This content has been archived, and while it was correct at time of publication, it may no longer be accurate or reflect the current situation at Microsoft.
Saving documents, email messages, images, and other files in the cloud makes everything better, right? But how do you ensure compliance with local regulations in dozens of countries or regions when you’re a multinational company?
Online storage and computing services have significantly improved both team collaboration and the employee experience at Microsoft. They can also create unexpected challenges related to data location, particularly when files are stored by default in a country or region other than the one in which they’re created or used.
In the past, Microsoft, like many large companies, used a single default location for storing employee-generated corporate information. For US firms, this location has typically been North America. For example, if a Microsoft employee in Europe saved a spreadsheet to their OneDrive in Microsoft 365, the actual file for the document landed in a data center in the United States.
“This did not make it easy for the company to comply with regional laws and best practices that are changing fast,” says Abhishek Sharma, an engineer in Microsoft Digital. “Regulators increasingly want organizations to store data where it is created so it can be managed according to local policies.”
Managing data residency, the physical location where data files are stored, is not a new challenge. Microsoft employees have been saving important documents to SharePoint for years because it automatically makes sure their files are saved in their local jurisdiction.
However, that hasn’t been a foolproof solution. What happens when an employee saves an important file to their OneDrive in Microsoft 365? The associated data files are secured, backed up, and accessible, but they might be stored in a location outside the employee’s region.
“We were under pressure to figure out exactly how to identify the work location of each person and to keep our individual employees’ files in the region where they were created,” Sharma says.
Another concern was that without a clear understanding of each employee’s work location, it was a long, manual process to determine which new features and services to roll out to whom.
“We have operational and legal requirements that restrict when and where we can deploy our new software and services,” says Anne Marie Suchanek, a program manager in Microsoft Digital. “We don’t want to push features to employees who shouldn’t be getting them. It’s super-important from a legal perspective that we get this right.”
Matching data to its region of use
So, what is the right approach?
Microsoft Digital worked with Corporate, External, and Legal Affairs (CELA), Human Resources, and the OneDrive product group to support a new Multi-Geo Capabilities in Office 365 scenario that helps to meet data residency requirements. By configuring a Preferred Data Location (PDL) for each user, Microsoft Digital can determine the optimal region for a user’s OneDrive for Business, their Exchange Server mailbox, and any SharePoint or Teams sites that they create. This setting is now available to Microsoft Office 365 and Microsoft 365 customers as well.
“The new PDL field, accessed by OneDrive, Exchange Server, the Office 365 apps, and SharePoint, is already improving operations at Microsoft,” Sharma says.
The PDL helps Microsoft meet the requirements of numerous laws and regulations, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
The PDL field will also help Microsoft deploy new features and services more efficiently. It will allow product groups and Microsoft Digital to quickly determine which regions can adopt new features and which ones cannot.
A company-wide rollout
“It’s been about a year since this initiative was conceived, and 10 months of change management and process testing,” Sharma says. “We started by testing out this feature with the Office product group. Then we moved to real data with other employees.”
The Microsoft Digital team has already migrated more than 50,000 employee accounts and is adding the PDL field to more than 2,000 internal SharePoint and Teams sites a week. Data storage on these accounts and sites now resides in Office 365 regional data centers, enabling the company to retire local SharePoint-dedicated server farms.
With 148,000 employees and nearly 1 million internal websites at Microsoft, the first phase of the deployment initiative has several more months to go.
Once it’s complete, the team will work with CELA to scan any accounts that couldn’t initially be moved due to unique project or role data retention requirements. As the accounts become eligible, Microsoft Digital will migrate them in monthly batches.
The first team site migrations were done manually. “We wanted to know, how many concurrent site migrations would work well?” Sharma says. “We got 50-100 a week working, then we moved to the next number, 500 a week, for a couple of months. Then we moved to 1,000, and now, up to 2,000 sites are migrated every week.”
The team is scripting the processes as learning takes place. “We had to crawl, then walk, then run,” Sharma says. “Once the basics all looked good, we asked ourselves, ‘How can we continue to do this with minimal effort? What kind of automation can we bring to this?’”
With careful attention to the user experience, Sharma says, the moves are taking place in the users’ off-peak hours with no business workflow interruptions. File migrations are being closely aligned with product development deadlines (and their ever-shorter timelines) to prevent them from affecting active projects.
A long-term objective of the project is to set the PDL as part of the new employee account setup process, before account activation. Currently, an employee’s first login, often to the Redmond domain in the North American region, sets their default location.
“We want this field set up from the get-go so that as soon as new employees are onboarded, their PDL is set correctly in the first place. Then we don’t have to do it later,” Suchanek says.
Records and data management is evolving
Providing multi-geo data location functionality to business units worldwide, the PDL field is just the latest step in Microsoft’s focus on securing its corporate information.
“Privacy and data residency standards are different around the world,” says Rachael Heade, a CELA senior program manager who has oversight of the Corporate Records Management program at Microsoft. “Once we actually had to move US contracts out of France and back to Chicago to comply with regulations.”
Giving customers more control over where files are stored is a natural next step, she says.
“Privacy isn’t a new initiative for us,” Heade says. “The idea that my data needs to be where I am physically is a discussion that’s been going on for decades. What’s new is the breadth and scope of it.”
Rather than simply a thin layer of contracts and product development details, records and data management at Microsoft now covers all work-related information and communication, from shared files to meeting notes.
“Data sovereignty as a concept is being applied more broadly than ever before,” Heade says. “The complexity of the cloud made everybody stop and think about it.”
Keeping data in the place where the employee works is also a major efficiency play.
“There are several key factors that contribute to how a company might shape data handling and retention policies—things like data type, level of business, and country or region,” she says. “At Microsoft, we are always working to safeguard employee-created files. Customers need to determine their own risk tolerance and take every possible action to protect their data.”