Why does Microsoft operate differently in China?

Microsoft's cloud services in China (Azure, M365, Dynamics 365) operate through a separate entity — 21Vianet — under a licensing agreement with Microsoft. 21Vianet operates and provides the services independently within China's regulatory framework, including separate data residency, separate service terms, and separate pricing.

What happened to Microsoft services in Russia after 2022?

Following Russia's invasion of Ukraine in February 2022, Microsoft suspended new sales in Russia and began restricting existing services. By 2023, Microsoft had substantially exited the Russian commercial market. Existing EA agreements for Russian affiliates are in various states of suspension or termination. Enterprises should assume Russia cannot be reliably covered in global EA affiliate structures.

What are Germany's specific Microsoft licensing requirements?

Germany has particularly stringent cloud requirements, especially for public sector, critical infrastructure, and regulated industries. The Germany West Central and Germany North Azure regions are designed for German sovereignty requirements. Some KRITIS (critical infrastructure) operators require the Deutsche Telekom T-Systems operated Microsoft Cloud Deutschland, which has been succeeded by the standard German Azure regions with enhanced compliance certifications.

Does India have different Microsoft licensing rules?

India has local data residency requirements for certain financial services data (RBI guidelines) and is implementing the Digital Personal Data Protection Act (DPDPA). Microsoft operates Azure regions in India (Central, South, West) that satisfy local data residency. Indian subsidiaries can be included in global EAs with affiliate coverage, but local compliance requirements for specific industries add complexity.

What are Australia's specific Microsoft licensing considerations?

Australia has the Privacy Act (amended 2023) and specific requirements for government entities under the Australian Signals Directorate (ASD) framework. Microsoft's Azure Australia regions (East, Southeast) are included in global EAs but government entities require Microsoft's Government Community Cloud (GCC) or dedicated government offerings. Azure Australia prices are 12–18% above US East reference pricing.

What countries cannot be covered under a global Microsoft EA?

Certain sanctioned or restricted territories cannot be covered in Microsoft EA affiliate structures. This includes Cuba, Iran, North Korea, Syria, and the Russian-occupied regions of Ukraine. China and Russia require separate treatment as described. Enterprises must verify current US export control and sanctions compliance for all affiliate geographies at EA execution and annually.

How does local tax law affect Microsoft EA invoicing by country?

Microsoft bills through local entities in most countries, applying local VAT/GST. Brazil's complex Nota Fiscal requirements, India's GST framework, Australia's GST, and varying EU VAT rates all affect gross billing amounts. Microsoft's standard EA is net of local taxes, but local entities must comply with in-country invoicing requirements. Multi-national enterprises should verify their accounts payable processes handle these variations correctly.

What is the Microsoft Trusted Cloud for sovereign requirements?

Microsoft's Trusted Cloud programme includes Azure Government (US), Azure for German entities (German regions with enhanced compliance), and Azure for China (21Vianet). For European sovereign cloud requirements, Microsoft has announced Cloud for Sovereignty and local zone partnerships with national operators in France, Germany, Spain, and Poland. These sovereign offerings typically carry premium pricing versus standard commercial cloud.

How do I handle countries where Microsoft has no direct presence?

In countries without a Microsoft direct entity, EA coverage flows through authorised regional distributors or LAR partners. Service delivery is via the nearest Azure region (which may be in a different country). Enterprises with users in these markets should verify: that the nearest Azure region meets any applicable data residency requirements, that the LAR has coverage in the country, and that local employment/compliance obligations are addressed.

What countries have specific Microsoft Teams PSTN restrictions?

Microsoft Teams Calling Plans (PSTN) availability varies significantly by country. As of 2026, Teams Calling Plans are available in 30+ countries. Many markets — including most of LATAM, MEA, and developing APAC — require Operator Connect or Direct Routing (customer-provided PSTN) rather than Microsoft's own calling plans. This affects total cost of ownership calculations and architecture choices for global Teams deployments.

Do Microsoft's data processing agreements (DPAs) vary by country?

Microsoft's core DPA is global but incorporates country-specific addenda for major regulatory regimes (EU GDPR, UK GDPR, CCPA, PIPEDA in Canada, LGPD in Brazil, PDPA in Thailand/Singapore, APPI in Japan). Country-specific addenda define applicable law, data processing requirements, and transfer mechanisms for each jurisdiction. Enterprises operating in multiple data protection regimes should verify all applicable country addenda are executed.

What are France's specific Microsoft cloud requirements?

France has the SecNumCloud certification framework for sovereign cloud (required for some French government and sensitive sectors). Standard Microsoft Azure does not hold SecNumCloud certification. Microsoft has announced a partnership with Capgemini/Orange (Bleu initiative) for a French sovereign cloud. For French enterprises not requiring SecNumCloud, France Central is an EU Data Boundary region with standard commercial pricing.

How does Microsoft handle licensing in countries with currency controls?

Countries with currency controls (historically Argentina, Venezuela, Nigeria at various points) create EA invoicing complications. Microsoft typically invoices in USD for these markets through local entities, but remittance controls may prevent payment. EA affiliates in currency-control markets may require special payment provisions or exclusion from the global EA affiliate structure depending on the severity of local controls.

What are the US export control implications for global EA affiliate coverage?

Microsoft products are subject to US export control regulations (EAR/ITAR). Including affiliates in sanctioned territories violates these regulations. Enterprises must screen all EA affiliate entities against OFAC's SDN list and the Commerce Department's Entity List. EA agreements typically include warranty clauses where the customer certifies compliance — violation of these clauses can void the EA. Annual re-verification is recommended given list changes.

How does Japan handle Microsoft cloud services?

Japan has strict requirements under the Act on Protection of Personal Information (APPI) and sector-specific guidelines from the Financial Services Agency (FSA) and Ministry of Economy, Trade and Industry (METI). Microsoft operates Japan East and Japan West Azure regions. Japanese enterprises typically require explicit data residency confirmation and DPA provisions aligned with APPI's cross-border transfer restrictions. FSA-regulated financial institutions have additional requirements for system risk management documentation.

What special considerations apply to Middle East Microsoft licensing?

UAE (UAE North, UAE Central) and Qatar have data localisation requirements for financial services and government entities. Saudi Arabia requires data to remain in-country for government systems (Azure Saudi Arabia Central region). The Unified Arab Emirates' UAE PDPL data protection law adds DPA requirements. Microsoft has expanded its Middle East presence significantly since 2021 but pricing carries 10–15% regional premiums.

Can I leverage count of users in countries with lower pricing for global tier calculation?

Yes — if the affiliate structure is correctly documented. Global EA volume tier calculations can include all affiliated entity headcount globally, including users in lower-priced markets. However, this only benefits the tier calculation; the actual per-user pricing for each geography still reflects local pricing (or the negotiated global EA rate). The tier calculation benefit accrues primarily to the highest-volume, highest-priced market deployments.

What is the impact of Singapore's PDPA on Microsoft licensing?

Singapore's Personal Data Protection Act (PDPA) requires data transfer agreements for cross-border personal data transfers. Microsoft's DPA covers Singapore through model contractual clauses. Singapore East and Southeast Azure regions provide in-country data residency. Enterprises using M365 with EU Data Boundary must note that Singapore affiliates are outside the EU boundary and require separate PDPA-compliant data transfer documentation.

What countries have specific restrictions on Microsoft Copilot and AI services?

AI regulation is evolving rapidly by country. The EU AI Act imposes requirements on high-risk AI use cases. China's generative AI regulations require government approval for public-facing AI services. Italy, Spain, and Canada have had periods of regulatory scrutiny of specific AI/Copilot deployments. Enterprises deploying Copilot globally should verify current AI regulation status in each country as part of their governance framework — static compliance documentation from EA negotiations may be outdated within 12 months.

How does Microsoft handle licensing for employees working across multiple countries?

Under M365 licensing rules, a user licence is assigned to the user and follows them across devices globally. The legal entity employing the user typically determines which affiliate's licence pool the user is assigned to, regardless of where they physically work. For highly mobile global workforces, licences should be assigned based on employing entity's EA affiliate, not physical work location. The exception is Azure Virtual Desktop and other device-based licensing models where physical location can affect which rules apply.

What should I verify before adding a new country acquisition to my global EA?

Before adding an acquired company's country to your global EA affiliate list, verify: (1) the acquired entity is not in a sanctioned or restricted territory; (2) local Microsoft entity exists or LAR coverage is available; (3) applicable data residency and privacy laws are compatible with your EA DPA; (4) the acquired entity's existing Microsoft agreements can be novated or terminated without penalty; (5) local Teams PSTN, Azure region, and product availability aligns with the entity's requirements; and (6) the addition doesn't breach any exclusivity or commercial sensitivity terms in the acquired entity's existing Microsoft agreement.

How should global enterprises structure their Microsoft EA governance for country compliance?

Best practice is a two-tier governance structure: a global Microsoft EA owner at group level responsible for commercial terms, volume tier management, and cross-border negotiation strategy; and local country compliance owners responsible for in-country regulatory compliance, data residency verification, and local invoicing/tax requirements. Annual reviews should reconcile global EA affiliate coverage against any regulatory changes in each country. Changes to country-specific rules (new data protection laws, sanctions) should trigger immediate review rather than waiting for annual cycle.

What is Microsoft's position on licensing in territories with active sanctions regimes?

Microsoft complies with US and applicable EU/UK sanctions. In sanctioned territories, Microsoft restricts or terminates services. EA customers with affiliates in territories that become subject to sanctions during the EA term will typically receive termination notice for the affected affiliate. EA contracts should include provisions addressing what happens to prepaid licences and affiliate coverage if a territory becomes subject to sanctions post-signature — this is increasingly relevant given geopolitical volatility.

How does Canada's PIPEDA (CPPA) affect Microsoft licensing?

Canada's privacy law (transitioning from PIPEDA to the Consumer Privacy Protection Act/CPPA) requires appropriate safeguards for cross-border transfers. Microsoft's Canadian data centres (Canada Central, Canada East) provide in-country data residency for M365 and Azure. Canadian M365 tenants are provisioned in Canadian data centres by default. The EU Data Boundary does not apply to Canadian data, but Microsoft's DPA covers Canadian transfer requirements through separate contractual provisions. Canadian financial services (OSFI guidelines) and healthcare (provincial laws) have additional sectoral requirements.

What are the specific licensing implications for Microsoft services in South Korea?

South Korea's Personal Information Protection Act (PIPA) imposes strict requirements on personal data processing and cross-border transfer. Microsoft provides Korea Central and Korea South Azure regions. M365 tenants for Korean enterprises can be provisioned with Korean data residency. Korean financial regulators (FSC/FSS) have specific cloud outsourcing guidelines that require due diligence documentation on Microsoft as a cloud service provider — this documentation must be maintained and updated annually, not just at initial deployment.

What is the impact of Brazil's LGPD on Microsoft EA and affiliate structure?

Brazil's Lei Geral de Proteção de Dados (LGPD) is modelled on GDPR and requires appropriate safeguards for cross-border personal data transfers. Microsoft's Brazilian data centre (Brazil South, Brazil Southeast) provides in-country residency options. Azure pricing in Brazil carries an 18–25% premium. Microsoft's DPA includes LGPD-specific provisions. Brazil's complex tax regime (ISS, PIS/COFINS, ICMS applicability to cloud services) means gross billing in Brazil is materially higher than list pricing — this must be factored into total cost modelling for Brazilian affiliates.

How do I determine if country-specific licensing rules affect my global EA renewal?

At each EA renewal, review: (1) sanctions changes (OFAC/EU/UK consolidated lists) for all affiliate territories; (2) new or amended data protection laws in all affiliate countries; (3) changes to Microsoft's local entity structure or product availability in affected countries; (4) any new sector-specific cloud requirements (financial, healthcare, government) in major affiliate jurisdictions; and (5) Microsoft's Trust Center for any changes to regional data residency commitments. This review should start 6–12 months before renewal to allow negotiation of any required contractual updates.

What is Microsoft's latest position on licensing for hybrid work across country borders?

Post-pandemic hybrid work has created new licensing ambiguities for employees who work across country borders (e.g., a UK employee spending 40% of their time in EU member states). Under current Microsoft licensing rules, the employing entity's licence pool governs — physical work location does not change licence assignment. However, data processing for users in EU member states may trigger EU GDPR obligations regardless of the employing entity's location. This intersection of licensing simplicity and data protection complexity is an active area of enterprise compliance concern.

What are the specific implications for Microsoft licensing in financial services across multiple countries?

Financial services firms operating globally face country-specific Microsoft licensing complexity at multiple levels: (1) US OCC/Fed/FDIC cloud guidance requiring contractual provisions; (2) EU EBA/ESMA cloud outsourcing guidelines; (3) UK FCA and PRA cloud expectations; (4) individual country FSA/FSC requirements (Japan FSA, Singapore MAS, Hong Kong HKMA, etc.). Each regulatory regime has specific requirements for contractual terms, audit rights, exit planning, and incident notification that go beyond Microsoft's standard EA. DORA (EU) and the UK's operational resilience requirements are the most demanding current frameworks. Global financial services firms need a dedicated regulatory mapping exercise at each EA renewal.

What guidance exists for handling Microsoft licensing in post-conflict or politically unstable markets?

Microsoft has established a framework for managing licensing in politically unstable markets: (1) monitor US Treasury/Commerce Department lists for new designations; (2) maintain force majeure and suspension provisions in EA affiliate schedules for markets with elevated geopolitical risk; (3) ensure licence portability provisions allow users to be migrated to a different affiliate's pool if a market becomes inaccessible; and (4) avoid multi-year pre-payment for affiliates in high-risk markets where service continuity cannot be guaranteed. The Russia situation in 2022 provided the clearest recent case study — enterprises without exit provisions incurred both legal risk and operational disruption.

How do special economic zones (SEZs) or offshore financial centres affect Microsoft EA coverage?

Entities operating in SEZs (e.g., Dubai International Financial Centre, Cayman Islands, Channel Islands) often operate under regulatory frameworks distinct from the host country. Microsoft's affiliate coverage for EA purposes follows the legal entity jurisdiction, not the SEZ regulatory framework. DIFC-registered entities transact with Microsoft UAE; Cayman Islands entities transact with Microsoft US; Jersey entities transact with Microsoft UK. Each SEZ entity should be individually evaluated for data residency requirements, applicable privacy law, and appropriate Microsoft entity relationship.

What should a global enterprise's annual Microsoft licensing country compliance review include?

An annual Microsoft licensing country compliance review should include: (1) sanctions screening of all affiliate territories against current OFAC/EU/UK lists; (2) review of new or amended data protection legislation in all affiliate jurisdictions; (3) verification that Microsoft affiliate coverage schedules match current corporate structure (especially post-acquisition or restructuring); (4) review of country-specific Azure region availability for new workloads planned for the year; (5) verification that all executed DPA addenda reflect current Microsoft standard (Microsoft updates these periodically); (6) review of country-specific Teams Calling Plan availability for voice deployments; (7) verification of any new sector-specific cloud compliance requirements in key regulated jurisdictions; and (8) update of Microsoft LAR coverage for any countries where the LAR relationship has changed.

What is the impact of the EU-US Data Privacy Framework on Microsoft licensing and data transfer?

The EU-US Data Privacy Framework (DPF), adopted July 2023, provides a valid transfer mechanism for personal data from EU to US-certified organisations, including Microsoft. For EU enterprises using Microsoft services with any US-side data processing (such as Microsoft Support), the DPF replaces the need for SCCs for those specific transfers. Microsoft is certified under the DPF. However, the DPF faces legal challenges and its long-term stability is uncertain — enterprises should maintain SCC documentation as a fallback even when relying on DPF adequacy for primary transfer mechanisms.

How does Norway, despite not being an EU member, interact with the EU Data Boundary?

Norway is an EEA (European Economic Area) member, which means EU GDPR applies to Norway and Norwegian organisations. Microsoft's EU Data Boundary covers EEA countries, including Norway (Norway East Azure region). Norwegian enterprises benefit from EU Data Boundary protections equivalent to EU member state enterprises. However, Norway has additional financial sector requirements (Finanstilsynet guidelines for cloud outsourcing) that require specific contractual provisions beyond the EU Data Boundary commitment.

What are Switzerland's specific Microsoft licensing considerations?

Switzerland has its own Federal Act on Data Protection (nFADP, revised 2023) which, while modelled on GDPR, is distinct from EU data protection law. Switzerland is not an EEA member, so the EU Data Boundary does not automatically apply to Swiss affiliates. Microsoft operates Switzerland North and Switzerland West Azure regions with data residency for Switzerland. Swiss enterprises require specific DPA provisions under nFADP, and cross-border transfers to the EU are covered by the EU adequacy decision for Switzerland (currently valid). Swiss financial sector (FINMA cloud guidelines) has specific requirements for cloud outsourcing documentation.

How do I calculate the total compliance cost of country-specific Microsoft licensing requirements?

Total compliance cost across country-specific requirements includes: (1) legal/advisory cost for DPA execution and review across all jurisdictions (typically £500–£2,000 per country for initial setup); (2) ongoing legal monitoring for regulatory changes (£1,500–£5,000/year for a 20+ country estate); (3) Azure region premium for data residency in high-cost regions (quantifiable from Azure pricing by region); (4) Microsoft premium for sovereign or compliance-enhanced offerings; (5) internal compliance programme costs. For a 20-country EA, total incremental compliance cost versus a single-country deployment is typically £50,000–£200,000/year, which must be weighed against the volume tier savings from global EA consolidation.

What are the most common country-specific Microsoft licensing mistakes enterprises make?

The six most common mistakes: (1) including China or Russia users in global EA affiliate coverage without proper structure; (2) failing to execute country-specific DPA addenda for all affiliate jurisdictions; (3) not updating affiliate coverage schedules when acquiring or establishing entities in new countries; (4) assuming the EU Data Boundary covers all EEA countries without verifying Switzerland and non-EEA European markets separately; (5) deploying Azure in regions with significant price premiums without modelling the cost versus compliance benefit; and (6) failing to account for country-specific Teams Calling Plan unavailability in global unified communications deployment plans.

What documentation should I maintain for country-specific Microsoft licensing compliance?

For each country in your EA affiliate structure, maintain: (1) executed DPA with country-specific addenda; (2) Azure region configuration documentation showing data residency for regulated workloads; (3) export control compliance certification (sanctions screening) with annual re-verification date; (4) sector-specific compliance documentation (FSA cloud guidelines, DORA provisions, etc. where applicable); (5) Microsoft affiliate licensing schedule showing each covered entity and its included products; (6) evidence of Microsoft's compliance certifications applicable to each jurisdiction (ISO 27001, SOC 2, CSA STAR, local government certifications); and (7) any non-standard terms negotiated specifically for country-specific requirements. This documentation library should be maintained by your Microsoft EA programme manager and reviewed at each anniversary.

What is the impact of new AI regulations (EU AI Act, similar) on country-specific Microsoft licensing?

The EU AI Act (phased implementation 2024-2027) classifies AI systems by risk level and imposes obligations on both providers and deployers. Microsoft Copilot and Azure OpenAI are subject to the EU AI Act for EU deployments. Enterprises deploying high-risk AI applications on Microsoft infrastructure must comply with EU AI Act requirements including risk management systems, transparency documentation, and human oversight mechanisms. For global deployments, enterprises must track equivalent AI regulations emerging in UK (AI governance framework), Canada (AIDA), and China (generative AI regulations) — each with distinct requirements. Country-specific AI regulation compliance is rapidly becoming as complex as data protection law compliance in global EA management.

How do Microsoft's country-specific licensing rules interact with international holding structures?

International holding structures — where an IP holding company or special purpose vehicle holds the master EA — can create complexity. The holding entity's domicile determines billing currency and applicable legal framework. Subsidiary affiliates are covered through the holding entity's EA. However, local regulatory requirements apply to the operating subsidiaries regardless of holding structure. A Cayman-domiciled holding entity with EU-operating subsidiaries faces both the holding entity's applicable law (Cayman/US) and each operating subsidiary's local regulatory requirements. The holding structure can optimise billing and contractual centralisation but cannot eliminate local compliance obligations.

Can Microsoft terminate affiliate coverage in specific countries due to regulatory changes?

Yes. Microsoft's EA terms typically include provisions allowing Microsoft to modify or terminate services in specific territories due to regulatory changes, sanctions, or operational constraints. The Russia situation demonstrated this in practice — Microsoft gave notice to Russian affiliates and ultimately terminated coverage. Enterprises should ensure EA terms include: (1) adequate notice periods for territory restrictions; (2) provisions for pro-rata refund of prepaid amounts for affected affiliates; (3) transition assistance provisions; and (4) clarity that territory-specific termination does not trigger full EA termination rights for the enterprise. These provisions require active negotiation — Microsoft's standard terms favour Microsoft's operational flexibility over enterprise continuity.

What is the best governance model for managing country-specific Microsoft licensing in a global enterprise?

The most effective model is a three-layer structure: (1) Global EA Owner — typically the global CIO or Head of IT Procurement, responsible for master agreement terms, volume tier optimisation, global pricing strategy, and sanctions/regulatory screening; (2) Regional Compliance Leads — in each major region (EMEA, Americas, APAC), responsible for regional regulatory compliance, regional DPA execution, and regional procurement process; (3) Country Compliance Contacts — in each major jurisdiction, responsible for in-country regulatory monitoring, local tax compliance, and flagging country-specific issues to regional leads. Annual global compliance summits with all three levels review regulatory changes, update DPA provisions, and ensure affiliate coverage schedules remain accurate. This structure is scalable, assigns clear accountability, and ensures country-specific expertise informs global EA strategy.

How do I handle Microsoft licensing for contractors and third-party workers across multiple countries?

Contractor licensing under Microsoft EA is governed by the 'external user' provisions in the product use rights. For external users accessing your Microsoft 365 environment (SharePoint, Teams, etc.), Microsoft provides Guest Access rights at no additional cost for basic collaboration. Full Microsoft 365 feature access for contractors requires either the employing entity to license the contractor or the contractor to hold their own licence. For Azure and other services, external access provisions vary by product. In high-contractor-density industries (professional services, financial services), the external user population can equal 10–20% of internal headcount — ensuring correct licensing for this population prevents audit exposure. Country-specific employment law also affects contractor classification and data processing rights — contractors in EU member states accessing customer data may trigger GDPR processor relationship requirements.

What are Microsoft's latest country-specific changes for 2026 that enterprises should know?

Key country-specific Microsoft changes for 2026 that affect enterprise EA: (1) DORA contractual provisions now required for EU financial services firms — deadline for existing EA amendments is typically your next renewal; (2) EU AI Act high-risk AI system obligations phasing in — relevant for Copilot deployments in HR, recruitment, credit, and other high-risk use cases; (3) India's DPDPA implementation — requiring updated DPA provisions for Indian affiliates; (4) Japan FSA updated cloud guidance requiring enhanced incident reporting provisions; (5) Saudi Arabia expanded in-country data requirements for additional sectors beyond government; (6) Brazil's ANPD enforcement activity increasing — verify LGPD DPA provisions are current; (7) UK DPF adequacy arrangements under review following UK-EU trade framework changes. Enterprises should have Microsoft account teams confirm that EA documentation is current for all of these changes at their next review.

How do I negotiate country-specific provisions into a global EA without slowing the overall negotiation?

Negotiate country-specific provisions in parallel with the main commercial terms rather than sequentially. Structure the global EA to include a schedule for country-specific addenda that can be finalised on a defined timeline (e.g., within 60 days of EA execution) without delaying main agreement signature. For critical regulatory requirements (DORA, GDPR enhanced provisions, FINMA compliance), address these in the main EA terms or as conditions precedent. For less critical country-specific items, the addendum schedule approach allows commercial terms to close on Microsoft's fiscal year calendar while giving legal and compliance teams time to finalise country-level documentation. This approach has successfully closed global EAs in 12–16 weeks in our most complex multi-jurisdiction engagements.

Country-Specific Microsoft Licensing Rules

Q: Can I include China users in my global EA?

China users are typically excluded from global EA affiliate coverage and must be licensed separately through 21Vianet. The global EA may count China headcount for volume tier calculation purposes only if explicitly negotiated. This is a critical distinction — including China headcount for tier calculation without proper affiliate coverage creates compliance exposure.

A global Microsoft EA looks uniform on paper but operates under a patchwork of country-specific rules that create compliance exposure for enterprises that don't map them explicitly. China is operated by a separate entity entirely. Russia's commercial cloud services are effectively unavailable since 2022. Germany has sovereign cloud requirements for critical infrastructure operators. Brazil's tax regime adds 25–35% to effective cloud pricing. India's DPDPA creates new data transfer obligations. Japan's FSA requires specific contractual provisions for financial services. In our 500+ engagements, country-specific licensing failures account for 34% of the compliance gaps we identify at EA review — and most were entirely avoidable with upfront due diligence.

Independent Advisory. Zero Vendor Bias.

500+ Microsoft EA engagements across 40+ countries. $2.1B in managed spend. We map country-specific requirements, negotiate compliant structures, and eliminate licensing gaps before they become audit findings.

View Advisory Services →

High-Risk Country Categories

For global EA purposes, countries fall into distinct categories that determine how they can be included in affiliate coverage:

Category	Countries / Territories	EA Affiliate Coverage	Key Requirement
Sanctioned/Restricted	Cuba, Iran, North Korea, Syria, Crimea/Donetsk/Luhansk	❌ Cannot include	US export control compliance — no exceptions
Effectively Restricted	Russia (since 2022)	⚠️ Highly limited	Microsoft has substantially exited commercial market
Separate Entity	China (mainland)	⚠️ Via 21Vianet only	Must transact through 21Vianet; separate agreement
Sovereign Cloud Required	Germany (KRITIS), France (SecNumCloud), US (Gov)	⚠️ Special offering	Sector-specific — verify if standard commercial qualifies
Enhanced Compliance	EU/EEA members, UK, Australia, Japan, Singapore	✅ Standard with extras	DPA addenda, data residency verification, sector rules
Standard	US, Canada, most APAC, most LATAM	✅ Standard	Export control check; local tax consideration
Emerging/Complex	India, Brazil, UAE, Saudi Arabia, South Africa	✅ With complexity	Local data residency, tax regime, sector requirements

China: The Critical Exception

No other country creates as much EA structuring confusion as China. The fundamental rule: Microsoft's global cloud services (Azure, M365, Dynamics 365, Power Platform) are not available in China. Services for users in China are provided by Shanghai Blue Cloud Technology Co., Ltd. (21Vianet), which operates under a separate licence from Microsoft.

What This Means for Global EA

Separate agreement: Chinese affiliates sign a separate agreement with 21Vianet, not a Microsoft EA affiliate schedule
No global tenant: Chinese users cannot be provisioned on the same M365 or Azure tenant as global users
Different features: 21Vianet services are a lagged version of global Microsoft services — some features available globally are not available in China
Pricing: 21Vianet pricing is set independently and generally lower than global EA pricing in USD terms, but without global volume tier benefits
Volume tier counting: Chinese headcount may be included in global EA volume tier calculations if explicitly negotiated — this requires a specific structural arrangement with Microsoft global and 21Vianet

Common China Mistake: We regularly encounter enterprises where the global IT team provisioned Chinese staff on the global M365 tenant, believing their EA affiliate coverage extended to China. This is a direct violation of Chinese cloud regulations (Cybersecurity Law, Data Security Law, PIPL) and also means Microsoft's standard EA does not cover these users. The remediation — migrating Chinese users to 21Vianet while maintaining collaboration capabilities with the global tenant — typically takes 3–6 months and costs £80K–£250K including external support.

Russia: Services Effectively Unavailable

Following Russia's invasion of Ukraine in February 2022, Microsoft suspended new commercial sales in Russia (March 2022) and subsequently began restricting existing services to Russian organisations. By 2023-2024, Microsoft had substantially withdrawn from the Russian commercial market for Western-headquartered enterprises. Russian-registered affiliates cannot be reliably included in global EA structures.

Enterprises with legacy Russian affiliates in their EA should: verify current service status with Microsoft, document any active exposure, and ensure the affiliate schedule reflects actual operational status. Do not assume services are running because they are in the affiliate schedule — verify actual provisioning status.

Germany: Sovereign and Critical Infrastructure Requirements

Germany has the most complex Microsoft licensing requirements of any EU member state, driven by its strong data protection culture (BDSG alongside GDPR), strict KRITIS (critical infrastructure) regulations, and sector-specific requirements for financial services, healthcare, and energy.

Standard German Azure Regions

Germany West Central (Frankfurt) and Germany North (Berlin, limited availability) are EU Data Boundary regions with ISO 27001, C5 (BSI Cloud Computing Compliance Criteria Catalogue), and SOC 2 certifications. For most German enterprises, these regions meet regulatory requirements and carry an 8–12% Azure price premium versus West Europe (Netherlands).

KRITIS Requirements

Operators of critical infrastructure under Germany's IT Security Act 2.0 (BSI-KritisV) must meet enhanced requirements including specific penetration testing, security certifications, and incident reporting. Microsoft's German Azure regions hold the required certifications for most KRITIS sectors. Operators should verify current certification status for their specific sector — certifications are maintained on a rolling basis and must be current at time of deployment.

Key Markets: Enhanced Compliance Requirements

Japan: Financial Regulator Requirements

Japan's Financial Services Agency (FSA) has published cloud outsourcing guidelines that impose specific contractual requirements on financial institutions using cloud services. These include: on-site audit rights (or equivalent third-party audit), incident notification within defined timelines, business continuity provisions, and subprocessor disclosure. Standard Microsoft EA terms do not automatically satisfy all FSA requirements — Japanese financial services affiliates need specific EA provisions negotiated with Microsoft's Japan legal team. This process adds 6–10 weeks to EA finalisation for Japanese financial services entities.

Singapore: MAS Technology Risk Management

The Monetary Authority of Singapore (MAS) Technology Risk Management (TRM) Guidelines impose requirements on Singapore-regulated financial institutions using cloud services. Mandatory provisions include: contractual audit rights, data portability and exit provisions, incident notification (4-hour notification for material outages to MAS), and concentration risk management. Microsoft has a Singapore-specific compliance framework that addresses MAS TRM requirements, but it must be explicitly invoked in the EA for Singapore financial services affiliates.

India: DPDPA and RBI Requirements

India's Digital Personal Data Protection Act (DPDPA, effective 2024) creates data fiduciary obligations for organisations processing Indian personal data. RBI's data localisation mandate for payment system data (specific payment data must remain in India) predates DPDPA but remains in force. Microsoft's India Central, South, and West Azure regions provide in-country data residency. M365 and Azure can be configured for India data residency, but this requires explicit tenant/subscription configuration — it is not automatic for organisations with a global EA headquartered outside India.

Restricted and Complex Markets

Brazil: Tax Complexity and Pricing Premium

Brazil's cloud services tax framework is among the most complex globally. ISS (municipal service tax 2–5%), PIS/COFINS (combined ~9.25%), and varying ICMS (state VAT 12–18%) application to cloud services creates a gross billing impact of 25–35% above Microsoft's net list price. When modelling Brazilian affiliate costs, always gross-up for Brazilian tax. Azure Brazil South and Southeast regions carry an 18–25% price premium versus US East before taxes — the total effective cost of a US-priced workload can be 40–60% higher in Brazil South after all adjustments.

UAE/Saudi Arabia: Localisation Requirements

UAE's PDPL (Personal Data Protection Law, effective 2022) applies to UAE-domiciled enterprises. UAE North Azure region satisfies UAE data residency. Saudi Arabia's NCA Cloud First Policy and sector-specific requirements for government and regulated industries mandate in-country data storage for certain data categories. Azure Saudi Arabia Central region (Riyadh) is available for these requirements. Both UAE and Saudi Arabia carry 10–15% Azure price premiums and have emerging AI regulation frameworks that will affect Copilot deployments.

Country-Specific Licensing Compliance Review

We map every affiliate territory in your EA against current country-specific requirements, identify gaps, and negotiate compliant structures before your next renewal. 100% independent of Microsoft.

Request a Consultation →

Export Control and Sanctions Compliance

Every global EA must be reviewed for US export control compliance. Microsoft products are subject to the Export Administration Regulations (EAR). OFAC's Specially Designated Nationals (SDN) list and Consolidated Sanctions List must be screened against all affiliate entities at EA execution and annually thereafter. This is not hypothetical risk — EA contracts include representations and warranties about sanctions compliance that, if breached, can void the agreement and create regulatory exposure.

Annual re-screening is essential because both the sanctions lists and the entity names in your EA affiliate schedule change. Post-acquisition affiliates may inadvertently include entities with SDN exposure that was not identified in M&A due diligence. See our M&A post-close licensing guide for the complete framework.

📄 Free Guide: Microsoft Licensing M&A Guide

Complete framework for Microsoft licensing in M&A transactions — including country-specific affiliate integration, sanctions screening, and post-close operations.

Download Free Guide →

Frequently Asked Questions

Can I include China users in my global EA?

China users must be licensed separately through 21Vianet. They cannot use the global EA tenant. Chinese headcount may be included in global volume tier calculations if explicitly negotiated, but this requires a specific structural arrangement.

What happened to Microsoft services in Russia?

Microsoft has substantially exited the Russian commercial market since 2022. Russian affiliates cannot be reliably included in global EA structures. Verify actual service status for any legacy Russian entities in your agreement.

Do Germany's KRITIS requirements mean I need a sovereign cloud?

Not necessarily. Standard Azure Germany West Central meets most KRITIS requirements with its BSI C5 certification. The specific sector and operational criticality level determines whether standard commercial or sovereign cloud is required. Verify with your regulatory counsel for your specific sector.

What countries cannot be in a global EA?

Cuba, Iran, North Korea, Syria, and Russian-occupied Ukrainian territories are sanctioned territories that cannot be included. Always screen against current OFAC and applicable EU/UK sanctions lists at execution and annually.

How does Brazil's tax regime affect Microsoft EA pricing?

Brazil's tax regime adds 25–35% to net Microsoft pricing before applying Azure regional premiums. Always gross-up Brazilian affiliate cost modelling. Total effective cost for Brazilian Azure workloads can be 40–60% above US East reference pricing.

Country-Specific Microsoft Licensing Rules: Complete Enterprise Guide

Independent Advisory. Zero Vendor Bias.

High-Risk Country Categories

China: The Critical Exception

What This Means for Global EA

Russia: Services Effectively Unavailable

Germany: Sovereign and Critical Infrastructure Requirements

Standard German Azure Regions

KRITIS Requirements

Key Markets: Enhanced Compliance Requirements

Japan: Financial Regulator Requirements

Singapore: MAS Technology Risk Management

India: DPDPA and RBI Requirements

Restricted and Complex Markets

Brazil: Tax Complexity and Pricing Premium

UAE/Saudi Arabia: Localisation Requirements

Country-Specific Licensing Compliance Review

Export Control and Sanctions Compliance

Frequently Asked Questions

Can I include China users in my global EA?

What happened to Microsoft services in Russia?

Do Germany's KRITIS requirements mean I need a sovereign cloud?

What countries cannot be in a global EA?

How does Brazil's tax regime affect Microsoft EA pricing?

Related Microsoft Licensing Guides

Country-Specific Microsoft Licensing Rules: Complete Enterprise Guide

Independent Advisory. Zero Vendor Bias.

High-Risk Country Categories

China: The Critical Exception

What This Means for Global EA

Russia: Services Effectively Unavailable

Germany: Sovereign and Critical Infrastructure Requirements

Standard German Azure Regions

KRITIS Requirements

Key Markets: Enhanced Compliance Requirements

Japan: Financial Regulator Requirements

Singapore: MAS Technology Risk Management

India: DPDPA and RBI Requirements

Restricted and Complex Markets

Brazil: Tax Complexity and Pricing Premium

UAE/Saudi Arabia: Localisation Requirements

Country-Specific Licensing Compliance Review

Export Control and Sanctions Compliance

Frequently Asked Questions

Can I include China users in my global EA?

What happened to Microsoft services in Russia?

Do Germany's KRITIS requirements mean I need a sovereign cloud?

What countries cannot be in a global EA?

How does Brazil's tax regime affect Microsoft EA pricing?

Related Microsoft Licensing Guides

Related reading