Microsoft 365 administrators and compliance officers need to know where Copilot data is stored and processed. The Microsoft Copilot Customer Data Boundary is a set of regional storage and processing rules that define where customer data can reside. This article explains how the boundary works, what data is covered, and how to verify your tenant’s compliance with regional requirements.
The Customer Data Boundary applies to Copilot for Microsoft 365 and other Microsoft 365 services. It ensures that customer data stored in the Microsoft Graph, SharePoint Online, Exchange Online, and other workloads is kept within the selected geographic region. Without proper configuration, data may be processed in a different region, potentially violating local data residency laws.
This article covers the technical rules of the Customer Data Boundary, how to check your tenant’s boundary status, and common configuration mistakes. You will learn how to confirm that Copilot data stays in your chosen region.
Key Takeaways: Copilot Customer Data Boundary Rules
- Microsoft 365 admin center > Settings > Org Settings > Customer Data Boundary: Controls whether customer data for Copilot and other services is stored and processed in a specific geographic region.
- Data categories covered: Customer content, functional data, service-generated data, and professional services data are all subject to the boundary rules.
- Boundary regions: Currently available for the European Union, the United Kingdom, and the United States. Other regions are planned for future rollout.
How the Customer Data Boundary for Copilot Works
The Customer Data Boundary is a Microsoft 365 feature that restricts where customer data is stored and processed. For Copilot, this means that the data Copilot accesses through Microsoft Graph — such as emails, documents, chat messages, and calendar entries — must remain within the selected geographic region. The boundary applies to both storage and processing, meaning that Copilot’s AI processing must also happen in the same region.
Microsoft defines customer data in four categories:
- Customer content: Data directly provided by users, such as text in emails, documents, and Teams messages.
- Functional data: Data needed for the service to operate, such as user profile information and permissions.
- Service-generated data: Data produced by the service, such as logs and usage metrics.
- Professional services data: Data related to Microsoft support or consulting engagements.
The boundary is enforced at the tenant level. Once enabled, all Copilot data must stay in the selected region. If a user interacts with Copilot from outside the region, the data is still processed in the tenant’s home region. The boundary does not prevent users from accessing Copilot from any location — it only controls where data is stored and processed.
Supported Regions
As of this writing, the Customer Data Boundary is available for the following regions:
- European Union and European Free Trade Association countries
- United Kingdom
- United States
Microsoft plans to add more regions over time. Check the Microsoft 365 admin center for the latest list of supported regions.
Steps to Verify and Configure the Customer Data Boundary for Copilot
To ensure that Copilot data stays within your chosen region, you must enable and verify the Customer Data Boundary in the Microsoft 365 admin center. The following steps assume you have Global Administrator or Compliance Administrator permissions.
- Open the Microsoft 365 admin center
Go to https://admin.microsoft.com and sign in with an account that has Global Administrator or Compliance Administrator privileges. - Navigate to Org Settings
In the left navigation pane, select Settings and then Org Settings. This page lists all organizational-level settings. - Select Customer Data Boundary
Scroll down the list and click Customer Data Boundary. If this option is not visible, your tenant may not yet have access to this feature. Check the Microsoft 365 roadmap for rollout dates. - Review the current boundary status
On the Customer Data Boundary page, look for the Current boundary section. It displays the region where your tenant’s data is currently stored and processed. If it shows None, the boundary is not enabled. - Enable the boundary for your region
Click Edit next to the Current boundary section. In the pane that opens, select the radio button for Enable Customer Data Boundary. Then choose your region from the dropdown list. Click Save. - Verify the change
After saving, the Current boundary section should display the region you selected. It may take up to 24 hours for the change to take full effect across all Microsoft 365 services, including Copilot. - Check Copilot-specific compliance
Go to the Compliance center at https://compliance.microsoft.com. Under Data lifecycle management, select Data boundary. Confirm that the region listed matches the one you set in the admin center.
Common Misconceptions and Limitations
Copilot Still Processes Data Outside the Region
Some administrators report that Copilot responses appear to reference data from outside the tenant’s boundary. This usually happens when the boundary was enabled after Copilot had already processed data. The boundary applies only to new data processing after the change. To ensure all data is within the region, enable the boundary before users start using Copilot.
Boundary Does Not Cover Third-Party Connectors
If your organization uses Copilot with third-party data sources such as Salesforce or ServiceNow, the Customer Data Boundary does not apply to those external services. Data from third-party connectors may be stored and processed outside the tenant’s region. Review each connector’s data handling policies separately.
User Location Does Not Affect Data Storage
The boundary is based on the tenant’s home region, not the user’s physical location. A user traveling in Asia will still have their Copilot data processed in the tenant’s region. This is by design to maintain consistent compliance.
Copilot Customer Data Boundary: Supported Regions Comparison
| Item | European Union | United Kingdom | United States |
|---|---|---|---|
| Data storage location | Datacenters in EU member states | Datacenters in the UK | Datacenters in the US |
| Data processing location | EU member states | UK | US |
| Copilot AI processing | EU-based Azure regions | UK South | US-based Azure regions |
| Covered Microsoft 365 workloads | Exchange, SharePoint, Teams, OneDrive, Graph | Same | Same |
| Third-party connector coverage | Not covered | Not covered | Not covered |
The table shows that all three supported regions offer the same coverage for core Microsoft 365 workloads. The key difference is the physical datacenter location and the specific Azure region used for Copilot AI processing. If your organization operates in multiple regions, you must choose one tenant region and ensure all users comply.
Now you can verify and configure the Customer Data Boundary for your Microsoft 365 tenant. Start by checking the current boundary status in the admin center. If you need to change the region, enable the boundary before rolling out Copilot to users. For advanced compliance, review the Microsoft 365 compliance center’s data boundary report to confirm that Copilot processing stays within the selected region.