User privacy and Microsoft Entra Connect Health

Article
11/06/2023

This article describes Microsoft Entra Connect Health and user privacy. For information about Microsoft Entra Connect and user privacy, see User privacy and Microsoft Entra Connect.

Note

This article provides steps about how to delete personal data from the device or service and can be used to support your obligations under the GDPR. For general information about GDPR, see the GDPR section of the Microsoft Trust Center and the GDPR section of the Service Trust portal.

User privacy classification

Microsoft Entra Connect Health falls into the data processor category of GDPR classification. As a data processor pipeline, the service provides data processing services to key partners and end consumers. Microsoft Entra Connect Health doesn't generate user data, and it has no independent control over what personal data is collected and how it's used. Data retrieval, aggregation, analysis, and reporting in Microsoft Entra Connect Health are based on existing on-premises data.

Data retention policy

Microsoft Entra Connect Health doesn't generate reports, perform analytics, or provide insights beyond 30 days. Therefore, Microsoft Entra Connect Health doesn't store, process, or retain any data beyond 30 days. This design is compliant with the GDPR regulations, Microsoft privacy compliance regulations, and Microsoft Entra data retention policies.

Servers that have active Health service data is not up to date error alerts for more than 30 consecutive days suggest that no data has reached Connect Health during that time. These servers will be disabled and not shown in the Connect Health portal. To re-enable the servers, you must uninstall and reinstall the health agent. This doesn't apply to warnings for the same alert type. Warnings indicate that partial data is missing from the server you're alerted for.

Disable data collection and monitoring

You can use Microsoft Entra Connect Health to stop data collection for a specific monitored server or for an instance of a monitored service. For example, you can stop data collection for individual Active Directory Federation Services (AD FS) servers that are monitored by using Microsoft Entra Connect Health. You can also stop data collection for the entire AD FS instance that's being monitored by using Microsoft Entra Connect Health. If you choose to stop data collection for a specific monitored server, the server is deleted from the Microsoft Entra Connect Health portal after data collection is stopped.

Important

To delete monitored servers from Microsoft Entra Connect Health, you must have either Microsoft Entra Global Administrator account permissions or the Contributor role in Azure role-based access control.

Removing a server or service instance from Microsoft Entra Connect Health is not a reversible action.

What to expect

If you stop data collection and monitoring for an individual monitored server or an instance of a monitored service, you can expect the following results:

When you delete an instance of a monitored service, the instance is removed from the Microsoft Entra Connect Health monitoring service list in the portal.
When you delete a monitored server or an instance of a monitored service, the health agent isn't uninstalled or removed from your servers. Instead, the health agent is configured to not send data to Microsoft Entra Connect Health. You must manually uninstall the health agent on a server that previously was monitored.
If you don't uninstall the health agent before you delete a monitored server or an instance of a monitored service, you might see error events related to the health agent on the server.
All data that belongs to the instance of the monitored service is deleted per the Microsoft Azure Data Retention Policy.

Disable data collection and monitoring for a monitored server

See How to remove a server from Microsoft Entra Connect Health.

Disable data collection and monitoring for an instance of a monitored service

See How to remove a service instance from Microsoft Entra Connect Health.

Disable data collection and monitoring for all monitored services

Microsoft Entra Connect Health provides the option to stop data collection of all registered services in the tenant. We recommend careful consideration and full acknowledgment of all hybrid identity administrators before you take this action. After the process begins, the Microsoft Entra Connect Health service stops receiving, processing, and reporting any data for all of your services. Existing data in Microsoft Entra Connect Health service is retained for no more than 30 days.

If you want to stop data collection on a specific server, complete the steps to delete a specific server. To stop data collection for a tenant, complete the following steps to stop data collection and delete all services for the tenant:

In the main menu under Configuration, select General Settings.
In the command bar, select Stop Data Collection. Other options for configuring the tenant settings are disabled after the process starts.
Check the list of onboarded services that are affected by stopping data collections.
Enter the exact tenant name to enable the Delete button.
Select Delete to initiate the deletion of all services. Microsoft Entra Connect Health will stop receiving, processing, and reporting any data that's sent from your onboarded services. The entire process of might take up to 24 hours. This step isn't reversible.

When the process is finished, you won't see any registered services in Microsoft Entra Connect Health.

Screenshot that shows the message that appears after data collection is stopped.

Re-enable data collection and monitoring

To re-enable monitoring in Microsoft Entra Connect Health for a previously deleted monitored service, you must uninstall and reinstall the health agent on all the servers.

Re-enable data collection and monitoring for all monitored services

For tenants, data collection can be resumed in Microsoft Entra Connect Health. We recommend careful consideration and full acknowledgment of all global administrators before you take this action.