Configure data boundary
This documentation provides details on how customers can configure Azure Resource Manager for use in a data boundary. The only data boundary configuration currently supported, aside from the default Global configuration, is for the European Union (EU). The EU Data Boundary is a geographically defined boundary within which Microsoft has committed to store and process Customer Data and pseudonymized personal data, and store Professional Services Data for Microsoft enterprise online services, including Azure, Dynamics 365, Power Platform, and Microsoft 365, subject to limited circumstances where personal data continue to be transferred outside the EU Data Boundary. For more information, see Overview of the EU Data Boundary.
Important
To store Professional Services Data in the EU Data Boundary for Azure, customers must configure Azure Resource Manager to the EU Data Boundary. This documentation provides details on how customers can configure Azure Resource Manager for use in the EU Data Boundary.
A data boundary can only be established in new tenants that have no existing subscriptions or deployed resources. Once a tenant is opted into a data boundary, the data boundary configuration cannot be removed or modified. Subscriptions and resources created under a tenant with a data boundary cannot be moved out of that tenant. Existing subscriptions and resources cannot be moved into a tenant with a data boundary. Each tenant is limited to one data boundary, and after the data boundary is configured, Azure Resource Manager will restrict resource deployments to regions within that boundary. A Global data boundary has no restrictions on the regions a resource can deploy to. Customers can opt their tenants into a data boundary by deploying a Microsoft.Resources/dataBoundaries resource at the tenant level.
The DataBoundaryTenantAdministrator built-in role is required to configure a data boundary. For more information, see Permissions required.
To opt your tenant into an Azure EU Data Boundary:
- Create a new tenant within an EU country or region to configure a Microsoft Entra EU Data Boundary. For more information on how to create a new tenant within an EU country or region, see Create a new tenant in Microsoft Entra ID.
- Before creating any new subscriptions or resources, deploy a Microsoft.Resources/dataBoundaries resource with an EU configuration.
- Create a subscription and deploy Azure resources.
Permissions required
To configure a data boundary, the DataBoundaryTenantAdministrator built-in role is required at the tenant scope. Use the following steps to assign the role:
- Elevate access to manage all Azure subscriptions and management groups. For more information, see Elevate access to manage all Azure subscriptions and management groups.
- With the User Access Administrator privilege, grant yourself the DataBoundaryTenantAdministrator role at the tenant scope (/) by using Azure CLI, Azure PowerShell, or the REST API.
DATA_BOUNDARY_TENANT_ADMINISTRATOR_ROLE_ID="d1a38570-4b05-4d70-b8e4-1100bcf76d12"
az role assignment create --assignee "{assignee}" --role "$DATA_BOUNDARY_TENANT_ADMINISTRATOR_ROLE_ID" --scope "/"
For more information, see Assign Azure roles.
Create data boundary
Data boundary geo currently has two options:
Data boundary geo | Description |
---|---|
Global | By default, all tenants have a global data boundary. |
EU | Establish an EU data boundary. |
To opt a tenant into a data boundary, use the following command.
az data-boundary create --data-boundary <data-boundary-geo> --default default
The --default switch is currently mandatory but will be phased out in the future.
For more information, see Azure CLI Reference.
Read data boundary
To read the data boundary at a specified scope, pass one of the following scope values:
Scope | Value |
---|---|
Tenant | (empty) |
Subscription | subscriptions/{subscriptionId} |
Resource group | subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName} |
az data-boundary show --scope <scope-path> --default default
To get the data boundary of the tenant:
az data-boundary show-tenant --default default
The --default switch is currently mandatory but will be phased out in the future.
For more information, see Azure CLI Reference.
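The end-to-end opt-in, covering the permission steps, the create command, and the read-back from the sections above, as an added shell example that is not part of this page or of Azure CLI itself. It assumes you have already signed in to the new, empty tenant (az login --tenant <tenant-id> --allow-no-subscriptions) as a user who can elevate access; the role ID is the one given on this page, while the DRY_RUN switch, the run helper, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the page or Microsoft): opt a brand-new tenant into
# the EU data boundary with Azure CLI, in the order the page requires
# (elevate, assign role at "/", create the boundary, then verify).
# Assumptions: you are logged in to the new tenant with
#   az login --tenant <tenant-id> --allow-no-subscriptions
# and the signed-in user is allowed to elevate access.
# Set DRY_RUN=1 to print the az commands instead of executing them.
set -eu

# Built-in role ID from the page (DataBoundaryTenantAdministrator).
DATA_BOUNDARY_TENANT_ADMINISTRATOR_ROLE_ID="d1a38570-4b05-4d70-b8e4-1100bcf76d12"

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The boundary can only be set on an empty tenant: abort if any subscription
# is visible. (The page also excludes management groups and resources; this
# check covers subscriptions only.) Skipped in dry run.
assert_tenant_empty() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        return 0
    fi
    count=$(az account list --all --query "length(@)" -o tsv)
    if [ "$count" != "0" ]; then
        printf 'tenant already has %s subscription(s); data boundary cannot be set\n' "$count" >&2
        return 1
    fi
}

# Step 1: elevate access so the caller can assign roles at the root scope "/".
elevate_access() {
    run az rest --method post \
        --url "/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"
}

# Step 2: grant DataBoundaryTenantAdministrator at "/" to the given principal.
# Note the $ on the variable: passing the bare variable name as --role fails.
assign_data_boundary_role() {
    assignee="$1"
    run az role assignment create \
        --assignee "$assignee" \
        --role "$DATA_BOUNDARY_TENANT_ADMINISTRATOR_ROLE_ID" \
        --scope "/"
}

# Step 3: create the tenant-level Microsoft.Resources/dataBoundaries resource.
# Only the geos the page lists are accepted; --default default is mandatory.
create_data_boundary() {
    geo="$1"
    case "$geo" in
        EU|Global) ;;
        *) printf 'unsupported data boundary geo: %s\n' "$geo" >&2; return 1 ;;
    esac
    run az data-boundary create --data-boundary "$geo" --default default
}

# Step 4: read the tenant's data boundary back to confirm it took effect.
show_tenant_data_boundary() {
    run az data-boundary show-tenant --default default
}

# Full procedure; subscriptions are created only after this succeeds.
opt_in_eu() {
    assignee="$1"
    assert_tenant_empty
    elevate_access
    assign_data_boundary_role "$assignee"
    create_data_boundary EU
    show_tenant_data_boundary
}

# Usage (real run): ./opt_in.sh <user-or-service-principal-object-id>
# Usage (dry run):  DRY_RUN=1 ./opt_in.sh <object-id>
if [ "${1:-}" != "" ]; then
    opt_in_eu "$1"
fi
```

Run it with DRY_RUN=1 first to review the exact commands; the tenant-emptiness check is the one step that cannot be undone if skipped, because the boundary cannot be removed once set.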
Troubleshooting
The following table lists the data boundary related error messages:
Error code | Error message | Explanation |
---|---|---|
NonEmptyTenantCannotChangeDataBoundary | Tenant <tenant-name> already contains subscriptions. Data boundary update for non-empty tenants is not supported. | Customers can only apply an Azure data boundary to a brand new tenant with no management groups, subscriptions, or resources. |
AuthorizationFailed | The client <client-name> with object ID <object-id> does not have authorization to perform action Microsoft.Resources/dataBoundaries/write over scope <scope-name> or the scope is invalid. If access was recently granted, please refresh your credentials. | Ensure you have the Data Boundary Administrator role at the tenant scope. See Permissions Required. |
InvalidResourceLocation, InvalidResourceGroupLocation | Invalid resource group location <region-name>. The tenant ID for the given subscription is opted into the <data-boundary-geo> data boundary. The resource group location is restricted by the data boundary. List of regions in the data boundary is: <region-list>. | Once a data boundary applies to a tenant, users can only create resources in regions within the data boundary. For example, users cannot create resources in WestUS if an EU data boundary is applied to the tenant. To resolve this error, pick a region from the list returned in the error message. |
InvalidSubscriptionMoveDataBoundary | Transfer action failed. Transfer of this subscription is not allowed due to data boundary restrictions on the tenant. | It is not possible to move a subscription if the source or target tenants have a non-global data boundary. Subscription move is blocked even if the source and target tenants have the same data boundary. |
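To make the table above usable from automation, here is an added shell example (not from this page or from Azure) that reads an ARM error body, decides whether it is one of the data boundary errors listed, and for the region-restriction case checks a requested region against the region list embedded in the message. The JSON bodies, the principal, and the region names are constructed samples; the example assumes the usual {"error":{"code":...,"message":...}} body shape (as returned verbatim by az rest or the REST API) and that the region list is comma-separated, which the page does not state.

```shell
#!/bin/sh
# Added example (not from the page or Azure): triage ARM error bodies against
# the data boundary error codes in the troubleshooting table.
# Assumptions: body has the {"error":{"code":...,"message":...}} shape and the
# region list in the message is comma-separated.
set -eu

# Constructed sample error bodies (region names and principal are illustrative).
SAMPLE_REGION_ERROR='{"error":{"code":"InvalidResourceGroupLocation","message":"Invalid resource group location westus. The tenant ID for the given subscription is opted into the EU data boundary. The resource group location is restricted by the data boundary. List of regions in the data boundary is: westeurope, northeurope, swedencentral."}}'
SAMPLE_AUTH_ERROR='{"error":{"code":"AuthorizationFailed","message":"The client alice@example.test with object ID 00000000-0000-0000-0000-000000000000 does not have authorization to perform action Microsoft.Resources/dataBoundaries/write over scope / or the scope is invalid. If access was recently granted, please refresh your credentials."}}'
SAMPLE_OTHER_ERROR='{"error":{"code":"ResourceNotFound","message":"The Resource was not found."}}'

# Print the first "code" value found in an ARM error body.
error_code() {
    printf '%s' "$1" | sed -n 's/.*"code"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Return 0 when the body is one of the data boundary errors from the table.
# AuthorizationFailed is a generic code, so it only counts when the denied
# action is a Microsoft.Resources/dataBoundaries operation.
is_data_boundary_error() {
    body="$1"
    case "$(error_code "$body")" in
        NonEmptyTenantCannotChangeDataBoundary|InvalidResourceLocation|InvalidResourceGroupLocation|InvalidSubscriptionMoveDataBoundary)
            return 0 ;;
        AuthorizationFailed)
            if printf '%s' "$body" | grep -q 'Microsoft.Resources/dataBoundaries/'; then
                return 0
            else
                return 1
            fi ;;
        *)
            return 1 ;;
    esac
}

# Print one region per line from an InvalidResourceLocation message.
regions_in_boundary() {
    printf '%s' "$1" \
        | sed -n 's/.*List of regions in the data boundary is: *\([^.]*\)\..*/\1/p' \
        | tr -d ' ' | tr ',' '\n'
}

# Return 0 when the requested region appears in the error's region list
# (region names are compared case-insensitively).
region_allowed() {
    body="$1"
    region="$2"
    if regions_in_boundary "$body" | grep -qix "$region"; then
        return 0
    else
        return 1
    fi
}

# Triage: report the code, whether it is a data boundary error, and for a
# region restriction whether the region you intended to use is allowed.
triage() {
    body="$1"
    region="${2:-}"
    code=$(error_code "$body")
    if is_data_boundary_error "$body"; then
        printf '%s: data boundary error\n' "$code"
    else
        printf '%s: not a data boundary error\n' "$code"
        return 0
    fi
    case "$code" in
        InvalidResourceLocation|InvalidResourceGroupLocation)
            if [ -n "$region" ]; then
                if region_allowed "$body" "$region"; then
                    printf 'region %s is inside the boundary\n' "$region"
                else
                    printf 'region %s is outside the boundary; allowed: %s\n' "$region" \
                        "$(regions_in_boundary "$body" | tr '\n' ' ')"
                fi
            fi ;;
    esac
}

# Usage with a live call: triage "$(az rest ... 2>&1)" westus
triage "$SAMPLE_REGION_ERROR" westus
triage "$SAMPLE_AUTH_ERROR"
triage "$SAMPLE_OTHER_ERROR"
```

The region check is the part worth keeping in a deployment pipeline: a failed resource group creation in a boundary-restricted tenant is a configuration mistake, not a permissions problem, and the allowed regions are already in the message.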
Next steps
For more information, see Overview of the EU Data Boundary.