Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
The Microsoft Ajax Content Delivery Network (ajax.aspnetcdn.com) is a public CDN operated by Microsoft Corporation that hosts popular JavaScript libraries, including jQuery, jQuery UI, Modernizr and the ASP.NET AJAX scripts. Many older ASP.NET, SharePoint and intranet sites reference these scripts directly from the Microsoft Ajax CDN. The CDN itself does not place cookies, but each request exposes the visitor IP address to Microsoft servers, which has GDPR transparency and transfer implications.
The Microsoft Ajax Content Delivery Network, served from ajax.aspnetcdn.com, is a public CDN operated by Microsoft Corporation that hosts cached copies of popular JavaScript libraries (jQuery and jQuery UI, Modernizr, ASP.NET AJAX, the Microsoft Ajax Library). It was originally launched to accelerate the loading of these libraries by serving them from a globally distributed Microsoft edge. The CDN is widely referenced in legacy ASP.NET applications, SharePoint sites and tutorials. Microsoft has officially announced the retirement of this service and recommends migrating to a generic CDN.
The Microsoft Ajax CDN does not set cookies, does not run analytics on the visitor, does not fingerprint and does not include any visitor side tracking script. The only personal data it sees is the HTTP request metadata that any server naturally observes when delivering an asset: IP address, User Agent, Referer and Accept Language. Microsoft uses these data points for CDN performance routing, anti DDoS measures and aggregated traffic reporting, and may retain them for a limited period in operational logs.
Because no information is stored or read on the visitor device, the ePrivacy strictly necessary rule does not even apply. The GDPR still applies to the visitor IP that is shared with Microsoft when the asset is loaded. After Schrems II and the Google Fonts case law in Germany, even the passive exposure of an EU visitor IP to a US controller has been treated as a transfer that requires either a clear basis and information or, preferably, the use of a self hosted alternative. The same logic applies to the Microsoft Ajax CDN.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
For a self hosted equivalent, the legal basis is legitimate interest under Article 6(1)(f) GDPR. For the Microsoft Ajax CDN, the safest pattern is to migrate the scripts to a self hosted copy or to an EU only CDN, eliminating the third country transfer. If the operator chooses to keep referencing ajax.aspnetcdn.com, the privacy notice should mention Microsoft Corporation as a recipient, cite the EU US Data Privacy Framework certification of Microsoft as the transfer mechanism, and ideally provide a consent gate for visitors who refuse the transfer.
The Microsoft Ajax CDN is served from Microsoft Azure Front Door and Azure CDN edges located worldwide, including in the EU, with backend origins in the United States. Microsoft Corporation is the data controller for the operational logs and participates in the EU US Data Privacy Framework. Although the CDN often serves European visitors from an EU edge, the parent company is US established and engages US support and engineering teams, so the transfer should be treated as a real transfer to the United States in the privacy notice.
Because Microsoft has announced the retirement of the Ajax CDN, the recommended step is to bundle jQuery and other libraries locally with your build system or to load them from an EU CDN with EU only routing. If migration is not immediate, list ajax.aspnetcdn.com in the third party resources section of your privacy notice, mention Microsoft Corporation as the recipient, cite the EU US Data Privacy Framework and provide visitors with information about how to block the request through their browser settings or an extension.
Websites using Microsoft Ajax Content Delivery Network must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is not required for using the Microsoft Ajax CDN. The service does not set cookies, does not perform analytics on visitors and only sees the standard HTTP request metadata (IP address, User Agent, Referer) inherent to any external asset load. The only personal data involved is the visitor IP, which is well below the threshold of Article 35 GDPR.
Sample consent text
Some pages on our site load JavaScript libraries (such as jQuery) from the Microsoft Ajax Content Delivery Network (ajax.aspnetcdn.com), operated by Microsoft Corporation in the United States. This means your IP address is shared with Microsoft for the duration of the request. The Microsoft Ajax CDN itself does not place cookies or trackers on your device.
Third-party domains contacted
ajax.aspnetcdn.comajax.microsoft.comaspnetcdn.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| no_cookies | first_party | N/A | The Microsoft Ajax CDN serves static JavaScript files and does not set any cookies of its own. This entry exists for inventory completeness so the absence of cookies is explicitly documented. |
This service may collect user data. Ensure GDPR compliance with FlowConsent.
No. The Microsoft Ajax CDN is a static asset delivery service that does not set cookies, does not write local storage and does not fingerprint visitors. The only data exposed is the HTTP request metadata (IP address, User Agent, Referer) that any web server naturally observes when serving an asset.
Consent is not required because no information is stored or read on the visitor device. However, after the German Google Fonts case law, exposing an EU visitor IP to a US controller without information or basis is considered problematic. The safest path is to self host the libraries or use a CDN with EU only routing. If you keep the Microsoft Ajax CDN, mention it in your privacy notice and rely on legitimate interest combined with the EU US Data Privacy Framework certification of Microsoft.
For self hosted libraries the basis is legitimate interest under Article 6(1)(f) GDPR. For the Microsoft Ajax CDN the safest position is to combine legitimate interest with transparent disclosure of the transfer to the United States, citing the EU US Data Privacy Framework certification of Microsoft as the transfer mechanism. For stricter German audiences, a consent gate can be added in the functional category of the CMP.
Microsoft routes Ajax CDN requests through Azure edges located worldwide, including in the EU. However, Microsoft Corporation is established in the United States, runs global operations and engages US support and engineering teams, so requests should be treated as transfers to the US and disclosed in the privacy notice. Microsoft is certified under the EU US Data Privacy Framework.
No. The CDN does not perform profiling, automated decision making, large scale processing of sensitive data or systematic monitoring. The only personal data involved is the HTTP request metadata that any web server naturally sees, which is well below the Article 35 GDPR threshold.
Because Microsoft has announced the retirement of the Ajax CDN, migrate the libraries to a self hosted bundle or to a CDN with EU only routing as a priority. While the migration is pending, document the resource in your privacy notice as a third party served from Microsoft Corporation, cite the EU US Data Privacy Framework as the transfer mechanism and ensure your CMP does not load any other Microsoft script automatically.
The simplest alternative is to bundle jQuery, jQuery UI and Modernizr locally with your build system, eliminating the third party request entirely. Public alternatives include jsDelivr (Polish operator, US backbone), unpkg (US), cdnjs (Cloudflare, US) and Bunny CDN (Slovenian operator with EU only zone options). For German audiences a self hosted setup is recommended to avoid Google Fonts style claims.
You do not need to add a cookie entry because the CDN does not set cookies. Add a short paragraph in the third party resources section of your privacy notice, indicating that some pages load JavaScript libraries from ajax.aspnetcdn.com operated by Microsoft Corporation, that this exposes the visitor IP to Microsoft in the United States and that the transfer is covered by the EU US Data Privacy Framework.