User Privacy and Microsoft Entra seamless single sign-on

Note

This article provides steps about how to delete personal data from the device or service and can be used to support your obligations under the GDPR. For general information about GDPR, see the GDPR section of the Microsoft Trust Center and the GDPR section of the Service Trust portal.

Overview

Microsoft Entra seamless SSO creates the following log type, which can contain Personal Data:

  • Microsoft Entra Connect trace log files.

You can improve user privacy for Seamless SSO in one of two ways:

  1. Upon request, extract the data held about a person and remove that person's data from the installations.
  2. Ensure no data is retained beyond 48 hours.

We strongly recommend the second option, as it is easier to implement and maintain. See the following instructions for each log type:

Delete Microsoft Entra Connect trace log files

Check the contents of the %ProgramData%\AADConnect folder and delete the trace log files (trace-*.log) in it within 48 hours of installing or upgrading Microsoft Entra Connect, or of modifying the Seamless SSO configuration, as these actions may create data covered by GDPR.

Important

Don’t delete the PersistedState.xml file in this folder: it maintains the state of the previous installation of Microsoft Entra Connect and is read when an upgrade installation is done. This file never contains any data about a person and should never be deleted.

You can either review and delete these trace log files using Windows Explorer, or you can use the following PowerShell script to perform the necessary actions:

# Collect the Seamless SSO trace log files in the Microsoft Entra Connect data folder.
# Only trace-*.log files match; PersistedState.xml is never selected.
$Files = Get-ChildItem -Path "$env:ProgramData\AADConnect" -Filter "trace-*.log" -File

# Delete each trace log file.
foreach ($File in $Files) {
    Remove-Item -Path $File.FullName -Force
}

Save the script in a file with the ".PS1" extension. Run this script as needed.
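As an added example (not part of the Microsoft documentation), the following script keeps to the 48-hour limit of the second option without manual runs: it deletes only trace-*.log files older than a threshold, leaves PersistedState.xml untouched, supports a dry run, and registers a daily scheduled task. The function name, task name, schedule, 24-hour threshold and script path are assumptions; the folder and file pattern are the ones given above.

```powershell
function Remove-SeamlessSsoTraceLog {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string] $LogFolder   = (Join-Path $env:ProgramData 'AADConnect'),
        # 24-hour threshold plus a daily run keeps every file under the 48-hour limit.
        [int]    $MaxAgeHours = 24
    )

    $cutoff = (Get-Date).AddHours(-$MaxAgeHours)

    # Only trace-*.log files are in scope. PersistedState.xml never matches this
    # filter and is excluded by name as well, so a wider filter cannot remove it.
    $traceLogs = Get-ChildItem -Path $LogFolder -Filter 'trace-*.log' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ne 'PersistedState.xml' -and $_.LastWriteTime -lt $cutoff }

    foreach ($log in $traceLogs) {
        # With -WhatIf the deletion is reported instead of performed.
        if ($PSCmdlet.ShouldProcess($log.FullName, 'Remove trace log')) {
            Remove-Item -LiteralPath $log.FullName -Force
            Write-Verbose "Removed $($log.FullName) (last written $($log.LastWriteTime))"
        }
    }
}

# Dry run first, then the real purge of anything older than the threshold.
Remove-SeamlessSsoTraceLog -WhatIf
Remove-SeamlessSsoTraceLog -Verbose

# Register a daily task as SYSTEM the first time this file runs; later runs
# (including the task itself) see that it already exists and skip this block.
# $ScriptPath is the assumed location where this file is saved.
$ScriptPath = 'C:\Scripts\Remove-SeamlessSsoTraceLog.ps1'
$TaskName   = 'Purge-SeamlessSsoTraceLogs'
if (-not (Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue)) {
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger = New-ScheduledTaskTrigger -Daily -At 3am
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -User 'SYSTEM' -RunLevel Highest | Out-Null
}
```

Run the file once from an elevated prompt on the Microsoft Entra Connect server to register the task; the deletions themselves are visible with -Verbose and can be previewed with -WhatIf.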

To learn more about related Microsoft Entra Connect GDPR requirements, see this article.

Note about Domain controller logs

If audit logging is enabled, this product may generate security logs for your Domain Controllers. To learn more about configuring audit policies, read this article.

Next steps