United Kingdom), Microsoft commits to storing the following data at rest within UK data centres (UK South - London, UK West - Cardiff):

Core Workloads - UK Committed

  • Exchange Online - Mailbox content (emails, calendar items, contacts)
  • SharePoint Online - Site content, document libraries, metadata
  • OneDrive for Business - User file storage
  • Microsoft Teams - Chat messages, channel messages (stored in Exchange and SharePoint respectively)

Workloads with Caveats

  • Microsoft Defender for Endpoint - Telemetry data may be processed in EU data centres (Ireland, Netherlands) depending on when your Defender tenant was created
  • Microsoft Defender for Office 365 - Email filtering telemetry is processed in the nearest regional data centre, which for UK tenants is typically EU West (Ireland)
  • Microsoft Purview - DLP policy match data and audit logs are stored in the region aligned to your tenant, but processing occurs in the nearest available compute region
  • Microsoft Copilot - Prompts and responses are processed in the region of the underlying data, but the LLM inference may run on GPU clusters in US data centres (Microsoft states prompts are not stored outside the region, but the processing itself crosses boundaries)

How to Verify Tenant Data Location

Navigate to Microsoft 365 admin center > Settings > Org settings > Organization profile > Data location. This page shows the committed data residency for each workload.

For PowerShell verification:

# Connect to Exchange Online (requires the ExchangeOnlineManagement module)
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Check mailbox location. MailboxRegion is populated on Multi-Geo tenants;
# on a single-geo tenant it may be blank, meaning the mailbox follows the tenant geo
Get-Mailbox -Identity admin@contoso.com | Select-Object DisplayName, MailboxRegion, Database

# For SharePoint, check the tenant geo (requires the Microsoft.Online.SharePoint.PowerShell module)
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
Get-SPOGeoStorageQuota
# If this returns only one row with "GBR", your SharePoint data is in the UK
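The checks above answer the question for one mailbox at a time. The following script is an added example, not code from the original article, that turns them into the per-user residency map a DPO can attach to a DPIA. It assumes the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules are installed; the admin UPN, tenant name and report path are placeholders.

```powershell
# Added example: build a per-mailbox residency map and flag anything outside the expected geo.
# Assumes ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell are installed.
# admin@contoso.com, contoso and the report path are placeholder values.
param(
    [string]$AdminUpn    = "admin@contoso.com",
    [string]$TenantName  = "contoso",
    [string]$ExpectedGeo = "GBR",
    [string]$ReportPath  = ".\m365-residency-map.csv"
)

Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"

# 1. Tenant-level SharePoint/OneDrive geos. A single-geo tenant returns one row.
$geos    = @(Get-SPOGeoStorageQuota)
$spoGeos = ($geos | Select-Object -ExpandProperty GeoLocation) -join ","

# 2. Per-mailbox region. A blank MailboxRegion means the mailbox follows the
#    tenant default geo rather than a Multi-Geo placement.
$rows = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    ForEach-Object {
        $region = if ([string]::IsNullOrEmpty($_.MailboxRegion)) { "(tenant default)" } else { $_.MailboxRegion }
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            Workload          = "Exchange Online"
            Geo               = $region
            Database          = $_.Database
            OutsideExpected   = ($region -ne "(tenant default)" -and $region -ne $ExpectedGeo)
        }
    }

# 3. Persist the map and print a summary the DPO can quote in the DPIA.
$rows | Export-Csv -Path $ReportPath -NoTypeInformation
"SharePoint/OneDrive geos      : $spoGeos"
"Mailboxes audited             : $(@($rows).Count)"
"Mailboxes outside $ExpectedGeo : $(@($rows | Where-Object OutsideExpected).Count)"
$rows | Group-Object Geo | Select-Object Name, Count | Format-Table -AutoSize
```

Re-run it after any Multi-Geo move or tenant change and keep the CSVs; the diff between two runs is the evidence trail an auditor asks for.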

Data Boundary Commitments

Microsoft has made two significant commitments that affect UK organisations:

1. The EU Data Boundary (effective January 2024)

Microsoft committed that all customer data for EU and EFTA customers would be stored and processed within the EU Data Boundary. The UK is not part of the EU Data Boundary. This is a crucial distinction that many data protection officers miss.

UK tenants are covered by Microsoft's Product Terms data residency commitments, which are workload-specific (listed above). They are not covered by the EU Data Boundary blanket commitment.

2. Advanced Data Residency (ADR)

For organisations that require specific contractual commitments beyond the default terms, Microsoft offers the Advanced Data Residency (ADR) add-on. (Note: ADR is distinct from Multi-Geo, which enables data placement across multiple geographies within a single tenant). ADR extends data residency commitments to additional workloads:

  • Exchange Online (included in default)
  • SharePoint Online (included in default)
  • OneDrive for Business (included in default)
  • Microsoft Teams (included in default)
  • Microsoft Defender for Office 365 (ADR add-on)
  • Microsoft Purview (ADR add-on)
  • Copilot for Microsoft 365 (ADR add-on)

ADR is licensed per-user and costs approximately £3-4 per user per month. For regulated organisations, it is considered essential.

Multi-Geo: Configuration and Licensing

Multi-Geo is a separate capability from ADR. It allows you to store individual users' data in different geographic regions within the same tenant. This is relevant for organisations with offices in multiple countries that need to comply with local data residency laws.

Licensing

Multi-Geo requires Microsoft 365 E3/E5 plus the Multi-Geo Capabilities in Microsoft 365 add-on (minimum 250 seats committed).

Configuration

Multi-Geo is configured at the tenant level by Microsoft (you cannot self-serve). Once enabled:

# View available geo locations for your tenant
Get-SPOGeoStorageQuota

# Move a user's OneDrive to a specific geo. The user's PreferredDataLocation must already
# be set to the destination geo (see the Exchange mailbox section below) or the move is rejected
Start-SPOUserAndContentMove -UserPrincipalName "user@contoso.com" -DestinationDataLocation "GBR"

# Check move status
Get-SPOUserAndContentMoveState -UserPrincipalName "user@contoso.com"

# Move a SharePoint site to a specific geo
Start-SPOSiteContentMove -SourceSiteUrl "https://contoso.sharepoint.com/sites/project" -DestinationDataLocation "GBR"

Exchange Mailbox Geo Move

# Set the user's preferred data location via Microsoft Graph (requires the Microsoft.Graph.Users
# module; the Graph SDK cmdlet is Update-MgUser, and MailboxRegion is not a Graph user property).
# Exchange Online relocates the mailbox to match the preferred data location automatically
Connect-MgGraph -Scopes "User.ReadWrite.All"
Update-MgUser -UserId "user@contoso.com" -PreferredDataLocation "GBR"

# Verify the move (can take 24-72 hours)
Get-Mailbox -Identity "user@contoso.com" | Select-Object DisplayName, MailboxRegion, Database
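The cmdlets above only work in the right order: the preferred data location must be set before the OneDrive move starts, and the mailbox follows on its own schedule. The function below is an added example, not the article's own code, that sequences those steps for one user and polls the OneDrive move. It assumes Multi-Geo is already enabled, that the Microsoft.Graph.Users, Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement modules are installed with an Exchange Online session already open, and that the `MoveState` property name and its in-flight values (`NotStarted`, `InProgress`) match the cmdlet's default output; the tenant name and UPN are placeholders.

```powershell
# Added example: move one user's OneDrive and mailbox to a target geo in the required order.
# Assumes Multi-Geo is enabled and an Exchange Online session already exists.
# MoveState and its in-flight values are assumed from Get-SPOUserAndContentMoveState output.
function Move-UserToGeo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$UserPrincipalName,
        [Parameter(Mandatory)] [string]$DestinationGeo,   # e.g. "GBR", "EUR", "NAM"
        [string]$TenantName  = "contoso",                  # placeholder tenant
        [int]$PollSeconds    = 300
    )

    # 1. PreferredDataLocation is the control Exchange follows automatically and the
    #    value Start-SPOUserAndContentMove requires to match the destination geo.
    Connect-MgGraph -Scopes "User.ReadWrite.All"
    Update-MgUser -UserId $UserPrincipalName -PreferredDataLocation $DestinationGeo
    $pdl = (Get-MgUser -UserId $UserPrincipalName -Property PreferredDataLocation).PreferredDataLocation
    if ($pdl -ne $DestinationGeo) {
        throw "PreferredDataLocation for $UserPrincipalName is '$pdl', expected '$DestinationGeo'"
    }

    # 2. Start the OneDrive move and poll until it leaves the in-flight states.
    Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"
    Start-SPOUserAndContentMove -UserPrincipalName $UserPrincipalName -DestinationDataLocation $DestinationGeo
    do {
        Start-Sleep -Seconds $PollSeconds
        $state = Get-SPOUserAndContentMoveState -UserPrincipalName $UserPrincipalName
        Write-Verbose "$(Get-Date -Format s) OneDrive move state: $($state.MoveState)"
    } while ($state.MoveState -in @("NotStarted", "InProgress"))

    # 3. Report both workloads. The mailbox relocates on Exchange's own schedule (24-72 hours),
    #    so MailboxRegion may still show the old geo right after the OneDrive move finishes.
    $mbx = Get-Mailbox -Identity $UserPrincipalName
    [pscustomobject]@{
        UserPrincipalName     = $UserPrincipalName
        PreferredDataLocation = $pdl
        OneDriveMoveState     = $state.MoveState
        MailboxRegion         = $mbx.MailboxRegion
        MailboxInTargetGeo    = ($mbx.MailboxRegion -eq $DestinationGeo)
    }
}

# Usage with placeholder values:
# Move-UserToGeo -UserPrincipalName "user@contoso.com" -DestinationGeo "GBR" -Verbose
```

Keep the returned object with the residency map: a `MailboxInTargetGeo` of `$false` a week after the move is the signal to raise a support case rather than assume the mailbox followed.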

Verifying Data Location: The Admin Centre Method

For non-PowerShell verification, navigate to:

  1. Microsoft 365 admin center > Settings > Org settings > Organization profile > Data location
  2. This shows the committed geography for each core workload
  3. For individual mailboxes: Exchange admin center > Recipients > Mailboxes > Select user > Others tab > Mailbox location
  4. For SharePoint: SharePoint admin center > Settings > Multi-Geo (if enabled)

Purview DLP Geo-Based Policies

An underutilised capability: you can create DLP policies that apply differently based on the user's data location. For example, stricter DLP rules for users whose data resides in a non-UK geography:

Navigate to Microsoft Purview > Data loss prevention > Policies. When creating a policy, in the Locations step, you can scope the policy to specific geographic locations if Multi-Geo is enabled.

This allows you to apply enhanced monitoring and blocking rules to data that resides outside the UK, while maintaining standard controls for UK-resident data.

The UK Adequacy Decision Reality

The UK received an adequacy decision from the EU Commission in June 2021, valid until June 2025, and subsequently renewed. This means EU organisations can transfer personal data to the UK without additional safeguards (Standard Contractual Clauses, etc.).

However, adequacy is not permanent. If the UK diverges significantly from EU data protection standards - through reform of the Data Protection and Digital Information Act or otherwise - adequacy could be revoked. The recommended approach is to:

  1. Document your reliance on adequacy - Know which data flows depend on it
  2. Have SCCs ready - Pre-sign Standard Contractual Clauses with EU counterparties as a fallback
  3. Monitor legislative developments - The DPDI Act's progress should be tracked quarterly
  4. Consider data localisation - For critical data flows, keep data within the UK geography regardless of adequacy status

EU Data Boundary Program

For completeness, the EU Data Boundary is Microsoft's commitment that EU/EFTA customer data will be stored and processed within the EU. Key facts:

  • Phase 1 (Jan 2023): Core services data at rest
  • Phase 2 (Jan 2024): Pseudonymised personal data in logs and telemetry
  • Phase 3 (ongoing): All personal data including support interactions

UK organisations are outside this boundary. If you have EU subsidiaries, their data is covered; your UK parent company's data is not. This creates a split architecture requirement for multinational firms.

Sovereign Cloud vs Commercial

Microsoft operates sovereign cloud environments (Azure Government, Azure China 21Vianet) that are physically and logically isolated from commercial Azure. The UK does not have a sovereign cloud. UK government organisations (OFFICIAL-SENSITIVE and above) use commercial Azure with enhanced controls:

  • Azure Policy enforcing UK South/West region deployment
  • Customer Lockbox preventing Microsoft engineer access without approval
  • Advanced Data Residency for M365 workloads
  • Azure Confidential Computing for computation on encrypted data

For most private-sector regulated organisations, commercial Azure with ADR and appropriate Conditional Access policies provides sufficient data residency assurance. Sovereign cloud is typically only required for defence and national security workloads.

Practical Recommendations

  1. Verify your tenant's data location today - Use the admin centre and PowerShell commands above
  2. License ADR if you are regulated - The default commitments have gaps in Defender and Purview
  3. Deploy Multi-Geo only if you have multi-country operations - It is expensive and complex for single-country firms
  4. Do not rely solely on adequacy decisions - Have contractual fallbacks ready
  5. Document everything - Your DPO will need a data residency map for DPIA purposes. Build it now.
  6. Monitor Copilot data flows - As AI workloads scale, understand where inference is processed, not just where data is stored

The question "where is our data?" deserves a precise, verifiable answer. If you cannot provide one today, start with the admin centre data location page and work outward from there.