{"id":805,"date":"2026-04-03T07:03:56","date_gmt":"2026-04-03T07:03:56","guid":{"rendered":"https:\/\/cloudfirst.in\/insight\/?p=805"},"modified":"2026-04-10T10:11:34","modified_gmt":"2026-04-10T10:11:34","slug":"dpdp-act-compliance-checklist","status":"publish","type":"post","link":"https:\/\/cloudfirst.in\/insight\/dpdp-act-compliance-checklist\/","title":{"rendered":"DPDP Act Compliance Checklist for Microsoft 365 Users in India"},"content":{"rendered":"\n<p>Microsoft&#8217;s standard agreement for enterprise customers is the <strong>Microsoft Products and Services Data Protection Addendum (DPA)<\/strong>. This document governs how Microsoft processes personal data on your behalf across M365, Azure, and other Microsoft services. Without an executed DPA, your use of M365 is not <a href=\"https:\/\/cloudfirst.in\/insight\/what-is-the-dpdp-act\/\" data-type=\"post\" data-id=\"798\">DPDP<\/a>-compliant regardless of any other configuration.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Review Microsoft&#8217;s Subprocessor List<\/h3>\n\n\n\n<p>Microsoft uses subprocessors \u2014 third-party vendors \u2014 to deliver M365 services. Under the DPDP Act, you need visibility into who else is processing your data. Microsoft publishes an online list of M365 subprocessors that you should review and document.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Section 2: Data Residency Configuration<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Check Your Microsoft 365 Tenant Data Location<\/h3>\n\n\n\n<p>By default, Microsoft 365 stores data in the region associated with your tenant&#8217;s billing country. 
For Indian organisations, this is typically the Asia Pacific region \u2014 which may include data centres in Singapore, not India.<\/p>\n\n\n\n<p><strong>Admin path:<\/strong> Microsoft 365 Admin Centre \u2192 Settings \u2192 Org settings \u2192 Organisation profile \u2192 Data location<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Evaluate Microsoft 365 Advanced Data Residency (ADR)<\/h3>\n\n\n\n<p>For organisations that need to ensure data stays within India, Microsoft offers <strong>Microsoft 365 Advanced Data Residency (ADR)<\/strong> \u2014 an add-on that guarantees specific workload data is stored in a chosen country\/region. As of 2026, India is an available ADR location.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Review Teams Meeting Recording Storage Location<\/h3>\n\n\n\n<p>Teams meeting recordings are stored in OneDrive (personal meetings) and SharePoint (channel meetings). These locations inherit the data residency configuration of your M365 tenant and must be covered by your retention policies.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Section 3: Data Retention and Deletion<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Configure Microsoft Purview Retention Policies<\/h3>\n\n\n\n<p><strong>Admin path:<\/strong> Microsoft Purview Compliance Portal \u2192 Data lifecycle management \u2192 Microsoft 365 \u2192 Retention policies<\/p>\n\n\n\n<p>Configure retention policies for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Exchange email (recommended: 3\u20137 years with deletion at end of period)<\/li>\n\n\n\n<li>Teams channel messages and chats (recommended: 1\u20133 years with deletion)<\/li>\n\n\n\n<li>SharePoint and OneDrive files (retention period varies by document type)<\/li>\n\n\n\n<li>Teams meeting recordings (recommended: 90 days for standard meetings)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Enable Teams Recording Expiry<\/h3>\n\n\n\n<p><strong>Admin path:<\/strong> Teams Admin Centre \u2192 Meetings \u2192 Meeting policies \u2192 
Recording expiry \u2192 set to 60 or 90 days for standard policy<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Section 4: Data Loss Prevention<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Enable Microsoft Purview DLP for Indian Personal Data<\/h3>\n\n\n\n<p><strong>Admin path:<\/strong> Microsoft Purview Compliance Portal \u2192 Data loss prevention \u2192 Policies \u2192 Create policy<\/p>\n\n\n\n<p>Deploy DLP policies that detect Aadhaar numbers, PAN numbers, and Indian financial account details. Block or warn when these are being shared externally.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Configure Sensitivity Labels<\/h3>\n\n\n\n<p>Create sensitivity labels that reflect your DPDP Act data classification \u2014 at minimum: Personal Data, Sensitive Personal Data, and Non-Personal Data. Apply these to your most sensitive SharePoint libraries.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Section 5: Access Controls and Identity<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Audit Guest Access in Microsoft 365<\/h3>\n\n\n\n<p>Conduct a quarterly audit of all guest accounts in your Microsoft Entra ID tenant. 
Configure Entra ID Access Reviews to automate this process.<\/p>\n\n\n\n<p><strong>Admin path:<\/strong> Microsoft Entra Admin Centre \u2192 Identity Governance \u2192 Access reviews \u2192 New access review \u2192 Guest users<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Enable Conditional Access Policies<\/h3>\n\n\n\n<p>Implement Conditional Access policies that require MFA for all users accessing personal data, block access from non-compliant devices to sensitive SharePoint sites, and restrict access from high-risk locations.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Section 6: Breach Notification Readiness<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Enable Microsoft Purview Audit Logging<\/h3>\n\n\n\n<p><strong>Admin path:<\/strong> Microsoft Purview Compliance Portal \u2192 Audit \u2192 Start recording user and admin activity<\/p>\n\n\n\n<p>Enable Audit (Standard) for all users, and Audit (Premium) for administrators and users with access to sensitive personal data.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Document Your Breach Response Procedure<\/h3>\n\n\n\n<p>Document a written breach response procedure that covers who is responsible for assessing potential breaches, the criteria for determining whether a breach requires DPDP Act notification, and the process for notifying the Data Protection Board.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Microsoft 365 DPDP Compliance Priority Order<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Execute the Microsoft DPA \u2014 this is a legal prerequisite for everything else<\/li>\n\n\n\n<li>Check and document your tenant data location<\/li>\n\n\n\n<li>Configure retention and deletion policies in Microsoft Purview<\/li>\n\n\n\n<li>Enable audit logging<\/li>\n\n\n\n<li>Audit and remove unnecessary guest access<\/li>\n\n\n\n<li>Deploy DLP policies for Indian personal data categories<\/li>\n\n\n\n<li>Configure Teams recording expiry<\/li>\n\n\n\n<li>Document your breach response 
procedure<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Frequently Asked Questions<\/h2>\n\n\n\n<p><strong>Q: Does Microsoft 365 store data in India?<\/strong><\/p>\n\n\n\n<p>By default, M365 stores data in the region associated with your tenant&#8217;s billing country. For Indian tenants, this is typically the Asia Pacific geo, which may include Singapore. Microsoft 365 Advanced Data Residency (ADR) is the mechanism to guarantee data storage within India specifically.<\/p>\n\n\n\n<p><strong>Q: Do we need Microsoft Purview for DPDP compliance?<\/strong><\/p>\n\n\n\n<p>Microsoft Purview provides the compliance tools needed for DPDP Act obligations \u2014 retention policies, DLP, audit logging, content search. Many of these are included in M365 E3 and above. If you are on Business Premium or F-tier licences, your Purview access may be limited, which creates a compliance gap.<\/p>\n\n\n\n<p><strong>Q: Is Microsoft DPDP Act compliant?<\/strong><\/p>\n\n\n\n<p>Microsoft&#8217;s services are designed to support customer compliance with data protection laws including the DPDP Act. However, compliance is a shared responsibility \u2014 Microsoft provides the tools and agreements, but your organisation must configure them correctly.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft&#8217;s standard agreement for enterprise customers is the Microsoft Products and Services Data Protection Addendum (DPA). 
This document governs how Microsoft processes personal data on your behalf across M365, Azure,&hellip;<\/p>\n","protected":false},"author":1,"featured_media":824,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-805","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cloud"],"_links":{"self":[{"href":"https:\/\/cloudfirst.in\/insight\/wp-json\/wp\/v2\/posts\/805","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudfirst.in\/insight\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudfirst.in\/insight\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudfirst.in\/insight\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudfirst.in\/insight\/wp-json\/wp\/v2\/comments?post=805"}],"version-history":[{"count":1,"href":"https:\/\/cloudfirst.in\/insight\/wp-json\/wp\/v2\/posts\/805\/revisions"}],"predecessor-version":[{"id":807,"href":"https:\/\/cloudfirst.in\/insight\/wp-json\/wp\/v2\/posts\/805\/revisions\/807"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudfirst.in\/insight\/wp-json\/wp\/v2\/media\/824"}],"wp:attachment":[{"href":"https:\/\/cloudfirst.in\/insight\/wp-json\/wp\/v2\/media?parent=805"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudfirst.in\/insight\/wp-json\/wp\/v2\/categories?post=805"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudfirst.in\/insight\/wp-json\/wp\/v2\/tags?post=805"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}