Microsoft Azure is the public cloud platform operated by Microsoft Corporation, headquartered in Redmond, Washington. On a European website it typically appears as Azure App Service hosting the application, Azure Functions running background code, Azure Front Door distributing content globally, Azure Application Gateway balancing HTTP traffic, Azure SQL or Cosmos DB storing user data, Microsoft Entra ID handling authentication and Application Insights capturing telemetry, alongside dozens of other services used to host, secure and accelerate applications. Azure also powers higher level services such as Microsoft Clarity, Power BI Embedded, Azure OpenAI and Communication Services.
Because Azure is a US owned platform, every European deployment must address international transfers and consent requirements alongside the Microsoft EU Data Boundary commitment.
Microsoft offers the EU Data Boundary commitment, under which the storage and most processing of customer data and pseudonymous personal data for the core online services stays inside the European Union and European Free Trade Association. Some support, telemetry and identity operations may still touch US systems, and Microsoft Corporation remains subject to US extraterritorial laws.
At the infrastructure layer, Azure mostly sets session affinity cookies. Azure App Service uses ARRAffinity and ARRAffinitySameSite to keep a visitor on the same instance (ARR is the Application Request Routing front end of App Service); Azure Front Door sets its own affinity cookies only when its session affinity feature is enabled. Application Gateway uses ApplicationGatewayAffinity and ApplicationGatewayAffinityCORS for cookie-based affinity. Cookies prefixed AzureAppProxyAccessCookie come from Microsoft Entra application proxy (not Front Door) when pre-authentication is enabled. These cookies are usually classified as strictly necessary for the operation of the website.
On top of this, the Application Insights JavaScript SDK sets a user identifier cookie (ai_user, one year) and a session cookie (ai_session, expiring after 30 minutes of inactivity) to measure usage; both are analytics cookies and the SDK can be configured not to write them until consent is given. Microsoft Entra ID sets authentication cookies (ESTSAUTH, ESTSAUTHPERSISTENT) on the login domain. Higher level products such as Microsoft Clarity drop additional analytics cookies that require prior opt-in consent.
Microsoft acts as a processor under the Microsoft Products and Services Data Protection Addendum (DPA). The DPA incorporates the European Commission Standard Contractual Clauses, lists sub-processors, and binds Microsoft to ISO 27001, ISO 27018, ISO 27701, SOC 2 and EU Cloud Code of Conduct controls. The website operator stays the controller and remains responsible for every cookie set through an Azure component.
Under the ePrivacy Directive as transposed nationally (section 25 TTDSG in Germany, since renamed TDDDG; article 82 of the Loi Informatique et Libertés in France; article 22.2 LSSI-CE in Spain), session affinity cookies are typically exempt from prior consent because they are strictly necessary, while Application Insights telemetry and Clarity cookies are not.
Microsoft Corporation is certified under the EU-US Data Privacy Framework, which provides an adequacy basis for transfers to the United States. The Microsoft EU Data Boundary, rolled out in phases from 2023, keeps customer data and pseudonymous personal data for Azure, Microsoft 365, Dynamics 365 and Power Platform in the EU and EFTA. A transfer impact assessment and supplementary measures such as customer managed keys held in Azure Key Vault or Managed HSM are still recommended after Schrems II, and the Standard Contractual Clauses in the Microsoft DPA remain the fallback transfer mechanism if the framework is invalidated.
For pure infrastructure (hosting, load balancing, content delivery, security), Article 6(1)(f) GDPR legitimate interest is the standard legal basis. For analytics and personalization features such as Application Insights or Microsoft Clarity, prior opt-in consent gathered through a Consent Management Platform is required before triggering the scripts.
Sign the Microsoft DPA, opt into the EU Data Boundary scope, pin resources to EU regions, enable customer managed keys in Azure Key Vault, scope Microsoft Entra ID roles tightly, configure log retention, list Microsoft as a sub-processor in the privacy notice, document the transfer impact assessment, keep IP masking enabled in Application Insights (it is on by default and is switched off only by setting DisableIpMasking on the resource), and integrate every non strictly necessary cookie into the Consent Management Platform.
Websites using Microsoft Azure must obtain consent under GDPR and ePrivacy rules for every non strictly necessary cookie or telemetry script the Azure stack sets; the infrastructure affinity cookies alone do not trigger the requirement.
DPIA considerations
A Data Protection Impact Assessment is recommended when Azure hosts personal data at scale, processes special category data, or combines App Service, Application Gateway, Front Door and Application Insights with user identifiers. The DPIA should cover region selection, the EU Data Boundary scope, customer managed keys, conditional access, retention, sub-processors and the response plan for US government access requests under FISA 702.
Sample consent text
We use Microsoft Azure to host and deliver this website. Azure sets technical cookies for session affinity (ARRAffinity, ApplicationGatewayAffinity) and processes your IP address to serve the site. Most data stays in EU/EFTA datacentres under the Microsoft EU Data Boundary; some support and identity flows may touch US infrastructure, covered by the EU-US Data Privacy Framework and Standard Contractual Clauses. By clicking Accept, you allow the analytics and personalization features powered by Azure, such as Application Insights telemetry.
Third-party domains contacted
azure.com
azureedge.net
azurewebsites.net
windows.net
msftauth.net
azurefd.net
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| ARRAffinity | HTTP cookie | Session | Azure App Service session affinity: keeps a visitor on the same backend instance. |
| ARRAffinitySameSite | HTTP cookie | Session | SameSite compliant variant of ARRAffinity used in modern browsers. |
| ApplicationGatewayAffinity | HTTP cookie | Session | Azure Application Gateway sticky session for HTTP backends. |
| ApplicationGatewayAffinityCORS | HTTP cookie | Session | Cross-origin variant of ApplicationGatewayAffinity. |
| ESTSAUTH | HTTP cookie | Session | Microsoft Entra ID authentication cookie set on the login domain (login.microsoftonline.com). |
| ai_user | HTTP cookie | 1 year | Application Insights anonymous user identifier set by the JavaScript SDK; requires consent. |
| ai_session | HTTP cookie | 30 minutes, renewed on activity | Application Insights session identifier set by the JavaScript SDK; requires consent. |
Azure sets primarily session affinity cookies. Azure App Service deploys ARRAffinity and ARRAffinitySameSite (session), and Front Door sets its own affinity cookies when session affinity is enabled. Application Gateway sets ApplicationGatewayAffinity and ApplicationGatewayAffinityCORS. Microsoft Entra ID adds authentication cookies (ESTSAUTH, ESTSAUTHPERSISTENT) on its login domain. The Application Insights JavaScript SDK sets the ai_user and ai_session cookies. Microsoft Clarity, deployed on Azure, sets its own analytics cookies.
Session affinity cookies set by Azure infrastructure (ARRAffinity, ApplicationGatewayAffinity) are normally considered strictly necessary and exempt from prior consent under the ePrivacy Directive. Telemetry features such as Application Insights and Microsoft Clarity require informed opt-in consent before they trigger.
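The consent gating described here and in the legal-basis section above, as an added example that is not FlowConsent's or Microsoft's code: it classifies the cookie names this page lists into strictly necessary and consent-required, reports telemetry cookies that appeared without opt-in, and only loads the Application Insights JavaScript SDK once analytics consent exists. The consent object shape, the loadSdk callback and the placeholder connection string are assumptions; appInsights.getCookieMgr().setEnabled() is the SDK's own cookie toggle.

```javascript
'use strict';
// Added example (not FlowConsent's or Microsoft's code): classify the cookies this page lists
// and gate the Application Insights JavaScript SDK on CMP consent. Cookie names come from the
// page; the consent object shape, loadSdk callback and connection string are assumptions.

// Infrastructure and sign-in cookies: exempt from prior consent as strictly necessary.
// Entra application proxy appends an application id, so these are matched by prefix too.
const STRICTLY_NECESSARY = ['ARRAffinity', 'ARRAffinitySameSite', 'ApplicationGatewayAffinity',
  'ApplicationGatewayAffinityCORS', 'ESTSAUTH', 'ESTSAUTHPERSISTENT', 'AzureAppProxyAccessCookie'];
// Telemetry cookies written by the Application Insights SDK: need opt-in first.
const CONSENT_REQUIRED = ['ai_user', 'ai_session'];

// Constructed placeholder; a real value comes from the Application Insights resource.
const CONNECTION_STRING = 'InstrumentationKey=00000000-0000-0000-0000-000000000000';

function classifyCookie(name) {
  if (STRICTLY_NECESSARY.some((p) => name === p || name.startsWith(p + '_'))) return 'strictly-necessary';
  if (CONSENT_REQUIRED.includes(name)) return 'consent-required';
  return 'unknown';
}

// Cookie names from a document.cookie or Cookie header string.
function cookieNames(cookieString) {
  return cookieString.split(';').map((c) => c.trim().split('=')[0]).filter(Boolean);
}

// Consent-required cookies present although the visitor has not opted in to analytics.
function findConsentViolations(cookieString, consent) {
  if (consent.analytics === true) return [];
  return cookieNames(cookieString).filter((n) => classifyCookie(n) === 'consent-required');
}

// SDK configuration: with cookies disabled the SDK neither reads nor writes ai_user/ai_session.
function telemetryConfig(connectionString, consent) {
  return {
    connectionString,
    cookieCfg: { enabled: consent.analytics === true },
  };
}

// Load the SDK only after opt-in; loadSdk is whatever injects the snippet on your page.
function initTelemetry(consent, loadSdk) {
  if (consent.analytics !== true) return { loaded: false, reason: 'no analytics consent' };
  const cfg = telemetryConfig(CONNECTION_STRING, consent);
  loadSdk(cfg);
  return { loaded: true, config: cfg };
}

// When the CMP decision changes on a page where the SDK already runs, toggle the SDK's
// cookie manager instead of reloading the page. Returns the new enabled state.
function applyConsentChange(appInsights, consent) {
  const enable = consent.analytics === true;
  appInsights.getCookieMgr().setEnabled(enable);
  return enable;
}

// Constructed sample: strictly necessary cookies plus telemetry cookies that were written
// before the CMP decision, which is exactly what consent gating is meant to prevent.
const SAMPLE_COOKIES = 'ARRAffinity=2f1a; ARRAffinitySameSite=2f1a; ' +
  'ai_user=Ab12|2024-05-01T10:00:00Z; ai_session=Cd34|1714557600000|1714559400000';

console.log(findConsentViolations(SAMPLE_COOKIES, { analytics: false })); // [ 'ai_user', 'ai_session' ]
```

Run the violation check from the CMP's "consent rejected" handler as well: finding ai_user or ai_session there means the SDK snippet fired before the CMP decided, which is the most common way an otherwise correct Azure setup fails an ePrivacy audit.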
Legitimate interest under Article 6(1)(f) GDPR is the standard basis for infrastructure hosting, security and performance optimisation. Consent under Article 6(1)(a) applies to analytics, advertising and personalization features. Contractual necessity (Article 6(1)(b)) may apply when Azure powers a feature the visitor explicitly subscribed to.
Yes, even when an EU region is chosen, some support, identity and global services may transit through US infrastructure. Microsoft Corporation is certified under the EU-US Data Privacy Framework and the Microsoft DPA includes Standard Contractual Clauses. The EU Data Boundary keeps most customer data and pseudonymous personal data in EU/EFTA datacentres.
A DPIA is recommended when Azure handles large scale personal data, sensitive categories, or aggregates several services (App Service, Application Gateway, Front Door, Application Insights) tied to user identifiers. Document region, EU Data Boundary scope, customer managed keys, retention, sub-processors and FISA 702 response plan.
Sign the Microsoft DPA, opt into the EU Data Boundary, pin services to EU regions, enable customer managed keys, scope Entra ID conditional access, retain logs only as long as necessary, list Microsoft and its sub-processors, document the transfer impact assessment, keep IP masking enabled in Application Insights (do not set DisableIpMasking) and route every non strictly necessary cookie through the CMP.
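A way to check the technical items of this checklist (and of the longer version earlier on the page) against a deployment, as an added example that is not Microsoft's or FlowConsent's code: it audits an exported list of resources for region, Application Insights IP masking and retention, and customer managed keys on storage accounts. The record shape follows what `az resource show` returns (id, type, location, properties); the sample records, the EU region allow-list and the 90-day retention limit are constructed assumptions to adapt to your own Data Boundary scope.

```javascript
'use strict';
// Added example (not Microsoft's or FlowConsent's code): audit exported Azure resources against
// the checklist above. Input records follow the `az resource show` shape; the sample records,
// the region allow-list and the retention limit are constructed assumptions.

// EU/EFTA regions accepted by this hypothetical policy.
const EU_REGIONS = new Set(['westeurope', 'northeurope', 'francecentral', 'germanywestcentral',
  'swedencentral', 'norwayeast', 'switzerlandnorth', 'italynorth', 'polandcentral']);

const DEFAULT_POLICY = { maxRetentionDays: 90 };

function auditResource(res, policy = DEFAULT_POLICY) {
  const findings = [];
  const type = (res.type || '').toLowerCase();
  const loc = (res.location || '').toLowerCase();
  const p = res.properties || {};

  // Global services such as Front Door carry location "global"; everything else must sit in EU/EFTA.
  if (loc !== 'global' && !EU_REGIONS.has(loc)) {
    findings.push({ id: res.id, rule: 'region', detail: `located in ${loc || 'unknown'}` });
  }

  if (type === 'microsoft.insights/components') {
    // IP masking is on by default; DisableIpMasking=true keeps raw client IPs in telemetry.
    if (p.DisableIpMasking === true) {
      findings.push({ id: res.id, rule: 'ip-masking', detail: 'DisableIpMasking is true' });
    }
    if (typeof p.RetentionInDays === 'number' && p.RetentionInDays > policy.maxRetentionDays) {
      findings.push({ id: res.id, rule: 'retention',
        detail: `${p.RetentionInDays} days exceeds ${policy.maxRetentionDays}` });
    }
  }

  if (type === 'microsoft.storage/storageaccounts') {
    // Customer managed keys appear as encryption.keySource = Microsoft.Keyvault.
    const keySource = p.encryption && p.encryption.keySource;
    if (keySource !== 'Microsoft.Keyvault') {
      findings.push({ id: res.id, rule: 'cmk', detail: `keySource is ${keySource || 'unset'}` });
    }
  }
  return findings;
}

function auditResources(resources, policy = DEFAULT_POLICY) {
  return resources.flatMap((r) => auditResource(r, policy));
}

// Constructed sample export: a compliant component, one with masking off and long retention,
// a US storage account without customer managed keys, and a global Front Door profile.
const RG = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-web/providers/';
const SAMPLE_RESOURCES = [
  { id: RG + 'microsoft.insights/components/web-eu', type: 'microsoft.insights/components',
    location: 'westeurope', properties: { DisableIpMasking: false, RetentionInDays: 90 } },
  { id: RG + 'microsoft.insights/components/web-raw-ip', type: 'microsoft.insights/components',
    location: 'westeurope', properties: { DisableIpMasking: true, RetentionInDays: 365 } },
  { id: RG + 'Microsoft.Storage/storageAccounts/stwebuploads', type: 'Microsoft.Storage/storageAccounts',
    location: 'eastus', properties: { encryption: { keySource: 'Microsoft.Storage' } } },
  { id: RG + 'Microsoft.Cdn/profiles/fd-web', type: 'Microsoft.Cdn/profiles',
    location: 'global', properties: {} },
];

console.log(JSON.stringify(auditResources(SAMPLE_RESOURCES), null, 2)); // 4 findings
```

Feed it the JSON of `az resource show` for each resource in scope (or the equivalent Resource Graph export) and treat any finding as a DPIA action item; the region rule is the one that catches the replicas and diagnostic storage accounts that quietly land outside the EU Data Boundary.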
For European workloads, OVHcloud Public Cloud, Scaleway, Hetzner Cloud, IONOS Compute Engine and T-Systems Open Telekom Cloud are EU based options. For specialised compliance (GAIA-X aligned, sovereignty), look at Outscale, Cleura and the upcoming Bleu sovereign cloud in France. Suitability depends on your service mix and certifications.
List Microsoft Corporation as a processor, describe the Azure services in use, document the technical cookies (ARRAffinity, ApplicationGatewayAffinity, ESTSAUTH), explain the EU Data Boundary and the EU-US Data Privacy Framework, link to the Microsoft DPA and provide a contact point for data subject requests.