| 1 | +--- |
| 2 | +title: Configure data boundary |
| 3 | +description: Learn how to configure data boundary. |
| 4 | +ms.topic: how-to |
| 5 | +ms.date: 02/11/2025 |
| 6 | +ms.custom: devx-track-azurepowershell, devx-track-azurecli |
| 7 | +# Customer intent: As an Azure user, I want to create a new data boundary. |
| 8 | +--- |
| 9 | + |
| 10 | +# Configure data boundary |
| 11 | + |
| 12 | +This documentation provides details on how customers can configure Azure Resource Manager for use in a data boundary. The only data boundary configuration currently supported, aside from the default Global configuration, is for the European Union (EU). The EU Data Boundary is a geographically defined boundary within which Microsoft has committed to store and process Customer Data and pseudonymized personal data, and store Professional Services Data for Microsoft enterprise online services, including Azure, Dynamics 365, Power Platform, and Microsoft 365, subject to limited circumstances where personal data continue to be transferred outside the EU Data Boundary. For more information, see [Overview of the EU Data Boundary](/privacy/eudb/eu-data-boundary-learn). |
| 13 | + |
| 14 | +> [!IMPORTANT] |
| 15 | +> To store Professional Services Data in the EU Data Boundary for Azure, customers must configure Azure Resource Manager to the EU Data Boundary. This documentation provides details on how customers can configure Azure Resource Manager for use in the EU Data Boundary. |
| 16 | +
|
| 17 | +A data boundary can only be established in new tenants that have no existing subscriptions or deployed resources. Once a tenant is opted into a data boundary, the data boundary configuration cannot be removed or modified. Subscriptions and resources created under a tenant with a data boundary cannot be moved out of that tenant. Existing subscriptions and resources cannot be moved into a tenant with a data boundary. Each tenant is limited to one data boundary, and after the data boundary is configured, Azure Resource Manager will restrict resource deployments to regions within that boundary. A Global data boundary has no restrictions on the regions a resource can deploy to. Customers can opt their tenants into a data boundary by deploying a `Microsoft.Resources/dataBoundaries` resource at the tenant level. |
| 18 | + |
| 19 | +The `DataBoundaryTenantAdministrator` built-in role is required to configure data boundary. For more information, see [Permissions required](#permissions-required). |
| 20 | + |
| 21 | +To opt your tenant into an Azure EU Data Boundary: |
| 22 | + |
| 23 | +1. Create a new tenant within an EU country or region to configure a Microsoft Entra EU Data Boundary. For more information on how to create a new tenant within an EU country or region, see [Create a new tenant in Microsoft Entra ID](/entra/fundamentals/create-new-tenant). |
| 24 | +1. Before creating any new subscriptions or resources, deploy a Microsoft.Resources/dataBoundaries resource with an EU configuration. |
| 25 | +1. Create a subscription and deploy Azure resources. |
| 26 | + |
| 27 | +## Permissions required |
| 28 | + |
| 29 | +To configure data boundary, the `DataBoundaryTenantAdministrator` built-in role is required at the tenant scope. Use the following steps to assign the role: |
| 30 | + |
| 31 | +1. Elevate access to manage all Azure subscriptions and management groups. For more information, see [Elevate access to manage all Azure subscriptions and management groups](../../role-based-access-control/elevate-access-global-admin.md). |
| 32 | +1. With the User Access Administrator privilege, grant yourself the `DataBoundaryTenantAdministrator` role at the tenant scope (`/`) by using Azure CLI or Azure PowerShell or REST API. |
| 33 | + |
| 34 | + # [Azure CLI](#tab/azure-cli) |
| 35 | + |
| 36 | + ```azurecli |
| 37 | + DATA_BOUNDARY_TENANT_ADMINISTRATOR_ROLE_ID="d1a38570-4b05-4d70-b8e4-1100bcf76d12" |
| 38 | + |
| 39 | + az role assignment create --assignee "{assignee}" --role DATA_BOUNDARY_TENANT_ADMINISTRATOR_ROLE_ID --scope "/" |
| 40 | + ``` |
| 41 | + |
| 42 | + # [PowerShell](#tab/azure-powershell) |
| 43 | + |
| 44 | + ```azurepowershell |
| 45 | + $dataBoundaryTenantAdministratorRoleDefinitionId = "d1a38570-4b05-4d70-b8e4-1100bcf76d12" |
| 46 | + |
| 47 | + New-AzRoleAssignment -ObjectId <objectId> -RoleDefinitionId $dataBoundaryTenantAdministratorRoleDefinitionId -Scope "/" |
| 48 | + ``` |
| 49 | + |
| 50 | + # [REST API](#tab/rest-api) |
| 51 | + |
| 52 | + ```http |
| 53 | + PUT https://management.azure.com/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentName}?api-version=2020-04-01-preview |
| 54 | + ``` |
| 55 | + |
| 56 | + Request body: |
| 57 | + |
| 58 | + ```json |
| 59 | + { |
| 60 | + "properties": { |
| 61 | + "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/d1a38570-4b05-4d70-b8e4-1100bcf76d12", |
| 62 | + "principalId": "{assignee}" |
| 63 | + } |
| 64 | + } |
| 65 | + ``` |
| 66 | + |
| 67 | + Response body: |
| 68 | + |
| 69 | + ```json |
| 70 | + { |
| 71 | + "id": "/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentName}", |
| 72 | + "type": "Microsoft.Authorization/roleAssignments", |
| 73 | + "name": "{roleAssignmentName}", |
| 74 | + "properties": { |
| 75 | + "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/d1a38570-4b05-4d70-b8e4-1100bcf76d12", |
| 76 | + "principalId": "{assignee}", |
| 77 | + "principalType": "User", // Could also be "Group", "ServicePrincipal", etc. |
| 78 | + } |
| 79 | + } |
| 80 | + ``` |
| 81 | + |
| 82 | + --- |
| 83 | + |
| 84 | +For more information, see [Assign Azure roles](../../role-based-access-control/role-assignments-powershell.md). |
| 85 | + |
| 86 | +## Create data boundary |
| 87 | + |
| 88 | +Data boundary geo currently has two options: |
| 89 | + |
| 90 | +|Data boundary geo | Description | |
| 91 | +|------|-------------| |
| 92 | +|Global| By default, all tenants have a global data boundary. | |
| 93 | +|EU | Establish an EU data boundary. | |
| 94 | + |
| 95 | +To opt in a tenant to data boundary, use the following commands. |
| 96 | + |
| 97 | +# [Azure CLI](#tab/azure-cli) |
| 98 | + |
| 99 | +```azurecli |
| 100 | +az data-boundary create --data-boundary <data-boundary-geo> --default default |
| 101 | +``` |
| 102 | + |
| 103 | +The `--default` switch is currently mandatory but will be phased out in the future. |
| 104 | + |
| 105 | +For more information, see [Azure CLI Reference](/cli/azure/reference-index). |
| 106 | + |
| 107 | +# [PowerShell](#tab/azure-powershell) |
| 108 | + |
| 109 | +```azurepowershell |
| 110 | +Set-AzDataBoundary -DataBoundary <data-boundary-geo> |
| 111 | +``` |
| 112 | + |
| 113 | +For more information, see [Azure PowerShell Reference](/powershell/module/az.resources). |
| 114 | + |
| 115 | +# [REST API](#tab/rest-api) |
| 116 | + |
| 117 | +```http |
| 118 | +PUT https://management.azure.com/providers/Microsoft.Resources/dataBoundaries/default?api-version=2024-08-01 |
| 119 | +``` |
| 120 | + |
| 121 | +Request body: |
| 122 | + |
| 123 | +```json |
| 124 | +{ |
| 125 | + "properties": { |
| 126 | + "dataBoundary": "<data-boundary-geo>" |
| 127 | + } |
| 128 | +} |
| 129 | +``` |
| 130 | + |
| 131 | +```Response body: |
| 132 | +
|
| 133 | +```json |
| 134 | +{ |
| 135 | + "name": "{tenantId}", |
| 136 | + "id": " /providers/Microsoft.Resources/dataBoundaries/{tenantId}", |
| 137 | + "properties": { |
| 138 | + "dataBoundary": "{dataBoundaryGeo}", |
| 139 | + "provisioningState": "Created" |
| 140 | + } |
| 141 | +} |
| 142 | +``` |
| 143 | + |
| 144 | +For more information, see [Azure REST API Reference](/rest/api/azure/). |
| 145 | + |
| 146 | +--- |
| 147 | + |
| 148 | +## Read data boundary |
| 149 | + |
| 150 | +To get data boundary at specified scopes. The scopes include: |
| 151 | + |
| 152 | +| Scope | Value | |
| 153 | +|-------|-------| |
| 154 | +|Tenant | (empty) | |
| 155 | +|Subscription | subscriptions/{subscriptionId} | |
| 156 | +|Resource group | subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName} | |
| 157 | + |
| 158 | +# [Azure CLI](#tab/azure-cli) |
| 159 | + |
| 160 | +```azurecli |
| 161 | +az data-boundary show --scope <scope-path> --default default |
| 162 | +``` |
| 163 | + |
| 164 | +Get data boundary of tenant: |
| 165 | + |
| 166 | +```azurecli |
| 167 | +az data-boundary show-tenant --default default |
| 168 | +``` |
| 169 | + |
| 170 | +The `--default` switch is currently mandatory but will be phased out in the future. |
| 171 | + |
| 172 | +For more information, see [Azure CLI Reference](/cli/azure/reference-index). |
| 173 | + |
| 174 | +# [PowerShell](#tab/azure-powershell) |
| 175 | + |
| 176 | +```azurepowershell |
| 177 | +Get-AzDataBoundaryScope -Scope <scope-path> |
| 178 | +``` |
| 179 | + |
| 180 | +Get data boundary of tenant: |
| 181 | + |
| 182 | +```azurepowershell |
| 183 | +Get-AzDataBoundaryTenant |
| 184 | +``` |
| 185 | + |
| 186 | +For more information, see [Azure PowerShell Reference](/powershell/module/az.resources). |
| 187 | + |
| 188 | +# [REST API](#tab/rest-api) |
| 189 | + |
| 190 | +```http |
| 191 | +GET https://management.azure.com/{scope}/providers/Microsoft.Resources/dataBoundaries/default?api-version=2024-08-01 |
| 192 | +``` |
| 193 | + |
| 194 | +Response body: |
| 195 | + |
| 196 | +```json |
| 197 | +{ |
| 198 | + "name": "{tenantId}", |
| 199 | + "id": " /providers/Microsoft.Resources/dataBoundaries/{tenantId}", |
| 200 | + "properties": { |
| 201 | + "dataBoundary": "{dataBoundaryGeo}", |
| 202 | + "provisioningState": "Succeeded" |
| 203 | + } |
| 204 | +} |
| 205 | +``` |
| 206 | + |
| 207 | +For more information, see [Azure REST API Reference](/rest/api/azure/). |
| 208 | + |
| 209 | +--- |
| 210 | + |
| 211 | +## Troubleshooting |
| 212 | + |
| 213 | +The following table lists the data boundary related error messages: |
| 214 | + |
| 215 | +| Error code | Error message | Explanation | |
| 216 | +|------------|---------------|-------------| |
| 217 | +| NonEmptyTenantCannotChangeDataBoundary | Tenant \<tenant-name> already contains subscriptions. Data boundary update for non-empty tenants is not supported. | Customers can only apply an Azure data boundary to a brand new tenant with no management groups, subscriptions, or resources. | |
| 218 | +| AuthorizationFailed | The client \<client-name> with object ID \<object-id> does not have authorization to perform action `Microsoft.Resources/dataBoundaries/write` over scope \<scope-name> or the scope is invalid. If access was recently granted, please refresh your credentials. | Ensure you have the Data Boundary Administrator role at the tenant scope. See [Permissions Required](#permissions-required). | |
| 219 | +| InvalidResourceLocation <br/> InvalidResourceGroupLocation | Invalid resource group location \<region-name>. The tenant ID for the given subscription is opted into the \<data-boundary-geo> data boundary. The resource group location is restricted by the data boundary. List of regions in the data boundary is: \<region-list>. | Once a data boundary applies to a tenant, users can only create resources in regions within the data boundary. For example, users cannot create resources in *WestUS* if an EU data boundary is applied to the tenant. To resolve this error, pick a region from the list returned in the error message. | |
| 220 | +| InvalidSubscriptionMoveDataBoundary | Transfer action failed. Transfer of this subscription is not allowed due to data boundary restrictions on the tenant. | It is not possible to move a subscription if the source or target tenants have a non-global data boundary. Subscription move is blocked even if the source and target tenants have the same data boundary. | |
| 221 | + |
| 222 | +## Next steps |
| 223 | + |
| 224 | +For more information, see [Overview of the EU Data Boundary](/privacy/eudb/eu-data-boundary-learn). |
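Review bot: The Azure CLI role assignment in the "Permissions required" tab passes the variable name as a literal instead of expanding it: `--role DATA_BOUNDARY_TENANT_ADMINISTRATOR_ROLE_ID` will fail with an unknown-role error; it should read `--role "$DATA_BOUNDARY_TENANT_ADMINISTRATOR_ROLE_ID"`. In the "Create data boundary" REST tab, the line "```Response body:" opens a code fence by mistake, so the following ```json block is swallowed and the rendered page shows the fence markers as text; it should be a plain "Response body:" line followed by a blank line, matching the "Read data boundary" section. Two smaller consistency issues: the role-assignment response JSON carries a `//` comment and a trailing comma after `"principalType": "User"`, so it is not valid JSON as shown (move the note into prose), and both dataBoundaries response samples have a leading space in the id (`" /providers/Microsoft.Resources/dataBoundaries/{tenantId}"`). The AuthorizationFailed row refers to the "Data Boundary Administrator role" while the rest of the page names it `DataBoundaryTenantAdministrator`; use the exact role name so readers can search for it. Step 2 of the opt-in procedure writes `Microsoft.Resources/dataBoundaries` without code formatting while the intro formats it; pick one. Finally, since the permissions steps have the reader elevate to User Access Administrator at the root scope, consider adding a closing step to remove that elevated access once the `DataBoundaryTenantAdministrator` assignment is in place, so the tenant-wide privilege does not linger after this one-time configuration.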