For an Australian organisation on Microsoft 365, the practical position is this: core customer data for a tenant provisioned in Australia is stored at rest in Microsoft's Australian datacentres, residency can be extended and evidenced with an add-on where contracts demand it, and the harder questions are about sovereignty (whose laws can reach the data) rather than residency (where the disks are). The two words get used interchangeably in procurement documents, and they should not be. This guide separates them and lays out what Microsoft commits to, what it does not, and what to check rather than assume.
Residency, sovereignty, localisation: three different claims
- Data residency is geography: the data is stored in datacentres physically located in Australia. This is the claim Microsoft 365 can substantiate for core services in Australian tenants.
- Data sovereignty is jurisdiction: which legal systems can compel access to the data. Residency in Australia does not by itself settle sovereignty, because the provider's own corporate jurisdiction matters too.
- Data localisation is a legal requirement that certain data must stay onshore. Australia imposes this narrowly (My Health Record data is the clearest example) rather than economy-wide.
Where Microsoft 365 data physically lives
Microsoft operates Australian cloud regions including Australia East (New South Wales) and Australia Southeast (Victoria), with the Australia Central regions in Canberra serving government-focused workloads. For a Microsoft 365 tenant provisioned with Australia as its country, customer data at rest for the core workloads (Exchange Online mailboxes, SharePoint and OneDrive files, Teams chat content) is stored in the Australian regions. Microsoft publishes the current storage locations per service in the Microsoft 365 admin centre (the data location page) and in its product documentation, and that per-tenant view, not the marketing page, is the artefact to attach to a procurement response.
Two boundaries matter. First, the residency commitment covers customer data at rest for defined services; some supporting services, telemetry and globally distributed functions can involve processing or storage outside Australia. Second, service coverage has widened over time but is not total, which is exactly the gap the Advanced Data Residency add-on exists to close.
Advanced Data Residency and Multi-Geo
- Advanced Data Residency (ADR) is a paid add-on that extends residency commitments to a broader set of Microsoft 365 workloads beyond the core, with contractual commitments and prioritised tenant data moves. Organisations with regulator- or contract-driven residency clauses (government suppliers, financial services, health) are its natural buyers; most SMBs do not need it.
- Multi-Geo solves the opposite problem: a single tenant that must keep different users' data in different countries, common in multinationals with European or US arms. Australian-headquartered organisations with offshore subsidiaries meet residency clauses this way without splitting tenants.
What about Copilot?
Microsoft's stated position is that Microsoft 365 Copilot honours the tenant's existing data-residency commitments for customer data at rest: prompts, responses and Copilot interaction history are treated as customer data within the Microsoft 365 service boundary, and the content Copilot grounds on (mail, files, chats) stays where those services already store it. Processing is the more nuanced layer: generative AI inference runs on GPU capacity that Microsoft manages across its infrastructure, and Microsoft has built region-scoped processing commitments for some markets, the EU Data Boundary being the flagship. As at the time of writing, Frontrow is not aware of an equivalent blanket in-country processing guarantee for Australia, so an organisation whose obligations extend to where data is processed, in addition to where it is stored, should verify the current commitments in the Microsoft Product Terms and Trust Center rather than rely on any summary, this one included. For most Australian commercial obligations, the at-rest commitments are the ones contracts actually test.
The sovereignty questions residency does not answer
Data stored in Australia by a US-headquartered provider remains subject to lawful access processes under US law, such as the CLOUD Act, alongside Australian law. That is a fact of jurisdiction rather than a Microsoft-specific weakness, and Microsoft's posture here is comparatively strong: it publishes transparency reports on government demands, has litigated against overbroad requests, and offers Customer Lockbox and customer-held encryption keys (Customer Key, and Double Key Encryption for the highest-sensitivity content) that materially raise the bar on any access without customer involvement. For government and defence-adjacent work, Microsoft also operates the Canberra-region services assessed under IRAP for workloads at PROTECTED, with assessment scope varying by service. The honest summary: for the overwhelming majority of Australian businesses, Microsoft 365's Australian residency plus its encryption and access controls comfortably meet obligations; organisations with genuine sovereignty mandates should be having a scope-specific conversation, not a generic cloud-versus-onshore one.
What procurement should actually ask
- 1Which specific workloads carry a residency clause in our contracts or regulatory obligations, and does the core Microsoft 365 commitment already cover them? (Check the tenant's data-location page, not a brochure.)
- 2Do any obligations bind processing location as well as storage? If yes, get the current Product Terms position in writing for those services.
- 3Is ADR worth it for us? Buy it for evidence and coverage when a regulator or contract demands it; skip it when the core commitments already satisfy the clause.
- 4Who can access the data, and under what control? Conditional Access, Customer Lockbox and sensitivity labels answer more real-world sovereignty risk than datacentre geography does. Frontrow's Information Protection Stack tool and the Sensitivity Label Maturity assessment at frontrowtech.com.au/tools/sensitivity-label-maturity score this layer.
- 5Where do our backups and any third-party M365 backup provider store data? Residency clauses reach the backup copy too, and that vendor is often the one nobody checked.
Try it
Score the controls that sit on top of residency
Residency says where data sits; the Information Protection Stack assessment scores who can reach it, spanning labels, encryption, DLP and access control across the tenant.
10 questions · 5 domains
Information Protection Stack Maturity Check
Sensitivity labels alone don't protect data. The stack is labels (file + container) + DLP + auto-labelling + the SharePoint/Copilot data boundary. Score where you sit across all five — and where Privacy Act 2026 expects you to be. Pick the option closest to your tenant today.
Domain 1
Sensitivity labels (file-level)
Whether sensitivity labels are deployed, used by humans, and enforced where required.
Do you have a published sensitivity label taxonomy in use?
Source: Microsoft Learn: Get started with sensitivity labels.
What percentage of new documents are labelled (per Purview Activity Explorer)?
Source: Microsoft Learn: Activity explorer in Microsoft Purview.
Domain 2
Container labels (Sites, Teams, Groups)
Whether SharePoint sites, Microsoft 365 Groups and Teams have sensitivity labels applied at the container level — controlling membership, sharing and unmanaged-device access.
What proportion of SharePoint sites have a container sensitivity label applied?
Source: Microsoft Learn: Use sensitivity labels with Microsoft Teams, Microsoft 365 Groups and SharePoint sites.
Do your container labels actually constrain external sharing and unmanaged-device access?
Source: Microsoft Learn: Configure sensitivity labels for SharePoint sites; Block download from SharePoint sites for unmanaged devices.
Domain 3
Data Loss Prevention
Whether DLP policies cover Exchange, SharePoint, OneDrive, Teams and endpoint, are out of audit-only mode, and are tied to label conditions where appropriate.
Which workloads do your DLP policies cover?
Source: Microsoft Learn: Microsoft Purview Data Loss Prevention; Get started with Endpoint DLP.
What mode are your DLP policies in?
Source: Microsoft Learn: Plan a Data Loss Prevention deployment.
Domain 4
Auto-labelling
Whether sensitive content is auto-labelled at rest in SharePoint and OneDrive, and at send-time in Exchange, using built-in or trainable classifiers.
Is auto-labelling enabled for content at rest in SharePoint and OneDrive?
Source: Microsoft Learn: Apply a sensitivity label to content automatically.
Is auto-labelling enabled for outbound email in Exchange Online?
Source: Microsoft Learn: Apply a sensitivity label to content automatically; Exchange Online client-side and service-side labelling.
Domain 5
SharePoint search and Copilot data boundary
Whether Restricted SharePoint Search is configured, oversharing is detected, and the Copilot data boundary respects sensitivity labels.
Have you assessed SharePoint oversharing in the context of Microsoft 365 Copilot?
Source: Microsoft Learn: Restricted SharePoint search; Microsoft 365 Copilot data security and compliance.
Does the Copilot data boundary in your tenant respect sensitivity labels for grounding and citations?
Source: Microsoft Learn: Microsoft 365 Copilot data security and compliance; Sensitivity labels and Microsoft 365 Copilot.
This is an indicative self-assessment. It is not a substitute for a tenant-level Information Protection review. For verified results Frontrow Technology offers an in-tenant IP stack assessment with Purview audit data.