Microsoft Defender for Identity data security and privacy

Note

This article provides steps for how to delete personal data from the device or service and can be used to support your obligations under the GDPR. If you’re looking for general info about GDPR, see the GDPR section of the Service Trust portal.

Search for and identify personal data

In Defender for Identity you can view identifiable personal data from the Microsoft Defender for Identity portal using the search bar.

Search for a specific user or computer, and select the entity to bring you to the user or computer profile page. The profile provides you with comprehensive details about the entity from Active Directory, including network activity related to that entity and its history.

Defender for Identity personal data is gathered from Active Directory through the Defender for Identity sensor and stored in a backend database.

Update personal data

Defender for Identity's personal user data is derived from the user's object in the Active Directory of the organization. Therefore, changes made to the user profile in the organization AD are reflected in Defender for Identity.

Delete personal data

  • After a user is deleted from the organization's Active Directory, Defender for Identity automatically deletes the user profile and any related network activity within a year. You can also delete any security alerts that contain personal data.

  • Read-only permissions on the Deleted Objects container are recommended. To learn more about how the **Deleted Objects container permission is used by the Defender for Identity service, see the Deleted Objects container recommendation in Defender for Identity prerequisites.

Export personal data

In Defender for Identity you have the ability to export security alert information to Excel. This function also exports the personal data.

Audit personal data

Defender for Identity implements the audit of personal data changes, including the deleting and exporting of personal data records. Audit trail retention time is 90 days. Auditing in Defender for Identity is a back-end feature and not accessible to customers.

Additional resources

Important

Currently, Defender for Identity data centers are deployed in Europe, UK, North America/Central America/Caribbean and Asia. Your instance is created automatically in the data center that is geographically closest to your Azure Active Directory (Azure AD). Once created, Defender for Identity instances aren't movable.

Security and privacy for Defender for Identity US Government GCC High customers

For additional information on Defender for Identity compliance standards and location of customer data for US Government GCC High customers, review the Enterprise Mobility + Security for US Government service description.

See also