Respond to personal data deletion requests (Microsoft Entra ID)
The European Union (EU) General Data Protection Regulation (GDPR) gives significant rights to individuals regarding their data. Refer to the Microsoft Learn General Data Protection Regulation Summary for an overview of GDPR, including terminology, an action plan, and readiness checklists to help you meet your obligations under GDPR when using Microsoft products and services.
You can learn more about GDPR and how Microsoft helps support it and our customers who are affected by it.
- The Microsoft Trust Center provides general information, compliance best practices, and documentation helpful to GDPR accountability, such as Data Protection Impact Assessments, Data Subject Requests, and data breach notification.
- The Service Trust portal provides information about how Microsoft services help support compliance with GDPR.
Note
This article provides instructions for deleting personal data from the device or service and can help you meet your obligations under GDPR. For general information about GDPR, see the GDPR section of the Microsoft Trust Center and the GDPR section of the Service Trust portal.
The right of erasure allows data subjects to request the removal of their personal data from an organization's customer data. This personal data includes system-generated logs but excludes audit logs.
In addition, when a user leaves your organization, an admin must determine whether to delete data and resources that the user created as part of their Power Automate flows. Other personal data is automatically deleted when the user's account is deleted from Microsoft Entra ID.
The following table shows which personal data is automatically deleted, and which data an admin must manually review and delete, for users who authenticate by using Microsoft Entra ID.
Requires manual review and deletion | Automatically deleted when the user is deleted from Microsoft Entra ID |
---|---|
|
|
* Each of these resources contains "Created By" and "Modified By" records that include personal data. For security reasons, these records are retained until the resource is deleted.
** For environments that include a Dataverse database, environment permissions (that is, which users are assigned to the Environment Maker and Admin roles) are stored as records in Dataverse. Learn more about running data requests against Dataverse customer data.
The following table summarizes where to find and delete a user's personal data in Power Automate.
- Website access: Sign in to the Power Apps admin center or Power Platform admin center.
- PowerShell access: Use Power Apps Admin PowerShell cmdlets.
Resources containing personal data | Website access | PowerShell access | Automated deletion |
---|---|---|---|
System-generated logs | Office 365 Service Trust Portal | ||
Environment | Power Automate admin center | Power Apps cmdlets | |
Environment permissions* | Power Automate admin center | Power Apps cmdlets | |
Run history | Deleted through the 28-day retention policy | ||
Activity feed | Deleted through the 28-day retention policy | ||
User jobs | |||
Flows | Power Automate maker portal** | ||
Flow permissions | Power Automate maker portal | ||
User details | Power Apps cmdlets | ||
Connections | Power Automate maker portal | ||
Connection permissions | Power Automate maker portal | ||
Custom connector | Power Automate maker portal | ||
Custom connector permissions | Power Automate maker portal | ||
Approval history | Power Apps maker portal* |
* For environments that include a Dataverse database, environment permissions and model-driven app permissions are stored as records in Dataverse. Learn more about running data requests against Dataverse customer data.
** An admin can access these resources from the Power Automate maker portal only if the admin has been assigned access from the Power Automate admin center.
Run data deletion requests
Important
To avoid data corruption, follow these steps in order.
- Reassign and copy the user's flows.
- Delete the user's approval history.
- Delete connections created by the user.
- Delete the user's permissions to shared connections.
- Delete custom connectors created by the user.
- Delete the user's permissions to shared custom connectors.
- Delete or reassign environments created by the user.
- Delete gateway settings.
- Delete the user's details.
- Delete the user from Microsoft Entra ID.
Reassign and copy the user's flows
If a departing user or a user who has requested the deletion of their personal data has created flows that are widely used in your organization, don't delete them. Instead, copy them, assign the copies to new owners, and establish new connections. When the flows are copied, personal identifier linkages to the departing user are deleted.
- Sign in to Power Platform admin center.
- Select the environment that contains the user's flows.
- Select Resources > Flows, and then select a flow to reassign.
- Select Manage sharing, and add yourself as an owner.
- Select Save.
- Sign in to Power Automate.
- Select My flows > Team flows.
- In the list of flows, select the vertical ellipsis (⋮) for the flow that you want to copy, and then select Save As.
- Establish any connections that are required, and then select Continue.
- Enter a new name for the flow, and then select Save.
- Turn on the copied flow.
- Delete the original flow.
- Select the ellipsis (…), and then select Delete.
- Select Delete again when you're prompted.
Delete the user's approval history
Approval responses include personal information in the form of approval assignments and comments.
Sign in to Power Automate or PowerApps.
On the left navigation pane, select Data, and then select Tables.
Select the All tab.
Find the Approvals table, and select the vertical ellipsis (⋮).
Select Edit or Edit in new tab.
Alternatively, select Edit data in Excel to work in Excel and delete the records there.
If the Owner column doesn't appear, select the +<number> more column heading, select Owner, and then select Save.
Select the Owner column heading, and then select Filter by.
Enter the name of the user whose data you want to delete, and then select Delete records.
Go back to the main table list that you found in step 3, and repeat steps 4 through 8 for each of the following tables:
- Approval Requests
- Approval Response
- Basic Approval Model Data
- Await All Approval Model
- Await All Action Approval model
- Approval step
- Action Approval Model
To learn more, go to Responding to Data Subject Rights (DSR) requests for Microsoft Dataverse customer data.
Delete connections created by the user
Connections include references to the user who created them. Users can delete their own connections by using PowerShell cmdlets. In addition, admins can use the cmdlets to delete users' connections. Learn more about Power Apps PowerShell cmdlets.
The following PowerShell script deletes connections that were created by the user who runs the script:
Add-PowerAppsAccount
#Retrieves all connections for the calling user and deletes them
Get-AdminPowerAppConnection | Remove-Connection
The following PowerShell script deletes connections that were created by the user who has the specified userID
value:
Add-PowerAppsAccount
$deleteDsrUserId = "{userID}"
#Retrieves all connections for the specified userID and deletes them
Get-AdminPowerAppConnection -CreatedBy $deleteDsrUserId | Remove-AdminConnection
Delete the user's permissions to shared connections
Users can delete their own connection role assignments for shared connections by using PowerShell cmdlets. In addition, admins can use the cmdlets to delete users' connection permissions. Learn more about Power Apps PowerShell cmdlets.
The following PowerShell script deletes connection role assignments for the user who runs the script:
Add-PowerAppsAccount
#Retrieves all connection role assignments for the calling user and deletes them
Get-ConnectionRoleAssignment | Remove-ConnectionRoleAssignment
The following PowerShell script deletes connection role assignments for the user who has the specified userID
value:
Add-PowerAppsAccount
$deleteDsrUserId = "{userID}"
#Retrieves all shared connections for the specified userID and deletes their permissions
Get-AdminConnectionRoleAssignment -PrincipalObjectId $deleteDsrUserId | Remove-AdminConnectionRoleAssignment
Note
Owner role assignments can't be deleted unless the connection resource is deleted first.
Delete custom connectors created by the user
Custom connectors include references to the user who created them. Users can delete their own custom connectors by using PowerShell cmdlets. In addition, admins can use the cmdlets to delete users' custom connectors. Learn more about Power Apps PowerShell cmdlets.
The following PowerShell script deletes custom connectors that were created by the user who runs the script:
Add-PowerAppsAccount
#Retrieves all custom connectors for the calling user and deletes them
Get-Connector -FilterNonCustomConnectors | Remove-Connector
The following PowerShell script deletes connection role assignments for the user who has the specified userID
value:
Add-PowerAppsAccount
$deleteDsrUserId = "{userID}"
#Retrieves all custom connectors created by the specified userID and deletes them
Get-AdminConnector -CreatedBy $deleteDsrUserId | Remove-AdminConnector
Delete the user's permissions to shared custom connectors
Users can delete their own custom connector role assignments by using PowerShell cmdlets. In addition, admins can use the cmdlets to delete users' custom connector role assignments. Learn more about Power Apps PowerShell cmdlets.
The following PowerShell script deletes custom connector role assignments for the user who runs the script:
Add-PowerAppsAccount
#Retrieves all connector role assignments for the calling user and deletes them
Get-ConnectorRoleAssignment | Remove-ConnectorRoleAssignment
The following PowerShell script deletes custom connector role assignments for the user who has the specified userID
value:
Add-PowerAppsAccount
$deleteDsrUserId = "{userID}"
#Retrieves all custom connector role assignments for the specified userID and deletes them
Get-AdminConnectorRoleAssignment -PrincipalObjectId $deleteDsrUserId | Remove-AdminConnectorRoleAssignment
Note
Owner role assignments can't be deleted unless the connection resource is deleted first.
Delete or reassign environments created by the user
As an admin who is responding to a user's data deletion request, you have two options for each environment that the user created:
- If you determine that the environment isn't being used by anyone else in your organization, you can delete it.
- If you determine that the environment is still required, you can add yourself or another user in your organization as an Environment Admin.
Important
if you delete an environment, you permanently delete all resources in it, including apps, flows, and connections. Always review the contents of an environment before you delete it.
Delete the user's permissions in all environments or give other users access to the user's environments
You can remove the user's role assignments in all environments in your organization. You can also grant admin access to an environment that the user created. Learn more about managing environments.
Delete gateway settings
Learn more about responding to data export requests for on-premises data gateways.
Delete the user's details
Before you perform this step, make sure that you've reassigned and deleted all the user's flows. Otherwise, the PowerShell cmdlet returns an error.
Add-PowerAppsAccount
Remove-AdminFlowUserDetails -UserId {userID}
Delete the user from Microsoft Entra ID
The final step is to delete the user's Microsoft Entra account.
Note
For information about viewing, deleting, and exporting personal data, see Azure Data Subject Requests for GDPR. For general information about GDPR, see the GDPR section of the Microsoft Trust Center and the GDPR section of the Service Trust portal.
Delete the user from an unmanaged tenant
If the user is a member of an unmanaged tenant, you can close the user's account from the Work and School Privacy portal.
To determine whether the user is a member of a managed or unmanaged tenant, follow these steps:
Open the following URL in a browser. Replace
foobar@contoso.com
with the user's email address.https://login.microsoftonline.com/common/userrealm/foobar@contoso.com?api-version=2.1
If the response includes
"IsViral": true
, the user is a member of an unmanaged tenant.{ "Login": "foobar@unmanagedcontoso.com", "DomainName": "unmanagedcontoso.com", "IsViral": true, }
Otherwise, the user is a member of a managed tenant.