Microsoft 365 is deeply embedded in the daily operations of millions of organizations worldwide. What most IT administrators and business leaders do not fully appreciate is the scale of telemetry data that Microsoft 365 continuously collects and transmits back to Microsoft's servers. From keystroke patterns to file access logs, the diagnostic data collection in Microsoft 365 is far more extensive than most organizations realize.
This article examines exactly what telemetry data Microsoft 365 collects, how it is used, what European regulators have found in their investigations, and why privacy-conscious organizations are increasingly looking for alternatives that do not phone home.
Understanding Microsoft 365 Diagnostic Data
Microsoft 365 collects what it calls "diagnostic data" from every installation. This data is categorized into two tiers:
Required Diagnostic Data
This is the minimum data that Microsoft collects from every Microsoft 365 installation. It cannot be disabled. Required diagnostic data includes:
- Device and configuration data: Hardware specifications, operating system version, Office version, language settings, installed add-ins
- Application events: Application start, stop, and crash events, including error codes and stack traces
- Performance metrics: Application load times, response times, and resource consumption
- Service connectivity: Network latency, connection success/failure rates, and service endpoint data
- Basic usage signals: Which features are used, how often, and duration of use sessions
Optional Diagnostic Data
This additional tier collects more detailed information and can theoretically be disabled by administrators. Optional diagnostic data includes:
- Content samples: Snippets of document content used for spell-check, autocorrect, and grammar analysis
- Detailed usage patterns: Specific user interactions including click paths, menu selections, and feature engagement sequences
- Connected Experiences data: Information about how users interact with cloud-powered features such as translation, research tools, and design suggestions
- Error context: Document content surrounding errors, which can include proprietary business information
- Search queries: What users search for within applications and services
Microsoft states that optional diagnostic data is used to "identify, diagnose, and fix problems" and to "make product improvements." However, the boundary between diagnostics and surveillance is a matter of perspective.
Connected Experiences: The Hidden Data Pipeline
Beyond traditional diagnostic data, Microsoft 365 includes a category called Connected Experiences, features that require a connection to Microsoft's servers to function. These represent a significant and often overlooked data pipeline:
Types of Connected Experiences
| Category | Examples | Data Sent to Microsoft |
|---|---|---|
| Content analysis | Editor (grammar/style), Designer, PowerPoint Design Ideas | Document content for processing |
| Online content | 3D Maps, Bing image search, Weather bar | Search queries, location data |
| Download experiences | Office templates, font downloads, language packs | Request metadata, usage patterns |
| Collaboration | Co-authoring, @mentions, sharing | Document metadata, user interaction data |
When a user activates Designer in PowerPoint or uses the Editor feature in Word, the content of their document is sent to Microsoft's cloud servers for processing. For organizations handling sensitive information, including legal documents, financial reports, or healthcare records, this represents an uncontrolled data exfiltration channel.
Microsoft Productivity Score: The Surveillance Controversy
In late 2020, Microsoft introduced the Productivity Score feature, which provided organizational leaders with detailed analytics about individual employee behavior within Microsoft 365. The feature tracked metrics such as:
- How often individual employees sent emails and in what volume
- Whether employees used features like @mentions in documents
- How frequently users participated in Teams meetings versus sending chat messages
- Individual usage patterns of collaboration features
- Network and device performance metrics per user
Privacy advocates immediately raised alarms. The Austrian privacy researcher Wolfie Christl described Productivity Score as a "full-fledged workplace surveillance tool." The backlash was significant enough that Microsoft eventually modified the feature to remove individual-level tracking and provide only aggregate organizational data.
The Productivity Score controversy revealed an important truth: Microsoft was already collecting individual-level behavioral data. The feature simply exposed data that Microsoft's systems were already gathering. Removing the dashboard did not remove the data collection.
European Regulatory Findings
European data protection authorities have conducted detailed investigations into Microsoft 365's data practices, with significant findings:
The Dutch DPIA Findings
The Dutch Ministry of Justice and Security commissioned a Data Protection Impact Assessment (DPIA) on Microsoft Office that produced alarming results:
- Microsoft collected telemetry data containing personal information without adequate transparency
- Users and administrators had insufficient control over the data collection
- The scope of data collected was disproportionate to the stated purposes
- Microsoft acted as an independent data controller for some data processing, not as a processor bound by customer instructions
- Diagnostic data was transferred to the United States without adequate legal safeguards
Following the DPIA, the Dutch government negotiated changes with Microsoft, but privacy experts noted that the fundamental architecture of data collection remained unchanged. The improvements were primarily about transparency and configuration options, not about eliminating the data flows.
German Federal and State Findings
German data protection authorities, including the Conference of Independent Federal and State Data Protection Authorities (DSK), have repeatedly questioned whether Microsoft 365 can be used in compliance with GDPR. Multiple German states have restricted or prohibited the use of Microsoft 365 in schools, citing unresolved privacy concerns.
French CNIL Guidance
The French data protection authority CNIL has issued guidance cautioning organizations about the use of US cloud services, with Microsoft 365 explicitly mentioned as a service requiring careful assessment under GDPR.
These findings align with the broader concerns about US cloud services and European data protection that we explore in our article on the US CLOUD Act and its implications for European data.
How to Reduce Microsoft 365 Telemetry
Microsoft provides several mechanisms for administrators to reduce telemetry collection. However, it is important to understand their limitations:
Group Policy Settings
Administrators can use Group Policy to set the diagnostic data level to "Required" (the minimum). This reduces but does not eliminate data collection. The relevant policies are found under:
- User Configuration > Administrative Templates > Microsoft Office > Telemetry Dashboard
- User Configuration > Administrative Templates > Microsoft Office > Privacy > Trust Center
Registry Settings
For more granular control, registry keys can be set to disable specific Connected Experiences:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Common\Privacy
- DisconnectedState: Disables all Connected Experiences
- ControllerConnectedServicesEnabled: Disables optional Connected Experiences
- UserContentDisabled: Disables content analysis features
- DownloadContentDisabled: Disables online content downloads
Microsoft 365 Admin Center Controls
The admin center provides organizational-level controls for diagnostic data settings, Connected Experiences, and optional features. However, some data collection settings cannot be modified through the admin center and require Group Policy or registry changes.
The Limitation You Cannot Avoid
Even with all available controls set to their most restrictive settings, Microsoft 365 still collects Required Diagnostic Data. This is non-negotiable. Microsoft's position is that this minimum telemetry is necessary for the service to function, for security purposes, and for maintaining product quality.
For organizations that find even this minimum level of telemetry unacceptable, the only option is to use a platform that does not collect telemetry at all. As detailed in our Nextcloud vs Microsoft 365 comparison, self-hosted alternatives provide a fundamentally different data privacy model.
What Microsoft Knows About Your Organization
When you aggregate all the telemetry data that Microsoft 365 collects across an organization, the picture is comprehensive:
- Work patterns: When employees start and stop work, peak productivity hours, break patterns
- Communication networks: Who communicates with whom, how frequently, and through which channels
- Document workflows: Which documents are created, edited, shared, and by whom
- Technology adoption: Which features and tools are used, and which are ignored
- Hardware and infrastructure: Detailed inventory of your organization's devices, networks, and configurations
- Content signals: Through Connected Experiences, snippets and samples of actual document content
This data is transmitted to Microsoft's servers, processed by Microsoft's systems, and retained according to Microsoft's data retention policies. While Microsoft provides some data management tools, the organization does not have complete control over this data once it leaves the endpoint.
Why Self-Hosted Eliminates the Telemetry Problem
The telemetry issue is architecturally embedded in Microsoft 365. It is not a bug or an oversight; it is a fundamental design choice. Microsoft's business model depends partly on understanding how its products are used, and that understanding requires data collection.
Self-hosted platforms like Nextcloud take a fundamentally different approach:
- No phone-home functionality: Nextcloud does not send any data to Nextcloud GmbH or any other external party
- No telemetry collection: There is no diagnostic data system built into the platform
- No Connected Experiences: All processing happens on your infrastructure, not on the vendor's cloud
- Full network control: You can verify through firewall logs that no data leaves your network unexpectedly
- Open-source verification: The source code is publicly available, so you can confirm the absence of telemetry systems
For organizations subject to strict data protection requirements, including those needing to comply with NIS2 directive requirements, eliminating telemetry is not optional; it is a compliance necessity.
Practical Steps to Reduce Your Telemetry Exposure
If you are currently using Microsoft 365 and concerned about telemetry, here is a practical approach:
Immediate Actions
- Audit your current settings: Review your diagnostic data level and Connected Experiences configuration
- Set diagnostic data to Required: This is the minimum level and reduces (but does not eliminate) data collection
- Disable unnecessary Connected Experiences: Turn off content analysis features for sensitive document types
- Review Productivity Score settings: Ensure individual-level tracking is disabled
- Monitor outbound traffic: Use network monitoring to understand what data is being transmitted to Microsoft endpoints
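A read-only audit of the four values listed under Registry Settings, covering the "audit your current settings" and "disable unnecessary Connected Experiences" steps above. This is an added example, not code from the original article or from Microsoft; it assumes each value is a DWORD where 1 means enabled and 2 means disabled, which the page does not state, so confirm that against your ADMX templates.

```powershell
# Added example: read-only audit of the Office privacy policy values for the current user.
# Assumption (not stated on this page): each value is a DWORD, 1 = enabled, 2 = disabled.
$privacyKey  = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Privacy'
$restrictive = 2

# Value names and what they control, as listed in the article.
$checks = @(
    @{ Name = 'DisconnectedState';                  Controls = 'All Connected Experiences' }
    @{ Name = 'ControllerConnectedServicesEnabled'; Controls = 'Optional Connected Experiences' }
    @{ Name = 'UserContentDisabled';                Controls = 'Content analysis features' }
    @{ Name = 'DownloadContentDisabled';            Controls = 'Online content downloads' }
)

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # A missing key or value means no policy is configured; treat it as $null, not an error.
    $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$report = foreach ($c in $checks) {
    $actual = Get-PolicyValue -Key $privacyKey -Name $c.Name
    if ($null -eq $actual)            { $status = 'not set (product default applies)' }
    elseif ($actual -eq $restrictive) { $status = 'restrictive' }
    else                              { $status = 'permissive' }
    [pscustomobject]@{
        Setting  = $c.Name
        Controls = $c.Controls
        Value    = $actual
        Status   = $status
    }
}

$report | Format-Table -AutoSize

# Flag every setting that is not pinned to the restrictive value.
$gaps = @($report | Where-Object { $_.Status -ne 'restrictive' })
foreach ($g in $gaps) {
    Write-Warning "$($g.Setting) is $($g.Status): $($g.Controls)"
}
"{0} of {1} settings are restrictive" -f ($report.Count - $gaps.Count), $report.Count
```

The script only reads the HKEY_CURRENT_USER policy key named in the article, so run it in the session of the user being audited.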
Strategic Migration
- Identify your most sensitive workflows: Which departments or data types are most at risk from telemetry collection?
- Evaluate self-hosted alternatives: Nextcloud provides file sharing, document collaboration, video conferencing, and email integration without telemetry
- Plan a phased migration: Start with the most sensitive workflows and expand as your team adapts
- Document your risk assessment: Maintain records of your telemetry exposure evaluation for GDPR accountability purposes
Read our companion analysis of Google Workspace's data terms to understand how the other major productivity suite handles your business data. Together, these analyses paint a clear picture of why self-hosted alternatives are gaining traction among privacy-conscious organizations.
For a comprehensive view of how to make the switch, our complete guide to replacing Google and Microsoft with Nextcloud covers the full migration path from planning to deployment.
Conclusion
Microsoft 365's telemetry collection is extensive, deeply integrated into the platform, and impossible to completely disable while still using the service. Even at the most restrictive settings, Required Diagnostic Data continues to flow from every endpoint to Microsoft's servers.
European regulators have consistently found issues with Microsoft's data practices. The Dutch DPIA findings, German regulatory actions, and French guidance all point to the same conclusion: Microsoft 365's telemetry collection creates real compliance challenges under GDPR.
For organizations that take data privacy seriously, the question is not how to configure Microsoft 365 to collect less telemetry. It is whether to use a platform that was architecturally designed without telemetry from the ground up. Nextcloud, deployed on infrastructure you control, sends no data to any third party. That is not a configuration option. It is how the software works.