Microsoft Defender XDR Blog

Host Microsoft Defender data locally in Switzerland

jcelischarry
Microsoft
May 15, 2024

We are pleased to announce that local data residency support in Switzerland is now generally available for Microsoft Defender for Endpoint and Microsoft Defender for Identity. 

 

This announcement demonstrates our commitment to providing customers with the highest levels of security and compliance by offering services that are aligned to local data sovereignty requirements. Customers can now confidently onboard to Defender for Endpoint and Defender for Identity in Switzerland, knowing that this Defender data will remain at rest within the Swiss data boundary. This allows customers to meet their regulatory obligations and maintain control over their data. For more details on the Defender data storage and privacy policies, refer to Microsoft Defender for Endpoint data storage and privacy and Microsoft Defender for Identity data security and privacy.

 

Note: Defender for Endpoint and Defender for Identity may use other Microsoft services (e.g. Microsoft Intune for security settings management). Each Microsoft service is governed by its own data storage and privacy policies and may have varying regional availability. For more information, refer to our Online Product Terms.

 

In addition to Switzerland, Defender data can also be hosted in other regions, including the United States, the European Union, the United Kingdom, and Australia. See the previous blog post for the AU announcement: Microsoft Defender data can now be hosted locally in Australia.

 

Configure Microsoft Defender for Endpoint with local data hosted in Switzerland

 

Prerequisites

  1. Your Entra ID tenant needs to be set to Switzerland so that the Microsoft Defender for Endpoint tenant is also provisioned in this geo.

Image 1: Set Entra ID tenant to Switzerland

  2. To access the GoLocal Geo instance in Switzerland, you need to ensure each device is onboarded using Streamlined Connectivity for devices on their network (see Enable access to Microsoft Defender for Endpoint service URLs in the Proxy Server for further details).

 

 

I am a new Defender for Endpoint customer

 

  1. Once the Entra ID tenant is created, access the Security Portal (https://security.microsoft.com) and continue with the onboarding in the GoLocal geo.
  2. Once that process is completed, the Microsoft Defender for Endpoint / Microsoft Defender XDR tenant should be located in the GoLocal geo.
    1. Confirmation: In the portal, go to Settings -> Microsoft Defender XDR -> Account and check where the service is storing your data at rest.
    2. For example: in the image below, the service location for this Microsoft Defender XDR demo tenant is Switzerland.

Image 2: Tenant information in the Defender portal

  3. However, if the location of the data at rest is in one of the current service locations of US/UK/EU/AU, then a tenant reset needs to be requested via Customer Service and Support (CSS).

 

I am a Defender for Endpoint customer with existing tenants in geographies different from the Swiss GoLocal Geo and want to move to the local Geo in Switzerland.

 

Existing customers have to request a tenant reset by contacting Microsoft Customer Support. Support can be reached by clicking the “?” at the top right of the portal when signed in as an Admin. If you are a Microsoft Unified support customer, please reach out to your Customer Success Account Manager to support you in the process.

 

Image 3: Defender portal dashboard

 

 

Microsoft Defender for Endpoint will store and process data in the same location as used by Microsoft Defender XDR. If Microsoft Defender XDR has not been turned on yet, onboarding to Microsoft Defender for Endpoint will also turn on Microsoft Defender XDR and a new data center location is automatically selected based on the location of active Microsoft 365 security services. See https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/production-deployment?view=o365-worldwide#data-center-location

 

Configure Microsoft Defender for Identity data to be hosted in Switzerland

 

Prerequisites

  1. The Entra ID tenant, MDE and XDR need to be set to Switzerland so that the Microsoft Defender for Identity workspace is also provisioned in this geo and data at rest remains in that region.

Image 4: Set Entra ID tenant to Switzerland for Defender for Identity

 

 

 

I am a new Microsoft Defender for Identity customer

  1. Once the Entra ID tenant is created, access the Security Portal (https://security.microsoft.com) and continue with the Microsoft Defender for Identity workspace onboarding in the GoLocal geo.
  2. The previous point is required because when a Microsoft Defender for Identity workspace is created, it is created in the Azure region closest to the customer's Entra ID tenant location. See Microsoft Defender for Identity frequently asked questions - Microsoft Defender for Identity | Microsoft Learn.

Image 5: Defender for Identity Geolocation information

 

 

I am a Defender for Identity customer with existing tenants in geographies different from the Swiss GoLocal Geo and want to move to the local Geo in Switzerland.

 

Existing customers have to request a workspace reset by contacting Microsoft Customer Support. Support can be reached by clicking the “?” at the top right of the portal when signed in as an Admin. If you are a Microsoft Unified support customer, please reach out to your Customer Success Account Manager to support you in the process.

 

With both our Endpoint Detection and Response, as well as our Identity Threat Detection and Response (ITDR) products now available for local data residency in Switzerland, we are giving more organizations the ability to meet local data sovereignty requirements, while deploying the best security solutions for their estate.

 

 

More information:

Updated Jun 18, 2024
Version 4.0
  • retow

    Great thing! One question. What does it actually mean when a "tenant reset" or "workspace reset" is happening? Will all existing data be migrated? Will data be lost? Is there anything else to do on the customer side when moving to the new data location?

  • Great news for our Swiss customers! :happyface:

    jcelischarry : One question though: does it mean that MDE/MDI data location is now part of the Product Terms or does it require an Advanced Data Residency add-on?

  • Reto, firstly have a look at a companion blog for the previous announcement of MDE/MDI availability in Australia - Microsoft Defender data can now be hosted locally in Australia. The tenant (for MDE/XDR) or workspace (MDI uses a Log Analytics workspace) get recreated in the new region and the customer's service gets repointed to them. No existing data or settings/config get migrated.

     

    Customer support will guide the process.

  • Great suggestion Reto. We'll make sure this blog references the previous work.

    Thanks!

  • retow

    Hi Ian

    Thanks a lot for the additional hint and reference to hosting data locally in Australia! Based on your feedback the efforts for the migration are actually huge when Defender is already established and onboarded to all devices, integration with Sentinel etc. Would be nice if this article is updated to include the information from the Australia article (section #4) as it's very important for customers.

    Best Regards,

    Reto