+# Microsoft Adoption Score

+## How to enable Adoption Score

+2. Select **enable Adoption Score**. It can take up to 24 hours for insights to become available.

+- The user who creates the BlackBerry DataParser connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Bloomberg DataParser connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Cisco Jabber DataParser connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the FactSet DataParser connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Fuze DataParser connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the FX Connect DataParser connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the ICE DataParser connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the InvestEdge DataParser connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the LivePerson Conversational Cloud DataParser connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Quip DataParser connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Refinitiv Eikon Messenger DataParser connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the ServiceNow DataParser connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Skype for Business Server DataParser connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Slack DataParser connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the SQL DataParser connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Symphony DataParser connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Cisco Webex DataParser connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Zoom DataParser connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates a Android Archiver connector must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates a AT&T Network connector must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates a Bell Network connector must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates a Bloomberg Message connector in Step 3 (and who downloads the public keys and IP address in Step 1) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the CellTrust connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Cisco Jabber connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Cisco Jabber on Oracle connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Cisco Jabber on PostgreSQL connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the CellTrust SL2 data connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft Purview compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the EML connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates a Enterprise Number Archiver connector must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who sets up the custom connector in the compliance portal (in Step 5) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the FX Connect connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The admin who creates the ICE Chat connector in Step 3 (and who downloads the public keys and IP address in Step 1) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates an Instant Bloomberg connector in Step 3 (and who downloads the public keys and IP address in Step 1) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates a LinkedIn Company Page connector must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the MS SQL Database Importer connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates an O2 Network connector must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Pivot connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Redtail Speak Importer connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Reuters Dealing connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Reuters Eikon connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Reuters FX connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the RingCentral connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates a Rogers Network Archiver connector in Step 3 must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Salesforce Chatter connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the ServiceNow connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates a Signal Archiver connector in Step 3 must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Skype for Business connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- Obtain the username and password for your organization's Slack enterprise account. You use these credentials to sign into this account when you create the data connector. It's also recommended that you have automated user provisioning in your Slack organization configured to use single sign-on (SSO). [Roles in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals)

+- The user who creates the Slack eDiscovery connector must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the Microsoft Purview compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Slack eDiscovery connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Symphony connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates a Telegram Archiver connector in Step 3 must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates a TELUS Network connector must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the text-delimited connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who sets up the Twitter connector in the compliance portal (in Step 5) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the YouTube connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates a Verizon Network connector must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Webex Teams connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Webpage Capture connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates a WeChat Archiver connector in the compliance portal must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates a Verizon Network connector must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Workplace from Facebook connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the XIP connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the XSLT/XML connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Yieldbroker connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the YouTube connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Zoom Meetings connector in Step 1 (and completes it in Step 3) must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- **Adult, racy, and gory**: Detects images of these types. The images must be between 100 kilobytes (KB) and 4 megabytes (MB) in size and be greater than 50 x 50 pixels in height x width dimensions. Scanning and detection are supported for Exchange Online email messages, and Microsoft Teams channels and chats. Detects content in .jpeg, .png, .gif, and .bmp files.

+Complete the following steps to add users to this role group:

+1. Sign into the [Microsoft Purview compliance portal](https://compliance.microsoft.com) using credentials for an admin account in your Microsoft 365 organization.

+2. Select **Permissions** in the left nav, and select **Roles** under the **Microsoft Purview solutions** list.

+3. Select the *Communication Compliance* role group and then select **Edit**.

+4. Select the **Choose users** tab, then select the checkbox for all users you want to add to the role group.

+6. Choose **Select**, then **Next**.

+7. Select **Save** to add the users to the role group. Select **Done** to complete the steps.

+[Add users to the Insider Risk Management role group](insider-risk-management-configure.md#add-users-to-the-insider-risk-management-role-group)

+1. [Create and manage audit log retention policies on PowerShell](audit-log-retention-policies.md#create-and-manage-audit-log-retention-policies-in-powershell) - You can also use Security & Compliance PowerShell to create and manage audit log retention policies. One reason to use PowerShell is to create a policy for a record type or activity that isnΓÇÖt available in the UI.

+2. On the row of your intended solution, under the **Open solution** column, select **Open**. YouΓÇÖll arrive at the solution's location in the Microsoft Purview compliance portal, Microsoft 365 Defender portal, or its admin center, where you can take the recommended action.

+For step-by-step guidance to create custom alert policies, see [Alert policies in Microsoft 365](/microsoft-365/compliance/alert-policies).

+Log records include attributes such as date, time, activity, organization ID, and data encryption policy ID. The record is available as part of Unified Audit Logs and is accessible from the Microsoft Purview compliance portal Audit Log Search tab.

+ - A DLP policy is set to **Block** upload of sensitive items that contain credit card numbers.

+Summary table

+|Service domain list setting |Upload sensitive item to site on list |Upload sensitive item to site not on list |

+||||

+|Allow |- No DLP policies are applied </br> - User activity is audited </br> - Event generated | - DLP policies are applied </br> - Configured actions are taken </br>- Event is generated </br>- Alert is generated |

+|Block | - DLP policies are applied </br> - Configured actions are taken </br> - Event is generated </br> - Alert is generated | - No DLP policies are applied </br> - User activity is audited </br>- Event is generated |

+> For an explanation of each one, and the new roles that they contain, select a role group in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077149" target="_blank">Microsoft Purview compliance portal</a> > **Permissions & roles** > **Compliance center** > **Roles**, and then review the description in the flyout pane. Or, see [Role groups in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#role-groups-in-the-defender-and-compliance-portals).

+- The user who creates the Epic connector in Step 3 must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the Healthcare connector in Step 3 must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the HR connector in Step 3 must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the HR connector in Step 3 must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+- The user who creates the physical badging connector in Step 3 must be assigned the Data Connector Admin role. This role is required to add connectors on the **Data connectors** page in the compliance portal. This role is added by default to multiple role groups. For a list of these role groups, see the "Roles in the Defender and compliance portals" section in [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-defender-and-compliance-portals). Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role, and then add the appropriate users as members. For instructions, see the "Create a custom role group" section in [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md#create-a-custom-role-group).

+### Add users to the Insider Risk Management role group

+Complete the following steps to add users to this role group:

+2. Select **Permissions** in the left nav, and select **Roles** under the **Microsoft Purview solutions** list.

+3. Select the *Insider Risk Management* role group, then select **Edit**.

+4. Select the **Choose users** tab, then select the checkbox for all users you want to add to the role group.

+6. Choose **Select**, then **Next**.

+7. Select **Save** to add the users to the role group. Select **Done** to complete the steps.

+For a list of device and configuration requirements, see [Learn about forensic evidence (preview)](insider-risk-management-forensic-evidence.md#device-and-configuration-requirements). To onboard supported devices, complete the steps outlined in the [Onboard Windows 10 and Windows 11 devices into Microsoft 365 overview](/microsoft-365/compliance/device-onboarding-overview) article.

+For a list of minimum device and configuration requirements, see [Learn about forensic evidence (preview)](insider-risk-management-forensic-evidence.md#device-and-configuration-requirements). To onboard supported devices, complete the steps outlined in the [Onboard Windows 10 and Windows 11 devices into Microsoft 365 overview](/microsoft-365/compliance/device-onboarding-overview) article.

+The Device health report allows you to view the status and health of all devices that have the forensic evidence agent installed. Each report widget on the report displays information for last 24 hours.

+## Device and configuration requirements

+The following tables include the supported minimum requirements for utilizing insider risk management forensic evidence.

+### Supported platforms

+|**Operating system**|**SKU**|**Processor**|

+|:-|:-|:-|

+| Windows 10 | Enterprise | 64-bit (Intel or AMD) |

+| Windows 11 | Enterprise | 64-bit (Intel or AMD) |

+### Physical devices

+|**Hardware**|**Minimum requirement**|

+|:-|:-|

+| RAM | Minimum of 8 GB (at least 2 GB should be available for client usage |

+| CPU processor | Intel i5 or above and AMD Ryzen 5 or above |

+| Graphics card | Compatible with DirectX 11 or later, with a WDDM 1.0 driver or later (currently only integrated graphics cards supported)|

+| Disk space | Minimum of 10 GB of disk storage |

+| Display | Minimum screen resolution of 1920 x 1080 |

+### Hyper-V and virtual machines

+|**Hardware**|**Minimum requirement**|

+|:-|:-|

+| RAM | Minimum of 16 GB (at least 2 GB should be available for client usage) |

+| CPU processor | Minimum of two vCPU processors and at least four cores for each vCPU processor |

+| Disk space | Minimum of 10 GB of disk storage |

+| Display | Minimum screen resolution of 1920 x 1080 |

+> [!IMPORTANT]

+> If the minimum requirements aren't met, users are likely to run into Microsoft Purview client issues and the quality of forensic recordings may not be reliable.

+Alert information contains information from the Security and Compliance Alerts schema and the [Office 365 Management Activity API](/office/office-365-management-api/office-365-management-activity-api-schema.md#security-and-compliance-alerts-schema) common schema.

+The following fields and values are exported for insider risk management alerts for the Security and Compliance Alerts schema:

+| Category | The category of the alert is *InsiderRiskManagement*. This category can be used to distinguish from these alerts from other security and compliance alerts. |

+| Version | The version of the Security and Compliance Alerts schema. |

+Next, check quarantine in the Microsoft Purview compliance portal. Often, messages containing a one-time pass code, especially the first ones your organization receives, end up in quarantine.

+To view all of the default role groups that are available in the compliance portal and the roles that are assigned to the role groups by default, see [Roles and role groups in the Microsoft 365 Defender and Microsoft Purview compliance portals](/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center).

+Microsoft 365 audits this activity and makes it available to administrators. The operation is 'New-TransportRule' and a snippet of a sample audit entry from the Audit Log Search in Microsoft Purview compliance portal follows:

+- The new capabilities provide detailed usage reports through the Microsoft Purview compliance portal.

+When you configure a privileged access policy with the [Microsoft 365 admin center](https://admin.microsoft.com) or the Exchange Management PowerShell, you define the policy and the privileged access feature processes and the policy attributes in the Microsoft 365 substrate. The activities are logged in the audit log. The policy is now enabled and ready to handle incoming requests for approvals.

+In the [Microsoft 365 admin center](https://admin.microsoft.com) or with the Exchange Management PowerShell, users can request access to elevated or privileged tasks. The privileged access feature sends the request to the Microsoft 365 substrate for processing against the configured privilege access policy and records the Activity in the audit logs.

+For an approved request, the task is processed by the Exchange Management runspace. The approval is checked against the privileged access policy and processed by the Microsoft 365 substrate. All activity for the task is logged in the audit logs.

+#### To identify the Message ID of the email you want to revoke by using Message Trace in the Microsoft Purview compliance portal

+1. Search for the email by sender or recipient using [New Message Trace in Microsoft Purview compliance portal](https://blogs.technet.microsoft.com/exchange/2018/05/02/new-message-trace-in-office-365-security-compliance-center/).

+#### To identify the Message ID of the email you want to revoke by using Message Encryption reports in the Microsoft Purview compliance portal

+1. In the Microsoft Purview compliance portal, navigate to the **Message encryption report**. For information on this report, see [View email security reports in the Security &amp; Compliance Center](../security/office-365-security/view-email-security-reports.md).

+To verify whether you can revoke a message, check whether the Revocation Status field is visible in the Encryption report, in the **Details** table in the Microsoft Purview compliance portal.

+Once you know the Message ID of the email you want to revoke, and you have verified that the message is revocable, you can revoke the email using the Microsoft Purview compliance portal or Windows PowerShell.

+To revoke the message using the Microsoft Purview compliance portal

+1. Using a work or school account that has global administrator permissions in your organization, connect to the Microsoft Purview compliance portal.

+2. Run the following GET request to retrieve the Id for the eDiscovery (Premium) case. Use the value `https://graph.microsoft.com/beta/security/ediscovery/cases` in the address bar of the request query. Be sure to select **v1.0** in the API version dropdown list.

+ 

+1. In Graph Explorer, run the following GET request to retrieve the Id for the collection that you created in Step 2, and contains the items you want to purge. Use the value `https://graph.microsoft.com/beta/security/ediscovery/cases('caseId')/sourceCollections` in the address bar of the request query, where CaseId is the Id that you obtained in the previous procedure. Be sure to surround the case Id with parentheses and single quotation marks.

+ 

+1. In Graph Explorer, run the following POST request to purge the items returned by the collection that you created in Step 2. Use the value `https://graph.microsoft.com/beta/security/ediscovery/cases('caseId')/sourceCollections('collectionId')/purgeData` in the address bar of the request query, where caseId and collectionId are the Ids that you obtained in the previous procedures. Be sure to surround the Id values with parentheses and single quotation marks.

+ 

+ 

+1. First, [connect to Security & Compliance PowerShell](/powershell/exchange/office-365-scc/connect-to-scc-powershell/connect-to-scc-powershell).

+### Data loss prevention

+- **In preview** Multiple updates for authorization groups in [Configure endpoint DLP settings](/microsoft-365/compliance/dlp-configure-endpoint-settings.md) and [Using Endpoint data loss prevention](/microsoft-365/compliance/endpoint-dlp-using.md).

+ - [Printer groups](/microsoft-365/compliance/dlp-configure-endpoint-settings.md#printer-groups-preview)

+ - [Removable USB storage device groups](/microsoft-365/compliance/dlp-configure-endpoint-settings.md#removable-storage-device-groups-preview)

+ - [Network share paths](/microsoft-365/compliance/dlp-configure-endpoint-settings.md#network-share-groups-preview)

+ - [Website groups](/microsoft-365/compliance/endpoint-dlp-using.md#scenario-4-avoid-looping-dlp-notifications-from-cloud-synchronization-apps-with-auto-quarantine-preview)

+ - [VPN network location groups](/microsoft-365/compliance/dlp-configure-endpoint-settings.md#vpn-settings-preview)

+ - [Sensitive service domains](/microsoft-365/compliance/dlp-configure-endpoint-settings.md#sensitive-service-domains)

+- **In preview** Polices can use grouping of conditions, nesting of groups and the use of boolean operators (AND/OR/NOT) between them.

+ - [Complex rule design](/microsoft-365/compliance/dlp-policy-design.md#complex-rule-design-preview)

+ - [Use trainable classifiers as conditions in DLP policies](/microsoft-365/compliance/dlp-policy-reference.md#location-support-for-how-content-can-be-defined)

+- **In preview** For endpoints, support for detecting sensitive items that are password protected or encrypted.

+ - [Conditions that devices support](/microsoft-365/compliance/dlp-policy-reference.md#conditions-devices-supports)

+- **Generally available** [100 new files types that can be scanned](/exchange/security-and-compliance/mail-flow-rules/inspect-message-attachments.md#supported-file-types-for-mail-flow-rule-content-inspection)

+### Trainable classifiers

+- **In preview** 20 + new trainable classifiers and a standalone trainable classifier definitions article.

+ - [Trainable classifiers definitions](/microsoft-365/compliance/classifier-tc-definitions.md)

+| Training method | Teaching method | Freeform selection method | Layout method |

+| Locations | Can be applied to multiple libraries. | Can be applied to multiple libraries. | Can be applied to multiple libraries. |

+# Add or remove a _Geography_ administrator in Microsoft 365 Multi-Geo

+You can configure separate administrators for each _Geography_ location that you have in your _Tenant_. These administrators will have access to the SharePoint Online and OneDrive settings that are specific to their _Geography_ location.

+Some services - such as the term store - are administered from the _Primary Provisioned Geography_ location and replicated to _Satellite Geography_ locations. The _Geography_ admin for the _Primary Provisioned Geography_ location has access to these, whereas _Geography_ admins for _Satellite Geography_ locations don't.

+Global administrators and SharePoint Online administrators continue to have access to settings in the _Primary Provisioned Geography_ location and all _Satellite Geography_ locations.

+## Configuring _Geography_ administrators

+Configuring _Geography_ admins requires SharePoint Online PowerShell module.

+Use [Connect-SPOService](/powershell/module/sharepoint-online/Connect-SPOService) to connect to the admin center of the _Geography_ location where you want to add the _Geography_ admin. (For example, Connect-SPOService https://ContosoEUR-admin.sharepoint.com.)

+To view the existing _Geography_ admins of a location, run `Get-SPOGeoAdministrator`

+## Adding a user as a _Geography_ admin

+To add a user as a _Geography_ admin, run `Add-SPOGeoAdministrator -UserPrincipalName <UPN>`

+To remove a user as a _Geography_ Admin of a location, run `Remove-SPOGeoAdministrator -UserPrincipalName <UPN>`

+## Adding a group as a _Geography_ admin

+You can add a security group or a mail-enabled security group as a _Geography_ admin. (Distribution groups and Microsoft 365 Groups are not supported.)

+To add a group as a _Geography_ administrator, run `Add-SPOGeoAdministrator -GroupAlias <alias>`

+To remove a group as a _Geography_ administrator, run `Remove-SPOGeoAdministrator -GroupAlias <alias>`

+[Set an alias (MailNickName) for a security group](/powershell/module/azuread/set-azureadgroup)

+ Title: "Service Behavior in a Multi-Geo Enabled Environment"

+# Service behavior a Multi-Geo enabled environment

+Here's a look at how Microsoft 365 services work in a Multi-Geo environment.

+The SharePoint admin center has a [**Geo locations** tab](https://go.microsoft.com/fwlink/?linkid=2185076) in the left navigation that features a geo locations map where you can view and manage your geo locations. Use this page to add or delete geo locations for your _Tenant_.

+A unified [Audit log](https://support.office.com/article/0d4d0f35-390b-4518-800e-0c7ec95e946c) for all your _Satellite Geography_ locations is available from the Microsoft 365 audit log search page. You can see all the audit log entries from across geo locations, for example, NAM & EUR users' activities will show up in one org view and then you can apply existing filters to see specific user's activities.

+There's one central Microsoft Purview compliance portal for a Multi-Geo _Tenant_: [Microsoft Purview admin center](https://compliance.microsoft.com/).

+By default, an eDiscovery Manager or Administrator of a Multi-Geo _Tenant_ will be able to conduct eDiscovery only in the _Primary Provisioned Geography_ of that _Tenant_. The Office 365 global administrator must assign eDiscovery Manager permissions to allow others to perform eDiscovery and assign a "Region" parameter in their applicable Compliance Security Filter to specify the region for conducting eDiscovery as satellite location, otherwise no eDiscovery will be carried out for the satellite location. To configure the Compliance Security Filter for a Region, see [Configure Office 365 Multi-Geo eDiscovery](multi-geo-ediscovery-configuration.md).

+## Exchange Online mailboxes

+Users' Exchange Online mailboxes are moved automatically if their PDL is changed. When a new mailbox is created, it's provisioned to the user's PDL or to the central location if no value has been set for the user's PDL.

+You can set your IP DLP policies for OneDrive for Business, SharePoint Online, and Exchange Online in the Security and Compliance center, scoping policies as needed to the whole _Tenant_ or to applicable users. For example: If you wish to select a policy for a user in a satellite location, select to apply the policy to a specific OneDrive for Business and enter the user's OneDrive for Business URL. See [Overview of data loss prevention policies](https://support.office.com/article/1966b2a7-d1e2-4d92-ab61-42efbb137f5e) for general guidance in creating DLP policies.

+Implementing Information Protection and Microsoft Purview Data Loss Prevention policies to all users in a geo location isn't an option available in the UI, instead you must select the applicable accounts for the policy or apply the policy globally to all accounts.

+Power Apps created for the satellite location will use the end point located in the central location for the _Tenant_. Microsoft Power Apps isn't a Multi-Geo service.

+## Microsoft Power Automate

+Flows created for the satellite location will use the end point located in the default geo location for the _Tenant_. Microsoft Power Automate isn't a Multi-Geo service.

+## SharePoint Online storage quota

+By default, all geo locations of a multi-geo environment share the available _Tenant_ storage quota. You can also manage the storage quota by allocating a specific quota for a particular geo location. For more information, see [SharePoint storage quotas in multi-geo environments](sharepoint-multi-geo-storage-quota.md).

+Administrators can set and manage sharing policies for each of their locations. The OneDrive for Business and SharePoint Online sites in each geo location will honor only the corresponding geo-specific sharing settings. (For example, you can allow [external sharing](https://support.office.com/article/C8A462EB-0723-4B0B-8D0A-70FEAFE4BE85) for your central location, but not for your satellite location or vice versa.) Note that the sharing settings don't allow configuring sharing limitations between geo locations.

+## Microsoft Stream

+Videos uploaded to Microsoft Stream in a 1:1 chat are stored in the OneDrive for Business of the person uploading. Meeting recordings are stored in the OneDrive for Business of each attendee who records the meeting.

+See [Manage metadata in a Multi-Geo tenant](/sharepoint/dev/solution-guidance/multigeo-managedmetadata) for more details and for developer guidance.

+There's a [user profile application](/sharepoint/manage-user-profiles) in each geo location. Each user's profile information is hosted in their geo location and available to the administrator for that geo location.

+See [Work with user profiles in a Multi-Geo tenant](/sharepoint/dev/solution-guidance/multigeo-userprofileexperience) for additional details and for developer guidance.

+Yammer is not a Multi-Geo workload. Yammer threads stored in Yammer will be placed in the _Tenant's_ central location. Yammer is rolling out a file storage change which will store Yammer files within SharePoint. Yammer files stored in SharePoint will be placed the SharePoint site associated with the Yammer group. SharePoint group sites are based on PDL logic as outlined in [SharePoint Sites and Groups](multi-geo-capabilities-in-onedrive-and-sharepoint-online-in-microsoft-365.md#sharepoint-sites-and-groups).

+ Title: "Advanced data residency in Microsoft 365"

+audience: ITPro

+ms.localizationpriority: medium

+search.appverid:

+- MET150

+f1.keywords:

+- NOCSH

+description: Learn about advanced data residency options in Microsoft 365.

+# Advanced Data Residency in Microsoft 365

+## Overview of Advanced Data Residency

+The Microsoft 365 Advanced Data Residency add-on ("ADR") provides eligible customers with expanded coverage of Microsoft 365 workloads and Customer Data, committed data residency for local country datacenter regions, and prioritized tenant migration services. With Advanced Data Residency, enterprise customers can best address their data residency compliance and tenant location requirements.

+The following workloads are included in ADR. For more information, see:

+- [Exchange Online](m365-dr-workload-exo.md)

+- [SharePoint Online and OneDrive for Business](m365-dr-workload-spo.md)

+- [Microsoft Teams](m365-dr-workload-teams.md)

+- [Microsoft Defender for Office P1 and Exchange Online Protection](m365-dr-workload-mdo-p1.md)

+- [Office for the Web](m365-dr-workload-office-for-web.md)

+- [Viva Connections](m365-dr-workload-viva-connections.md)

+- [Viva Topics](m365-dr-workload-viva-topics.md)

+- [Microsoft Purview](m365-dr-workload-purview.md)

+ - [Audit (Standard)](m365-dr-workload-purview.md#purview-audit-standard)

+ - [Audit (Premium)](m365-dr-workload-purview.md#purview-audit-premium)

+ - [Data Retention](m365-dr-workload-purview.md#data-lifecycle-managementdata-retention)

+ - [Microsoft Purview Records Management](m365-dr-workload-purview.md#data-lifecycle-managementrecords-management)

+ - [Sensitivity Labels](m365-dr-workload-purview.md#information-protectionsensitivity-labels)

+ - [Data Loss Prevention](m365-dr-workload-purview.md#information-protectiondata-loss-prevention-dlp)

+ - [Office Message Encryption](m365-dr-workload-purview.md#information-protectionoffice-message-encryption)

+ - [Information Barriers](m365-dr-workload-purview.md#insider-risk-managementinformation-barriers)

+## Licensing and Purchase

+### Licensing Requirements

+- Microsoft 365 F1, F3, E3, or E5

+- Office 365 F3, E1, E3, or E5

+- Exchange Online Plan 1 or Plan 2

+- OneDrive for Business Plan 1 or Plan 2

+- SharePoint Online Plan 1 or Plan 2

+### Eligibility

+The Advanced Data Residency ("ADR") add-on is intended for enterprise customers of Microsoft 365 who have comprehensive data residency requirements. To be eligible to purchase ADR, customers must meet two pre-requisites:

+- Subscription(s) in the _Tenant_ are purchased through Microsoft Enterprise Agreement ("EA") or Web Direct channel.

+- The _Tenant_ _Default Geography_ must be one of the countries included in the _Local Region Geography_

+

+Geographic and channel availability will be updated as available.

+Customers must cover 100% of paid users above with ADR add-on license for tenant to receive data residency for ADR workloads.

+### Mixed/Hybrid Tenants:

+A customer is defined as "mixed" or "hybrid" if they have multiple license types including both Commercial/Public Sector (for example, E3, E5) **and** Education (for example, A1, A3, etc.) licenses in their subscription.

+Mixed/Hybrid customers have rights to purchase full ADR add-on for only the paid portion of Microsoft 365 SKUs and not obligated to cover free subscription types. However, they must cover the paid education seats with ADR (Microsoft 365 A3/A5, Office 365 A3/A5).

+## Data Migration Management

+If all of a customer's tenant data covered by the Advanced Data Residency feature isn't already stored at rest within their eligible _Local Region Geography_, then a data migration to the _Local Region Geography_ will be required. If all of a customer's tenant data covered by the Advanced Data Residency feature is already stored at rest within their eligible _Local Region Geography_, then no data migration to the _Local Region Geography_ will be required.

+### Starting Data Migration

+After a customer has received their Advanced Data Residency licenses, then the customer will need to signal they're ready for their data migration to begin, if one is necessary. To signal your tenant is ready for its data migration, the customer administrator will visit the Data Location section of the Microsoft 365 Admin Console within the Settings -> Org Settings -> Organization Profile area. From here the customer administrator will be able to see the current location of their data-at-rest and what _Local Region Geography_ their customer data will be migrated to, Please Note: Data migration won't begin until the customer administrator has executed this task. Further, the migration expectation discussed elsewhere in this documentation won't start being tracked until this task has been executed by the customer administrator.

+Once the customer signal is received, they'll be provided with their opt-in date and the target date of completion.

+In addition to a notification posted to the Message Center upon completion, the Data Location section in the Microsoft 365 Admin Console will also be updated as each workload requiring a data migration is complete.

+### Migration Expectations

+Microsoft will use reasonable efforts to try to complete an Advanced Data Residency add-on customer migration within twelve (12) months from the time the customer administrator has signaled they're ready for migration. However, Microsoft may not be able to complete the migration within this timeframe for all customers. For example, larger or more complex customers or situations outside of Microsoft's control may require additional time to complete the migration. Advanced Data Residency add-on customers also receive prioritized migration services for their tenants over the legacy Move Program migration option. These migration expectations also apply to all ADR EDU customers as well. Customers utilizing the legacy Move Program for a data migration who don't have the Advanced Data Residency feature, will instead follow [Legacy Move Program Migration Expectations](m365-dr-legacy-move-program.md#migration-expectations).

+Data moves are a back-end service operation with minimal impact to end-users. We adhere to the [Microsoft Online Services Service Level Agreement (SLA)](https://go.microsoft.com/fwlink/p/?LinkId=523897) for availability so there's nothing that customers need to prepare for or to monitor during the move. Notification of any service maintenance is done if needed.

+During the migration process, Microsoft temporarily copies your address book data into Microsoft global resources where it's encrypted and only used to support business continuity and disaster recovery operations (BCDR). After Microsoft has completed the mailbox data moves, Microsoft deletes that temporary data from the global resources. Microsoft continues to invest in global and regional resources regularly. In calendar year 2023, Microsoft plans to utilize regional resources for BCDR purposes during the migration process.

+### During and After your Migration

+Data moves are a back-end operation with minimal if any impact to end users. No action is required while Microsoft moves each service and associated customer data for your tenant to the applicable geography.

+> [!NOTE]

+> Moves occur at different times for each service. As a result, you'll see the described below on reduced functionality for each service happen at different times.

+Watch the Microsoft 365 Message Center for confirmation when moves for each workload service is complete.

+### Impact on End Users and Workloads

+Data moves are a back-end service operation with minimal impact to end-users. Features that can be impacted are listed on the During and after your data move page. We adhere to the [Microsoft Online Services Service Level Agreement (SLA)](https://go.microsoft.com/fwlink/p/?LinkId=523897) for availability so there's nothing that customers need to prepare for or to monitor during the move. Notification of any service maintenance is done if needed.

+### Features Impacted

+Because of the complex nature of the hundreds of services (both standard and customizable) that are available within the many workloads that customers sign up for and use within a typical E3 or E5 license, the migration of customer data from one data center to another could cause minor disruption and/or temporary unavailability of certain services customers use. See the migration sections of each workload in the [Workload Data Residency Capabilities section](m365-dr-workload-exo.md) for more information.

+### Status Notification

+For customers requiring a data migration, they may monitor the Message Center for updates to be provided as each workload completes its data migration. The Data Location section in the Microsoft 365 Admin Console may also be referenced to see if a workload has completed its migration.

+Due to the nature of how migrations work, there's no granular status provided to indicate just how close to completion a migration may be.

+### FAQ

+#### How do enterprise customers purchase the Microsoft 365 Advanced Data Residency add-on?

+<details><summary>Click to expand</summary>

+Eligible enterprise customers should contact their Microsoft account team or Enterprise Agreement licensing partner to facilitate a purchase of Advanced Data Residency add-on. Web Direct customers should purchase through their online account.

+</details>

+#### What does the launch of ADR mean for the Move Program?

+<details><summary>Click to expand</summary>

+The Advanced Data Residency and Move Program efforts will exist simultaneously for a limited time and have different customer commitments. The Move Program is limited to Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams. ADR includes these and more workloads. The Move program was terminated with the launch of the Qatar local datacenter and won't be available for any future local datacenters. Advanced Data Residency customers receive prioritized migration services over Move Program customers. See the Migration Expectation section for more detail.

+</details>

+#### How can I move my data to my country with Advanced Data Residency? What does the process look like?

+<details><summary>Click to expand</summary>

+The first step is to purchase the ADR SKU, refer to [ADR Eligibility](advanced-data-residency.md#eligibility). Once you have purchased ADR, you'll receive a notification via Message Center (in the tenant admin center) outlining the purchase confirmation. After you confirm readiness to begin migrations 12-month expectation to migrate all your customer at-rest data, as it relates to the workloads listed above, will begin. From there all workloads migrating customer data will provide notifications to the tenant admin via Message Center (two messages each; one at the start and end of the migration process).

+</details>

+## Related articles

+[Legacy Move Program](m365-dr-legacy-move-program.md)

+

+[New datacenter geos for Microsoft Dynamics CRM Online](/power-platform/admin/new-datacenter-regions?branch=main)

+

+[Azure services by region](https://azure.microsoft.com/regions/)

+[Teams experience in a Microsoft 365 Multi-Geo-enabled tenancy](/microsoftteams/teams-experience-o365odb-spo-multi-geo?branch=main)

+## Configure Multi-Geo Search

+Your Multi-Geo _Tenant_ will have aggregate search capabilities allowing a search query to return results from anywhere within the _Tenant_.

+By default, searches from these entry points will return aggregate results, even though each search index is located within its relevant _Geography_ location:

+- OneDrive for Business

+- Delve

+- SharePoint Home

+- Search Center

+Additionally, Multi-Geo search capabilities can be configured for your custom search applications that use the SharePoint search API.

+Please review [Configure Search for OneDrive for Business Multi-Geo](configure-search-for-multi-geo.md) for instructions including any limitations and differences.

+## Validating the Microsoft 365 Multi-Geo configuration

+Below are some basic use cases you may wish to include in your validation plan before broadly rolling out Microsoft 365 Multi-Geo to your company. Once you have completed these tests and any additional use cases that are relevant to your company, you may choose to move on to adding the users in your initial pilot group.

+OneDrive for Business:

+Select OneDrive from the Microsoft 365 app launcher and confirm that you are automatically directed to the appropriate _Geography_ location for the user, based on the user's PDL. OneDrive for Business should now begin provisioning at that location. Once provisioned, try uploading and downloading some documents.

+OneDrive Mobile App:

+Log in to your OneDrive mobile App with your test account credentials. Confirm that you can see your OneDrive for Business files and can interact with them from your mobile device.

+OneDrive sync client:

+Confirm that the OneDrive sync client automatically detects your OneDrive for Business _Geography_ location upon login. If you need to download the sync client, you can click **Sync** in the OneDrive library.

+Office applications:

+Confirm that you can access OneDrive for Business by logging in from an Office application, such as Word. Open the Office application and select **OneDrive ΓÇô \<TenantName\>**. Office will detect your OneDrive location and show you the files that you can open.

+Sharing:

+Try sharing OneDrive files. Confirm that the people picker shows you all your SharePoint online users regardless of their _Geography_ location.

+In a multi-geo environment, each _Geography_ location has its own search index and Search Center. When a user searches, the query is fanned out to all the indexes, and the returned results are merged.

+For example, a user in one _Geography_ location can search for content stored in another _Geography_ location, or for content on a SharePoint site that's restricted to a different Geography location. If the user has access to this content, search will show the result.

+## Which search clients work in a Multi-Geo environment?

+These clients can return results from all Geography locations:

+As soon as the Multi-Geo environment has been set up, users that search in OneDrive get results from all _Geography_ locations.

+As soon as the Multi-Geo environment has been set up, users that search in Delve get results from all _Geography_ locations.

+The Delve feed and the profile card only show previews of files that are stored in the central location. For files that are stored in _Satellite Geography_ locations, the icon for the file type is shown instead.

+As soon as the Multi-Geo environment has been set up, users will see news, recent and followed sites from multiple _Geography_ locations on their SharePoint home page. If they use the search box on the SharePoint home page, they'll get merged results from multiple _Geography_ locations.

+After the multi-geo environment has been set up, each Search Center continues to only show results from their own _Geography_ location. Admins must [change the settings of each Search Center](#_Set_up_a_1) to get results from all _Geography_ locations. Afterwards, users that search in the Search Center get results from all _Geography_ locations.

+As usual, custom search applications interact with the search indexes by using the existing SharePoint Search REST APIs. To get results from all, or some _Geography_ locations, the application must [call the API and include the new Multi-Geo query parameters](#_Get_custom_search) in the request. This triggers a fan out of the query to all _Geography_ locations.

+## What's different about search in a Multi-Geo environment?

+<td align="left">You can create query rules with promoted results at different levels: for the whole _Tenant_, for a site collection, or for a site. In a Multi-Geo environment, define promoted results at the _Tenant_ level to promote the results to the Search Centers in all _Geography_ locations. If you only want to promote results in the Search Center that's in the _Geography_ location of the site collection or site, define the promoted results at the site collection or site level. These results are not promoted in other _Geography_ locations.</td>

+<td align="left">If you don't need different promoted results per _Geography_ location, for example different rules for traveling, we recommend defining promoted results at the _Tenant_ level.</td>

+<td align="left">Search returns refiners from all the _Geography_ locations of a _Tenant_ and then aggregates them. The aggregation is a best effort, meaning that the refiner counts might not be 100% accurate. For most search-driven scenarios, this accuracy is sufficient.

+<td align="left">For search-driven applications that depend on refiner completeness, query each _Geography_ location independently.</td>

+<td align="left">Multi-Geo search doesn't support dynamic bucketing for numerical refiners.</td>

+<td align="left">If you're developing a search-driven application that depends on document IDs, note that document IDs in a Multi-Geo environment aren't unique across _Geography_ locations, they are unique per _Geography_ location.</td>

+<td align="left">We've added a column that identifies the _Geography_ location. Use this column to achieve uniqueness. This column is named "GeoLocationSource".</td>

+<td align="left">The search results page shows combined results from the _Geography_ locations, but it's not possible to page beyond 500 results.</td>

+<td align="left">Guests only get results from the _Geography_ location that they're searching from.</td>

+## How does search work in a Multi-Geo environment?

+2. The query is sent to all _Geography_ locations in the _Tenant_.

+3. Search results from each _Geography_ location are merged and ranked.

+Custom search applications get results from all, or some, _Geography_ locations by specifying query parameters with the request to the SharePoint Search REST API. Depending on the query parameters, the query is fanned out to all _Geography_ locations, or to some geo locations. For example, if you only need to query a subset of _Geography_ locations to find relevant information, you can control the fan out to only these. If the request succeeds, the SharePoint Search REST API returns response data.

+EnableMultiGeoSearch - This is a Boolean value that specifies whether the query shall be fanned out to the indexes of other geo locations of the multi-geo _Tenant_. Set it to **true** to fan out the query; **false** to not fan out the query. If you don't include this parameter, the default value is **false**, except when making a REST API call against a site which uses the Enterprise Search Center template, in this case the default value is **true**. If you use the parameter in an environment that isn't multi-geo, the parameter is ignored.

+MultiGeoSearchConfiguration - This is an optional list of which geo locations in the multi-geo _Tenant_ to fan the query out to when **EnableMultiGeoSearch** is **true**. If you don't include this parameter, or leave it blank, the query is fanned out to all geo locations. For each geo location, enter the following items, in JSON format:

+<td align="left">The _Geography_ location, for example NAM.</td>

+<td align="left">Full results from <strong>all</strong> the _Geography_ locations.</td>

+<td align="left">Partial results from one or more _Geography_ locations. The results are incomplete due to a transient error.</td>

+Here's a sample CSOM query that's fanned out to **all** _Geography_ locations:

+ Title: OneDrive Cross-Tenant User Data Migration Step 1

+recommendations: true

+audience: ITPro

+ms.localizationpriority: high

+- SPMigration

+- M365-collaboration

+- m365initiative-migratetom365

+search.appverid: MET150

+description: "Step 1 of the OneDrive Cross-tenant migration feature"

+# Step 1: Connect to the source and target tenants

+This is Step 1 in a solution designed to complete a Cross-tenant OneDrive migration. To learn more, see [Cross-tenant OneDrive migration overview](cross-tenant-onedrive-migration.md).

+- **Step 1: [Connect to the source and the target tenants](cross-tenant-onedrive-migration-step1.md)**

+- Step 2: [Establish trust between the source and the target tenant](cross-tenant-onedrive-migration-step2.md)

+- Step 3: [Verify trust has been established](cross-tenant-onedrive-migration-step3.md)

+- Step 4: [Pre-create users and groups](cross-tenant-onedrive-migration-step4.md)

+- Step 5: [Prepare identity mapping](cross-tenant-onedrive-migration-step5.md)

+- Step 6: [Start a Cross-tenant OneDrive migration](cross-tenant-onedrive-migration-step6.md)

+- Step 7: [Post migration steps](cross-tenant-onedrive-migration-step7.md)

+## Before you begin

+- **Microsoft SharePoint Online Powershell**. Confirm you have the most recent version installed. If not, [Download SharePoint Online Management Shell from Official Microsoft Download Center](/download/details.aspx?id=35588).

+- Be a SharePoint Online admin or Microsoft 365 Global admin on both the source and target tenants

+### Connect to both tenants

+1. Sign in to the Sharepoint Management Shell as a SharePoint Online admin or Microsoft 365 Global admin.

+2. Run the following entering the **source** tenant URL:

+ ```powershell

+ Connect-SPOService -url https://<TenantName>-admin.sharepoint.com

+ ```

+3. When prompted, sign in to the **source** tenant using your Admin username and password.

+

+4. Run the following entering the **target** tenant URL:

+ ```powershell

+ Connect-SPOService -url https://<TenantName>-admin.sharepoint.com

+ ```

+5. When prompted, sign in to the **target** tenant using your Admin username and password.

+>[!Important]

+>**Microsoft 365 Multi-Geo customers:** You must treat each geography as a separate tenant. Provide the correct geography-specific URLs throughout the migration process.

+## Step 2: [Establish trust between the source and target tenants](cross-tenant-onedrive-migration-step2.md)

+ Title: OneDrive Cross-Tenant User Data Migration Step 2

+recommendations: true

+audience: ITPro

+ms.localizationpriority: high

+- SPMigration

+- M365-collaboration

+- m365initiative-migratetom365

+search.appverid: MET150

+description: "Step 2 of the OneDrive Cross-tenant migration feature"

+# Step 2: Establishing trust between the source and target tenants

+This is Step 2 in a solution designed to complete a Cross-tenant OneDrive migration. To learn more, see [Cross-tenant OneDrive migration overview](cross-tenant-onedrive-migration.md).

+- Step 1: [Connect to the source and the target tenants](cross-tenant-onedrive-migration-step1.md)

+- **Step 2: [Establish trust between the source and the target tenant](cross-tenant-onedrive-migration-step2.md)**

+- Step 3: [Verify trust has been established](cross-tenant-onedrive-migration-step3.md)

+- Step 4: [Pre-create users and groups](cross-tenant-onedrive-migration-step4.md)

+- Step 5: [Prepare identity mapping](cross-tenant-onedrive-migration-step5.md)

+- Step 6: [Start a Cross-tenant OneDrive migration](cross-tenant-onedrive-migration-step6.md)

+- Step 7: [Post migration steps](cross-tenant-onedrive-migration-step7.md)

+After connecting to the source and target tenant, the next step in performing a cross-tenant OneDrive migration is establishing trust between the tenants.

+To establish trust, each SharePoint Online tenant administrator must run specific commands on both source and target tenants. Once the trust has been requested, the administrator of the target tenant will receive an email informing them that another tenant is trying to establish a trust relationship.

+>[!Note]

+>The "trust" command is specific to SharePoint Online. It only grants permission for the SharePoint administrator on the source tenant to execute OneDrive Migration operations to the identified target tenant.

+>

+>Granting trust *doesn't* give the administrator any visibility, permission, or ability to collaborate between the source tenant and the target tenant.

+>[!Important]

+>If you are Microsoft 365 Multi-Geo customer, you must establish trust between each geography involved in your migration project.

+>

+## Before you begin

+Before running the trust commands, obtain the cross-tenant host URLs for both the source and target tenants. You'll need these URLs when establishing the trust relationship between source-to-target and target-to-source.

+**To obtain the cross-tenant host URLs:**

+On both the source and target tenants, run:

+```powershell

+Get-SPOCrossTenantHostURL

+```

+ΓÇâ

+*Example:* Run command on Source tenant:

+ :::image type="content" source="../media/cross-tenant-migration/t2t-onedrive-hosturl-source.png" alt-text="example of how to obtain host url for source":::

+*Example:* Run command on target tenant:

+

+## Run the trust commands

+These commands send a request to the tenant with whom you want to establish trust.

+1. On the source tenant, run this command to send a trust request to the target tenant:

+```powershell

+Set-SPOCrossTenantRelationship -Scenario MnA -PartnerRole Target -PartnerCrossTenantHostUrl <TARGETCrossTenantHostUrl>

+

+```

+</br>

+2. On the target tenant, run this command to send a trust request to the source tenant:

+```powershell

+Set-SPOCrossTenantRelationship -Scenario MnA -PartnerRole Source -PartnerCrossTenantHostUrl <SOURCECrossTenantHostUrl>

+```

+

+### Parameter definitions

+|Parameter|Definition|

+|:--|:--|

+|PartnerRole|Roles of the partner tenant you're establishing trust with. Use *source* if partner tenant is the source of the OneDrive migrations, and *target* if the partner tenant is the Destination.

+|PartnerCrossTenantHostURL|The cross-tenant host URL of the partner tenant. The partner tenant can determine this for you by running: *Get-SPOCrossTenantHostURL* on each of the tenants.|

+## Sample trust email

+The following in an example of the email that is sent to global admins:

+**Subject:** SPO Tenant [https://a830edad9050849mnaus093022-my.sharepoint.com/] [setuporupdate] Organization Relation [Scenario=MnA, Role=Source] with us

+**Message:** SPO Tenant [https://a830edad9050849mnaus093022-my.sharepoint.com/] [setuporupdate] Organization Relation [Scenario=MnA, Role=Source] with us

+## Step 3: [Verify that trust has been established](cross-tenant-onedrive-migration-step3.md)

+ Title: OneDrive Cross-Tenant User Data Migration Step 3

+recommendations: true

+audience: ITPro

+ms.localizationpriority: high

+- SPMigration

+- M365-collaboration

+- m365initiative-migratetom365

+search.appverid: MET150

+description: "Step 3 of the OneDrive Cross-tenant migration feature"

+# Step 3: Verifying trust

+This is Step 3 in a solution designed to complete a Cross-tenant OneDrive migration. To learn more, see [Cross-tenant OneDrive migration overview](cross-tenant-onedrive-migration.md).

+- Step 1: [Connect to the source and the target tenants](cross-tenant-onedrive-migration-step1.md)

+- Step 2: [Establish trust between the source and the target tenant](cross-tenant-onedrive-migration-step2.md)

+- **Step 3: [Verify trust has been established](cross-tenant-onedrive-migration-step3.md)**

+- Step 4: [Pre-create users and groups](cross-tenant-onedrive-migration-step4.md)

+- Step 5: [Prepare identity mapping](cross-tenant-onedrive-migration-step5.md)

+- Step 6: [Start a Cross-tenant OneDrive migration](cross-tenant-onedrive-migration-step6.md)

+- Step 7: [Post migration steps](cross-tenant-onedrive-migration-step7.md)

+Before proceeding with your migration, you'll need to verify the trust is complete. A status of *GoodToProceed*, confirms that the trust is verified.

+## To verify trust has been established

+1. On the **source tenant** run:

+

+```powershell

+Verify-SPOCrossTenantRelationship -Scenario MnA -PartnerRole Target -PartnerCrossTenantHostUrl <TARGETCrossTenantHostUrl>

+```

+2. On the **target tenant** run:

+```powershell

+Verify-SPOCrossTenantRelationship -Scenario MnA -PartnerRole Source -PartnerCrossTenantHostUrl <SOURCECrossTenantHostUrl>

+```

+## Troubleshooting trust issues

+When verifying trust, possible values

+|Value|Description|

+|:--|:--|

+|NotEstablished|Trust hasn't been requested locally.|

+|NotEstablishedByPartner|Trust hasn't been requested by the partner|

+|DormantByPartner|PartnerΓÇÖs requested trust is within the seven days waiting period after creation.|

+|CouldNotContactPartner|Couldn't contact the partner to determine status.|

+|GoodToProceed|Verified to proceed.|

+## Step 4: [Pre-create users and groups](cross-tenant-onedrive-migration-step4.md)

+ Title: OneDrive Cross-Tenant User Data Migration Step 4

+recommendations: true

+audience: ITPro

+ms.localizationpriority: high

+- SPMigration

+- M365-collaboration

+- m365initiative-migratetom365

+search.appverid: MET150

+description: "Step 4 of the OneDrive Cross-tenant migration feature"

+# Step 4: Pre-creating users and groups

+This is Step 4 in a solution designed to complete a Cross-tenant OneDrive migration. To learn more, see [Cross-tenant OneDrive migration overview](cross-tenant-onedrive-migration.md).

+- Step 1: [Connect to the source and the target tenants](cross-tenant-onedrive-migration-step1.md)

+- Step 2: [Establish trust between the source and the target tenant](cross-tenant-onedrive-migration-step2.md)

+- Step 3: [Verify trust has been established](cross-tenant-onedrive-migration-step3.md)

+- **Step 4: [Pre-create users and groups](cross-tenant-onedrive-migration-step4.md)**

+- Step 5: [Prepare identity mapping](cross-tenant-onedrive-migration-step5.md)

+- Step 6: [Start a Cross-tenant OneDrive migration](cross-tenant-onedrive-migration-step6.md)

+- Step 7: [Post migration steps](cross-tenant-onedrive-migration-step7.md)

+## Identify users and groups to be migrated

+To ensure that OneDrive permissions are retained as part of the migration, a mapping file needs to be created to align users from the source tenant to the target tenant.

+1. Identify the full list of OneDrive sites that will be migrated from the source to the target tenant.

+2. Prepare a complete list of users and groups that will be migrated to the target tenant.

+## Pre-create users and groups on the target tenant

+1. Pre-create users and groups as needed in the target tenantΓÇÖs directory.

+2. All users whose OneDrive accounts are migrating to the target tenant must have new user identities created for them in the target tenant.

+3. All users whose OneDrive accounts are migrating to the target tenant must be assigned the appropriate OneDrive license.

+4. Any users who remain in the source tenant but need access to resources migrating to the target tenant should have new guest identities created for them in the target tenant.

+5. Pre-created users must be added as members of any appropriate security groups or unified groups before the OneDrive migration begins.

+6. If the user or group name already exists in the target tenant, create a user or group with a different name and make a note of it for the next step.

+7. We recommend that OneDrive site creations are restricted in the target tenant to prevent users from creating OneDrive sites.

+>[!Note]

+>To learn more on restricting OneDrive site creation, see [Disable OneDrive creation for some users](/sharepoint/manage-user-profiles#disable-onedrive-creation-for-some-users)

+## Step 5: [Prepare the identity mapping file](cross-tenant-onedrive-migration-step5.md)

+ Title: OneDrive Cross-Tenant User Data Migration Step 5

+recommendations: true

+audience: ITPro

+ms.localizationpriority: high

+- SPMigration

+- M365-collaboration

+- m365initiative-migratetom365

+search.appverid: MET150

+description: "Step 5 of the OneDrive Cross-tenant migration feature"

+# Step 5: Identity mapping

+This is Step 5 in a solution designed to complete a Cross-tenant OneDrive migration. To learn more, see [Cross-tenant OneDrive migration overview](cross-tenant-onedrive-migration.md).

+- Step 1: [Connect to the source and the target tenants](cross-tenant-onedrive-migration-step1.md)

+- Step 2: [Establish trust between the source and the target tenant](cross-tenant-onedrive-migration-step2.md)

+- Step 3: [Verify trust has been established](cross-tenant-onedrive-migration-step3.md)

+- Step 4: [Pre-create users and groups](cross-tenant-onedrive-migration-step4.md)

+- **Step 5: [Prepare identity mapping](cross-tenant-onedrive-migration-step5.md)**

+- Step 6: [Start a Cross-tenant OneDrive migration](cross-tenant-onedrive-migration-step6.md)

+- Step 7: [Post migration steps](cross-tenant-onedrive-migration-step7.md)

+## Create the identity mapping file

+In this step of the cross-tenant migration process, you're going to create a single CSV (comma separated values) file that contains the mapping of the users and groups on the source tenant to their corresponding users and groups on the target tenant.

+We recommend that you take the time to verify your mappings, ensuring they're accurate before starting any migrations to the target tenant.

+There's a one-to-one relationship in the identity mapping file. You can't map the same user to multiple users in the target tenant. For example, if you have instances where the admin is the owner of multiple OneDrive accounts, the ownership must be changed to match the corresponding user you wish to migrate from Source to Target. If you don't, those account files won't migrate.

+**Example:** In this example, the admin owns multiple OneDrive accounts.

+|Source Tenant Owner |Target Tenant User|

+|:--|:--|

+|admin@source.com  |new.userA@target.com|

+|admin@source.com |new.userB@target.com|

+|admin@source.com |new.userC@target.com|

+Cross-tenant migration supports this scenario:

+**Example**

+|Source Tenant Owner|Target Tenant User|

+|:--|:--|

+|userA@source.com|new.userA@target.com|

+|userB@source.com|new.userB@target.com|

+|userC@source.com|new.userC@target.com|

+### Create the CSV file

+There are six columns needed in your CSV file. The first three are your source values, each providing detail about where your data is currently located. The remaining three columns are the corresponding info on the target tenant. All six columns must be accounted for in the file. Create your file in Excel and save it as a .csv file.

+Users and groups are included in the same file. Depending on whether it's a user or group, what you enter in the column is different. In each of the columns enter values as shown in the examples. **Do NOT include column headings.**

+|Column|User|Group|

+|:--|:--|:--|

+|1|User|Group|

+|2|SourceTenantCompanyID|SourceTenantCompanyID|

+|3|SourceUserUpn|SourceGroupObjectID|

+|4|TargetUserUpn|TargetGroupObjectID|

+|5|TargetUserEmail|GroupName|

+|6|UserType|GroupType|

+>[!Important]

+>Do NOT include column headings in your CSV file. In the examples below we include them for illustrative purposes only.

+**Users**. Enter your values as shown in this example for guests:

+**Groups**. Enter your values as shown in this example for guests:

+</br>

+</br>

+*Example*:

+**Guest users**. You can map guest accounts in the source tenant to member accounts in the target tenant. You can also map a guest account in the source to a guest account in the target if the guest has been previously created. Enter your values as shown in this example for guests:

+</br>

+*Example of multiple users in CSV file:* </br>

+## Obtain the source tenant company ID

+To obtain Source Tenant Company ID:

+1. Sign in as Admin to your [Azure portal](https://ms.portal.azure.com/)

+2. Select or Search for **Azure Active Directory**.

+3. Scroll down on the left-hand panel and select **Properties**.

+4. Locate the **Tenant ID Field**. The required Tenant ID will be in that box.

+## To obtain source group object ID:

+1. Sign in to source tenant as Admin to [Azure Groups](https://ms.portal.azure.com).

+2. Search for your required group(s).

+3. Select the required Group instance and then **Copy to clipboard**. Paste this value in the sourceGroupObjectId column of your mapping CSV file.

+4. If you have multiple Groups to map, then repeat these steps for each group.

+### To obtain target group object ID:

+1. Sign in to Target tenant as Admin to [Azure Groups](https://ms.portal.azure.com)

+2. Search for your required group(s).

+3. Select the required group instance and then **Copy to clipboard**. Paste this value in the targetGroupObjectId column of your mapping CSV file.

+4. If you have multiple groups to map, then repeat the above process to obtain those specific targetGroupObjectId's.

+5. For the GroupName, use the same ID as the *TargetGroupObjectId* you obtained.

+

+## Upload the identity map

+Once the identity mapping file has been prepared, the SharePoint Administrator on the target tenant uploads the file to SharePoint. This will allow identity mapping to occur automatically as part of the cross-tenant migration.

+>[!Important]

+>Before you run the *Add-SPOTenantIdentityMap ΓÇôIdentityMapPath* command, save and close the identitymap.csv file on your Desktop/OneDrive/SharePoint. If the file remains open, you will receive the following error.

+>

+>*Add-SPOTenantIdentityMap: The process cannot access the file 'C:\Users\myuser\Test-Identity-Map.csv' because it is being used by another process.*

+1. To upload the identity Map on the target tenant, run the following command. For *-IdentityMapPath*, provide the full path and filename of the identity mapping CSV file.

+```powershell

+Add-SPOTenantIdentityMap ΓÇôIdentityMapPath <identitymap.csv>

+```

+>[!Important]

+>If you make or need to make any changes to your Identity Map during the lifecycle of the migration you must run the *Add-SPOTenantIdentityMap ΓÇôIdentityMapPath <identitymap.csv>* command **every time** a change is made to ensure those changes are applied to the migration.

+Uploading any new identity map will overwrite the current one. Make sure that any revision or addition includes ALL users and groups for the full migration. Your identity map should always include everyone you're wanting to migrate.

+To look at the mapping entries in the identity mapping file for a particular user, use the command *Get-SPOTenantIdentityMappingUser* with Field as *SourceUserKey* and Value as the UPN of the user you are moving.

+**Example:**

+```powershell

+get-spoTenantIdentityMappingUser -Field SourceUserKey -Value usera@Contoso.onmicrosoft.com

+```

+## Verify cross-tenant compatibility status

+Before starting any cross-tenant migrations, make sure that both SharePoint database schemas are up to date and compatible between source and target.

+To perform this check, run the below cmdlet on your Source tenant.

+```Powershell

+Get-SPOCrossTenantCompatibilityStatus ΓÇôPartnerCrossTenantHostURL [Target tenant hostname]

+Get-SPOCrossTenantCompatibilityStatus ΓÇôPartnerCrossTenantHostURL https://m365x12395529-my.sharepoint.com

+```

+- If the tenants are compatible, you can then proceed with the next step of starting cross-tenant migrations.

+- If the tenants are incompatible, your tenants will need to be patched/updated to ensure compatibility.

+>[!Note]

+>We recommend waiting a period of 24-hours. If your tenants are still reporting as *incompatible*, contact support.

+>[!Note]

+>We recommend performing the compatibility status check on a frequent basis and prior to starting ANY instances of cross tenant migrations. If the tenants are not compatible, this can result in cross-tenant migrations failing.

+## Step 6: [Start a OneDrive cross-tenant migration](cross-tenant-onedrive-migration-step6.md)

+ Title: OneDrive Cross-Tenant User Data Migration Step 6

+recommendations: true

+audience: ITPro

+ms.localizationpriority: high

+- SPMigration

+- M365-collaboration

+- m365initiative-migratetom365

+search.appverid: MET150

+description: "Step 6 of the OneDrive Cross-tenant migration feature"

+# Step 6: Start a OneDrive cross-tenant migration

+This is Step 6 in a solution designed to complete a Cross-tenant OneDrive migration. To learn more, see [Cross-tenant OneDrive migration overview](cross-tenant-onedrive-migration.md).

+- Step 1: [Connect to the source and the target tenants](cross-tenant-onedrive-migration-step1.md)

+- Step 2: [Establish trust between the source and the target tenant](cross-tenant-onedrive-migration-step2.md)

+- Step 3: [Verify trust has been established](cross-tenant-onedrive-migration-step3.md)

+- Step 4: [Pre-create users and groups](cross-tenant-onedrive-migration-step4.md)

+- Step 5: [Prepare identity mapping](cross-tenant-onedrive-migration-step5.md)

+- **Step 6: [Start a Cross-tenant OneDrive migration](cross-tenant-onedrive-migration-step6.md)**

+- Step 7: [Post migration steps](cross-tenant-onedrive-migration-step7.md)

+Now you're ready to start your OneDrive migration. Before starting any cross-tenant migration, do the following steps.

+1. Ensure you've verified the compatibility status. if you see a compatible status on your source tenant you may continue. Run:

+```powershell

+Get-SPOCrossTenantCompatibilityStatus ΓÇôPartnerCrossTenantHostURL [Target tenant hostname]

+```

+2. To start the migration, a SharePoint Online Admin or Microsoft 365 Global Admin of the source tenant must run the following command:

+```PowerShell

+Start-SPOCrossTenantUserContentMove -SourceUserPrincipalName <…> -TargetUserPrincipalName <…> -TargetCrossTenantHostUrl <…>

+```

+|Parameters|Description|

+|:--|:--|

+|SourceUserPrincipalName|User principal name of the user who owns the OneDrive on the Source tenant.|

+|TargetUserPrincipalName|User principal name of the user who owns the OneDrive on the Target tenant.|

+|TargetCrossTenantHostUrl|The Cross-tenant Host URL of the target tenant. To find the TargetCrossTenantHostUrl, run *Get-SPOCrossTenantHostUrl* on the tenant.|

+Example:

+```Powershell

+Start-SPOCrossTenantUserContentMove -SourceUserPrincipalName DiegoS@M365x016651.OnMicrosoft.com -TargetUserPrincipalName

+ Test-Diego@M365x946316.OnMicrosoft.com -TargetCrossTenantHostUrl https://m365x946316-my.sharepoint.com/

+```

+To Schedule a migration for a later time, you may use and append the above command with the one of the following parameters.

+These commands can be useful when planning bulk batches of OneDrive migrations. You can queue/migrate up to 4,000 OneDrive migrations per batch. If your user count exceeds 4,000, create separate batches, and schedule them to run once the current batch is close to completion.

+|Parameter|Description|

+|:--|:--|

+|PreferredMoveBeginDate|The migration will likely begin at this specified time. Time must be specified in Coordinated Universal Time (UTC).|

+|PreferredMoveEndDate|The migration will likely be completed by this specified time, on a best effort basis. Time must be specified in Coordinated Universal Time (UTC).|

+## OneDrive status pre-migration

+Before starting the migration, the users current source OneDrive status will be similar to the example below. This example is from the users source tenant, showing their current files and folders.

+## Cancelling a OneDrive migration

+You can stop the cross-tenant migration of a user's OneDrive by using the following command, provided the migration isn't In Progress or Success status.

+```powershell

+Stop-SPOCrossTenantUserContentMove ΓÇô SourceUserPrincipalName [UPN name of user who you wish to stop]

+Stop-SPOCrossTenantUserContentMove ΓÇô SourceUserPrincipalName DiegoS@M365x016651.OnMicrosoft.com

+```

+## Determining current status of a migration

+After starting your migration, you can check its status using the following command on either the source OR target tenant:

+**Source command format**

+```powershell

+Get-SPOCrossTenantUserContentMoveState -PartnerCrossTenantHostURL [Target URL]

+```

+Example:

+```Powershell

+Get-SPOCrossTenantUserContentMoveState -PartnerCrossTenantHostURL https://m365x946316-my.sharepoint.com/

+```

+**Target command:**

+```powershell

+Get-SPOCrossTenantUserContentMoveState -PartnerCrossTenantHostURL [Source URL]

+Get-SPOCrossTenantUserContentMoveState -PartnerCrossTenantHostURL https://m365x016551-my.sharepoint.com/

+```

+To find the status of a specific user's migration, use the *UserPrincipalName* parameter:

+```powershell

+Get-SPOCrossTenantUserContentMoveState -PartnerCrossTenantHostURL <PartnerCrossTenantHostURL> -SourceUserPrincipalName <UPN>

+Get-SPOUserAndContentMoveState -PartnerCrossTenantHostURL https://m365x946316-my.sharepoint.com -SourceUserPrincipalName DiegoS@M365x016651.OnMicrosoft.com

+```

+To get the status of the move based on a particular userΓÇÖs UPN but with more information, use the *-Verbose* parameter.

+Example:

+```PowerShell

+Get-SPOCrossTenantUserContentMoveState -PartnerCrossTenantHostURL https://ttesttenant-my.sharepoint.com -SourceUserPrincipalName User3@stesttenant.onmicrosoft.com -Verbose

+```

+## Migration States

+|Status|Description|

+|:--|:--|

+|NotStarted|The migration hasn't yet started.|

+|Scheduled|The migration is now in the queue and is scheduled to run when a slot becomes available.|

+|ReadytoTrigger|The Migration is in its pre-flight stage and will start the Migration shortly.|

+|InProgress|The migration is in progress in one of the following states: </br>- Validation </br>- Backup </br>- Restore </br>- Cleanup|

+|Success|The Migration has completed successfully.|

+|Rescheduled|The migration may not have completed and has been requeued for another pass.|

+|Failed |The migration failed to complete.|

+

+## Post-migration status checks

+**Target tenant:**

+After the migration has successfully completed, check the status of the user on the target tenant by logging into their new OneDrive account.

+**Source tenant:**

+Since the user has successfully migrated to the target tenant, they no longer have an active OneDrive account on the source.

+## Step 7: [Post migration steps](cross-tenant-onedrive-migration-step7.md)

+ Title: OneDrive Cross-Tenant User Data Migration Step 7

+recommendations: true

+audience: ITPro

+ms.localizationpriority: high

+- SPMigration

+- M365-collaboration

+- m365initiative-migratetom365

+search.appverid: MET150

+description: "Step 7 of the OneDrive Cross-tenant migration feature"

+# Step 7: Post migration steps

+This is Step 7 in a solution designed to complete a Cross-tenant OneDrive migration. To learn more, see [Cross-tenant OneDrive migration overview](cross-tenant-onedrive-migration.md).

+- Step 1: [Connect to the source and the target tenants](cross-tenant-onedrive-migration-step1.md)

+- Step 2: [Establish trust between the source and the target tenant](cross-tenant-onedrive-migration-step2.md)

+- Step 3: [Verify trust has been established](cross-tenant-onedrive-migration-step3.md)

+- Step 4: [Pre-create users and groups](cross-tenant-onedrive-migration-step4.md)

+- Step 5: [Prepare identity mapping](cross-tenant-onedrive-migration-step5.md)

+- Step 6: [Start a Cross-tenant OneDrive migration](cross-tenant-onedrive-migration-step6.md)

+- **Step 7: [Post migration steps](cross-tenant-onedrive-migration-step7.md)**

+## Removing trust relationship

+>[!Important]

+>Ensure you remove the Trust Relationship on both source and target tenants before your source tenant licenses expire. Once the licenses expire, the trust removal command will not work on source.

+1. On the source tenant, run this command to remove the trust relationship between Source and Target tenant.

+```powershell

+Remove-SPOCrossTenantRelationship -Scenario MnA -PartnerRole Target -PartnerCrossTenantHostUrl <TARGETCrossTenantHostUrl>

+```

+</br>

+2. On the target tenant, run this command to remove the trust relationship between the target and source tenant.

+```powershell

+Remove-SPOCrossTenantRelationship -Scenario MnA -PartnerRole Target -PartnerCrossTenantHostUrl <TARGETCrossTenantHostUrl>

+```

+### Parameter definitions

+|Parameter|Definition|

+|:--|:--|

+|PartnerRole|Roles of the partner tenant you're establishing trust with. Use *source* if partner tenant is the source of the OneDrive migrations, and *target* if the partner tenant is the destination.

+|PartnerCrossTenantHostURL|The cross-tenant host URL of the partner tenant. The partner tenant can determine this for you by running: *Get-SPOCrossTenantHostURL* on each of the tenants.|

+## Other post migration steps

+Once the migration is complete, OneDrive users must sign in using their new identity and resync their files to their devices on the target tenant.

+### OneDrive for Business

+With their new credentials, have users sign in to OneDrive using the Microsoft 365 app launcher or a web browser.

+### Permissions on OneDrive content

+Users with permission to access OneDrive content will continue to be able to access it, provided they were included in the identity mapping file

+### OneDrive Sync Client

+The user must sign in to the **OneDrive Sync Client** and their new OneDrive location using their new identity. Once you've completed that step, the files and folders will begin resyncing to the device.

+### Sharing Links

+The existing shared links for the migrated files will automatically redirect to the new target location.

+> Information in this article refers to **Cross-tenant OneDrive migration**. For mailbox migration, see [Cross-tenant mailbox migration](/microsoft-365/enterprise/cross-tenant-mailbox-migration).

+## Overview

+During mergers or divestitures, you commonly need the ability to move users OneDrive accounts into a new Microsoft 365 tenant. With Cross-tenant OneDrive migration, tenant administrators can use familiar tools like *SharePoint Online PowerShell* to transition users into their new organization.

+SharePoint administrators of two separate tenants can use the *Set-SPOCrossTenantRelationship* cmdlet to establish an organization relationship, and the *Start-SPOCrossTenantUserContentMove* command to begin cross-tenant OneDrive moves.

+>[!Note]

+>This feature is not supported for users of the Government Cloud, including GCC, Consumer, GCC High, or DoD.

+## Licensing

+**Cross Tenant User Data Migration** is available as an add-on to the following Microsoft 365 subscription plans for Enterprise Agreement customers. User licenses are per migration (onetime fee). Please contact your Microsoft account team for details.

+

+Microsoft 365 Business Basic/Business Standard/Business Premium/F1/F3/E3/A3/E5/A5; Office 365 F3/E1/A1/E3/A3/E5/A5; Exchange Online; SharePoint Online; OneDrive for Business.

+## Prerequisites and settings

+- **Microsoft SharePoint Online Powershell**. Confirm you have the most recent version installed. [Download SharePoint Online Management Shell from Official Microsoft Download Center](/download/details.aspx?id=35588)

+- **Turn off service encryption with Customer Key enabled.** Confirm that the source OneDrive tenant **doesn't** have Service encryption with Microsoft Purview Customer Key enabled. If enabled on Source tenant, the migration will fail. [Learn more on Service encryption with Microsoft Purview Customer Key](/microsoft-365/compliance/customer-key-overview)

+- Source OneDrive accounts must be set to Read/Write. If set to Read only, they'll fail.

+## Pre-create target accounts

+- Ensure all users and groups identified for migration have been pre-created on the target tenant.

+- Assign the appropriate licenses to each user on the target tenant.

+- We recommend that OneDrive site creation be restricted in the target tenant to prevent users from creating OneDrive sites. If a OneDrive site already exists for the user on the target tenant, the migration will fail. You can't overwrite an existing site.

+>[!Note]

+>To learn more about restricting OneDrive site creation, see [Disable OneDrive creation for some users](/sharepoint/manage-user-profiles#disable-onedrive-creation-for-some-users)

+## Path size limits

+Microsoft limits the number of characters in a path to not exceed 400 characters. This is the full path limit, not just the file name. In planning your migrations, review the length of OneDrive URL names in your target tenant. Failure often occurs when files or folder paths from the source, combined with the OneDrive URL on the target exceed the 400-character path limit.

+A migration will detect if you have exceeded the character limit. Work with the site owner to update the file/folder directory structure to reduce file path lengths.

+Any legal URL will be accepted when creating your Identity Map from Source to Target for your migrations. At this current time usernames/URLs that contain an apostrophe character ( **'** ) in a username/URL will fail with an "invalid character" error when attempting the migration.

+>[!Tip]

+>We recommend keeping your target OneDrive URL names short to avoid exceeding the character limit.

+## OneDrive account size limits

+Each OneDrive account can have a maximum of 2 TB of content or 1 million items.

+## Permissions

+All users and groups included in the identity mapping file that you uploaded to the target tenant will maintain permissions in the target tenant related to the migrated OneDrive site.

+## Legal holds

+OneDrive accounts with a Hold policy applied will be blocked from migration.

+To migrate these OneDrive accounts, remove the hold policy, migrate, then reapply the hold as needed on the target tenant.

+## Shared files

+After a OneDrive account is migrated, anyone clicking on a shared link to the old location will be redirected to the new one, provided they still have access to the destination.

+Those redirects remain until the source tenant is deprovisioned. The admin can also selectively remove redirects site-by-site.

+## How does it work?

+- **Step 1:** [Connect to the source and the target tenants](cross-tenant-onedrive-migration-step1.md).

+- **Step 2:** [Establish trust between the source and the target tenant](cross-tenant-onedrive-migration-step2.md)

+- **Step 3:** [Verify trust has been established](cross-tenant-onedrive-migration-step3.md)

+- **Step 4:** [Pre-create users and groups](cross-tenant-onedrive-migration-step4.md)

+- **Step 5:** [Prepare identity mapping](cross-tenant-onedrive-migration-step5.md)

+- **Step 6:** [Start a Cross-tenant OneDrive migration](cross-tenant-onedrive-migration-step6.md)

+- **Step 7:** [Post migration steps](cross-tenant-onedrive-migration-step7.md)

+## Step 1: [Connect to source and target tenants](cross-tenant-onedrive-migration-step1.md)

+# Delete a _Satellite Geography_ location in Microsoft 365 Multi-Geo

+If you no longer need a _Satellite Geography_ location, you can delete it from your _Tenant_ from the <a href="https://go.microsoft.com/fwlink/?linkid=2185219" target="_blank">SharePoint admin center</a>.

+> All user data in the _Satellite Geography_ location will be permanently deleted. This includes all OneDrive for Business content, SharePoint sites and Exchange mailboxes including Microsoft 365 Group mailboxes. You must migrate any data to another _Satellite Geography_ location or the _Primary Provisioned Geography_ location before you delete the _Satellite Geography_ location. This action cannot be undone.

+Only global administrators can delete _Satellite Geography_ locations.

+To delete a _Satellite Geography_ location

+1. On the map, select the _Satellite Geography_ location that you want to delete.

+ Title: Advanced Data Residency Commitments

+description: Advanced Data Residency Commitments

+f1.keywords:

+- NOCSH

+- it-pro

+- M365-subscription-management

+# Advanced Data Residency Commitments

+>[!NOTE]

+>If you have purchased a Multi-Geo subscription, then Microsoft will store certain customer data at rest in more than one Geography based on your configuration even if you have purchased the Microsoft 365 Advanced Data Residency add-on ("ADR").

+Microsoft makes commitments to store certain customer data at rest in the applicable _Local Region Geography_ or _Expanded Local Region Geography_ for [eligible customers](advanced-data-residency.md#eligibility) that purchase ADR. The commitments are specified below.

+## Exchange Online

+The following customer data will be stored at rest in the _Local Region Geography_ or _Expanded Local Region Geography_:

+- Exchange Online mailbox content, (e-mail body, calendar entries, and the content of e-mail attachments stored in the related _Local Region Geography_ or _Expanded Local Region Geography_.

+## SharePoint Online/OneDrive for Business

+The following customer data will be stored at rest in the _Local Region Geography_ or _Expanded Local Region Geography_:

+- SharePoint Online site content and the files stored within that site, and files uploaded to OneDrive for Business.

+## Microsoft Teams

+The following customer data will be stored at rest in the _Local Region Geography_ or _Expanded Local Region Geography_:

+- Microsoft Teams chat messages (including private messages, channel messages, meeting messages and images used in chats), and, for customers using Microsoft Stream (on SharePoint), meeting recordings.

+## Microsoft Defender for Office P1

+The following customer data will be stored at rest in the _Local Region Geography_ or _Expanded Local Region Geography_:

+- MDO P1 does not store any customer data within its service.

+- Exchange Online Protection (EOP). The following customer data will be stored at rest in the _Local Region Geography_ or _Expanded Local Region Geography_: Service configuration data and policies, quarantined email and attachments, junk email, grading analysis, block lists (url, tenant, user), spam domains, reports, and alerts

+## Office for the Web

+The following customer data will be stored at rest in the _Local Region Geography_ or _Expanded Local Region Geography_:

+- Office for the Web stores files on a storage host which has its applicable promises to _Local Region Geography_/_Expanded Local Geography_.

+## Viva Connections

+The following customer data will be stored in the _Local Region Geography_ or _Expanded Local Region Geography_:

+- Viva Connections Dashboard and Feed can have content sourced from SharePoint Online, Exchange Online and Microsoft Teams. All customer data sourced from these services covered by data residency commitments will be stored in the _Local Region Geography_ or _Expanded Local Region Geography_. Please refer to [Exchange Online](m365-dr-workload-exo.md), [SharePoint Online](m365-dr-workload-spo.md) and [Microsoft Teams](m365-dr-workload-teams.md) workload data residency pages for more details.

+## Viva Topics

+The following customer data will be stored at rest in the _Local Region Geography_ or _Expanded Local Region Geography_:

+- All the topics and customer data snippets discovered are stored within the relevant _Geographies_ in Exchange Online Substrate (site or arbitration mailboxes, and Substrate). All topic customer data is partitioned based on which _Local Region Geography_ or _Expanded Local Region Geography_ the data came from within your tenant.

+- Machine Learning ("ML") models are trained on public web data, and as such do not contain any customer data from your tenant. In the future it's possible we will use customer data to improve accuracy of the ML models, in which case the data handling of ML models will follow the same policies as any other customer content (including data residency, retention, access control, sensitivity)

+- Topic highlighting is computed dynamically when the SharePoint Online page is rendered by running a language model against the content of the page and linking it with the knowledge base of Topics. The Topics data is sourced from the Substrate in the _Local Region Geography_ or _Expanded Local Region Geography_.

+- The administration configuration data is stored within the _Local Region Geography_ or _Expanded Local Region Geography_.

+## Purview Audit (Standard)

+The following customer data will be stored at rest in the _Local Region Geography_ or _Expanded Local Region Geography_:

+- Service configuration data, audited Activities, audit Records, and audit log query permissions.

+## Purview Audit (Premium)

+The following customer data will be stored at rest in the _Local Region Geography_ or _Expanded Local Region Geography_:

+- In addition to the customer data stored as part of Purview Audit (Standard), configuration and Customer Data related to high-value crucial events.

+## Data lifecycle management - Data Retention

+The following customer data will be stored at rest in the _Local Region Geography_ or _Expanded Local Region Geography_:

+- Retention policy settings, retention label definitions

+- Customer Data stored in original locations for the following

+ - Exchange email

+ - SharePoint site

+ - OneDrive accounts

+ - Microsoft 365 Groups

+ - Exchange public folders

+ - Microsoft Teams chats and channel messages

+- Customer Data copied and stored in Exchange Online hidden mailboxes

+ - Teams channel messages

+ - Teams chats

+ - Teams private channel messages

+ - SharePoint Online, OneDrive for Business, Exchange Online and Microsoft Teams follow the data residency commitments for those services. Please refer to [Exchange Online](m365-dr-workload-exo.md), [SharePoint Online](m365-dr-workload-spo.md) and [Microsoft Teams](m365-dr-workload-teams.md) workload data residency pages for more details.

+- Training classifiers

+- Disposition data

+- Mappings between retention labels and Data Loss Prevention (DLP) policies.

+## Data lifecycle management - Records Management

+The following customer data will be stored at rest in the _Local Region Geography_ or _Expanded Local Region Geography_:

+- Record retention label definitions, file plan definitions, event-based retention policy settings, disposition review records and records of deletion

+## Information Protection - Sensitivity labels

+The following customer data will be stored at rest in the _Local Region Geography_ or _Expanded Local Region Geography_:

+- Label configuration

+- Labels definition

+- Label policies

+- Custom help page

+- Activity Explorer and Microsoft 365 unified audit logs

+- Label change justification records.

+## Information Protection - Data Loss Prevention (DLP)

+The following customer data will be stored at rest in the _Local Region Geography_ or _Expanded Local Region Geography_:

+- DLP admin configuration, DLP policies in Compliance Center, DLP monitored activities, violation history, Activity Explorer and Microsoft 365 unified audit logs, quarantine storage, DLP Alerts and DLP Alert management dashboard.

+## Information Protection - Office Message Encryption

+The following customer data will be stored at rest in the _Local Region Geography_ or _Expanded Local Region Geography_:

+- Encryption policies, admin settings and encrypted messages.

+## Insider Risk Management - Information Barriers

+The following customer data will be stored at rest in the _Local Region Geography_ or _Expanded Local Region Geography_:

+- Policy settings, risk indicators and admin settings.

+ Title: Data Residency Legacy Move Program

+description: Learn about the Data Residency Legacy Move Program

+f1.keywords:

+- NOCSH

+- it-pro

+- M365-subscription-management

+# Data Residency Legacy Move Program

+> [!NOTE]

+> Coinciding with the launch of the Microsoft 365 Advanced Data Residency add-on, the Move Program will no longer be offered during the launch of new local datacenter regions. Our most recent local datacenter region launch in Qatar (August 2022) is the final region to receive Move Program benefits. The following information is still valid for regions that were part of Move Program and all customers currently opted-in for migration will be processed. For more details, see [the ADR page](advanced-data-residency.md).

+## How to Request your Data Move - FINAL OPPORTUNITY

+With the launch of the Microsoft 365 Advanced Data Residency add-on and associated changes to the Move Program, we are providing a final opportunity for eligible commercial and public sector customers to receive a complimentary _Tenant_ migration into their local datacenter region. For a limited time, customers may only opt-in for complimentary migration from macro region into a local datacenter region that matches initial signup country. _Tenant_ migrations may take up to 24 months to complete, commencing at request deadline date. See table below for a list of eligible countries and associated dates.

+Eligible customers will see a page in the Microsoft 365 admin center which will allow them to request to have their applicable customer data moved to their new datacenter region.

+To access the page in the Microsoft 365 admin center, in the navigation pane on the left, expand **Settings**, and then click **Org Settings**. Select the tab **Organization profile**, then select the option **Data residency**.

+You will not see this section if your _Tenant_ is not eligible for the Microsoft 365 Move Program. If your organization has data residency requirements and you need to request migration, mark the checkbox and then Save.

+## When Can I Request a Move (final opt-in opportunity)

+|**Customers with signup country in**|**Request period begins**|**Request deadline**|

+|:--|:--|:--|

+| Japan <br/> | Nov. 1, 2022 <br/> | Apr. 30, 2023 <br/> |

+| Australia, New Zealand, Fiji <br/> | Nov. 1, 2022 <br/> | Apr. 30, 2023 <br/> |

+| India <br/> | Nov. 1, 2022 <br/> | Apr. 30, 2023 <br/> |

+| Canada <br/> | Nov. 1, 2022 <br/> | Apr. 30, 2023 <br/> |

+| United Kingdom <br/> | Nov. 1, 2022 <br/> | Apr. 30, 2023 <br/> |

+| South Korea <br/> | Nov. 1, 2022 <br/> | Apr. 30, 2023 <br/> |

+| France <br/> | Nov. 1, 2022 <br/> | Apr. 30, 2023 <br/> |

+| United Arab Emirates <br/> | Nov. 1, 2022 <br/> | Apr. 30, 2023 <br/> |

+| South Africa <br/> | Nov. 1, 2022 <br/> | Apr. 30, 2023 <br/> |

+| Switzerland, Liechtenstein <br/> | Nov. 1, 2022 <br/> | Apr. 30, 2023 <br/> |

+| Norway <br/> | Nov. 1, 2022 <br/> | Apr. 30, 2023 <br/> |

+| Germany <br/> | Nov. 1, 2022 <br/> | Apr. 30, 2023 <br/> |

+| Brazil <br/> | Nov. 1, 2022 <br/> | Apr. 30, 2023 <br/> |

+| Sweden <br/> | Nov. 1, 2022 <br/> | Apr. 30, 2023 <br/> |

+## Remaining Countries in the Move Program

+> [!NOTE]

+> Even though the Move Program is officially ending, we still have some in-flight geographies that we will see through to completion, based on the original 24-month migration commitment. Please refer to the table below for the remaining countries and their migration deadlines.

+|**Customers with signup country in**|**Original Opt-in: migration commitment date**|**Final Opt-in (above): migration commitment date**|

+|:--|:--|:--|

+| Germany <br/> | May 1, 2023 <br/> | May 1, 2025 <br/> |

+| Brazil <br/> | June 1, 2023 <br/> | May 1, 2025 <br/> |

+| Sweden <br/> | June 1, 2024 <br/> | May 1, 2025 <br/> |

+| Qatar <br/> | March 1, 2025 <br/> | Not Applicable <br/> |

+### Data Residency Option Moving Forward

+With the release of Advanced Data Residency, we are only providing a data residency option to eligible Microsoft 365 customers who are covered by the data centers listed in the _Local Region Geography_ on the [Overview and Definitions page](m365-dr-overview.md).

+### Migration Expectations

+Microsoft will use reasonable efforts to try to complete a legacy Move Program migration for customers who request a migration between November 1st, 2022 and April 30th 2023, by June 2025. Customers who requested a migration in the legacy Move Program prior to November 1st, 2022, will continue being migrated with reasonable efforts by Microsoft towards the intended completion date provided to them previously. However, Microsoft may not be able to complete the migration within this timeframe for all customers. For example, significantly larger or more complex customers or situations outside of Microsoft's control may require additional time to complete the migration. Customers utilizing the Advanced Data Residency feature for a data migration will instead follow the [Advanced Data Residency Migration Expectations](advanced-data-residency.md#migration-expectations).

+Data moves are a back-end service operation with minimal impact to end-users. We adhere to the [Microsoft Online Services Service Level Agreement (SLA)](https://go.microsoft.com/fwlink/p/?LinkId=523897) for availability so there is nothing that customers need to prepare for or to monitor during the move. Notification of any service maintenance is done if needed.

+During the migration process, Microsoft temporarily copies your address book data into Microsoft global resources where it is encrypted and only used to support business continuity and disaster recovery operations (BCDR). After Microsoft has completed the mailbox data moves, Microsoft deletes that temporary data from the global resources. Microsoft continues to invest in global and regional resources on a regular basis. In calendar year 2023, Microsoft plans to utilize regional resources for BCDR purposes during the migration process.

+## Data move general FAQ

+>[!NOTE]

+>The following Q&A content relates to Move Program customers **only**.

+Here are answers to general questions about moving applicable customer data at rest to a new datacenter geo.

+### What customers are eligible to request a move?

+<details><summary>Click to expand</summary>

+Existing Microsoft 365 commercial customers who selected a country eligible for the new datacenter geo will be able to request a move. The program exists only for _Tenants_ with an eligible country code assigned to the Microsoft 365 _Tenant_ to migrate applicable customer data at rest for eligible workloads to the corresponding Microsoft 365 datacenter geo. See [How to request your data move](request-your-data-move.md) to confirm country eligibility.

+</details>

+### How do we define Applicable Customer Data?

+<details><summary>Click to expand</summary>

+Applicable customer data is a term that refers to a subset of customer data defined in the [Microsoft Online Services Terms](https://aka.ms/ost):

+- Exchange Online mailbox content (email body, calendar entries, and the content of email attachments)

+- SharePoint Online site content and the files stored within that site

+- Files uploaded to OneDrive for Business

+- Teams chat data for group and private chats (files in Teams folders or placed in chat are managed by SharePoint Online and OneDrive for Business, respectively)

+</details>

+### What is in scope for Teams migration?

+<details><summary>Click to expand</summary>

+In addition to Exchange Online, SharePoint Online, and OneDrive for Business; Microsoft will migrate Teams data to the local datacenter.

+- Teams chat messages, including private messages and channel messages.

+- Teams images used in chats.

+Teams files are stored in SharePoint Online and Teams chat files are stored in OneDrive for Business. Voicemail, calendar, and contacts are stored in Exchange Online. In many cases, Exchange Online, SharePoint Online, and OneDrive for Business are already used by the customer in the local datacenter geo and are also part of the Microsoft 365 migration program for eligible customer countries.

+</details>

+### At what point is my migration complete so that my _Tenant's_ applicable customer data is being stored at rest in my new geo?

+<details><summary>Click to expand</summary>

+Due to shared dependencies between Exchange Online and SharePoint Online/OneDrive for Business, any migration cannot be considered

+completed until both services are migrated. Exchange Online and SharePoint Online/OneDrive for Business often migrate at separate times and independently from one another. Customer _Tenant_ admins receive confirmation in Message Center when each service migration is completed and can view the data location card in the Admin Center at any time to confirm the applicable customer data at rest location for

+each service.

+</details>

+### How do you make sure my customer data is safe during the move and that I won't experience downtime?

+<details><summary>Click to expand</summary>

+Data moves are a back-end service operation with minimal impact to end users. Features that can be impacted are listed in [During and after your data move](during-and-after-your-data-move.md). We adhere to the [Microsoft Online Services Service Level Agreement (SLA)](https://go.microsoft.com/fwlink/p/?LinkId=523897) for availability so there is nothing that customers need to prepare for or to monitor during the move.

+All Microsoft 365 services run the same versions in the datacenters, so you can be assured of consistent functionality. Your service is fully supported throughout the process.

+</details>

+### What is the impact of having different services located in different geos?

+<details><summary>Click to expand</summary>

+Some of the Microsoft 365 services may be located in different geos for some existing customers and for customers that are in the middle of the move process. Our services run independently of each other and there is no impact on the user experience if this is the case. However, for data residency purposes, a _Tenant_ migration cannot be considered as complete until both Exchange Online and SharePoint Online/OneDrive for Business are migrated to the same datacenter geo.

+</details>

+### Where is my applicable customer data located?

+<details><summary>Click to expand</summary>

+Customer _Tenant_ admins can view the data location card in the Admin Center at any time to confirm the applicable customer data at rest location for each service, specifically for their _Tenant_. We also publish the location of datacenter geos, datacenters, and location of Office 365 customer data on the [Microsoft 365 interactive datacenter maps](https://office.com/datamaps) as a reference for the current default applicable customer data at rest locations for new _Tenant_. You can verify the location of your customer data at rest via the Data Location section under your Organization Profile in the Microsoft 365 admin center.

+</details>

+### When will I be able to request a move?

+<details><summary>Click to expand</summary>

+Please refer to the [How to request your data move](request-your-data-move.md) page for supported timeframes for your datacenter geo.

+</details>

+### How can I request to be moved?

+<details><summary>Click to expand</summary>

+Eligible customers will see a page in their [Microsoft 365 admin center](https://admin.microsoft.com/). Please see [How to request your data move](request-your-data-move.md) for instructions on how to request a move.

+</details>

+### Can I change my selection after requesting a move?

+<details><summary>Click to expand</summary>

+It is not possible for us to remove you from the process after you submit your request.

+</details>

+### What happens if I do not request a move before the deadline?

+<details><summary>Click to expand</summary>

+We cannot accept requests for migration after the open enrollment period.

+</details>

+### What if I want to move my data in order to get better network performance?

+<details><summary>Click to expand</summary>

+Physical proximity to a Microsoft 365 datacenter is not a guarantee for a better networking performance. There are many factors and components that affect the network performance between the end user and the Microsoft 365 service. For more information about this and performance tuning, see [Network planning and performance tuning for Microsoft 365](network-planning-and-performance.md).

+</details>

+### Do all the services move their data on the same day?

+<details><summary>Click to expand</summary>

+Each service moves independently and will likely move their data at different times.

+</details>

+### Can I choose when I want my data to be moved?

+<details><summary>Click to expand</summary>

+Customers are not able to select a specific date, they cannot delay their move, and we cannot share a specific date or timeframe for the moves.

+</details>

+### Can you share when my data will be moved?

+<details><summary>Click to expand</summary>

+Data moves are a back-end operation with minimal impact to end users. The complexity, precision, and scale at which we need to perform data moves within a globally operated and automated environment prohibit us from sharing when a data move is expected to complete for your _Tenant_ or any other single _Tenant_. Customers will receive one confirmation in Message Center per participating service when its data move has completed.

+</details>

+### What happens if users access services while the data is being moved?

+<details><summary>Click to expand</summary>

+See [During and after your data move](during-and-after-your-data-move.md) for a complete list of features that may be limited during portions of the data move for each service.

+</details>

+### How do I know the move is complete?

+<details><summary>Click to expand</summary>

+Watch the Microsoft 365 Message Center for confirmation that the move of each service's data is complete. When each service's data is moved, we'll post a completion notice so you'll get three completion notices: one each for Exchange Online, SharePoint Online, and Skype for Business Online. You can also verify the location of your customer data at rest via the Data Location section under your Organization Profile in the Microsoft 365 admin center.

+</details>

+### I am a Microsoft 365 customer in one of the new datacenter geos, but when I signed up, I selected a different country. How can I be moved to the new datacenter geo?

+<details><summary>Click to expand</summary>

+It is not possible to change the signup country associated with your _Tenant_. Instead, you need to create a new Microsoft 365 _Tenant_ with a new subscription and manually move your users and data to the new _Tenant_.

+</details>

+### What happens if we are in process of email data migration to Microsoft 365 during the Exchange Online move?

+<details><summary>Click to expand</summary>

+This is a very common scenario and is fully supported. Cloud migration between datacenter geos does not interfere with any on-premises to cloud mailbox migrations.

+</details>

+### Can I pilot some users?

+<details><summary>Click to expand</summary>

+You can create a separate trial _Tenant_ to test connectivity, but the trial _Tenant_ can't be combined in any way with your existing _Tenant_.

+</details>

+### I don't want to wait for Microsoft to move my data. Can I just create a new _Tenant_ and move myself?

+<details><summary>Click to expand</summary>

+Yes, however the process will not be as seamless as if Microsoft were to perform the data move.

+If you create a new _Tenant_ after the new datacenter geo is available, the new _Tenant_ will be hosted in the new geo. This new _Tenant_ is completely separate from your previous _Tenant_ and you would be responsible for moving all user mailboxes, site content, domain names, and any other data. Note that you can't move the _Tenant_ name from one _Tenant_ to another. We recommend that you wait for the move program provided by Microsoft as we'll take care of moving all settings, data, and subscriptions for your users.

+</details>

+### My customer data has already been moved to a new datacenter geo. Can I move back?

+<details><summary>Click to expand</summary>

+No, this is not possible. Customers who have been moved to new geo datacenters cannot be moved back. As a customer in any geo, you will experience the same quality of service, performance, and security controls as you did before. [Microsoft 365 Multi Geo](https://aka.ms/multi-geo) is available to some customers as an add-on and lets a single _Tenant_ create multiple satellite geos and move user data to those geos with data residency commitments.

+</details>

+### Will Microsoft 365 _Tenants_ hosted in the new datacenters be available to users outside of the country?

+<details><summary>Click to expand</summary>

+Yes. Microsoft maintains a large global network with public Internet connections in more than 130 locations in 35 countries around the world with peering agreements with more than 2,700 Internet Service Providers (ISPs). Users will be able to access the datacenters from wherever they are on the Internet.

+</details>

+### My _Tenant_ has configured the Multi Geo add-on. Can I still enroll in my _Tenant_ in the Microsoft 365 Move Program? to change my default geo and move any user not in a satellite region to the new default geo?

+<details><summary>Click to expand</summary>

+Yes, your _Tenant_ is eligible to enroll but there are significant considerations as tenant-level move is not fully supported for customers that have configured [Multi-Geo](https://aka.ms/multi-geo).

+SharePoint Online and OneDrive for Business cannot migrate to the new datacenter geo at the _Tenant_ level through this program. The customer administrator can configure OneDrive for Business shares to move to any available region using Multi-Geo, but the default location for the _Tenant_ cannot be changed once Multi-Geo has been configured for a _Tenant_.

+For customers that opt-in for migration - we will move all Exchange Online mailboxes from your current default geo to your new local datacenter geo and update the default Exchange Online region. We will not move any EXO mailboxes configured in Multi Geo satellite regions to continue to respect satellite region data residency as you"ve intended. Teams chat service _Tenant_ migrations for customers with a Multi Geo configuration behave similarly to Exchange Online.

+</details>

+### I have public folders deployed in my _Tenant_. What will be the impact on public folder access during or after the move?

+<details><summary>Click to expand</summary>

+There is no impact to end users accessing public folders during or after the move of public folders. However, the public folders may not be available for administration in the Exchange Admin Center tool till all public folder mailboxes are moved in same region. Please check [this article](https://aka.ms/pfxrf) for more details.

+</details>

+ Title: Overview and Definitions

+description: Learn about Data Residency feature Overview and Definitions

+f1.keywords:

+- NOCSH

+- it-pro

+- M365-subscription-management

+# Overview and Definitions

+## Definitions

+To provide clarity to the descriptions below on data residency functionality and behavior, it's necessary to have clear terms and definitions in order to better understand the capabilities that Microsoft provides in this area.

+**Table 1: Definitions and Terms**

+| **Term** | **Definition** |

+|:--|:--|

+|Macro Region Geography <br/> |Macro Region Geography 1 ΓÇô EMEA, Macro Region Geography ΓÇô Asia Pacific, Macro Region Geography - Americas <br/> |

+|Macro Region Geography 1 - EMEA <br/> |Data centers in Austria, Finland, France, Ireland, Netherlands, Sweden <br/> |

+|Macro Region Geography 2 - Asia Pacific <br/> |Data centers in Hong Kong, Japan, Malaysia, Singapore, South Korea <br/> |

+|Macro Region Geography 3 - Americas <br/> |Data centers in Brazil, Chile, United States <br/> |

+|Local Region Geography <br/> |Australia, Brazil, Canada, France, Germany, India, Japan, Qatar, South Korea, Norway, South Africa, Sweden, Switzerland, United Arab Emirates, United Kingdom <br/> |

+|Expanded Local Region Geography <br/> |Poland, Italy, Indonesia, Israel, Spain, Mexico, Malaysia, Austria, Chile, New Zealand, Denmark, Greece, Taiwan <br/> |

+|Geography <br/> |_Local Region Geography, Expanded Local Region Geography_, or _Macro Region Geography_ <br/> |

+|Satellite Geography <br/> |If a customer subscribes to the Multi Geo service, then they can cause defined user customer data to be stored in other Geographies outside of the _Tenant_ _Primary Provisioned Geography_ <br/> |

+|AAD <br/> |Azure Active Directory <br/> |

+|Tenant <br/> |A _Tenant_ represents an organization in Azure Active Directory. It's a reserved Azure AD service instance that an organization receives and owns when it signs up for a Microsoft cloud service such as Azure or Microsoft 365. Each Azure AD _Tenant_ is distinct and separate from other Azure AD _Tenant's_ <br/> |

+|Default Geography <br/> |When an _AAD Tenant_ is created, a country is provided by the customer during the sign-up process. This country will determine the default Geography for all Microsoft 365 services. In some cases, not all services are able to provision in this single _Default Geography_. See _Microsoft 365 Service provisioning mapping_ below for a description. <br/> |

+|Microsoft 365 Service provisioning mapping <br/> |All Microsoft 365 Services will use the _Default Geography_ to determine where a given _Tenant's_ specified data will be provisioned and stored. <br/> |

+|Microsoft 365 Service provisioning country mapping <br/> |Please refer to [data maps](https://aka.ms/datamaps) to learn where a given service will provision specified customer data, based on the _Tenant Default Geography._ <br/> |

+|Primary Provisioned Geography <br/> |A given Microsoft 365 service will use the _Tenant Default Geography_ combined with the _Microsoft 365 Service provisioning country mapping_ to determine which _Geography_ to provision customer data into. <br/> |

+|Microsoft 365 Admin Center Data Location <br/> |To see the _Primary Provisioned Geography_ for Exchange Online, SharePoint Online and Microsoft Teams refer to Office 365 Admin Center in Settings; Org settings; Organization profile; Data location card. <br/> |

+|Microsoft 365 Multi-Geo Capabilities <br/> |Microsoft 365 Multi-Geo Capabilities allows a single _Tenant_ to store customer data-at-rest across multiple geographies rather than be limited to the single _Primary Provisioned Geography_. Please see the Multi-Geo description for more detail. <br/> |

+|Preferred Data Location (PDL) <br/> |Used for _Tenants_ with a Multi-Geo subscription. A property set by the administrator that indicates where the user or shared resource's s data should be stored at-rest. Please see the Multi-Geo description for more detail. <br/> |

+|Advanced Data Residency (ADR) <br/> |A new Microsoft 365 add-on service that guarantees customer data residency for a defined set of services. See section 3 <br/> |

+|Privacy and Security Product Terms <br/> |Privacy and Security Terms for Microsoft 365 services provides some customer data location related commitments. The document can be found <a href="https://www.microsoft.com/licensing/terms/en-US/product/PrivacyandSecurityTerms/EAEAS" target="_blank">here</a>. The extract of the relevant section (on November 1, 2022) is:<br>**Office 365 Services.** If Customer provisions its _Tenant_ in Australia, Brazil, Canada, the European Union, France, Germany, India, Japan, Norway, Qatar, South Africa, South Korea, Sweden, Switzerland, the United Kingdom, the United Arab Emirates, or the United States, Microsoft will store the following Customer Data at rest only within that Geo: (1) Exchange Online mailbox content (e-mail body, calendar entries, and the content of e-mail attachments), (2) SharePoint Online site content and the files stored within that site, (3) files uploaded to OneDrive for Business, and (4) Microsoft Teams chat messages (including private messages, channel messages, meeting messages and images used in chats), and for customers using Microsoft Stream (on SharePoint), meeting recordings.

+|Workloads <br/> |Often used to refer to a Microsoft 365 service such as but not limited to Exchange Online, SharePoint Online, Microsoft Teams, etc.|

+## Overview of Data Residency

+Microsoft 365 Cloud services run on our data centers around the world and provide services to customers around the world. Customer data may be stored in multiple data centers. Data residency refers to the geographic location where customer data is stored at rest. Data residency is important for government, public sector, education and regulated commercial entities to help ensure protection of personal and/or sensitive information. In many countries, customers are expected to comply with laws, regulations or industry standards that explicitly govern the location of data storage.

+Microsoft makes decisions on where to persistently store customer data based on two factors:

+1. The _Default Geography_ of the _Tenant_

+1. Available _Geographies_ for a given service

+### _Default Geography_ of the AAD _Tenant_

+When a customer creates a new AAD _Tenant_, the customer will enter a country during the creation process. This country is what defines the _Default Geography_ for the _Tenant_. There are multiple paths to creating _Tenants_. They can be created through AAD forms, they can be created when trying out new Microsoft 365 services (trials), etc. Once a _Tenant_ is created, the _Default Geography_ cannot be changed.

+### Available Geographies for a given service

+Microsoft 365 services are not deployed to all Microsoft data centers globally. The larger services, like Exchange Online, SharePoint Online and Microsoft Teams are universally deployed to all _Geographies_. Other services make decisions on where to deploy their services based on the number of customers, regional affiliations, and software architectures. When a customer first uses a service in this category, the provisioning logic will use the _Default Geography_ and the supported _Geographies_ to determine where to provision a given customer.

+Over time, a particular service may deploy their software to additional _Geographies_, so the provisioning locations for new customers can change over time, and this does not necessarily cause customer data to be moved to a new _Geography_.

+In order to understand where your data, for a given service is stored, your primarily tool for understanding this is in the _Tenant_ Admin Center. As a _Tenant_ administrator you can find the actual data location by navigating to Admin->Settings->Org Settings->Organization Profile->Data Location. Currently the data location is available for Exchange Online, SharePoint Online and Microsoft Teams. In addition to this resource, please see the [Data Maps page](o365-data-locations.md).

+Some examples:

+**Example 1:** For a _Tenant_ with the sign-up country as "France" that has a new subscription that includes Exchange Online, SharePoint Online and Microsoft Teams, then the customer data for those services will be provisioned into the French _Local Region Geography_. Why? Because those services are deployed into the French data centers and the _Tenant_ has a France sign up country.

+**Example 2:** For a _Tenant_ with the sign-up country as "Belgium" that has a new subscription that includes Exchange Online, SharePoint Online and Microsoft Teams, then the customer data for those services will be provisioned into the _Macro Region Geography 1 ΓÇô EMEA_. Why? Because there are no Microsoft 365 data centers in Belgium and the closest Geography is _Macro Region Geography 1 - EMEA_.

+**Example 3:** For a _Tenant_ with the sign-up country as "Japan" that has a new subscription that includes Microsoft Forms, then the customer data for Forms will be provisioned into the _Macro Region Geography 3 - Americas_. Why? Because Forms is only deployed in _Macro Region Geography 3 - Americas_ and _Macro Region Geography 1 ΓÇô EMEA_ (EU _Tenants_ only).

+**Example 4a:** For a _Tenant_ with the sign-up country as "Sweden" that has a new subscription that includes Microsoft Yammer, then the customer data for Yammer will be provisioned into the _Macro Region Geography 1 - EMEA_. Why? Because Yammer is deployed in _Macro Region Geography 1 - EMEA_ and Swedish _Tenants_ are best served out of that _Geography_.

+**Example 4b:** For a _Tenant_ with the sign-up country as "Sweden" that has a subscription that includes Microsoft Yammer from before Yammer was deployed to _Macro Regional Geography 1 - EMEA_, then the customer data for Yammer will be located in _Macro Region Geography 3 - Americas_. Why? Because, at that time, Yammer only had a single deployment for all customers at that time in _Macro Region Geography 3 - Americas_.

+### Migrations/Moves

+Once a Microsoft 365 service provisions a _Tenant_ into a particular _Geography_, there are five ways that this data could be moved to another _Geography_:

+1. The Microsoft 365 service decides to move the data to a new _Geography_ for service operations reasons, if there are no other policies in place to prevent the move.

+1. For _Local Geographies_ that have Microsoft data centers, and for _Tenants_ that have the same country, there are options to migrate data from the _Regional Geographies_ into the _Local Geographies_. This option is typically only available for 6 months after a _Local Region Geography_ has been established.

+1. If a _Tenant_ subscribes to the _Multi-Geo_ service, then _Tenants_ user's data for Exchange Online, SharePoint Online and Microsoft Teams can be assigned to _Satellite Geographies_.

+1. If a _Tenant_ has sign up country as a _Local Region Geography_ or _Expanded Local Region Geography_ and has a subscription to the _Advanced Data Residency_ service add-on, then the _Tenant_ data for the included services will be migrated from the _Regional Geography_ to the relevant _Local Region Geography_.

+1. At times Microsoft reopens Migration opt in from _Regional Geography_ to the relevant _Local Geographies_ or _Expanded Local Geographies_.

+### Durable commitments on data location

+There are three methods for ensuring that the _Tenant_ data location for a particular service does not change.

+1. Product Terms: Exchange Online, SharePoint Online, OneDrive for Business and Microsoft Teams provisioned in any _Local Region Geography_, or the European Union or the United States have a commitment for customer data residency expressed in the [Product Terms](https://www.microsoft.com/licensing/terms/product/PrivacyandSecurityTerms/all). For more information see the [Product Terms Data Residency page](m365-dr-product-terms-dr.md).

+1. _Multi Geo_ subscription: allows customers to assign data location for Exchange Online, SharePoint Online, OneDrive for Business and Microsoft Teams to any supported _Geography_. For more information see [Multi Geo Data Residency](microsoft-365-multi-geo.md).

+1. _Advanced Data Residency_ subscription guarantees data residency for an expanded set of Microsoft 365 services in any _Local Region Geography_ or _Expanded Local Region Geography_. For more information see the [Advanced Data Residency page](advanced-data-residency.md).

+**Table 2: Available Data Residency by Workload**

+|**Service Name**|**Product Terms**|**Multi-Geo**|**ADR**|

+|:--|:--|:--|:--|

+|Exchange Online <br/> |X¹ <br/> |X² <br/> |X³ <br/> |

+| SharePoint Online / OneDrive for Business <br/> |X¹ <br/> |X² <br/> |X² <br/> |

+| Microsoft Teams <br/> |X¹ <br/> |X² <br/> |X² <br/> |

+| Microsoft Defender for Office P1 <br/> |- <br/> |- <br/> |X² <br/> |

+| Office for the Web <br/> |- <br/> |- <br/> |X² <br/> |

+| Viva Connections <br/> |- <br/> |- <br/> |X² <br/> |

+| Viva Topics <br/> |- <br/> |- <br/> |X² <br/> |

+| Microsoft Purview <br/> |- <br/> |- <br/> |X² <br/> |

+1. Only available for _Local Region Geography_ countries, European Union and the United States.

+1. Available in _Local Region Geography_, _Expanded Local Region Geography_ and _Regional Geography countries/regions_

+1. Only available for _Local Region Geography_ and _Expanded Local Region Geography_ countries.

+>[!NOTE]

+>See the [Workload Data Residency Capabilities section](m365-dr-workload-exo.md) for more details on these topics.

+**Table 3: Available Data Residency by Country**

+| Country | Exchange Online | SharePoint Online | Teams | MDO P1 | Office for the web | Viva Connections | Viva Topics | Purview |

+| | | | | | | | | |

+| Australia | P-M-A | P-M-A | P-M-A | A | A | A | A | A |

+| Brazil | P-M-A | P-M-A | P-M-A | A | A | A | A | A |

+| Canada | P-M-A | P-M-A | P-M-A | A | A | A | A | A |

+| European Union | P-M | P-M | P-M | - | - | - | - | - |

+| France | P-M-A | P-M-A | P-M-A | A | A | A | A | A |

+| Germany | P-M-A | P-M-A | P-M-A | A | A | A | A | A |

+| India | P-M-A | P-M-A | P-M-A | A | A | A | A | A |

+| Japan | P-M-A | P-M-A | P-M-A | A | A | A | A | A |

+| Qatar | P-M-A | P-M-A | P-M-A | A | A | A | A | A |

+| South Korea | P-M-A | P-M-A | P-M-A | A | A | A | A | A |

+| Norway | P-M-A | P-M-A | P-M-A | A | A | A | A | A |

+| South Africa | P-M-A | P-M-A | P-M-A | A | A | A | A | A |

+| Sweden | P-M-A | P-M-A | P-M-A | A | A | A | A | A |

+| Switzerland | P-M-A | P-M-A | P-M-A | A | A | A | A | A |

+| United Arab Emirates | P-M-A | P-M-A | P-M-A | A | A | A | A | A |

+| United Kingdom | P-M-A | P-M-A | P-M-A | A | A | A | A | A |

+| United States | P-M | P-M | P-M | - | - | - | - | - |

+P: Product Terms Data Residency<br>

+M: Multi-Geo Data Residency<br>

+A: Advanced Data Residency

+### Country/Region specific Data Center city locations

+The following Regional Geographies can store data at rest.

+**Table 4: Regional Geographies**

+|**Regional Geographies** |**Locations where customer data may be stored** |

+|||

+|Macro Region Geography 1 - EMEA (Europe, Middle East and Africa) | Austria, Finland, France, Ireland, Netherlands, Sweden |

+|Macro Region Geography 2 - Asia Pacific | Hong Kong, Japan, Malaysia, Singapore, South Korea |

+|Macro Region Geography 3 - Americas | Brazil, Chile, United States |

+**Table 5: Current Local Geographies and Region specific Datacenter locations**

+|Country |Datacenter Location |

+|||

+|Australia |Sydney, Melbourne |

+|Brazil |Rio, Campinas |

+|Canada |Quebec City, Toronto |

+|European Union |Austria (Vienna), Finland (Helsinki), France (Paris, Marseille), Ireland (Dublin), Netherlands (Amsterdam), Sweden (Gävle, Sandviken, Staffanstorp) |

+|France |Paris, Marseille |

+|Germany |Frankfurt, Berlin |

+|India |Chennai, Mumbai, Pune |

+|Japan |Osaka, Tokyo |

+|South Korea |Busan, Seoul |

+|Norway |Oslo, Stavanger |

+|Qatar |Doha |

+|South Africa |Cape Town, Johannesburg |

+|Sweden |Gävle, Sandviken, Staffanstorp |

+|Switzerland |Geneva, Zurich |

+|United Arab Emirates |Dubai, Abu Dhabi |

+|United Kingdom |Durham, London, Cardiff |

+|United States |Boydton, Cheyenne, Chicago, Des Moines, Quincy, San Antonio, Santa Clara, San Jose |

+### FAQ

+#### How does Microsoft define data?

+<details><summary>Click to expand</summary>

+Review our [definitions for different types of customer data](https://go.microsoft.com/fwlink/p/?linkid=864390) on the Microsoft Trust Center. In the [Privacy & Security Terms](https://www.microsoft.com/licensing/terms/product/PrivacyandSecurityTerms/all), Microsoft makes contractual commitments regarding customer data/your _Tenant_ and user data. We refer to customer data as the customer data that is committed to be stored at rest only within a _Tenant's_ region according to the [Privacy & Security Terms](https://www.microsoft.com/licensing/terms/product/PrivacyandSecurityTerms/all).

+</details>

+#### Where are the exact addresses of the data centers?

+<details><summary>Click to expand</summary>

+Microsoft does not disclose the exact addresses of its data centers. We established this policy to help secure our data center facilities. However, we do list city locations. Please see Table 5 in the [Country/Region-specific Data Center City Locations](m365-dr-overview.md#countryregion-specific-data-center-city-locations) on the Overview and Definitions page to learn more.

+</details>

+#### Does the location of your customer data have a direct impact on your end users' experience?

+<details><summary>Click to expand</summary>

+The performance of Microsoft 365 is not simply proportional to a _Tenant_ user's distance to data center locations. Microsoft's continued investments in its global cloud network, global cloud infrastructure, and the Microsoft 365 services architecture help provide users with a singular, consistent experience independent of where customer data is stored at rest. If your users are experiencing performance issues, you should troubleshoot those in depth. Microsoft has published guidance for Microsoft 365 customers to plan for and optimize end-user performance on the [Office Support web site](network-planning-and-performance.md).

+</details>

+#### How does Microsoft help me comply with my national, regional, and industry-specific regulations?

+<details><summary>Click to expand</summary>

+To help a _Tenant_ comply with national, regional, and industry-specific requirements governing the collection and use of individuals' data, Microsoft 365 offers the most comprehensive set of compliance offerings of any global cloud productivity provider. Please review [our compliance offerings](/compliance/regulatory/offering-home) and more details in the [Microsoft Purview](https://go.microsoft.com/fwlink/p/?linkid=862317) section on the Microsoft Trust Center. Also, certain Microsoft 365 plans offer further compliance solutions to help a _Tenant_ manage their data, comply with legal and regulatory requirements, and monitor actions taken on their data.

+</details>

+#### Who can access your data and according to what rules?

+<details><summary>Click to expand</summary>

+ Microsoft implements strong measures to help protect a _Tenant's_ customer data from inappropriate access or use by unauthorized persons. This includes restricting access by Microsoft personnel and subcontractors, and carefully defining requirements for responding to government requests for customer data. However, you can access your _Tenant's_ customer data at any time and for any reason. More details are available on the [Microsoft Trust Center](https://go.microsoft.com/fwlink/p/?linkid=864392).

+</details>

+#### Does Microsoft access your data?

+<details><summary>Click to expand</summary>

+Microsoft automates most Microsoft 365 operations while intentionally limiting its own access to customer data. This helps us manage Microsoft 365 at scale and address the risks of internal threats to customer data. By default, Microsoft engineers have no standing administrative privileges and no standing access to customer data in Microsoft 365. A Microsoft engineer may have limited and logged access to customer data for a limited amount of time, but only when necessary for normal service operations and only when approved by a member of senior management at Microsoft (and, for customers who are licensed for the Customer Lockbox feature, by the customer).

+</details>

+#### How does Microsoft secure your data?

+<details><summary>Click to expand</summary>

+Microsoft has robust policies, controls, and systems built into Microsoft 365 to help keep your information safe. Review the [Microsoft 365 security section](https://go.microsoft.com/fwlink/p/?linkid=864393) on the Microsoft Trust Center to learn more.

+</details>

+#### Does Microsoft 365 encrypt your data?

+<details><summary>Click to expand</summary>

+Microsoft 365 uses service-side technologies that encrypt customer data at rest and in transit. For customer data at rest, Microsoft 365 uses volume-level and file-level encryption. For customer data in transit, Microsoft 365 uses multiple encryption technologies for communications between data centers and between clients and servers, such as Transport Layer Security (TLS) and Internet Protocol Security (IPsec). Microsoft 365 also includes customer-managed encryption features.

+</details>

+#### Where can I find data residency information for Microsoft Azure?

+<details><summary>Click to expand</summary>

+Please review the [Products available by region](https://go.microsoft.com/fwlink/p/?linkid=2093451) page to find data residency information for Microsoft Azure.

+</details>

+#### Why do I see my Microsoft 365 service requests for my data at rest connecting to servers in countries outside of my region?

+<details><summary>Click to expand</summary>

+On occasion, a customer request may be handled by servers in a different region than the location where a _Tenant's_ customer data is stored at rest. This may happen where network routing decisions choose a different server for the request processing, but in these cases such _Tenant's_ customer data is not moved to a new at rest location.

+</details>

+ Title: Overview of Product Terms Data Residency

+description: Learn about Product Terms Data Residency

+f1.keywords:

+- NOCSH

+- it-pro

+- M365-subscription-management

+# Overview of Product Terms Data Residency

+Microsoft Privacy and Security product terms included with Microsoft's Cloud product terms provides data residency commitment with the following scope:

+1. Online

+2. Commitments period: The length of the customers contract with Microsoft. Typically, this is 1-3 years.

+3. Country/regions included: Local Geographies, United States and the European Union.

+The language at time of writing this article is:

+- **Office 365 Services** If Customer provisions its tenant in Australia, Brazil, Canada, the European Union, France, Germany, India, Japan, Norway, Qatar, South Africa, South Korea, Sweden, Switzerland, the United Kingdom, the United Arab Emirates, or the United States, Microsoft will store the following Customer Data at rest only within that Geo: (1) Exchange Online mailbox content (e-mail body, calendar entries, and the content of e-mail attachments), (2) SharePoint Online site content and the files stored within that site, (3) files uploaded to OneDrive for Business, and (4) Microsoft Teams chat messages (including private messages, channel messages, meeting messages and images used in chats), and for customers using Microsoft Stream (on SharePoint), meeting recordings.

+- For current language, refer to the Privacy and Security Product Terms <a href="https://www.microsoft.com/licensing/terms/product/PrivacyandSecurityTerms/all" target="_blank">webpage</a> and view the section titled "Location of Customer Data at Rest for Core Online Services".

+For additional data residency capabilities, refer to the [_Multi-Geo_ service](microsoft-365-multi-geo.md) and/or the [_Advanced Data Residency_ service](advanced-data-residency.md).

+## Product Terms Data Residency Migration

+When Microsoft's data centers were launched in _Local Region Geographies_, it was possible for any _Tenant_ with the appropriate _Default Geography_ to opt in to move their data into the _Local Region Geographies_. This opt in period was open for six months after the Data Center was operational.

+Practically, this means that there are a number of tenants that didn't opt in to move and remain in the _Macro Region Geography_ data centers. On or about November 1, 2022 with the introduction of the Advanced Data Residency add-on, all tenants that remain in the _Macro Region Geography_ data centers will have another six month period to opt in for data migration to their _Local Region Geography_. See the [Legacy Move Program page](m365-dr-legacy-move-program.md#how-to-request-your-data-movefinal-opportunity) for more details.

+ Title: Data Residency for Exchange Online

+description: Learn about Data Residency for Exchange Online

+f1.keywords:

+- NOCSH

+- it-pro

+- M365-subscription-management

+# Data Residency for Exchange Online

+## Data Residency Commitments Available

+### Product Terms

+Required Conditions:

+Tenant has a sign up country included in Local Region Geography, the European Union or the United States.

+_For current language please refer to the Privacy and Security Product Terms <a href="https://www.microsoft.com/licensing/terms/product/PrivacyandSecurityTerms/all" target="_blank">**webpage**</a> and view the section titled "Location of Customer Data at Rest for Core Online Services"._

+**Commitment:**

+>[!NOTE]

+>If Customer provisions its tenant in Australia, Brazil, Canada, the European Union, France, Germany, India, Japan, Norway, Qatar, South Africa, South Korea, Sweden, Switzerland, United Arab Emirates, United Kingdom, or United States, Microsoft will store the following Customer Data at rest only within that Geo: Exchange Online mailbox content (e-mail body, calendar entries, and the content of e-mail attachments)

+### Advanced Data Residency add-on

+Required Conditions:

+1. Tenant has a sign-up country included in _Local Region Geography_ or _Expanded Local Region Geography_.

+1. Tenant has a valid Advanced Data Residency subscription for all users in the tenant

+1. The Exchange Online subscription customer data is provisioned in Local Geography or Expanded Local Geography

+**Commitment:**

+Please refer to the [ADR commitment page](m365-dr-commitments.md#exchange-online) to understand the specific commitments provided via Product Terms. Examples of the committed data include: all types of mailboxes, including user mailboxes, resource mailboxes, and archive mailboxes.

+### Multi-Geo add-on

+Required Conditions:

+1. Tenants have a valid Multi-Geo subscription that covers all users assigned to a _Satellite Geography_.

+1. Customer must have an active Enterprise Agreement.

+1. Total purchased Multi-Geo units must be greater than 5% of the total eligible seats in the tenant.

+**Commitment:**

+Customers may assign a Satellite Geography supported by Multi-Geo to a supported mailbox type. See the [Microsoft 365 Multi-Geo availability section](microsoft-365-multi-geo.md#microsoft-365-multi-geo-availability) of the Microsoft 365 Multi-Geo page for details. The Data at Rest for Office 365 Services for the mailbox as defined by the product terms shall be stored in the assigned Satellite Geography. Supported mailbox types includes Exchange Online user primary and archive mailboxes, resource mailboxes, Microsoft 365 Group mailboxes, and shared mailboxes.

+## Multi-Geo Capabilities in Exchange Online

+Customers may assign a _Satellite Geography_ supported by Multi-Geo to a user. See the [Microsoft 365 Multi-Geo availability section](microsoft-365-multi-geo.md#microsoft-365-multi-geo-availability) of the Microsoft 365 Multi-Geo page for details. The user's Data at Rest for Office 365 Services as defined by the product terms shall be stored in the assigned _Satellite Geography_. This includes all types of Exchange Online mailboxes, including user mailboxes, resource mailboxes, Microsoft 365 Group mailboxes, shared mailboxes, and archive mailboxes.

+You can place mailboxes in _Satellite Geography_ locations by:

+1. Creating a new Exchange Online mailbox directly in a _Satellite Geography_ location.

+1. Moving an existing Exchange Online mailbox to a _Satellite Geography_ location by changing the user's preferred data location.

+1. Onboarding a mailbox from an on-premises Exchange organization directly into a _Satellite Geography_ location.

+### Mailbox placement and moves

+After Microsoft completes the prerequisite Multi-Geo configuration steps, Exchange Online will honor the PreferredDataLocation attribute on user objects in Azure AD.

+Exchange Online synchronizes the PreferredDataLocation property from AAD into the MailboxRegion property in the Exchange Online directory service. The value of MailboxRegion determines the _Macro Region Geography_ or _Local Region Geography_ where user mailboxes and any associated archive mailboxes will be placed. It is not possible to configure a user's primary mailbox and archive mailboxes to reside in different _Geography_ locations. Only one _Macro Region Geography_ or _Local Region Geography_ may be configured per user object.

+- When PreferredDataLocation is configured on a user with an existing mailbox, the mailbox will be put into a relocation queue and automatically moved to the specified _Macro Region Geography_ or _Local Region Geography_.

+- When PreferredDataLocation is configured on a user without an existing mailbox, when you provision the mailbox, it will be provisioned into the specified _Macro Region Geography_ or _Local Region Geography_.

+- When PreferredDataLocation is not specified on a user, when you provision the mailbox, it will be provisioned in the _Primary Provisioned Geography_.

+- If the PreferredDataLocation code is incorrect (e.g. a typo of NAN instead of NAM), the mailbox will be provisioned in the _Primary Provisioned Geography_.

+>[!NOTE]

+>Multi-geo capabilities and Skype for Business Online regionally hosted meetings both use the PreferredDataLocation property on user objects to locate services. If you configure PreferredDataLocation values on user objects for regionally hosted meetings, the mailbox for those users will be automatically moved to the specified _Macro Region Geography_ or _Local Region Geography_ after Multi-Geo is enabled on the Microsoft 365 tenant.

+### Feature limitations for Multi-Geo in Exchange Online

+- Security and compliance features (for example, auditing and eDiscovery) that are available in the Exchange admin center (EAC) aren't available in Multi-Geo organizations. Instead, you need to use the Microsoft 365 Security & Compliance Center to configure security and compliance features.

+- Outlook for Mac users may experience a temporary loss of access to their Online Archive folder while you move their mailbox to a new _Geography_ location. This condition occurs when the user's the primary and archive mailboxes are in different _Geography_ locations, because cross-geo mailbox moves may complete at different times.

+- Users can't share mailbox folders across _Geography_ locations in Outlook on the web (formerly known as Outlook Web App or OWA). For example, a user in the European Union can't use Outlook on the web to open a shared folder in a mailbox that's located in the United States. However, Outlook on the Web users can open other mailboxes in different _Geography_ locations by using a separate browser window as described in Open another person's mailbox in a separate browser window in Outlook Web App.

+>[!NOTE]

+>Cross-geo mailbox folder sharing is supported in Outlook on Windows.

+- Public folders are supported in Multi-Geo organizations. However, the public folders must remain in the _Primary Provisioned Geography_ location. You can't move public folders to satellite geo locations.

+- In a Multi-Geo environment, cross-geo mailbox auditing is not supported. For example, if a user is assigned permissions to access a shared mailbox in a different _Geography_ location, mailbox actions performed by that user are not logged in the mailbox audit log of the shared mailbox. Exchange admin audit events are also only available for the default location. For more information, see Manage mailbox auditing.

+### Administering Exchange Multi-Geo

+#### Administering Exchange Online mailboxes in a Multi-Geo environment

+Exchange Online PowerShell is required to view and configure Multi-Geo properties in your Microsoft 365 environment. To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).

+You need the [Microsoft Azure Active Directory PowerShell Module](https://social.technet.microsoft.com/wiki/contents/articles/28552.microsoft-azure-active-directory-powershell-module-version-release-history.aspx) v1.1.166.0 or later in v1.x to see the **PreferredDataLocation** property on user objects. User objects synchronized via AAD Connect into AAD cannot have their **PreferredDataLocation** value directly modified via AAD PowerShell. Cloud-only user objects can be modified via AAD PowerShell. To connect to Azure AD PowerShell, see [Connect to PowerShell](connect-to-microsoft-365-powershell.md).

+In Exchange Online Multi-Geo environments, you don't need to do any manual steps to add Geographies to your tenant. After you receive the Message Center post that says multi-geo is ready for Exchange Online, all available Geographies will be ready and configured for you to use.

+#### Connect directly to a geo location using Exchange Online PowerShell

+Typically, Exchange Online PowerShell will connect to _Primary Provisioned Geography_ location. But, you can also connect directly to _Satellite Geography_ locations. Because of performance improvements, we recommend connecting directly to the _Satellite Geography_ location when you only manage users in that location.

+The requirements for installing and using the Exchange Online PowerShell module are described in **[Install and maintain the Exchange Online PowerShell module](/powershell/exchange/exchange-online-powershell-v2#install-and-maintain-the-exchange-online-powershell-module)**.

+To connect Exchange Online PowerShell to a specific _Geography_ location, the ConnectionUri parameter is different than the regular connection instructions. The rest of the commands and values are the same.

+Specifically, you need to add the ?email=\<emailaddress\> value to end of the ConnectionUri value. \<emailaddress\> is the email address of **any** mailbox in the target _Geography_ location. Your permissions to that mailbox or the relationship to your credentials are not a factor; the email address simply tells Exchange Online PowerShell where to connect.

+

+Microsoft 365 or Microsoft 365 GCC customers typically don't need to use the _ConnectionUri_ parameter to connect to Exchange Online PowerShell. But, to connect to a specific _Geography_ location, you do need to use ConnectionUri parameter so you can use ?email=\<emailaddress\> in the value.

+

+#### Connect to a _Geography_ location in Exchange Online PowerShell

+The following connection instructions work for accounts that are or aren't configured for multi-factor authentication (MFA).

+1. In a Windows PowerShell window, load the EXO V2 module by running the following command:

+ ```powershell

+ Import-Module ExchangeOnlineManagement

+ ```

+

+1. In the following example, admin@contoso.onmicrosoft.com is the admin account, and the target geo location is where the mailbox olga@contoso.onmicrosoft.com resides.

+

+ ```powershell

+ Connect-ExchangeOnline -UserPrincipalName admin@contoso.onmicrosoft.com -ConnectionUri https://outlook.office365.com/powershell?email=olga@contoso.onmicrosoft.com

+ ```

+

+1. Enter the password for the admin@contoso.onmicrosoft.com in the prompt that appears. If the account is configured for MFA, you also need to enter the security code.

+

+#### View the available _Geography_ locations that are configured in your Exchange Online organization

+To see the list of configured _Geography_ locations in Microsoft 365 Multi-Geo, run the following command in Exchange Online PowerShell:

+ ```powershell

+Get-OrganizationConfig | Select -ExpandProperty AllowedMailboxRegions | Format-Table

+```

+

+#### View the _Primary Provisioned Geography_ location for your Exchange Online organization

+To view your tenant's _Primary Provisioned Geography_ location, run the following command in Exchange Online PowerShell:

+ ```powershell

+Get-OrganizationConfig | Select DefaultMailboxRegion

+```

+#### Find the _Geography_ location of a mailbox

+The **Get-Mailbox** cmdlet in Exchange Online PowerShell displays the following multi-geo related properties on mailboxes:

+- **Database**: The first 3 letters of the database name correspond to the _Geography_ code, which tells you where the mailbox is currently located. For Online Archive Mailboxes the **ArchiveDatabase** property should be used.

+- **MailboxRegion**: Specifies the _Geography_ location code that was set by the admin (synchronized from PreferredDataLocation in Azure AD).

+- **MailboxRegionLastUpdateTime**: Indicates when MailboxRegion was last updated (either automatically or manually).

+To see these properties for a mailbox, use the following syntax:

+```powershell

+Get-Mailbox -Identity <MailboxIdentity> | Format-List Database,MailboxRegion*

+```

+ For example, to see the _Geography_ location information for the mailbox chris@contoso.onmicrosoft.com, run the following command:

+ ```powershell

+Get-Mailbox -Identity chris@contoso.onmicrosoft.com | Format-List Database, MailboxRegion*

+```

+ The output of the command looks like this:

+ ```powershell

+Database : EURPR03DG077-db007

+MailboxRegion : EUR

+MailboxRegionLastUpdateTime : 2/6/2018 8:21:01 PM

+```

+

+ > [!NOTE]

+ >If the _Geography_ location code in the database name doesn't match **MailboxRegion** value, the mailbox will be automatically be put into a relocation queue and moved to the _Geography_ location specified by the **MailboxRegion** value (Exchange Online looks for a mismatch between these property values).

+#### Move an existing cloud-only mailbox to a specific geo location

+A cloud-only user is a user not synchronized to the tenant via AAD Connect. This user was created directly in Azure AD. Use the **Get-MsolUser** and **Set-MsolUser** cmdlets in the Azure AD Module for Windows PowerShell to view or specify the _Geography_ location where a cloud-only user's mailbox will be stored.

+To view the **PreferredDataLocation** value for a user, use this syntax in Azure AD PowerShell:

+```powershell

+Get-MsolUser -UserPrincipalName <UserPrincipalName> | Format-List UserPrincipalName,PreferredDataLocation

+```

+For example, to see the **PreferredDataLocation** value for the user michelle@contoso.onmicrosoft.com, run the following command:

+```powershell

+Get-MsolUser -UserPrincipalName michelle@contoso.onmicrosoft.com | Format-List

+```

+To modify the **PreferredDataLocation** value for a cloud-only user object, use the following syntax in Azure AD PowerShell:

+```powershell

+Set-MsolUser -UserPrincipalName <UserPrincipalName> -PreferredDataLocation <GeoLocationCode>

+```

+For example, to set the **PreferredDataLocation** value to the European Union (EUR) geo for the user michelle@contoso.onmicrosoft.com, run the following command:

+```powershell

+Set-MsolUser -UserPrincipalName michelle@contoso.onmicrosoft.com -PreferredDataLocation EUR

+```

+> [!NOTE]

+>

+> - As mentioned previously, you cannot use this procedure for synchronized user objects from on-premises Active Directory. You need to change the **PreferredDataLocation** value in Active Directory and synchronize it using AAD Connect. For more information, see [Azure Active Directory Connect sync: Configure preferred data location for Microsoft 365 resources](/azure/active-directory/connect/active-directory-aadconnectsync-feature-preferreddatalocation).

+>

+> - How long it takes to relocate a mailbox to a new geo location depends on several factors:

+>

+> - The size and type of mailbox.

+> - The number of mailboxes being moved.

+> - The availability of move resources.

+#### Move an inactive mailbox to a specific _Geography_

+

+You can't move inactive mailboxes that are preserved for compliance purposes (for example, mailboxes on Litigation Hold) by changing their **PreferredDataLocation** value. To move an inactive mailbox to a different _Geography_, do the following steps:

+1. Recover the inactive mailbox. For instructions, see [Recover an inactive mailbox](/microsoft-365/compliance/recover-an-inactive-mailbox).

+1. Prevent the Managed Folder Assistant from processing the recovered mailbox by replacing \<MailboxIdentity\> with the name, alias, account, or email address of the mailbox and running the following command in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell):

+ ```powershell

+ Set-Mailbox <MailboxIdentity> -ElcProcessingDisabled $true

+ ```

+1. Assign an **Exchange Online Plan 2** license to the recovered mailbox. This step is required to place the mailbox back on Litigation Hold. For instructions, see [Assign licenses to users](/microsoft-365/admin/manage/assign-licenses-to-users).

+1. Configure the **PreferredDataLocation** value on the mailbox as described in the previous section.

+1. After you've confirmed that the mailbox has moved to the new geo location, place the recovered mailbox back on Litigation Hold. For instructions, see [Place a mailbox on Litigation Hold](/microsoft-365/compliance/create-a-litigation-hold#place-a-mailbox-on-litigation-hold).

+1. After verifying that the Litigation Hold is in place, allow the Managed Folder Assistant to process the mailbox again by replacing \<MailboxIdentity\> with the name, alias, account, or email address of the mailbox and running the following command in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell):

+ ```powershell

+ Set-Mailbox <MailboxIdentity> -ElcProcessingDisabled $false

+ ```

+1. Make the mailbox inactive again by removing the user account that's associated with the mailbox. For instructions, see [Delete a user from your organization](/admin/add-users/delete-a-user). This step also releases the Exchange Online Plan 2 license for other uses.

+**Note**: When you move an inactive mailbox to a different geo location, you might affect content search results or the ability to search the mailbox from the former geo location. For more information, see [Searching and exporting content in Multi-Geo environments](/microsoft-365/compliance/set-up-compliance-boundaries#searching-and-exporting-content-in-multi-geo-environments).

+

+#### Create new cloud mailboxes in a specific _Geography_ location

+To create a new mailbox in a specific _Geographic_ location, you need to do either of these steps:

+- Configure the **PreferredDataLocation** value as described in the previous [Move an existing cloud-only mailbox to a specific _Geographic_ location](#move-an-existing-cloud-only-mailbox-to-a-specific-geo-location) section _before_ you create the mailbox in Exchange Online. For example, configure the **PreferredDataLocation** value on a user before you assign a license.

+- Assign a license at the same time you set the **PreferredDataLocation** value.

+To create a new cloud-only licensed user (not AAD Connect synchronized) in a specific _Geographic_ location, use the following syntax in Azure AD PowerShell:

+```powershell

+New-MsolUser -UserPrincipalName <UserPrincipalName> -DisplayName "<Display Name>" [-FirstName <FirstName>] [-LastName <LastName>] [-Password <Password>] [-LicenseAssignment <AccountSkuId>] -PreferredDataLocation <GeoLocationCode>

+```

+This example create a new user account for Elizabeth Brunner with the following values:

+- User principal name: ebrunner@contoso.onmicrosoft.com

+- First name: Elizabeth

+- Last name: Brunner

+- Display name: Elizabeth Brunner

+- Password: randomly-generated and shown in the results of the command (because we're not using the _Password_ parameter)

+- License: `contoso:ENTERPRISEPREMIUM` (E5)

+- Location: Australia (AUS)

+```powershell

+New-MsolUser -UserPrincipalName ebrunner@contoso.onmicrosoft.com -DisplayName "Elizabeth Brunner" -FirstName Elizabeth -LastName Brunner -LicenseAssignment contoso:ENTERPRISEPREMIUM -PreferredDataLocation AUS

+```

+For more information about creating new user accounts and finding LicenseAssignment values in Azure AD PowerShell, see [Create user accounts with PowerShell](create-user-accounts-with-microsoft-365-powershell.md) and [View licenses and services with PowerShell](view-licenses-and-services-with-microsoft-365-powershell.md).

+> [!NOTE]

+> If you are using Exchange Online PowerShell to enable a mailbox and need the mailbox to be created directly in the _Geographic_ location that's specified in **PreferredDataLocation**, you need to use an Exchange Online cmdlet such as **Enable-Mailbox** or **New-Mailbox** directly against the cloud service. If you use the **Enable-RemoteMailbox** cmdlet in on-premises Exchange PowerShell, the mailbox will be created in the _Primary Provisioned Geography_ location.

+#### Onboard existing on-premises mailboxes in a specific _Geography_ location

+You can use the standard onboarding tools and processes to migrate a mailbox from an on-premises Exchange organization to Exchange Online, including the [Migration dashboard in the EAC](https://support.office.com/article/d164b35c-f624-4f83-ac58-b7cae96ab331), and the [New-MigrationBatch](/powershell/module/exchange/new-migrationbatch) cmdlet in Exchange Online PowerShell.

+The first step is to verify a user object exists for each mailbox to be onboarded, and verify the correct **PreferredDataLocation** value is configured in Azure AD. The onboarding tools will respect the **PreferredDataLocation** value and will migrate the mailboxes directly to the specified geo location.

+Or, you can use the following steps to onboard mailboxes directly in a specific _Geographic_ location using the [New-MoveRequest](/powershell/module/exchange/new-moverequest) cmdlet in Exchange Online PowerShell.

+1. Verify the user object exists for each mailbox to be onboarded and that **PreferredDataLocation** is set to the desired value in Azure AD. The value of **PreferredDataLocation** will be synchronized to the **MailboxRegion** attribute of the corresponding mail user object in Exchange Online.

+1. Connect directly to the specific _Satellite Geography_ location using the connection instructions from earlier in this topic.

+1. In Exchange Online PowerShell, store the on-premises administrator credentials that's used to perform a mailbox migration in a variable by running the following command:

+ ```powershell

+ $RC = Get-Credential

+ ```

+1. In Exchange Online PowerShell, create a new **New-MoveRequest** similar to the following example:

+ ```powershell

+ New-MoveRequest -Remote -RemoteHostName mail.contoso.com -RemoteCredential $RC -Identity user@contoso.com -TargetDeliveryDomain <YourAppropriateDomain>

+ ```

+1. Repeat step #4 for every mailbox you need to migrate from on-premises Exchange to the satellite geo location you are currently connected to.

+1. If you need to migrate additional mailboxes to different satellite geo locations, repeat steps 2 through 4 for each specific location.

+## Multi-Geo reporting

+

+> [!NOTE]

+> The multi-geo reporting feature is currently in Preview, is not available in all organizations, and is subject to change.

+**Multi-Geo Usage Reports** in the Microsoft 365 admin center displays the user count by _Geographic_ location. The report displays user distribution for the current month and provides historical data for the past 6 months.

+## Migration

+Because it takes time to move each user to the new datacenter _Geography_ for a single tenant, some users will still be in the old datacenter _Geography_ during the move, while others will be in the new datacenter _Geography_. This means that some features that involve accessing multiple mailboxes may not fully work during a period of the move process, which can last weeks. These features are described in the following sections.

+### Open "Shared Folder" in Outlook Web Access

+Some users open a shared mail folder from another mailbox (that the user has read or write permissions to) in Outlook Web Access using the "Shared Folder" feature. The following table describes how access to shared folders works during a mailbox move. Please note that users with full permissions to a shared mailbox can open the mailbox by using Outlook Web Access during the move.

+| Configuration | Description |

+|:--|:--|

+|User has mailbox folder permission to another mailbox <br/> |Potentially limited. <br/> If User A and Mailbox B aren't in the same _Geography_ during the tenant move, User A can't open Mailbox B's folder in Outlook Web Access if User A only has permission to a specific folder in Mailbox B. <br/> To add a shared folder, right-click the user name in the left navigation panel and select **Add shared folder**. <br/> |

+|User with full mailbox permission to another mailbox <br/> |Fully supported. <br/> If User A has "Full Access" permission to Mailbox B, then User A can click the shared folder in the left navigation panel in Outlook Web Access to open a window showing Mailbox B. A user can open a shared mailbox using Outlook Web Access during the move without any adverse impact. The limitation only applies to folder-level sharing in a mailbox.

+The process of email data migration to Microsoft 365 during the Exchange Online is a common scenario and is supported. Cloud migration between datacenter geos does not interfere with any on-premises to cloud mailbox migrations.

+### How can I determine customer data location?

+You can find the actual data location in Tenant Admin Center. As a tenant administrator you can find the actual data location, for committed data, by navigating to Admin->Settings->Org Settings->Organization Profile->Data Location.

+ Title: Data Residency for Microsoft Defender for Office P1

+description: Learn about Data Residency for Microsoft Defender for Office P1

+f1.keywords:

+- NOCSH

+- it-pro

+- M365-subscription-management

+# Data Residency for Microsoft Defender for Office P1

+## Overview

+Service documentation: [Office 365 Security including Microsoft Defender for Office 365 and Exchange Online Protection](/microsoft-365/security/office-365-security/defender-for-office-365)

+Capability Summary: Protects email and collaboration from zero-day malware, phish, and business email compromise. MDO P1 builds on Exchange Online Protection (EOP).

+## Data Residency commitments available

+### Advanced Data Residency add-on

+Required Conditions:

+1. _Tenant_ has a sign-up country included in _Local Region Geography_ or _Expanded Local Region Geography_.

+1. _Tenant_ has a valid Advanced Data Residency subscription for all users in the _Tenant_

+1. The MDO P1 subscription customer data is provisioned in _Local Region Geography_ or _Expanded Local Region Geography_.

+**Commitment:**

+Please refer to the [ADR Commitment page](m365-dr-commitments.md#microsoft-defender-for-office-p1) for the specific customer data at rest commitment for Microsoft Defender for Office P1.

+Other Information

+In addition, processing of data that is required to analyze threats and inspect suspicious emails, documents, messages, and links is done in a sandbox environment and performed within the _Local Region Geography_ or _Expanded Local Region_.

+## Exchange Online Protection

+### Overview

+Service documentation: [Exchange Online Protection (EOP) overview](/microsoft-365/security/office-365-security/exchange-online-protection-overview)

+Capability summary: Exchange Online Protection (EOP) is the cloud-based filtering service that protects your organization against spam, malware, and other email threats.

+### Data Residency commitments available

+#### Advanced Data Residency add-on

+Required Conditions:

+1. _Tenant_ has a sign up country included in _Local Region Geography_ or _Expanded Local Region Geography_.

+1. _Tenant_ has a valid Advanced Data Residency subscription for all users in the _Tenant_

+1. The EOP subscription customer data is provisioned in _Local Region Geography_ or _Expanded Local Region Geography_

+**Commitment:**

+Please refer to the [Advanced Data Residency Commitment](m365-dr-commitments.md) page for the specific customer data at rest commitment for Exchange Online Protection.

+## Migration

+EOP customer data migrates during the Exchange Online migration. MDO P1 does not have customer data to migrate.

+## How can I determine customer data location?

+We are in the process of updating the actual data location in the _Tenant_ Admin Center. When this change is complete you will be able to see the actual data location, for committed workloads, by navigating to Admin|Settings|Org Settings|Organization Profile|Data Location. Until that change is visible, you can view the Exchange Online data location information in order to understand where your in scope customer data is stored for this service.

+ Title: Data Residency for Office for the Web

+description: Data Residency for Office for the Web

+f1.keywords:

+- NOCSH

+- it-pro

+- M365-subscription-management

+# Data Residency for Office for the Web

+## Overview

+Service documentation: [Office for the web service description - Service Descriptions](/office365/servicedescriptions/office-online-service-description/office-online-service-description)

+Capability summary: Office for the web (formerly Office Web Apps) opens Word, Excel, and PowerPoint documents in your web browser. Office for the web makes it easier to work and share Office files from anywhere with an internet connection, from almost any device. Microsoft 365 customers with Word, Excel, or PowerPoint can view, create, and edit files on the go.

+## Data Residency commitments available

+### Advanced Data Residency add-on

+Required Conditions:

+1. _Tenant_ has a sign-up country included in _Local Region Geography_ or _Expanded Local Region Geography_.

+1. _Tenant_ has a valid _Advanced Data Residency_ subscription for all users in the _Tenant_.

+1. The Office for the Web subscription customer data is provisioned in _Local Region Geography_ or _Expanded Local Region Geography_.

+**Commitment:**

+Please refer to the [ADR Commitment page](m365-dr-commitments.md#office-for-the-web) for the specific customer data at rest commitment for Office for the Web.

+### Migration

+The cache for documents are not migrated to the new _Geography_, and will be reestablished as users work on documents.

+### How can I determine customer data location?

+We are in the process of updating the actual data location in _Tenant_ Admin Center. When this change is complete the tenant will be able to see the actual data location, for in scope data, by navigating to Admin|Settings|Org Settings|Organization Profile|Data Location. Until that change is visible, you can view the Exchange Online data or SharePoint Online location information in order to understand where the in scope data is stored for this service.

+ Title: Data Residency for Other Microsoft 365 Services

+description: Learn about Data Residency for Other Microsoft 365 Services

+f1.keywords:

+- NOCSH

+- it-pro

+- M365-subscription-management

+# Data Residency for Other Microsoft 365 Services

+## Data Residency commitments available

+Use the following guidance to determine where your data is located. Please reference your _tenant_ _Default Geography_.

+### Azure Active Directory (AAD)

+Please refer to [Azure Active Directory Data Locations](https://aka.ms/aaddatamap).

+### Forms

+Tenants in EU member Countries maintain data in _Macro Region Geography 1 ΓÇô EMEA_. All other tenants have customer data stored in the United States.

+### Intune

+Refer to endpoint.microsoft.com, Tenant Administration | Tenant Status for existing tenants. If you do not have an existing tenant, create a trial tenant and provision Intune.

+- Microsoft will not store Intune customer data at rest outside the stated geo, except if:

+- It is necessary for Microsoft to provide customer support, troubleshoot the service, or comply with legal requirements.

+- The customer configures an account to enable such storage of customer data, including through the use of the following:

+- Features that are designed to operate globally, such as Content Delivery Network (CDN), which provides a global caching service and stores customer data at edge locations around the world.

+- For Azure Active Directory: Please refer to [Azure Active Directory Data Locations](https://aka.ms/aaddatamap).

+- Preview, beta, or other prerelease services, which typically store customer data in the United States but may store it globally. Regardless, Microsoft does not control or limit the Geo from which customers or their end users may access customer data. Similarly, where customer data in other services is subsequently integrated into Intune, the originating customer data will continue to be stored subject to the other service's own Geo commitments (if any); only the copy of the customer data integrated into Intune will be stored in the stated Geo for Intune.

+### Office for Mobile

+Customer data for this service comes from other services, like Exchange Online and SharePoint Online. There is no customer data stored outside of those services with the exception of the mobile device.

+### OneNote Services

+OneNote stores customer data in OneDrive for Business. It does however have an API that can cause persistent caches to be made outside of the Geography where OneDrive for Business stores customer data.

+### Planner

+Please see the [Static data location information for select workloads](#static-data-location-information-for-select-workloads) section.

+### Power Apps for Microsoft 365

+Please refer to [Dynamics 365 availability and data locations | Microsoft Learn](/dynamics365/get-started/availability).

+### Stream

+You can find this information from the "?" option in the Stream UI, if you have it running and then click on "About Microsoft Stream" and see where your data is stored. If needed, create a trial tenant.

+### Viva Insights ΓÇô Advanced, Mgr, Leader

+Please see the [Static data location information for select workloads](#static-data-location-information-for-select-workloads) section. The data region for Manager/Leader and Advanced is determined by the _Default Geography_ of the _tenant_, not individual users.

+### Viva Insights ΓÇô Personal

+Customer data is processed and stored in the employee's Exchange Online mailbox. Data residency for Personal insights in Viva Insights is based on the employee's mailbox location. For more information, see [Personal insights in Viva Insights privacy guide for admins](/viva/insights/personal/overview/privacy-guide-admins?branch=main#summary-of-key-points).

+### Viva Learning

+Please see the [Static data location information for select workloads](#static-data-location-information-for-select-workloads) section.

+### Whiteboard

+Please refer to [Manage data for Microsoft Whiteboard | Microsoft Learn](/whiteboard/manage-data-organizations).

+### Yammer

+Please refer to [Data Residency - Yammer | Microsoft Learn](/yammer/manage-security-and-compliance/data-residency).

+## Static data location information for select workloads

+1. Macro Region Geography 1 ΓÇô EMEA / European Union

+1. Macro Region Geography 2 - Asia Pacific

+1. Macro Region Geography 3 ΓÇô Americas

+1. Australia

+1. Canada

+1. Japan

+| Country Code | Country Name | Viva Insights Advanced | Viva Learning | Planner |

+| | | | | |

+| AF | Afghanistan | APC²| APC²| APC²|

+| AX | Aland Islands | APC²| AMER³| EUR¹|

+| AL | Albania | EUR¹| EUR¹| EUR¹|

+| DZ | Algeria | EUR¹| EUR¹| EUR¹|

+| AS | American Samoa | APC²| APC²| APC²|

+| AD | Andorra | EUR¹| EUR¹| EUR¹|

+| AO | Angola | EUR¹| EUR¹| EUR¹|

+| AI | Anguilla | AMER³| AMER³| AMER³|

+| AQ | Antarctica | AMER³| EUR¹| AMER³|

+| AG | Antigua and Barbuda | AMER³| AMER³| AMER³|

+| AR | Argentina | AMER³| AMER³| AMER³|

+| AM | Armenia | EUR¹| EUR¹| EUR¹|

+| AW | Aruba | AMER³| AMER³| AMER³|

+| AU | Australia | APC²| AUS⁴| AUS⁴|

+| AT | Austria | EUR¹| EUR¹| EUR¹|

+| AZ | Azerbaijan | EUR¹| EUR¹| EUR¹|

+| BS | Bahamas | AMER³| AMER³| AMER³|

+| BH | Bahrain | EUR¹| EUR¹| EUR¹|

+| BD | Bangladesh | APC²| APC²| APC²|

+| BB | Barbados | AMER³| AMER³| AMER³|

+| BY | Belarus | EUR¹| EUR¹| EUR¹|

+| BE | Belgium | EUR¹| EUR¹| EUR¹|

+| BZ | Belize | AMER³| AMER³| AMER³|

+| BJ | Benin | EUR¹| EUR¹| EUR¹|

+| BM | Bermuda | AMER³| AMER³| AMER³|

+| BT | Bhutan | APC²| APC²| APC²|

+| BO | Bolivia | AMER³| AMER³| AMER³|

+| BQ | Bonaire | AMER³| AMER³| AMER³|

+| BA | Bosnia and Herzegovina | EUR¹| EUR¹| EUR¹|

+| BW | Botswana | EUR¹| EUR¹| EUR¹|

+| BV | Bouvet Island | AMER³| EUR¹| AMER³|

+| BR | Brazil | AMER³| AMER³| AMER³|

+| IO | British Indian Ocean Territory | APC²| APC²| APC²|

+| VG | British Virgin Islands | AMER³| AMER³| AMER³|

+| BN | Brunei Darussalam | APC²| APC²| APC²|

+| BG | Bulgaria | EUR¹| EUR¹| EUR¹|

+| BF | Burkina Faso | EUR¹| EUR¹| EUR¹|

+| BI | Burundi | EUR¹| EUR¹| EUR¹|

+| KH | Cambodia | APC²| APC²| APC²|

+| CM | Cameroon | EUR¹| EUR¹| EUR¹|

+| CA | Canada | AMER³| AMER³| CAN⁵|

+| CV | Cape Verde | EUR¹| EUR¹| EUR¹|

+| KY | Cayman Islands | AMER³| AMER³| AMER³|

+| CF | Central African Republic | EUR¹| EUR¹| EUR¹|

+| TD | Chad | EUR¹| EUR¹| EUR¹|

+| CL | Chile | AMER³| AMER³| AMER³|

+| CN | China | APC²| APC²| APC²|

+| CX | Christmas Island | APC²| APC²| APC²|

+| CC | Cocos (Keeling) Islands | APC²| APC²| APC²|

+| CO | Colombia | AMER³| AMER³| AMER³|

+| KM | Comoros | EUR¹| EUR¹| EUR¹|

+| CG | Congo (Brazzaville) | EUR¹| EUR¹| EUR¹|

+| CD | Congo, (Kinshasa) | EUR¹| EUR¹| EUR¹|

+| CK | Cook Islands | APC²| APC²| APC²|

+| CR | Costa Rica | AMER³| AMER³| AMER³|

+| CI | C├┤te d'Ivoire | EUR¹| EUR¹| EUR¹|

+| HR | Croatia | EUR¹| EUR¹| EUR¹|

+| CW | Cura├ºao | AMER³| EUR¹| AMER³|

+| CY | Cyprus | EUR¹| EUR¹| EUR¹|

+| CZ | Czech Republic | EUR¹| EUR¹| EUR¹|

+| DK | Denmark | EUR¹| EUR¹| EUR¹|

+| DJ | Djibouti | EUR¹| EUR¹| EUR¹|

+| DM | Dominica | AMER³| AMER³| AMER³|

+| DO | Dominican Republic | AMER³| AMER³| AMER³|

+| EC | Ecuador | AMER³| AMER³| AMER³|

+| EG | Egypt | EUR¹| EUR¹| EUR¹|

+| SV | El Salvador | AMER³| AMER³| AMER³|

+| GQ | Equatorial Guinea | EUR¹| EUR¹| EUR¹|

+| ER | Eritrea | EUR¹| EUR¹| EUR¹|

+| EE | Estonia | EUR¹| EUR¹| EUR¹|

+| ET | Ethiopia | EUR¹| EUR¹| EUR¹|

+| FK | Falkland Islands (Malvinas) | AMER³| AMER³| AMER³|

+| FO | Faroe Islands | EUR¹| EUR¹| EUR¹|

+| FM | Federated States of Micronesia | APC²| APC²| APC²|

+| FJ | Fiji | APC²| APC²| AUS⁴|

+| FI | Finland | EUR¹| EUR¹| EUR¹|

+| FR | France | EUR¹| EUR¹| EUR¹|

+| GF | French Guiana | AMER³| AMER³| AMER³|

+| PF | French Polynesia | APC²| APC²| APC²|

+| TF | French Southern Territories | AMER³| EUR¹| AMER³|

+| GA | Gabon | EUR¹| EUR¹| EUR¹|

+| GM | Gambia | EUR¹| EUR¹| EUR¹|

+| GE | Georgia | EUR¹| EUR¹| EUR¹|

+| DE | Germany | EUR¹| EUR¹| EUR¹|

+| GH | Ghana | EUR¹| EUR¹| EUR¹|

+| GI | Gibraltar | EUR¹| EUR¹| EUR¹|

+| GR | Greece | EUR¹| EUR¹| EUR¹|

+| GL | Greenland | AMER³| AMER³| AMER³|

+| GD | Grenada | AMER³| AMER³| AMER³|

+| GP | Guadeloupe | AMER³| AMER³| AMER³|

+| GU | Guam | APC²| APC²| APC²|

+| GT | Guatemala | AMER³| AMER³| AMER³|

+| GG | Guernsey | EUR¹| EUR¹| EUR¹|

+| GN | Guinea | EUR¹| EUR¹| EUR¹|

+| GW | Guinea-Bissau | EUR¹| EUR¹| EUR¹|

+| GY | Guyana | AMER³| AMER³| AMER³|

+| HT | Haiti | AMER³| AMER³| AMER³|

+| HM | Heard and Mcdonald Islands | AMER³| AMER³| AMER³|

+| VA | Holy See (Vatican City State) | EUR¹| EUR¹| EUR¹|

+| HN | Honduras | AMER³| AMER³| AMER³|

+| HK | Hong Kong, SAR China | APC²| APC²| APC²|

+| HU | Hungary | EUR¹| EUR¹| EUR¹|

+| IS | Iceland | EUR¹| EUR¹| EUR¹|

+| IN | India | APC²| APC²| APC²|

+| ID | Indonesia | APC²| APC²| APC²|

+| IQ | Iraq | EUR¹| EUR¹| EUR¹|

+| IE | Ireland | EUR¹| EUR¹| EUR¹|

+| IM | Isle of Man | EUR¹| EUR¹| EUR¹|

+| IL | Israel | EUR¹| EUR¹| EUR¹|

+| IT | Italy | EUR¹| EUR¹| EUR¹|

+| JM | Jamaica | AMER³| AMER³| AMER³|

+| JP | Japan | APC²| APC²| JPN⁶|

+| JE | Jersey | EUR¹| EUR¹| EUR¹|

+| JO | Jordan | EUR¹| EUR¹| EUR¹|

+| KZ | Kazakhstan | EUR¹| EUR¹| EUR¹|

+| KE | Kenya | EUR¹| EUR¹| EUR¹|

+| KI | Kiribati | APC²| APC²| APC²|

+| KP | Korea (North) | APC²| APC²| APC²|

+| KR | Korea (South) | APC²| APC²| APC²|

+| XK | Kosovo | EUR¹| AMER³| EUR¹|

+| KW | Kuwait | EUR¹| EUR¹| EUR¹|

+| KG | Kyrgyzstan | EUR¹| APC²| EUR¹|

+| LA | Lao PDR | APC²| APC²| APC²|

+| LV | Latvia | EUR¹| EUR¹| EUR¹|

+| LB | Lebanon | EUR¹| EUR¹| EUR¹|

+| LS | Lesotho | EUR¹| EUR¹| EUR¹|

+| LR | Liberia | EUR¹| EUR¹| EUR¹|

+| LY | Libya | EUR¹| EUR¹| EUR¹|

+| LI | Liechtenstein | EUR¹| EUR¹| EUR¹|

+| LT | Lithuania | EUR¹| EUR¹| EUR¹|

+| LU | Luxembourg | EUR¹| EUR¹| EUR¹|

+| MO | Macao, SAR China | APC²| APC²| APC²|

+| MG | Madagascar | EUR¹| EUR¹| EUR¹|

+| MW | Malawi | EUR¹| EUR¹| EUR¹|

+| MY | Malaysia | APC²| APC²| APC²|

+| MV | Maldives | APC²| APC²| APC²|

+| ML | Mali | EUR¹| EUR¹| EUR¹|

+| MT | Malta | EUR¹| EUR¹| EUR¹|

+| MH | Marshall Islands | APC²| APC²| APC²|

+| MQ | Martinique | AMER³| AMER³| AMER³|

+| MR | Mauritania | EUR¹| EUR¹| EUR¹|

+| MU | Mauritius | EUR¹| EUR¹| EUR¹|

+| YT | Mayotte | EUR¹| EUR¹| EUR¹|

+| MX | Mexico | AMER³| AMER³| AMER³|

+| MC | Monaco | EUR¹| EUR¹| EUR¹|

+| MD | Moldova | EUR¹| EUR¹| EUR¹|

+| MN | Mongolia | APC²| APC²| APC²|

+| ME | Montenegro | EUR¹| EUR¹| EUR¹|

+| MS | Montserrat | AMER³| AMER³| AMER³|

+| MA | Morocco | EUR¹| EUR¹| EUR¹|

+| MZ | Mozambique | EUR¹| EUR¹| EUR¹|

+| MM | Myanmar | APC²| APC²| APC²|

+| NA | Namibia | EUR¹| EUR¹| EUR¹|

+| NR | Nauru | APC²| APC²| APC²|

+| NP | Nepal | APC²| APC²| APC²|

+| NL | Netherlands | EUR¹| EUR¹| EUR¹|

+| AN | Netherlands Antilles | AMER³| AMER³| AMER³|

+| NC | New Caledonia | APC²| APC²| APC²|

+| NZ | New Zealand | APC²| APC²| AUS⁴|

+| NI | Nicaragua | AMER³| AMER³| AMER³|

+| NE | Niger | EUR¹| EUR¹| EUR¹|

+| NG | Nigeria | EUR¹| EUR¹| EUR¹|

+| NU | Niue | APC²| APC²| APC²|

+| NF | Norfolk Island | APC²| APC²| APC²|

+| MP | Northern Mariana Islands | APC²| APC²| APC²|

+| NO | Norway | EUR¹| EUR¹| EUR¹|

+| OM | Oman | EUR¹| APC²| EUR¹|

+| PK | Pakistan | EUR¹| APC²| EUR¹|

+| PW | Palau | APC²| APC²| APC²|

+| PS | Palestinian Authority | APC²| EUR¹| APC²|

+| PA | Panama | AMER³| AMER³| AMER³|

+| PG | Papua New Guinea | APC²| APC²| APC²|

+| PY | Paraguay | AMER³| AMER³| AMER³|

+| PE | Peru | AMER³| AMER³| AMER³|

+| PH | Philippines | APC²| APC²| APC²|

+| PN | Pitcairn | APC²| APC²| APC²|

+| PL | Poland | EUR¹| EUR¹| EUR¹|

+| PT | Portugal | EUR¹| EUR¹| EUR¹|

+| PR | Puerto Rico | AMER³| AMER³| AMER³|

+| QA | Qator | EUR¹| EUR¹| EUR¹|

+| MK | Republic of Macedonia | EUR¹| EUR¹| EUR¹|

+| RE | R├⌐union | EUR¹| EUR¹| EUR¹|

+| RO | Romania | EUR¹| EUR¹| EUR¹|

+| RU | Russian Federation | EUR¹| EUR¹| EUR¹|

+| RW | Rwanda | EUR¹| EUR¹| EUR¹|

+| SH | Saint Helena | EUR¹| EUR¹| EUR¹|

+| KN | Saint Kitts and Nevis | AMER³| AMER³| AMER³|

+| LC | Saint Lucia | AMER³| AMER³| AMER³|

+| PM | Saint Pierre and Miquelon | AMER³| AMER³| AMER³|

+| VC | Saint Vincent and Grenadines | AMER³| AMER³| AMER³|

+| BL | Saint-Barth├⌐lemy | AMER³| EUR¹| AMER³|

+| MF | Saint-Martin (French part) | AMER³| EUR¹| AMER³|

+| WS | Samoa | APC²| APC²| APC²|

+| SM | San Marino | EUR¹| EUR¹| EUR¹|

+| ST | Sao Tome and Principe | EUR¹| EUR¹| EUR¹|

+| SA | Saudi Arabia | EUR¹| EUR¹| EUR¹|

+| SN | Senegal | EUR¹| EUR¹| EUR¹|

+| RS | Serbia | EUR¹| EUR¹| EUR¹|

+| SC | Seychelles | EUR¹| EUR¹| EUR¹|

+| SL | Sierra Leone | EUR¹| EUR¹| EUR¹|

+| SG | Singapore | APC²| APC²| APC²|

+| SX | Sint Maarten | AMER³| EUR¹| AMER³|

+| SK | Slovakia | EUR¹| EUR¹| EUR¹|

+| SI | Slovenia | EUR¹| EUR¹| EUR¹|

+| SB | Solomon Islands | APC²| APC²| APC²|

+| SO | Somalia | EUR¹| EUR¹| EUR¹|

+| ZA | South Africa | EUR¹| EUR¹| EUR¹|

+| GS | South Georgia and the South Sandwich Islands | AMER³| EUR¹| AMER³|

+| SS | South Sudan | EUR¹| EUR¹| EUR¹|

+| ES | Spain | EUR¹| EUR¹| EUR¹|

+| LK | Sri Lanka | APC²| APC²| APC²|

+| SR | Suriname | AMER³| AMER³| AMER³|

+| SJ | Svalbard and Jan Mayen Islands | EUR¹| EUR¹| EUR¹|

+| SZ | Swaziland | EUR¹| EUR¹| EUR¹|

+| SE | Sweden | EUR¹| EUR¹| EUR¹|

+| CH | Switzerland | EUR¹| EUR¹| EUR¹|

+| TW | Taiwan, Republic of China | APC²| APC²| APC²|

+| TJ | Tajikistan | EUR¹| APC²| EUR¹|

+| TH | Thailand | APC²| APC²| APC²|

+| TL | Timor-Leste | APC²| EUR¹| APC²|

+| TG | Togo | EUR¹| EUR¹| EUR¹|

+| TK | Tokelau | APC²| APC²| APC²|

+| TO | Tonga | APC²| APC²| APC²|

+| TT | Trinidad and Tobago | AMER³| AMER³| AMER³|

+| TN | Tunisia | EUR¹| EUR¹| EUR¹|

+| TR | Turkey | EUR¹| EUR¹| EUR¹|

+| TM | Turkmenistan | EUR¹| APC²| EUR¹|

+| TC | Turks and Caicos Islands | AMER³| AMER³| AMER³|

+| TV | Tuvalu | APC²| APC²| APC²|

+| UG | Uganda | EUR¹| EUR¹| EUR¹|

+| UA | Ukraine | EUR¹| EUR¹| EUR¹|

+| AE | United Arab Emirates | EUR¹| EUR¹| EUR¹|

+| GB | United Kingdom | EUR¹| EUR¹| EUR¹|

+| TZ | United Republic of Tanzania | EUR¹| EUR¹| EUR¹|

+| US | United States of America | AMER³| AMER³| AMER³|

+| UY | Uruguay | AMER³| AMER³| AMER³|

+| UM | US Minor Outlying Islands | APC²| APC²| APC²|

+| UZ | Uzbekistan | EUR¹| APC²| EUR¹|

+| VU | Vanuatu | APC²| APC²| APC²|

+| VE | Venezuela (Bolivarian Republic) | AMER³| AMER³| AMER³|

+| VN | Vietnam | APC²| APC²| APC²|

+| VI | Virgin Islands, US | AMER³| AMER³| AMER³|

+| WF | Wallis and Futuna Islands | APC²| APC²| APC²|

+| EH | Western Sahara | EUR¹| EUR¹| EUR¹|

+| YE | Yemen | EUR¹| EUR¹| EUR¹|

+| ZM | Zambia | EUR¹| EUR¹| EUR¹|

+| ZW | Zimbabwe | EUR¹| EUR¹| EUR¹|

+ Title: Data Residency for Microsoft Purview

+description: Data Residency for Microsoft Purview

+f1.keywords:

+- NOCSH

+- it-pro

+- M365-subscription-management

+# Data Residency for Microsoft Purview

+Data residency commitments for the Purview set of services, as described below, are available with the Advanced Data Residency add-on.

+The required conditions for the related commitments for the services described below are:

+1. _Tenant_ has a sign up country included in _Local Region Geography_ or _Expanded Local Region Geography_.

+1. _Tenant_ has a valid Advanced Data Residency subscription for all users in the _Tenant_.

+1. The Purview service Customer Data is provisioned in _Local Region Geography_ or _Expanded Local Region Geography_.

+## Migration

+Customer Data supporting Purview services is closely aligned with the Exchange Online and SharePoint Online services, and the bulk of the data migrated, if required to fulfill the data residency commitments for the Purview services, will be handled by those services. In the cases where supporting Customer Data is maintained in an Azure Service, for example, the migration of that data is tied to the migration of the underlying Exchange Online/SharePoint Online data.

+## How can I determine Customer Data location?

+We are in the process of updating the actual data location in _Tenant_ Admin Center. When this change is complete you will be able to see the actual data location, for committed data, by navigating to Admin->Settings->Org Settings->Organization Profile->Data Location. Until that change is visible, you can view the Exchange Online data location information in order to understand where your committed data is stored for this service.

+### Purview Audit (Standard)

+#### Summary

+Service documentation: [Microsoft Purview auditing solutions](/microsoft-365/compliance/auditing-solutions-overview)

+Capability summary: Microsoft Purview Audit (Standard) provides you with the ability to log and search your data for audit activities and power your forensics, IT, and compliance efforts and legal investigations.

+#### Data Residency commitments available

+Commitment:

+Please refer to the [ADR Commitment page](m365-dr-commitments.md#purview-audit-standard) for the specific Customer Data at rest commitment for Purview Audit (Standard).

+### Purview Audit (Premium)

+#### Summary

+Service documentation: [Microsoft Purview auditing solutions](/microsoft-365/compliance/auditing-solutions-overview)

+Capability summary: Microsoft Purview Audit (Premium) builds on the capabilities of Audit (Standard) by providing audit log retention policies, longer retention of audit records, capability to identify high-value crucial events, and higher bandwidth access to the Office 365 Management Activity API.

+#### Data Residency commitments available

+Commitment:

+Please refer to the [ADR Commitment page](m365-dr-commitments.md#purview-audit-premium) for the specific Customer Data at rest commitment for Purview Audit (Premium).

+### Data lifecycle management - Data Retention

+#### Summary

+ADR applies to the following services within Purview Data lifecycle management, Data Retention:

+- Manual retention labels

+- Basic org-wide or location-wide retention policies

+- Rules-based automatic retention policies

+- Machine Learning-based retention

+- Teams message retention policies

+Service documentation: [Learn about retention policies & labels](/microsoft-365/compliance/retention)

+For more detailed information about how retention settings work for different workloads, see the following articles:

+- [Learn about retention for Exchange](/microsoft-365/compliance/retention-policies-exchange)

+- [Learn about retention for SharePoint and OneDrive](/microsoft-365/compliance/retention-policies-sharepoint)

+- [Learn about retention for Microsoft Teams](/microsoft-365/compliance/retention-policies-teams)

+Capability summary: Lets you retain or delete content with policy management for email, documents, and Teams.

+#### Data Residency commitments available

+Commitment:

+Please refer to the [ADR Commitment page](m365-dr-commitments.md#data-lifecycle-managementdata-retention) for the specific Customer Data at rest commitment for Data lifecycle management - Data Retention.

+### Data lifecycle management - Records Management

+#### Summary

+Service documentation: [Learn about Microsoft Purview Records Management](/microsoft-365/compliance/records-management)

+Capability summary: Organizations of all types require a records-management solution to manage regulatory, legal, and business-critical records across their corporate data. Records management for Microsoft Purview helps an organization manage their legal obligations, provides the ability to demonstrate compliance with regulations, and increases efficiency with regular disposition of items that are no longer required to be retained, no longer of value, or no longer required for business purposes.

+#### Data Residency commitments available

+Commitment:

+Please refer to the [ADR Commitment page](m365-dr-commitments.md#data-lifecycle-managementrecords-management) for the specific Customer Data at rest commitment for Data lifecycle management - Records Management.

+### Information Protection - Sensitivity labels

+#### Summary

+ADR applies to the following services within Purview Information Protection, Sensitivity labels:

+- Manual, default, and mandatory sensitivity labeling in Office 365

+- Automatic sensitivity labeling in Office 365 apps

+- Automatic sensitivity labels in Exchange, SharePoint, and OneDrive

+- Sensitivity labels based on advanced classification

+- Sensitivity labeling for containers in Office 365

+Service documentation:

+- [Learn about sensitivity labels](/microsoft-365/compliance/sensitivity-labels)

+- [Get started with Activity explorer](/microsoft-365/compliance/data-classification-activity-explorer)

+Capability summary: Sensitivity labels from Microsoft Purview Information Protection let you classify and protect your organization's data, while making sure that user productivity and their ability to collaborate isn't hindered.

+#### Data Residency commitments available

+Commitment:

+Please refer to the [ADR Commitment page](m365-dr-commitments.md#information-protectionsensitivity-labels) for the specificCustomer Data at rest commitment for Information Protection - Sensitivity labels.

+### Information Protection - Data Loss Prevention (DLP)

+#### Summary

+ADR applies to the following services within Purview Information Protection, Data Loss Prevention (DLP):

+- Office 365 Data Loss Prevention (DLP) for emails and files

+- DLP for Teams chat

+Service documentation: [Learn about data loss prevention](/microsoft-365/compliance/dlp-learn-about-dlp)

+Capability summary:

+Organizations have sensitive information under their control such as financial data, proprietary data, credit card numbers, health records, or social security numbers. To help protect this sensitive data and reduce risk, they need a way to prevent their users from inappropriately sharing it with people who shouldn't have it. This practice is called data loss prevention (DLP).

+In Microsoft Purview, you implement data loss prevention by defining and applying DLP policies. With a DLP policy, you can identify, monitor, and automatically protect sensitive items across:

+- Microsoft 365 services such as Teams, Exchange, SharePoint, and OneDrive

+- Office applications such as Word, Excel, and PowerPoint

+- Windows 10, Windows 11 and macOS (Catalina 10.15 and higher) endpoints

+- non-Microsoft cloud apps

+- on-premises file shares and on-premises SharePoint.

+DLP detects sensitive items by using deep content analysis, not by just a simple text scan. Content is analyzed for primary data matches to keywords, by the evaluation of regular expressions, by internal function validation, and by secondary data matches that are in proximity to the primary data match. Beyond that DLP also uses machine learning algorithms and other methods to detect content that matches your DLP policies.

+#### Data Residency commitments available

+Commitment:

+Please refer to the [ADR Commitment page](m365-dr-commitments.md#information-protectiondata-loss-prevention-dlp) for the specific Customer Data at rest commitment for Information Protection - Data Loss Prevention (DLP).

+### Information Protection - Office Message Encryption

+#### Summary

+ADR applies to the following services within Purview Information Protection, Office Message Encryption:

+- Basic Office Message Encryption

+- Advanced Office Message Encryption

+Service documentation: [Office 365 Message Encryption - Microsoft Purview](/microsoft-365/compliance/ome)

+Capability summary: With Office 365 Message Encryption, your organization can send and receive encrypted email messages between people inside and outside your organization. Office 365 Message Encryption works with Outlook.com, Yahoo!, Gmail, and other email services. Email message encryption helps to ensure that only intended recipients can view message content.

+#### Data Residency commitments available

+Commitment:

+Please refer to the [ADR Commitment page](m365-dr-commitments.md#information-protectionoffice-message-encryption) for the specific Customer Data at rest commitment for Information Protection - Office Message Encryption.

+### Insider Risk Management - Information Barriers

+#### Summary

+Service documentation: [Learn about information barriers](/microsoft-365/compliance/information-barriers)

+Capability summary: Microsoft Purview Information Barriers (IB) is a compliance solution that allows you to restrict two-way communication and collaboration between groups and users in Microsoft Teams, SharePoint, and OneDrive. Often used in highly regulated industries, IB can help to avoid conflicts of interest and safeguard internal information between users and organizational areas.

+#### Data Residency commitments available

+Commitment:

+Please refer to the [ADR Commitment page](m365-dr-commitments.md#insider-risk-managementinformation-barriers) for the specific Customer Data at rest commitment for Insider Risk Management - Information Barriers.

+ Title: Data Residency for SharePoint Online and OneDrive for Business

+description: Data Residency for SharePoint Online and OneDrive for Business

+f1.keywords:

+- NOCSH

+- it-pro

+- M365-subscription-management

+# Data Residency for SharePoint Online and OneDrive for Business

+## **Data Residency Commitments Available**

+### Product Terms

+Required Conditions:

+- _Tenant_ has a sign up country included in _Local Region Geography_, the European Union or the United States.

+**Commitment:**

+_For current language please refer to the [Privacy and Security Product Terms](https://www.microsoft.com/licensing/terms/product/PrivacyandSecurityTerms/all) and view the section titled "Location of Customer Data at Rest for Core Online Services"._

+### Advanced Data Residency add-on

+Required Conditions:

+1. _Tenant_ has a sign up country included in _Local Region Geography_ or _Expanded Local Region Geography_.

+1. _Tenant_ has a valid Advanced Data Residency subscription for all users in the _Tenant_.

+1. The SharePoint Online subscription customer data is provisioned in _Local Region Geography_ or _Expanded Local Region Geography_.

+**Commitment:**

+Please refer to the [ADR Commitment page](m365-dr-commitments.md#sharepoint-onlineonedrive-for-business) for the specific customer data at rest commitment for SharePoint Online and OneDrive for Business.

+### Multi-Geo add-on

+Required Conditions:

+1. _Tenants_ have a valid Multi-Geo subscription that covers all users assigned to a _Satellite Geography_

+1. Customer must have an active Enterprise Agreement.

+1.Total purchased Multi-Geo units must be greater than 5% of the total eligible seats in the _Tenant_.

+**Commitment:**

+Customers can assign users of SharePoint Online/OneDrive for Business to any _Satellite Geography_ supported by Multi-Geo (see Section 4.1.3). The following customer data will be stored in the relevant _Satellite Geography_:

+SharePoint Online site content and the files stored within that site, and files uploaded to OneDrive for Business.

+## **Multi-Geo Capabilities in SharePoint Online / OneDrive for Business**

+Multi-Geo capabilities in OneDrive and SharePoint Online enable control of shared resources like SharePoint team sites and Microsoft 365 Group mailboxes stored at rest in a specified _Macro Region Geography_ or _Local Region Geography_.

+Each user, Group mailbox, and SharePoint site have a Preferred Data Location (PDL) which denotes the _Macro Region Geography_ or _Local Region Geography_ (location where related data is to be stored. Users' personal data (Exchange mailbox and OneDrive) along with any Microsoft 365 Groups or SharePoint sites that they create can be stored in the specified _Macro Region Geography_ or _Local Region Geographies_ location to meet data residency requirements. You can specify different administrators for each _Macro Region Geography_ or _Local Region Geographies_ location.

+Users get a seamless experience when using Microsoft 365 services, including Office applications, OneDrive, and Search. See User experience in a Multi-Geo environment for details.

+### **OneDrive**

+Each user's OneDrive can be provisioned in or moved by an administrator to a _Satellite Geography_ location in accordance with the user's PDL. Personal files are then kept in that _Satellite Geography_ location, though they can be shared with users in other _Macro Region Geography_ or _Local Region Geography_ locations.

+### **SharePoint Sites and Groups**

+Management of the Multi-Geo feature is available through the SharePoint admin center.

+When a user creates a SharePoint group-connected site in a multi-geo environment, their PDL is used to determine the _Macro Region Geography_ or _Local Region Geography_ location where the site and its associated Group mailbox are created. (If the user's PDL value hasn't been set, or has been set to _Macro Region Geography_ or _Local Region Geography_ location that hasn't been configured as a _Satellite Geography_ location, then the site and mailbox are created in the _Primary Provisioned Geography_.)

+Microsoft 365 services other than Exchange, OneDrive, SharePoint, and Teams are not available with Multi-Geo. However, Microsoft 365 Groups that are created by these services will be configured with the PDL of the creator and their Exchange Group mailbox, SharePoint site are provisioned in the corresponding _Macro Region Geography_ or _Local Region Geography_.

+### **Managing the Multi-Geo environment**

+Setting up and managing your Multi-Geo environment is done through the SharePoint admin center.

+#### **SharePoint storage quotas in multi-geo environments**

+By default, all _Geography_ locations of a multi-geo environment share the available _Tenant_ storage quota.

+With the SharePoint geo storage quota setting, you can manage the storage quota for each _Geography_ location. When you allocate a storage quota for a _Geography_ location, it becomes the maximum amount of storage available for that _Geography_ location, and is deducted from the available _Tenant_ storage quota. The remaining available _Tenant_ storage quota is then shared across the configured _Geography_ locations for which a specific storage quota has not been allocated.

+The SharePoint storage quota for any _Geography_ location can be allocated by the SharePoint Online administrator by connecting to the _Primary Provisioned Geography_. _Geography_ administrators for _Satellite Geography_ locations can view the storage quota but cannot allocate it.

+#### **Configure a storage quota for a _Geography_ location**

+Use the [Microsoft SharePoint Online Management Shell](https://www.microsoft.com/download/details.aspx?id=35588) and connect to the _Primary Provisioned Geography_ location to allocate the storage quota for a _Geography_ location.

+To allocate Storage Quota for a location, run cmdlet:

+```powershell

+Set-SPOGeoStorageQuota -GeoLocation <geolocationcode> -StorageQuotaMB <value>

+```

+To view Storage Quota for the current _Geography_ location, run:

+```powershell

+Get-SPOGeoStorageQuota

+```

+To view Storage Quota for all _Geography_ locations, run:

+```powershell

+Get-SPOGeoStorageQuota -AllLocations

+```

+To remove the allocated storage quota for a _Geography_ location, set `StorageQuota value = 0`:

+```powershell

+Set-SPOGeoStorageQuota -GeoLocation <geolocationcode> -StorageQuotaMB 0

+```

+### Move a OneDrive site

+#### Move a OneDrive site to a different _Geography_ location

+With OneDrive _Geography_ move, you can move a user's OneDrive to a different _Geography_ location. OneDrive _Geography_ move is performed by the SharePoint Online administrator or the Microsoft 365 global administrator. Before you start a OneDrive _Geography_ move, be sure to notify the user whose OneDrive is being moved and recommend they close all files for the duration of the move. (If the user has a document open using the Office client during the move, then upon move completion the document will need to be saved to the new location.) The move can be scheduled for a future time, if desired.

+The OneDrive service uses Azure Blob Storage to store content. The Storage blob associated with the user's OneDrive will be moved from the source to destination _Geography_ location within 40 days of destination OneDrive being available to the user. The access to the user's OneDrive will be restored as soon as the destination OneDrive is available.

+During OneDrive _Geography_ move window (about 2-6 hours) the user's OneDrive is set to read-only. The user can still access their files via the OneDrive sync app or their OneDrive site in SharePoint Online. After OneDrive _Geography_ move is complete, the user will be automatically connected to their OneDrive at the destination _Geography_ location when they navigate to OneDrive in the Microsoft 365 app launcher. The sync app will automatically begin syncing from the new location.

+The procedures in this article require the [Microsoft SharePoint Online PowerShell Module](https://www.microsoft.com/download/details.aspx?id=35588).

+#### Communicating to your users

+When moving OneDrive sites between _Geography_ locations, it's important to communicate to your users what to expect. This can help reduce user confusion and calls to your help desk. Email your users before the move and let them know the following information:

+-When the move is expected to start and how long it is expected to take

+-What _Geography_ location their OneDrive is moving to, and the URL to access the new location

+-They should close their files and not make edits during the move.

+-File permissions and sharing will not change as a result of the move.

+-What to expect from the user experience in a multi-geo environment

+Be sure to send your users an email when the move has successfully completed informing them that they can resume working in OneDrive.

+#### Scheduling OneDrive site moves

+You can schedule OneDrive site moves in advance (described later in this article). We recommend that you start with a small number of users to validate your workflows and communication strategies. Once you are comfortable with the process, you can schedule moves as follows:

+-You can schedule up to 4,000 moves at a time.

+-As the moves begin, you can schedule more, with a maximum of 4,000 pending moves in the queue and any given time.

+-The maximum size of a OneDrive that can be moved is 1 terabyte (1 TB).

+#### **Moving a OneDrive site**

+To perform a OneDrive _Geography_ move, the _Tenant_ administrator must first set the user's Preferred Data Location (PDL) to the appropriate _Geography_ location. Once the PDL is set, wait for at least 24 hours for the PDL update to sync across the _Geography_ locations before starting the OneDrive _Geography_ move.

+When using the _Geography_ move cmdlets, connect to SPO Service at the user's current OneDrive _Geography_ location, using the following syntax:

+```powershell

+Connect-SPOService -url https://<tenantName>-admin.sharepoint.com

+```

+For example: To move OneDrive of user 'Matt@contosoenergy.onmicrosoft.com', connect to EUR SharePoint Admin center as the user's OneDrive is in EUR _Geography_ location:

+```powershell

+Connect-SPOService -url https://contosoenergyeur-admin.sharepoint.com

+```

+#### **Validating the environment**

+

+Before you start a OneDrive _Geography_ move, we recommend that you validate the environment.

+To ensure that all _Geography_ locations are compatible, run:

+```powershell

+Get-SPOGeoMoveCrossCompatibilityStatus

+```

+You will see a list of your _Geography_ locations and whether content can be moved between will be denoted as "Compatible". If the command returns "Incompatible" please retry validating the status at a later date.

+If a OneDrive contains a subsite, for example, it cannot be moved. You can use the Start-SPOUserAndContentMove cmdlet with the -ValidationOnly parameter to validate if the OneDrive is able to be moved:

+```powershell

+Start-SPOUserAndContentMove -UserPrincipalName <UPN> -DestinationDataLocation <DestinationDataLocation> -ValidationOnly

+```

+ This will return Success if the OneDrive is ready to be moved or Fail if there is a legal hold or subsite that would prevent the move. Once you have validated that the OneDrive is ready to move, you can start the move.

+#### **Start a OneDrive geo move**

+To start the move, run:

+```powershell

+Start-SPOUserAndContentMove -UserPrincipalName <UserPrincipalName> -DestinationDataLocation <DestinationDataLocation>

+```

+Using these parameters:

+- _UserPrincipalName_ ΓÇô UPN of the user whose OneDrive is being moved.

+- _DestinationDataLocation_ ΓÇô Geo-Location where the OneDrive needs to be moved. This should be same as the user's preferred data location.

+For example, to move the OneDrive of matt@contosoenergy.onmicrosoft.com from EUR to AUS, run:

+```powershell

+Start-SPOUserAndContentMove -UserPrincipalName matt@contosoenergy.onmicrosoft.com -DestinationDataLocation AUS

+```

+To schedule a _Geography_ move for a later time, use one of the following parameters:

+- _PreferredMoveBeginDate_ ΓÇô The move will likely begin at this specified time. Time must be specified in Coordinated Universal Time (UTC).

+- _PreferredMoveEndDate_ ΓÇô The move will likely be completed by this specified time, on a best effort basis. Time must be specified in Coordinated Universal Time (UTC).

+#### **Cancel a OneDrive _Geography_ move**

+

+You can stop the _Geography_ move of a user's OneDrive, provided the move is not in progress or completed by using the cmdlet:

+```powershell

+Stop-SPOUserAndContentMove ΓÇô UserPrincipalName <UserPrincipalName>

+```

+Where _UserPrincipalName_ is the UPN of the user whose OneDrive move you want to stop.

+#### **Determining current status**

+You can check the status of a OneDrive _Geography_ move in or out of the _Geography_ that you're connected to by using the Get-SPOUserAndContentMoveState cmdlet.

+The move statuses are described in the following table.

+|Status|Description|

+|||

+|NotStarted|The move has not started|

+|InProgress (_n_/4)|The move is in progress in one of the following states: <ul><li>Validation (1/4)</li><li>Backup (2/4)</li><li>Restore (3/4)</li><li>Cleanup (4/4)</li></ul>|

+|Success|The move has completed successfully.|

+|Failed|The move failed.|

+To find the status of a specific user's move, use the _UserPrincipalName_ parameter:

+```powershell

+Get-SPOUserAndContentMoveState -UserPrincipalName <UPN>

+```

+To find the status of all of the moves in or out of the _Geography_ location that you're connected to, use the _MoveState_ parameter with one of the following values: NotStarted, InProgress, Success, Failed, All.

+```powershell

+Get-SPOUserAndContentMoveState -MoveState <value>

+```

+You can also add the _Verbose_ parameter for more verbose descriptions of the move state.

+#### **User Experience**

+Users of OneDrive should notice minimal disruption if their OneDrive is moved to a different _Geography_ location. Aside from a brief read-only state during the move, existing links and permissions will continue to work as expected once the move is completed.

+#### **User's OneDrive**

+While the move is in progress the user's OneDrive is set to read-only. Once the move is completed, the user is directed to their OneDrive in the new _Geography_ location when they navigate to OneDrive the Microsoft 365 app launcher or a web browser.

+#### **Permissions on OneDrive content**

+Users with permissions to OneDrive content will continue to have access to the content during the move and after it's complete.

+#### **OneDrive sync app**

+The OneDrive sync app will automatically detect and seamlessly transfer syncing to the new OneDrive location once the OneDrive _Geography_ move is complete. The user does not need to sign-in again or take any other action. (Version 17.3.6943.0625 or later of the sync app required.)

+If a user updates a file while the OneDrive _Geography_ move is in progress, the sync app will notify them that file uploads are pending while the move is underway.

+#### **Sharing links**

+Upon OneDrive _Geography_ move completion, the existing shared links for the files that were moved will automatically redirect to the new _Geography_ location.

+#### **OneNote Experience**

+OneNote win32 client and UWP (Universal) App will automatically detect and seamlessly sync notebooks to the new OneDrive location once OneDrive _Geography_ move is complete. The user does not need to sign-in again or take any other action. The only visible indicator to the user is notebook sync would fail when OneDrive _Geography_ move is in progress. This experience is available on the following OneNote client versions:

+- OneNote win32 ΓÇô Version 16.0.8326.2096 (and later)

+- OneNote UWP ΓÇô Version 16.0.8431.1006 (and later)

+- OneNote Mobile App ΓÇô Version 16.0.8431.1011 (and later)

+#### **Teams app**

+Upon OneDrive _Geography_ move completion, users will have access to their OneDrive files on the Teams app. Additionally, files shared via Teams chat from their OneDrive prior to _Geography_ move will continue to work after move is complete.

+#### **OneDrive Mobile App (iOS)**

+Upon OneDrive _Geography_ move completion, the user would need to sign out and sign in again on the iOS Mobile App to sync to the new OneDrive location.

+#### **Existing followed groups and sites**

+Followed sites and groups will show up in the user's OneDrive regardless of their _Geography_ location. Sites and groups hosted in another _Geography_ location will open in a separate tab.

+#### **Delve Geo URL updates**

+Users will be sent to the Delve _Geography_ corresponding to their PDL only after their OneDrive has been moved to the new _Geography_.

+### **Move a SharePoint site**

+#### **Move a SharePoint site to a different _Geography_ location**

+With SharePoint site _Geography_ move, you can move SharePoint sites to other _Geography_ locations within your Multi-Geo environment.

+The following types of site can be moved between _Geography_ locations:

+- Microsoft 365 group-connected sites, including those sites associated with Microsoft Teams

+- Modern sites without a Microsoft 365 group association

+- Classic SharePoint sites

+- Communication sites

+You must be a Global Administrator or SharePoint Administrator to move a site between _Geography_ locations.

+There is a read-only window during the SharePoint site _Geography_ move of approximately 4-6 hours, depending on site-contents

+#### **Best practices**

+- Try a SharePoint site move on a test site to get familiar with the procedure.

+- Validate whether the site can be moved prior to scheduling or performing the move.

+- When possible schedule cross-geo sites moves for outside business hours to reduce user impact.

+- Communicate with impacted users prior to the sites move.

+#### **Communicating to your users**

+When moving SharePoint sites between _Geography_ locations, it's important to communicate to the sites' users (generally anyone with the ability to edit the site) what to expect. This can help reduce user confusion and calls to your help desk. Email your sites' users before the move and let them know the following information:

+- When the move is expected to start and how long it is expected to take

+- What _Geography_ location their site is moving to, and the URL to access the new location

+- They should close their files and not make edits during the move.

+- File permissions and sharing will not change because of the move.

+- What to expect from the user experience in a multi-geo environment

+Be sure to send your sites' users an email when the move has successfully completed informing them that they can resume working on their sites.

+#### **Scheduling SharePoint site moves**

+You can schedule SharePoint site moves in advance (described later in this article). You can schedule moves as follows:

+- You can schedule up to 4,000 moves at a time.

+- As the moves begin, you can schedule more, with a maximum of 4,000 pending moves in the queue and any given time.

+- The maximum size of a SharePoint site that can be moved is 1 terabyte (1 TB).

+To schedule a SharePoint site _Geography_ move for a later time, include one of the following parameters when you start the move:

+- PreferredMoveBeginDate ΓÇô The move will likely begin at this specified time.

+- PreferredMoveEndDate ΓÇô The move will likely be completed by this specified time, on a best effort basis.

+Time must be specified in Coordinated Universal Time (UTC) for both parameters.

+#### **Moving the site**

+SharePoint site _Geography_ move requires that you connect and perform the move from the SharePoint Admin URL in the _Geography_ location where the site is.

+For example, if the site URL is `https://contosohealthcare.sharepoint.com/sites/Turbines`, connect to the SharePoint Admin URL at `https://contosohealthcare-admin.sharepoint.com`:

+```powershell

+Connect-SPOService -Url https://contosohealthcare-admin.sharepoint.com

+```

+#### **Validating the environment**

+We recommend that before scheduling any site move, you perform a validation to ensure that the site can be moved.

+We do not support moving sites with:

+- Business Connectivity Services

+- InfoPath forms

+- Information Rights Management (IRM) templates applied

+To ensure all _Geography_ locations are compatible, run `Get-SPOGeoMoveCrossCompatibilityStatus`. This will display all your _Geography_ locations and whether the environment is compatible with the destination _Geography_ location.

+To perform a validation-only check on your site, use `Start-SPOSiteContentMove` with the `-ValidationOnly` parameter to validate if the site is able to be moved. For example:

+```PowerShell

+Start-SPOSiteContentMove -SourceSiteUrl <SourceSiteUrl> -ValidationOnly -DestinationDataLocation <DestinationLocation>

+```

+This will return _Success_ if the site is ready to be moved or _Fail_ if any of blocked conditions are present.

+#### **Start a SharePoint site _Geography_ move for a site with no associated Microsoft 365 group**

+

+By default, initial URL for the site will change to the URL of the destination _Geography_ location. For example:

+`https://Contoso.sharepoint.com/sites/projectx` to `https://ContosoEUR.sharepoint.com/sites/projectx`

+For sites with no Microsoft 365 group association, you can also rename the site by using the `-DestinationUrl` parameter. For example:

+<https://Contoso.sharepoint.com/sites/projectx> to `https://ContosoEUR.sharepoint.com/sites/projecty`

+To start the site move, run:

+```powershell

+Start-SPOSiteContentMove -SourceSiteUrl <siteURL> -DestinationDataLocation <DestinationDataLocation> -DestinationUrl <DestinationSiteURL>

+```

+#### **Start a SharePoint site _Geography_ move for a Microsoft 365 group-connected site**

+ To move a Microsoft 365 group-connected site, the Global Administrator or SharePoint Administrator must first change the Preferred Data Location (PDL) attribute for the Microsoft 365 group.

+To set the PDL for a Microsoft 365 group:

+```PowerShell

+Set-SPOUnifiedGroup -PreferredDataLocation <PDL> -GroupAlias <GroupAlias>

+Get-SPOUnifiedGroup -GroupAlias <GroupAlias>

+```

+Once you have updated the PDL, you can start the site move:

+```PowerShell

+Start-SPOUnifiedGroupMove -GroupAlias <GroupAlias> -DestinationDataLocation <DestinationDataLocation>

+```

+#### **Cancel a SharePoint site _Geography_ move**

+You can stop a SharePoint site _Geography_ move, provided the move is not in progress or completed by using the Stop-SPOSiteContentMove cmdlet.

+#### **Determining the status of a SharePoint site _Geography_ move**

+You can determine the status of a site move in our out of the _Geography_ that you are connected to by using the following cmdlets:

+- [Get-SPOSiteContentMoveState](/powershell/module/sharepoint-online/get-spositecontentmovestate) (non-Group-connected sites)

+- [Get-SPOUnifiedGroupMoveState](/powershell/module/sharepoint-online/get-spounifiedgroupmovestate) (Group-connected sites)

+Use the `-SourceSiteUrl` parameter to specify the site for which you want to see move status.

+The move statuses are described in the following table.

+****

+|Status|Description|

+|||

+|Ready to Trigger|The move has not started.|

+|Scheduled|The move is in queue but has not yet started.|

+|InProgress (n/4)|The move is in progress in one of the following states: Validation (1/4), Back up (2/4), Restore (3/4), Cleanup (4/4).|

+|Success|The move has completed successfully.|

+|Failed|The move failed.|

+|

+You can also apply the `-Verbose` option to see additional information about the move.

+#### **User experience**

+Site users should notice minimal disruption when their site is moved to a different _Geography_ location. Aside from a brief read-only state during the move, existing links and permissions will continue to work as expected once the move is completed.

+#### **Site**

+While the move is in progress, the site is set to read-only. Once the move is completed, the user is directed to the new site in the new _Geography_ location when they click on bookmarks or other links to the site.

+#### **Permissions**

+Users with permissions to site will continue to have access to the site during the move and after it's complete.

+#### **Sync app**

+The sync app will automatically detect and seamlessly transfer syncing to the new site location once the site move is complete. The user does not need to sign in again or take any other action. (Version 17.3.6943.0625 or later of the sync app required.)

+If a user updates a file while the move is in progress, the sync app will notify them that file uploads are pending while the move is underway.

+#### **Sharing links**

+When the SharePoint site _Geography_ move completes, the existing shared links for the files that were moved will automatically redirect to the new _Geography_ location.

+#### **Most Recently Used files in Office (MRU)**

+The MRU service is updated with the site url and its content URLs once the move completes. This applies to Word, Excel, and PowerPoint.

+#### **OneNote experience**

+OneNote win32 client and UWP (Universal) App will automatically detect and seamlessly sync notebooks to the new site location once site move is complete. The user does not need to sign in again or take any other action. The only visible indicator to the user is notebook sync would fail when site move is in progress. This experience is available on the following OneNote client versions:

+-OneNote win32 ΓÇô Version 16.0.8326.2096 (and later)

+-OneNote UWP ΓÇô Version 16.0.8431.1006 (and later)

+-OneNote Mobile App ΓÇô Version 16.0.8431.1011 (and later)

+#### **Teams (applicable to Microsoft 365 group connected sites)**

+When the SharePoint site _Geography_ move completes, users will have access to their Microsoft 365 group site files on the Teams app. Additionally, files shared via Teams chat from their site prior to _Geography_ move will continue to work after move is complete.

+SharePoint site _Geography_ move does not support moving Private Channels from one _Geography_ to another. Private channels remain in the original _Geography_.

+#### **SharePoint Mobile App (iOS/Android)**

+The SharePoint Mobile App is cross _Geography_ compatible and able to detect the site's new _Geography_ location.

+#### **SharePoint workflows**

+SharePoint 2013 workflows have to be republished after the site move. SharePoint 2010 workflows should continue to function normally.

+#### **Apps**

+If you are moving a site with apps, you must reinstantiate the app in the site's new _Geography_ location as the app and its connections may not be available in the destination _Geography_ location.

+#### **Power Automate**

+In most cases, Power Automate Flows will continue to work after a SharePoint site _Geography_ move. We recommend that you test them once the move has completed.

+#### **Power Apps**

+Power Apps need to be recreated in the destination location.

+#### **Data movement between geo locations**

+SharePoint uses Azure Blob Storage for its content, while the metadata associated with sites and its files is stored within SharePoint. After the site is moved from its source _Geography_ location to its destination _Geography_ location, the service will also move its associated Blob Storage. Blob Storage moves complete in approximately 40 days. This will not have any impact to users interaction with the data.

+You can check the Blob Storage move status using the [Get-SPOCrossGeoMoveReport](/powershell/module/sharepoint-online/get-spocrossgeomovereport) cmdlet.

+****

+### **Enabling SharePoint Multi-Geo in your _Satellite Geography_ location**

+This article is for Global or SharePoint administrators who have created a Multi-Geo _Satellite Geography_ location **before** SharePoint Multi-Geo capabilities became generally available on March 27, 2019, and who have not enabled SharePoint Multi-Geo in their _Satellite Geography_ location(s).

+>[!NOTE]

+>If you have added a new _Geography_ location **after March 27th, 2019**, you do not need to perform these instructions, as your new _Geography_ location will already be enabled for OneDrive and SharePoint Multi-Geo.

+These instructions will allow you to enable SharePoint in your _Satellite Geography_ location, so your Multi-Geo satellite users can take advantage of both OneDrive and SharePoint Multi-Geo capabilities in O365.

+>[!IMPORTANT]

+>Please note that this is a one way enablement. Once you set SPO mode, you will not be able to revert your _Tenant_ to OneDrive only Multi-Geo mode without an escalation with support.

+#### **To set a _Geography_ location into SPO Mode**

+To set a _Geography_ location into SPO mode, connect to the _Geography_ location you want to set in SPO Mode:

+1. Open your SharePoint Online Management Shell

+2. Connect-SPOService -URL "https://$tenantGeo-admin.sharepoint.com" -Credential $credential

+3. Set-SPOMultiGeoExperience</br></br>

+

+4. This operation usually takes about an hour while we perform various publish backs in the service and re-stamp your _Tenant_. After at least 1 hour, please perform a Get-SPOMultiGeoExperience. This will show you whether this _Geography_ location is in SPO mode.</br></br>

+

+>[!Note]

+>Certain caches in the service update every 24 hours, so it is possible that for a period of up to 24 hours, your _Satellite Geography_ may intermittently behave as if it was still in ODB mode. This does not cause any technical issues.

+## Migration

+When SharePoint Online is moved, data for the following services is also moved:

+

+- OneDrive for Business

+- Microsoft 365 Video services

+- Office in a browser

+- Microsoft 365 Apps for enterprise

+- Visio Pro for Microsoft 365

+After we've completed moving your SharePoint Online data, you might see some of the following effects.

+

+### Microsoft 365 Video Services

+- The data move for video takes longer than the moves for the rest of your content in SharePoint Online.

+- After the SharePoint Online content is moved, there will be a time frame when videos aren't able to be played.

+- We're removing the trans-coded copies from the previous datacenter and transcoding them again in the new datacenter.

+### Search

+In the course of moving your SharePoint Online data, we migrate your search index and search settings to a new location. Until we've **completed** the move of your SharePoint Online data, we continue to serve your users from the index in the original location. In the new location, search automatically starts crawling your content after we've completed moving your SharePoint Online data. From this point and onwards we serve your users from the migrated index. Changes to your content that occurred after the migration aren't included in the migrated index until crawling picks them up. Most customers don't notice that results are less fresh right after we've completed moving their SharePoint Online data, but some customers might experience reduced freshness in the first 24-48 hours.

+

+The following search features are affected:

+

+- Search results and Search Web Parts: Results don't include changes that occurred after the migration until crawling picks them up.

+- Delve: Delve doesn't include changes that occurred after the migration until crawling picks them up.

+- Popularity and Search Reports for the site: Counts for Excel reports in the new location only include migrated counts and counts from usage reports that have run after we completed moving your SharePoint Online data. Any counts from the interim period are lost and can't be recovered. This period is typically a couple of days. Some customers might experience shorter or longer losses.

+- Video Portal: View counts and statistics for the Video Portal depend on the statistics for Excel Reports, so view counts and statistics for the Video Portal are lost for the same time period as for the Excel reports.

+- eDiscovery: Items that changed during the migration aren't shown until crawling picks up the changes.

+- Data Loss Protection (DLP): Policies aren't enforced on items that change until crawling picks up the changes.

+As part of the migration, the _Primary Provisioned Geography_ will change and all new content will be stored at rest in the new _Primary Provisioned Geography_. Existing content will move in the background with no impact to you for up to 90 days after the first change to the SharePoint Online data location in the admin center.

+## How can I determine customer data location?

+You can find the actual data location in _Tenant_ Admin Center. As a _Tenant_ administrator you can find the actual data location, for committed data, by navigating to Admin->Settings->Org Settings->Organization Profile->Data Location. If you do not have a _Tenant_ created, you can have a _Tenant_ created when signing up for a M365 trial.

+ Title: Data Residency for Microsoft Teams

+description: Learn about data residency for Microsoft Teams

+f1.keywords:

+- NOCSH

+- it-pro

+- M365-subscription-management

+# Data Residency for Microsoft Teams

+## Data Residency Commitments Available

+### Product Terms

+Required Conditions:

+1. _Tenant_ has a sign up country included in _Local Region Geography_, the European Union or the United States.

+**Commitment:**

+_For current language please refer to the [Privacy and Security Product Terms](https://www.microsoft.com/licensing/terms/product/PrivacyandSecurityTerms/all) and view the section titled "Location of Customer Data at Rest for Core Online Services"._

+### Advanced Data Residency add-on

+Required Conditions:

+1. _Tenant_ has a sign-up country included in _Local Region Geography_ or _Expanded Local Region Geography_.

+1. _Tenant_ has a valid Advanced Data Residency subscription for all users in the _Tenant_

+1. The Microsoft Teams subscription customer data is provisioned in _Local Region Geography_ or _Expanded Local Region Geography_.

+**Commitment:**

+Please refer to the [ADR Commitment page](m365-dr-commitments.md#microsoft-teams) to understand the specific commitments provided via Product Terms. Examples of the committed data include:

+- Chat/ channel messages and team structure: Every team in Microsoft Teams is backed by an Microsoft 365 Modern Group and its SharePoint site and Exchange mailbox. Private chats (including group chats), messages sent as part of a conversation in a channel, and the structure of teams and channels are stored in an Azure powered chat service. The data is also stored in a hidden folder in the user and group mailboxes to enable information protection features.

+- Images and Media: Media used in chats (except for Giphy GIFs which are not stored but are a reference link to the original Giphy URL) are stored in an Azure based Media Service deployed to the same locations as the chat service.

+- Meeting Recordings: For users of Microsoft Stream (on SharePoint) Meeting Recordings are stored in the OneDrive for Business storage of the user that initiates the recording.

+### Multi-Geo add-on

+Required Conditions:

+1. _Tenants_ have a valid Multi-Geo subscription that covers all users assigned to a _Satellite Geography_

+1. Customer must have an active Enterprise Agreement.

+1. Total purchased Multi-Geo units must be greater than 5% of the total eligible seats in the _Tenant_.

+**Commitment:**

+Customers can assign users of Microsoft Teams to any _Satellite Geography_ supported by Multi-Geo. The following customer data will be stored in the relevant _Satellite Geography_: Teams chat data that consists of chat messages, including private messages, channel messages, and images used in chats.

+## Multi-Geo Capabilities in Microsoft Teams

+Multi-Geo capabilities in Teams enable Teams chat data to be stored at rest in a specified _Macro Region Geography_ or _Local Region Geography_ location. Chat data consists of chat messages, including private messages, channel messages, and images used in chats.

+Teams uses the Preferred Data Location (PDL) for users and groups to determine where to store data. If the PDL isn't set or is invalid, data is stored in the tenant's _Primary Provisioned Geography_ location.

+>[!NOTE]

+>Multi-Geo capabilities in Teams rolled out in July 2021. Your chat and channel messages will be automatically migrated to the correct _Macro Region Geography_ or _Local Region Geography_ location over the next few quarters. Any new PDL changes will be processed after the _Tenant_ has completed the initial sync, and new PDL changes beyond that will be queued and processed in the order they are received.

+### User chat

+User chat includes one-to-one, one-to-many, and private meeting messages.

+When a new user is created, Teams reads the user's PDL and stores all their chat data in that _Macro Region Geography_ or _Local Region Geography_ location.

+For existing users, if an administrator adds or modifies the PDL for a user, that user's chat data is added to a migration queue to be moved to the specified _Macro Region Geography_ or _Local Region Geography_ location.

+The storage location for a one-to-one or one-to-many chat is based on the PDL of the person who created the chat. If that user's PDL is changed, the chat will be migrated to the new _Macro Region Geography_ or _Local Region Geography_ location. The storage location for a meeting chat is based on the PDL of the meeting organizer.

+To find the current location of a user's Teams data, connect to Teams PowerShell and run the following command:

+```PowerShell

+Get-MultiGeoRegion -EntityType User -EntityId <UPN>

+```

+### Channel messages

+Each Microsoft 365 group has a Preferred Data Location (PDL) which denotes the _Geography_ location where related data is to be stored. Teams uses the PDL for the group associated with each team to determine where to store channel messaging data for that team. This includes private channels and chat that occurs within a channel meeting.

+When a user creates a new team, that user's PDL determines what PDL is assigned to the Microsoft 365 group. The group PDL determines where that team's data is stored. If that user's PDL later changes, the group's PDL isn't changed.

+For existing teams, if an administrator adds or modifies the PDL for the Microsoft 365 group that backs a team, that team's channel messaging data is added to a migration queue to be moved to the specified _Macro Region Geography_ or _Local Region Geography_ location.

+Changing the PDL of the Microsoft 365 group queues the Teams data to migrate to the chosen _Macro Region Geography_ or _Local Region Geography_ location. However, this doesn't migrate the SharePoint site or files associated with the Group automatically. You must move the site separately by following the procedures in Move a SharePoint site to a different _Geography_ location. Be sure to do both steps to avoid Teams data and SharePoint data for one group in different locations.

+To find the current location of a team's data, connect to Teams PowerShell and run the following command:

+```PowerShell

+Get-MultiGeoRegion -EntityType Group -EntityId <GroupObjectId>

+```

+### User Experience

+Teams Multi-Geo is seamless to the end user. Once you change the PDL of a user or a group, the respective data will queue for migration and the migration will occur automatically with no impact to the user or their Teams client even if they're active while the migration occurs.

+### Migration

+**Files Tab**

+After the migration is complete the Files tab may take additional time (up to 7 seconds) to fully load when the user first attempts to use it.

+**Read-only period**

+Teams chat services moves each thread individually. The thread is locked in a read-only state during the move, which lasts a few seconds per thread. Threads remain accessible during the migration.

+**In-scope for Migration**

+In addition to Exchange Online, SharePoint Online, and OneDrive for Business; Microsoft will migrate Teams data to the local datacenter.

+- Teams chat messages, including private messages and channel messages.

+- Teams images used in chats.

+Teams files are stored in SharePoint Online and Teams chat files are stored in OneDrive for Business. Voicemail, calendar, and contacts are stored in Exchange Online. In many cases, Exchange Online, SharePoint Online, and OneDrive for Business are already used by the customer in the local datacenter _Geography_ and are also part of the Microsoft 365 migration program for eligible customer countries.

+### How can I determine customer data location?

+You can find the actual data location in _Tenant_ Admin Center. As a _Tenant_ administrator you can find the actual data location, for committed data, by navigating to Admin|Settings|Org Settings|Organization Profile|Data Location.

+ Title: Data Residency for Viva Connections

+description: Data Residency for Viva Connections

+f1.keywords:

+- NOCSH

+- it-pro

+- M365-subscription-management

+# Data Residency for Viva Connections

+## Overview

+Service documentation: [Overview: Viva Connections](/viva/connections/viva-connections-overview)

+Capability Summary: Microsoft Viva Connections is your gateway to a modern employee experience designed to keep everyone engaged and informed. Viva Connections is a customizable app in Microsoft Teams that gives everyone a personalized destination to discover relevant news, conversations, and the tools they need to succeed. Data storage is related to the following Viva Connections Components: Dashboard and feed.

+## Data Residency Commitments Available

+### Advanced Data Residency add-on

+Required Conditions:

+1. _Tenant_ has a sign-up country included in _Local Region Geography_ or _Expanded Local Region Geography_.

+1. _Tenant_ has a valid Advanced Data Residency subscription for all users in the _Tenant_.

+1. The Viva Connections subscription customer data is provisioned in _Local Region Geography_ or _Expanded Local Region Geography_.

+**Commitment:**

+Please refer to the [ADR Commitment page](m365-dr-commitments.md#viva-connections) for the specific customer data at rest commitment for Viva Connections.

+### Migration

+Data is stored within Exchange Online, SharePoint Online and Microsoft Teams. Migration processes are handled by the applicable/relevant workloads.

+### How can I determine customer data location?

+We are in the process of updating the actual data location in _Tenant_ Admin Center. When this change is complete you will be able to see the actual data location, for committed data, by navigating to Admin->Settings->Org Settings->Organization Profile->Data Location. Until that change is visible, you can view the Exchange Online, SharePoint Online and Microsoft Teams data location information in order to understand where your committed data is stored for this service.

+ Title: Data Residency for Viva Topics

+description: Data Residency for Viva Topics

+f1.keywords:

+- NOCSH

+- it-pro

+- M365-subscription-management

+# Data Residency for Viva Topics

+## Summary

+Service documentation: [Microsoft Viva Topics overview](/viva/topics/topic-experiences-overview)

+Capability summary: Viva Topics uses Microsoft Artificial Intelligence technology, Microsoft 365, Microsoft Graph, Search, and other components and services to bring knowledge to your users in the Microsoft 365 apps they use everyday, starting with SharePoint modern pages, Outlook, Microsoft Search, and Search in Word, PowerPoint, and Excel.

+## Data Residency Commitments Available

+### Advanced Data Residency add-on

+Required Conditions:

+1. _Tenant_ has a sign-up country included in _Local Region Geography_ or _Expanded Local Region Geography_.

+1. _Tenant_ has a valid Advanced Data Residency subscription for all users in the _Tenant_.

+1. The Viva Topics subscription customer data is provisioned in _Local Region Geography_ or _Expanded Local Region Geography_.

+**Commitment:**

+Please refer to the [ADR Commitment page](m365-dr-commitments.md#viva-topics) for the specific customer data at rest commitment for Viva Topics.

+## Migration

+Data is stored is maintained within Exchange Online, SharePoint Online and Microsoft Teams. Migration processes are handled by the applicable/relevant workloads.

+## How can I determine customer data location?

+We are in the process of updating the actual data location in _Tenant_ Admin Center. When this change is complete you will be able to see the actual data location, for committed data, by navigating to Admin->Settings->Org Settings->Organization Profile->Data Location. Until that change is visible, you can view the Exchange Online data location information in order to understand where your committed data is stored for this service.

+ Title: User Testing in Multi-Geo

+description: Learn about user testing in Multi-Geo

+f1.keywords:

+- NOCSH

+- it-pro

+- M365-subscription-management

+# User Testing in Multi-Geo

+In Azure Active Directory (Azure AD) there are two types of user objects: cloud only users and synchronized users. Please follow the appropriate instructions for your type of user.

+>[!TIP]

+>We recommend that you begin validations with a test user or small group of users before rolling out multi-geo to your broader organization.

+## Synchronize user's Preferred Data Location using Azure AD Connect

+If your company's users are synchronized from an on-premises Active Directory system to Azure AD, their PreferredDataLocation must be populated in AD and synchronized to Azure AD.

+Follow the process in <a href="/azure/active-directory/hybrid/how-to-connect-sync-feature-preferreddatalocation" target="_blank">Azure Active Directory Connect sync: Configure preferred data location for Microsoft 365 resources</a> to configure Preferred Data Location sync from your on-premises Active Directory Domain Services (AD DS) to Azure AD.

+We recommend that you include setting the user's Preferred Data Location as a part of your standard user creation workflow.

+>[!IMPORTANT]

+>For new users with no OneDrive provisioned, license the account and wait at least 48 hours after a user's PDL is synchronized to Azure AD for the changes to propagate before the user logs in to OneDrive for Business. (Setting the preferred data location before the user logs in to provision their OneDrive for Business ensures that the user's new OneDrive will be provisioned in the correct location.)

+## Setting Preferred Data Location for cloud only users

+If your company's users are not synchronized from an on-premises Active Directory system to Azure AD, meaning they are created in Microsoft 365 or Azure AD, then the PDL must be set using the Microsoft Azure Active Directory Module for Windows PowerShell.

+The procedures in this section require the <a href="https://www.powershellgallery.com/packages/MSOnline/1.1.166.0" target="_blank">Microsoft Azure Active Directory Module for Windows PowerShell Module</a>. If you already have this module installed, please ensure you update to the latest version.

+[Connect and sign in](connect-to-microsoft-365-powershell.md) with a set of global administrator credentials for your _Tenant_.

+Use the [Set-MsolUser](/powershell/module/msonline/set-msoluser) cmdlet to set the preferred data location for each of your users. For example:

+```PowerShell

+Set-MsolUser -UserPrincipalName Robyn.Buckley@Contoso.com -PreferredDatalocation EUR

+```

+You can check to confirm that the preferred data location was updated properly by using the Get-MsolUser cmdlet. For example:

+```PowerShell

+Get-MsolUser -UserPrincipalName Robyn.Buckley@Contoso.com.PreferredDatalocation

+```

+We recommend that you include setting the user's Preferred Data Location as a part of your standard user creation workflow.

+>[!IMPORTANT]

+>or new users with no OneDrive provisioned, license the account and wait at least 48 hours after a user's PDL is set for the changes to propagate before the user logs in to OneDrive. (Setting the preferred data location before the user logs in to provision their OneDrive for Business ensures that the user's new OneDrive will be provisioned in the correct location.)

+## OneDrive for Business Provisioning and the effect of PDL

+If the user already has a OneDrive for Business site created in the _Tenant_, setting their PDL will not automatically move their existing OneDrive. To move a user's OneDrive, see [OneDrive for Business Geo Move](move-onedrive-between-geo-locations.md).

+> [!NOTE]

+> Exchange Online automatically relocates the user's mailbox if the PLD changes and the MailboxRegion no longer matches the Mailbox Database Geo Location code. For more information, see [Administering Exchange Online mailboxes in a multi-geo environment](administering-exchange-online-multi-geo.md).

+If the user does not have a OneDrive for Business site within the _Tenant_, OneDrive for Business will be provisioned for them in accordance to their PDL value, assuming the PDL for the user matches one of the company's satellite locations.

+The Microsoft 365 Multi-Geo Capabilities add-on provides customers with the ability to expand their Microsoft 365 presence to multiple geographic regions or counties within a single existing Microsoft 365 _Tenant_. Multi-Geo enables customers to manage data-at-rest locations at a granular level for their users, SharePoint sites, Microsoft 365 Groups, and Microsoft Teams teams level. Multi-Geo is targeted to customers who have a need to store customer data in multiple geographies at the same time to satisfy their data residency requirements and whose needs may change over time.

+Microsoft 365 Multi-Geo is designed to meet customers' data residency requirements and allow for collaboration between and amongst the customers satellite location and preferred data locations. If customer requires performance optimization functionalities for Microsoft 365, see <a href="https://support.office.com/article/e5f1228c-da3c-4654-bf16-d163daee8848" target="_blank">Network planning and performance tuning for Microsoft 365</a> or contact your support group.

+>[!NOTE]

+>Exchange Online, SharePoint Online, OneDrive for Business and Microsoft Teams are available for Multi-Geo configuration. See the data residency commitment sections for [Exchange Online](m365-dr-workload-exo.md), [SharePoint Online and OneDrive for Business](m365-dr-workload-spo.md), and [Microsoft Teams](m365-dr-workload-teams.md#data-residency-commitments-available) for more details.

+In a Multi-Geo environment, your Microsoft 365 _Tenant_ consists of a central location (where your Microsoft 365 subscription was originally provisioned) and one or more satellite locations. In a Multi-Geo enabled _Tenant_, the information about geo locations, groups, and user information, is mastered in Azure Active Directory (Azure AD). Because your _Tenant_ information is mastered centrally and synchronized into each geo location, sharing and experiences involving anyone from your company contain global awareness.

+Microsoft 365 Multi-Geo is available as an add-on to the following Microsoft 365 subscription plans for Enterprise Agreement customers. Customers must purchase a number of Multi-Geo licenses equal to or greater than 5% of their total eligible seats. User subscription licenses must be on the same Enterprise Agreement as the Multi-Geo Services licenses. Please contact your Microsoft account team for details.

+Note that the _Multi-Geo Capabilities in Microsoft 365_ plan are a user-level add-on license. You need a license for each user that you want to host in a _Satellite Geography_ location. You can add additional licenses over time as you add users in _Satellite Geography_ locations.

+There are no Multi-Geo licenses specific to shared resources such as SharePoint Sites, Microsoft 365 Groups, or Microsoft Teams teams. If enough Multi-Geo user licenses have been acquired, then customers are eligible to use Multi-Geo with SharePoint Sites, Microsoft 365 Groups, and Microsoft Teams teams without limitation.

+Follow these steps to get started with Multi-Geo:

+1. Work with your account team to add the _Multi-Geo Capabilities in Microsoft 365_ service plan. They will guide you to add the number of licenses needed. Multi-Geo feature is available to Enterprise Agreement customers.

+2. Before you can start using Microsoft 365 Multi-Geo, Microsoft needs to configure your Exchange Online _Tenant_ for Multi-Geo support. This one-time configuration process is triggered after you order the _Multi-Geo Capabilities in Microsoft 365_ service plan and the licenses show up in your _Tenant_. You will receive workload-specific notifications in the [Microsoft 365 message center](https://support.office.com/article/38FB3333-BFCC-4340-A37B-DEDA509C2093) once your _Tenant_ has completed the configuration process for each workload, and you then may begin configuring and using your Microsoft 365 Multi-Geo capabilities. The time required to configure a _Tenant_ for Multi-Geo support varies from _Tenant_ to _Tenant_, but most _Tenants_ finish within a month after receipt of the feature licenses. Larger or more complex _Tenants_ may require more time to complete the configuration process. Please contact your account team for details on your specific _Tenant_ should you require it.

+3. Read [Plan your multi-geo environment](plan-for-multi-geo.md).

+4. Learn about [administering a multi-geo environment](administering-a-multi-geo-environment.md) and [how your users will experience the environment](multi-geo-user-experience.md).

+5. When you are ready to set up Microsoft 365 Multi-Geo, [configure your tenant for multi-geo](multi-geo-tenant-configuration.md).

+6. [Set up search](configure-search-for-multi-geo.md).

+

+> [!NOTE]

+> For more information on the Microsoft 365 services that support Multi-Geo please see the [EXO](m365-dr-workload-exo.md), [ODSP](m365-dr-workload-spo.md) and [Teams](m365-dr-workload-teams.md) workload data residency pages for more details.

+When users in a multi-geo environment create a Microsoft 365 group, the group preferred data location (PDL) is automatically set to that of the user. Global, SharePoint, and Exchange Administrators can create groups in any _Geography_ they select.

+To create a Microsoft 365 group with the PDL that you specify, go to the <a href="https://go.microsoft.com/fwlink/?linkid=2185219" target="_blank">SharePoint admin center</a> in the _Geography_ location where you want to create the group site.

+Your group site will be provisioned in the _Geography_ location corresponding to the SharePoint admin center from which you initiated the site creation request.

+Using Exchange PowerShell

+Connect to Exchange Online PowerShell and pass the parameter _-MailBoxRegion_ with the geo location code.

+For example:

+> [!NOTE]

+[eDiscovery (Premium) capabilities](../compliance/overview-ediscovery-20.md) allow a Multi-Geo eDiscovery administrator to search all of the _Geographies_ without needing to utilize a "Region" security filter. Data is exported to the Azure instance of the _Primary Provisioned Geography_ location of the multi-geo _Tenant_.

+Without eDiscovery (Premium) capabilities, an eDiscovery manager or administrator of a Multi-Geo _Tenant_ will be able to conduct eDiscovery only in the _Primary Provisioned Geography_ location of that _Tenant_. To support the ability to conduct eDiscovery for _Satellite Geography_ locations, a new compliance security filter parameter named "Region" is available via PowerShell. This parameter can be used by _Tenants_ whose _Primary Provisioned Geography_ location is in North America, Europe, or Asia Pacific. eDiscovery (Premium) is recommended for _Tenants_ whose _Primary Provisioned Geography_ location is not in North America, Europe, or Asia Pacific and who need to perform eDiscovery across _Satellite Geography_ locations.

+The Microsoft 365 global administrator must assign eDiscovery Manager permissions to allow others to perform eDiscovery and assign a "Region" parameter in their applicable Compliance Security Filter to specify the _Geography_ for conducting eDiscovery as _Satellite Geography_ location, otherwise, no eDiscovery will be carried out for the _Satellite Geography_ location. Only one "Region" security filter per user is supported.

+When the eDiscovery Manager or Administrator role is set for a particular _Satellite Geography_ location, the eDiscovery Manager or Administrator will only be able to perform eDiscovery search actions against the SharePoint sites and OneDrive sites located in that _Satellite Geography_ location. If an eDiscovery Manager or Administrator attempts to search SharePoint or OneDrive sites outside the specified _Satellite Geography_ location, no results will be returned. Also, when the eDiscovery Manager or Administrator for a _Satellite Geography_ location triggers an export, data is exported to the Azure instance of that region. This helps organizations stay in compliance by not allowing content to be exported across controlled borders.

+> If it's necessary for an eDiscovery Manager to search across multiple SharePoint _Satellite Geography_ locations, another user account will need to be created for the eDiscovery Manager which specifies the alternate _Satellite Geography_ location where the OneDrive or SharePoint sites are located.

+# Microsoft 365 Multi-Geo _Tenant_ configuration

+Before you configure your _Tenant_ for Microsoft 365 Multi-Geo, be sure you have read [Plan for Microsoft 365 Multi-Geo](plan-for-multi-geo.md).

+To follow the steps in this article, you'll need a list of the _Geography_ locations that you want to enable as _Satellite Geography_ locations, and the test users that you want to provision for those locations.

+Not all Multi-Geo workloads require customer driven configuration.

+## Configuring Exchange Online for Multi-Geo

+There is no customer driven configuration required to prepare Exchange Online in a Multi-Geo enabled _Tenant_. A customer may use all Geographies with Exchange Online as soon as Multi-Geo has been enabled within Exchange Online for their _Tenant_.

+## Configuring Microsoft Teams for Multi-Geo

+There is no customer driven configuration required to prepare Microsoft Teams in a Multi-Geo enabled tenant. A customer may use all Geographies with Microsoft Teams as soon as Multi-Geo has been enabled within Microsoft Teams for their _Tenant_.

+## Configuring SharePoint Online and OneDrive for Business for Multi-Geo

+If you want to store data in a particular Geography, then that Geography must be configured for SharePoint Online and OneDrive ahead of time.

+Once Multi-Geo has been enabled for your _Tenant_ in SharePoint Online and OneDrive for Business, the **Geo Locations** tab will become available in the OneDrive for Business and SharePoint Online admin centers. If you do not see the **Geo Locations** tab, then your _Tenant_ has not yet finished being enabled for Multi-Geo.

+To add each Satellite Geography location for SharePoint and OneDrive where you want to store data:

+1. Open the SharePoint admin center. and go to **Geo locations**.

+Provisioning may take from a few hours up to 72 hours, depending on the size of your _Tenant_. Once provisioning of a _Satellite Geography_ location has completed, you will receive an email confirmation. When the new _Geography_ location appears in blue on the map on the Geo locations tab in the OneDrive and SharePoint admin center, then you can proceed to set users' preferred data location to that _Geography_ location.

+> Your new _Satellite Geography_ location will be set up with default settings. This will allow you to configure that _Satellite Geography_ location as appropriate for your local compliance needs.

+# User experience in a Multi-Geo environment

+Here's what your users will see in a OneDrive for Business Multi-Geo configuration:

+## Exchange Online mailbox

+A user's Exchange Online mailbox is provisioned to their preferred data location, and is automatically relocated if their PDL changes. Users can use Outlook and Outlook on the web normally with no change in user experience in a Multi-Geo environment.

+SharePoint Online Hub sites enhance the discovery and engagement with content for employees, while creating a complete and consistent representation of projects, departments or regions. In a Multi-Geo environment, sites from satellite locations can easily be associated with a hub site regardless the hub site's _Geography_ location. Users can search and get results across the hub through a single search experience, regardless of the geo location of the sites.

+The app launcher is multi-geo aware and will direct each tile to the appropriate geo location of the workload. The SharePoint Online and OneDrive for Business tiles will point the user to the location corresponding to the user's provisioned geo location. This means that is the user has a OneDrive for Business in the central location, their SharePoint Online tile will point them to SP Home in the central location but their group site will be provisioned in the location corresponding to their PDL.

+Office applications such as Microsoft Word, Excel, and PowerPoint will automatically detect the correct OneDrive for Business geo-location for each user when they log in. Users do not need to enter the geo-specific URL for their OneDrive for Business or SharePoint Online sites.

+## OneDrive for Business sync app

+The OneDrive for Business sync app (version 17.3.6943.0625 and later) will automatically detect the correct OneDrive _Geography_ location for the user. Sync app support includes the ability to sync groups-based sites regardless of their _Geography_ location. The Groove sync client is not supported for Multi-Geo.

+## OneDrive for Business location

+Users will have their OneDrive for Business provisioned in their preferred data location. If a user navigates to a OneDrive for Business URL that contains an incorrect _Geography_ location (such as a bookmark from a previous geo location), they are automatically redirected to the OneDrive for Business in the appropriate geo location.

+## OneDrive for Business iOS and Android

+The OneDrive iOS and Android mobile apps will show you your OneDrive for Business files and files shared with you regardless of their _Geography_ location. Search from the OneDrive for Business mobile apps will show relevant results from all _Geography_ locations. Download the latest version of these apps.

+## OneDrive for Business Mobile Client

+The OneDrive for Business Mobile Client is Multi-Geo aware and will display pertinent content and results from all _Geography_ locations.

+Each _Geography_ location has its own search index and Search Center. When a user searches, the query is sent to all the _Geography_ locations, and the returned results are merged and then ranked so the user gets unified results. Users get results from all _Geography_ locations regardless of their own _Geography_ location. See [Configure Search for OneDrive for Business Multi-Geo](configure-search-for-multi-geo.md) for specifics.

+- OneDrive for Business

+- Office Delve

+- SharePoint Online Home

+## SharePoint Online Home

+In SharePoint Online Multi-Geo, your SharePoint Online home is hosted in the location where the user resides as determined by their OneDrive for Business location. For example: if the user has their OneDrive for Business hosted in a European satellite location, their SharePoint Online Home will be rendered from Europe. SharePoint Online home includes all content relevant to the user regardless of its _Geography_ location.

+All of these components will show up for the user regardless of the _Geography_ location where the content is hosted, so long as the user has permissions to said content.

+Admins may configure Featured links in SharePoint Online home as appropriate to each _Geography_ location. This allows the admin to feature in the SP Home for each region the links that are appropriate for users in the region.

+The People Picker experience shows all users regardless of their _Geography_ location. This allows a user to share with another user in their same geo or in any other of your _Tenant's_ _Geography_ locations. Content from different _Geography_ locations will show up in the **Shared with Me** view in the user's OneDrive for Business, Word, Excel, PowerPoint, and Office.com and can be accessed with Single Sign-On experience regardless of which _Geography_ location it is hosted in.

+## Microsoft Teams Experience

+Microsoft Teams is a Multi-Geo service. OneDrive for Business files and recently viewed files are shown regardless of the user's _Geography_ location. @ mentions work with users from all _Geography_ locations.

+User profile information is mastered in the user's _Geography_ location. When selecting a user, you will be directed to the appropriate _Geography_ location for the user, where you will see their full profile details.

+If Office Delve is turned off, you will see the classic profile experience in SharePoint Online, which is not Multi-Geo aware.