Data residency and customer data for Microsoft Entra multifactor authentication

Microsoft Entra ID stores customer data in a geographical location based on the address an organization provides when subscribing to a Microsoft online service such as Microsoft 365 or Azure. For information on where your customer data is stored, see Where your data is located in the Microsoft Trust Center.

Cloud-based Microsoft Entra multifactor authentication and MFA Server process and store personal data and organizational data. This article outlines what and where data is stored.

The Microsoft Entra multifactor authentication service has datacenters in the United States, Europe, and Asia Pacific. The following activities originate from the regional datacenters except where noted:

  • Multifactor authentication SMS and phone calls originate from datacenters in the customer's region and are routed by global providers. Phone calls using custom greetings always originate from data centers in the United States.
  • General purpose user authentication requests from other regions are currently processed based on the user's location.
  • Push notifications that use the Microsoft Authenticator app are currently processed in regional datacenters based on the user's location. Vendor-specific device services, such as Apple Push Notification Service or Google Firebase Cloud Messaging, might be outside the user's location.

Personal data stored by Microsoft Entra multifactor authentication

Personal data is user-level information that's associated with a specific person. The following data stores contain personal information:

  • Blocked users
  • Bypassed users
  • Microsoft Authenticator device token change requests
  • Multifactor authentication activity reports—store multifactor authentication activity from the multifactor authentication on-premises components: NPS Extension, AD FS adapter and MFA server.
  • Microsoft Authenticator activations

This information is retained for 90 days.

Microsoft Entra multifactor authentication doesn't log personal data such as usernames, phone numbers, or IP addresses. However, UserObjectId identifies authentication attempts to users. Log data is stored for 30 days.

Data stored by Microsoft Entra multifactor authentication

For Azure public clouds, excluding Azure AD B2C authentication, the NPS Extension, and the Windows Server 2016 or 2019 Active Directory Federation Services (AD FS) adapter, the following personal data is stored:

Event type Data store type
OATH token Multifactor authentication logs
One-way SMS Multifactor authentication logs
Voice call Multifactor authentication logs
Multifactor authentication activity report data store
Blocked users (if fraud was reported)
Microsoft Authenticator notification Multifactor authentication logs
Multifactor authentication activity report data store
Blocked users (if fraud was reported)
Change requests when the Microsoft Authenticator device token changes

For Microsoft Azure Government, Microsoft Azure operated by 21Vianet, Azure AD B2C authentication, the NPS extension, and the Windows Server 2016 or 2019 AD FS adapter, the following personal data is stored:

Event type Data store type
OATH token Multifactor authentication logs
Multifactor authentication activity report data store
One-way SMS Multifactor authentication logs
Multifactor authentication activity report data store
Voice call Multifactor authentication logs
Multifactor authentication activity report data store
Blocked users (if fraud was reported)
Microsoft Authenticator notification Multifactor authentication logs
Multifactor authentication activity report data store
Blocked users (if fraud was reported)
Change requests when the Microsoft Authenticator device token changes

Data stored by MFA Server

If you use MFA Server, the following personal data is stored.

Important

In September 2022, Microsoft announced deprecation of Azure Multifactor authentication Server. Beginning September 30, 2024, Azure Multifactor authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should migrate their users’ authentication data to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent Azure MFA Server update. For more information, see Azure MFA Server Migration.

Event type Data store type
OATH token Multifactor authentication logs
Multifactor authentication activity report data store
One-way SMS Multifactor authentication logs
Multifactor authentication activity report data store
Voice call Multifactor authentication logs
Multifactor authentication activity report data store
Blocked users (if fraud was reported)
Microsoft Authenticator notification Multifactor authentication logs
Multifactor authentication activity report data store
Blocked users (if fraud was reported)
Change requests when Microsoft Authenticator device token changes

Organizational data stored by Microsoft Entra multifactor authentication

Organizational data is tenant-level information that can expose configuration or environment setup. Tenant settings from the multifactor authentication pages might store organizational data such as lockout thresholds or caller ID information for incoming phone authentication requests:

  • Account lockout
  • Fraud alert
  • Notifications
  • Phone call settings

For MFA Server, the following pages might contain organizational data:

  • Server settings
  • One-time bypass
  • Caching rules
  • Multi-Factor Authentication Server status

Multifactor authentication activity reports for public cloud

Multifactor authentication activity reports store activity from on-premises components: NPS Extension, AD FS adapter, and MFA server. The multifactor authentication service logs are used to operate the service. The following sections show where activity reports and services logs are stored for specific authentication methods for each component in different customer regions. Standard voice calls may failover to a different region.

Note

The multifactor authentication activity reports contain personal data such as User Principal Name (UPN) and complete phone number.

MFA server and cloud-based MFA

Component Authentication method Customer region Activity report location Service log location
MFA server All methods Any United States MFA backend in United States
Cloud MFA All methods Any Microsoft Entra sign-in logs in region Cloud in-region

Multifactor authentication activity reports for sovereign clouds

The following table shows the location for service logs for sovereign clouds.

Sovereign cloud Sign-in logs Multifactor authentication activity report Multifactor authentication service logs
Microsoft Azure operated by 21Vianet China United States United States
Microsoft Government Cloud United States United States United States

Next steps

For more information about what user information is collected by cloud-based Microsoft Entra multifactor authentication and MFA Server, see Microsoft Entra multifactor authentication user data collection.