Frontrow Technology
← All insights & guides
Guide

Data residency

Data sovereignty and data residency in Australia — what Microsoft 365 customers need to know

Data sovereignty vs data residency for Australian Microsoft 365 customers in 2026: where M365 and Copilot data is stored, Microsoft's Australian datacentre regions, the Advanced Data Residency add-on, and the questions procurement should actually ask.

Graeme Lodge · Last reviewed 3 July 2026 · 9 min read

For an Australian organisation on Microsoft 365, the practical position is this: core customer data for a tenant provisioned in Australia is stored at rest in Microsoft's Australian datacentres, residency can be extended and evidenced with an add-on where contracts demand it, and the harder questions are about sovereignty (whose laws can reach the data) rather than residency (where the disks are). The two words get used interchangeably in procurement documents, and they should not be. This guide separates them and lays out what Microsoft commits to, what it does not, and what to check rather than assume.

Residency, sovereignty, localisation: three different claims

  • Data residency is geography: the data is stored in datacentres physically located in Australia. This is the claim Microsoft 365 can substantiate for core services in Australian tenants.
  • Data sovereignty is jurisdiction: which legal systems can compel access to the data. Residency in Australia does not by itself settle sovereignty, because the provider's own corporate jurisdiction matters too.
  • Data localisation is a legal requirement that certain data must stay onshore. Australia imposes this narrowly (My Health Record data is the clearest example) rather than economy-wide.

Where Microsoft 365 data physically lives

Microsoft operates Australian cloud regions including Australia East (New South Wales) and Australia Southeast (Victoria), with the Australia Central regions in Canberra serving government-focused workloads. For a Microsoft 365 tenant provisioned with Australia as its country, customer data at rest for the core workloads (Exchange Online mailboxes, SharePoint and OneDrive files, Teams chat content) is stored in the Australian regions. Microsoft publishes the current storage locations per service in the Microsoft 365 admin centre (the data location page) and in its product documentation, and that per-tenant view, not the marketing page, is the artefact to attach to a procurement response.

Two boundaries matter. First, the residency commitment covers customer data at rest for defined services; some supporting services, telemetry and globally distributed functions can involve processing or storage outside Australia. Second, service coverage has widened over time but is not total, which is exactly the gap the Advanced Data Residency add-on exists to close.

Advanced Data Residency and Multi-Geo

  • Advanced Data Residency (ADR) is a paid add-on that extends residency commitments to a broader set of Microsoft 365 workloads beyond the core, with contractual commitments and prioritised tenant data moves. Organisations with regulator- or contract-driven residency clauses (government suppliers, financial services, health) are its natural buyers; most SMBs do not need it.
  • Multi-Geo solves the opposite problem: a single tenant that must keep different users' data in different countries, common in multinationals with European or US arms. Australian-headquartered organisations with offshore subsidiaries meet residency clauses this way without splitting tenants.

What about Copilot?

Microsoft's stated position is that Microsoft 365 Copilot honours the tenant's existing data-residency commitments for customer data at rest: prompts, responses and Copilot interaction history are treated as customer data within the Microsoft 365 service boundary, and the content Copilot grounds on (mail, files, chats) stays where those services already store it. Processing is the more nuanced layer: generative AI inference runs on GPU capacity that Microsoft manages across its infrastructure, and Microsoft has built region-scoped processing commitments for some markets, the EU Data Boundary being the flagship. As at the time of writing, Frontrow is not aware of an equivalent blanket in-country processing guarantee for Australia, so an organisation whose obligations extend to where data is processed, in addition to where it is stored, should verify the current commitments in the Microsoft Product Terms and Trust Center rather than rely on any summary, this one included. For most Australian commercial obligations, the at-rest commitments are the ones contracts actually test.

The sovereignty questions residency does not answer

Data stored in Australia by a US-headquartered provider remains subject to lawful access processes under US law, such as the CLOUD Act, alongside Australian law. That is a fact of jurisdiction rather than a Microsoft-specific weakness, and Microsoft's posture here is comparatively strong: it publishes transparency reports on government demands, has litigated against overbroad requests, and offers Customer Lockbox and customer-held encryption keys (Customer Key, and Double Key Encryption for the highest-sensitivity content) that materially raise the bar on any access without customer involvement. For government and defence-adjacent work, Microsoft also operates the Canberra-region services assessed under IRAP for workloads at PROTECTED, with assessment scope varying by service. The honest summary: for the overwhelming majority of Australian businesses, Microsoft 365's Australian residency plus its encryption and access controls comfortably meet obligations; organisations with genuine sovereignty mandates should be having a scope-specific conversation, not a generic cloud-versus-onshore one.

What procurement should actually ask

  1. 1Which specific workloads carry a residency clause in our contracts or regulatory obligations, and does the core Microsoft 365 commitment already cover them? (Check the tenant's data-location page, not a brochure.)
  2. 2Do any obligations bind processing location as well as storage? If yes, get the current Product Terms position in writing for those services.
  3. 3Is ADR worth it for us? Buy it for evidence and coverage when a regulator or contract demands it; skip it when the core commitments already satisfy the clause.
  4. 4Who can access the data, and under what control? Conditional Access, Customer Lockbox and sensitivity labels answer more real-world sovereignty risk than datacentre geography does. Frontrow's Information Protection Stack tool and the Sensitivity Label Maturity assessment at frontrowtech.com.au/tools/sensitivity-label-maturity score this layer.
  5. 5Where do our backups and any third-party M365 backup provider store data? Residency clauses reach the backup copy too, and that vendor is often the one nobody checked.

Try it

Score the controls that sit on top of residency

Residency says where data sits; the Information Protection Stack assessment scores who can reach it, spanning labels, encryption, DLP and access control across the tenant.

10 questions · 5 domains

Information Protection Stack Maturity Check

Sensitivity labels alone don't protect data. The stack is labels (file + container) + DLP + auto-labelling + the SharePoint/Copilot data boundary. Score where you sit across all five — and where Privacy Act 2026 expects you to be. Pick the option closest to your tenant today.

Domain 1

Sensitivity labels (file-level)

Whether sensitivity labels are deployed, used by humans, and enforced where required.

  • Do you have a published sensitivity label taxonomy in use?

    Source: Microsoft Learn: Get started with sensitivity labels.

  • What percentage of new documents are labelled (per Purview Activity Explorer)?

    Source: Microsoft Learn: Activity explorer in Microsoft Purview.

Domain 2

Container labels (Sites, Teams, Groups)

Whether SharePoint sites, Microsoft 365 Groups and Teams have sensitivity labels applied at the container level — controlling membership, sharing and unmanaged-device access.

  • What proportion of SharePoint sites have a container sensitivity label applied?

    Source: Microsoft Learn: Use sensitivity labels with Microsoft Teams, Microsoft 365 Groups and SharePoint sites.

  • Do your container labels actually constrain external sharing and unmanaged-device access?

    Source: Microsoft Learn: Configure sensitivity labels for SharePoint sites; Block download from SharePoint sites for unmanaged devices.

Domain 3

Data Loss Prevention

Whether DLP policies cover Exchange, SharePoint, OneDrive, Teams and endpoint, are out of audit-only mode, and are tied to label conditions where appropriate.

  • Which workloads do your DLP policies cover?

    Source: Microsoft Learn: Microsoft Purview Data Loss Prevention; Get started with Endpoint DLP.

  • What mode are your DLP policies in?

    Source: Microsoft Learn: Plan a Data Loss Prevention deployment.

Domain 4

Auto-labelling

Whether sensitive content is auto-labelled at rest in SharePoint and OneDrive, and at send-time in Exchange, using built-in or trainable classifiers.

  • Is auto-labelling enabled for content at rest in SharePoint and OneDrive?

    Source: Microsoft Learn: Apply a sensitivity label to content automatically.

  • Is auto-labelling enabled for outbound email in Exchange Online?

    Source: Microsoft Learn: Apply a sensitivity label to content automatically; Exchange Online client-side and service-side labelling.

Domain 5

SharePoint search and Copilot data boundary

Whether Restricted SharePoint Search is configured, oversharing is detected, and the Copilot data boundary respects sensitivity labels.

  • Have you assessed SharePoint oversharing in the context of Microsoft 365 Copilot?

    Source: Microsoft Learn: Restricted SharePoint search; Microsoft 365 Copilot data security and compliance.

  • Does the Copilot data boundary in your tenant respect sensitivity labels for grounding and citations?

    Source: Microsoft Learn: Microsoft 365 Copilot data security and compliance; Sensitivity labels and Microsoft 365 Copilot.

This is an indicative self-assessment. It is not a substitute for a tenant-level Information Protection review. For verified results Frontrow Technology offers an in-tenant IP stack assessment with Purview audit data.

Common questions

Frequently asked

Is Microsoft 365 data stored in Australia?
Yes, for the core services of a tenant provisioned in Australia: Exchange Online mailbox content, SharePoint and OneDrive files and Teams chat are stored at rest in Microsoft's Australian datacentre regions. Coverage for services beyond the core varies, which is what the Advanced Data Residency add-on extends. The authoritative per-tenant view is the data-location page in the Microsoft 365 admin centre.
Does Microsoft 365 Copilot keep data in Australia?
Microsoft treats Copilot prompts, responses and interaction history as customer data within the tenant's existing residency commitments for data at rest, and Copilot grounds on content that stays where Exchange, SharePoint and Teams already store it. In-country processing guarantees are a separate, narrower question: verify the current Microsoft Product Terms if your obligations bind processing location, as commitments evolve.
What is the difference between data residency and data sovereignty?
Residency is where data is physically stored; sovereignty is which jurisdictions can lawfully compel access to it. Australian residency does not exempt data held by a US-headquartered provider from US legal process such as the CLOUD Act, which is why sovereignty conversations turn on encryption, key custody and access controls rather than datacentre location alone.
Do Australian businesses need the Advanced Data Residency add-on?
Most do not. ADR earns its cost when a regulator, government contract or client agreement demands residency commitments across workloads beyond the Microsoft 365 core, or demands contractual evidence of them. If no contract clause names it, the standard commitments for Australian tenants usually satisfy the obligation. Check the clause before buying the add-on.

Want Frontrow to run this with your team?

A 30-minute call with a senior consultant. No deck. Frontrow walks through your tenant, your priorities and the next sensible move.