Microsoft Law Enforcement Data Request: Police & Government Guide

How police and government agencies request Microsoft consumer account data (Outlook, OneDrive, Xbox): the legal process, the LE portal, emergencies, and India's MLAT route.
Microsoft Corporation operates some of the most widely used consumer services on the internet: the Outlook.com, Hotmail, Live and MSN email services, the OneDrive cloud-storage service, the Xbox and Xbox Live gaming network, and historically Skype (Microsoft retired the consumer Skype service in 2025 and migrated users toward the consumer version of Microsoft Teams, though legacy records may still be subject to legal process). These services account for hundreds of millions of active consumer accounts worldwide, which is why they surface so often in criminal investigations. Officers encounter Microsoft consumer accounts in business-email-compromise (BEC) and invoice-fraud schemes routed through Outlook.com inboxes, in account-takeover cases, in the storage and distribution of child sexual abuse material (CSAM) via OneDrive and chat, and in grooming and harassment cases on Xbox Live. Microsoft is a United States company headquartered in Redmond, Washington, so the disclosure of consumer account records is governed primarily by the federal Stored Communications Act (18 U.S.C. § 2701 et seq.). Microsoft also shaped the modern cross-border landscape: its litigation in United States v. Microsoft Corp. (the “Microsoft Ireland” case) over email stored abroad was mooted only when Congress passed the CLOUD Act in 2018, which now frames how U.S. providers respond to demands for data held overseas.
- How to submit: Microsoft requires valid legal process to be served through its secure online channel, the Microsoft Law Enforcement Request Portal at leportal.microsoft.com. Registration requires verification using an official government or law-enforcement email domain; requests from private domains (for example, Gmail or Yahoo) are not accepted. Microsoft’s compliance team reviews every demand and rejects process that is facially invalid, improperly served or overly broad.
- Identifiers accepted: The Microsoft account (MSA) sign-in address (for example, an Outlook.com, Hotmail, Live or MSN email), the Xbox gamertag, a Skype name where applicable, and supporting identifiers such as a phone number or registration IP address. Requests must target specific accounts and identifiers.
- What is returned — and what needs a warrant: A subpoena yields basic subscriber information; a court order under 18 U.S.C. § 2703(d) adds non-content transactional records and logs; a search warrant based on probable cause is required for content such as email bodies and OneDrive files. Microsoft refuses to disclose content on a subpoena alone, citing United States v. Warshak.
Identifiers for a data request
Before Microsoft can preserve or disclose records, law enforcement must identify the target account precisely. The primary identifier is the Microsoft account (often abbreviated MSA): the email address a user signs in with, which for consumer services is typically an @outlook.com, @hotmail.com, @live.com or @msn.com address. A Microsoft account may also be registered against a third-party email address or a phone number, so supply whichever sign-in identifier you have. For gaming matters, the Xbox gamertag is a recognised identifier that Microsoft treats as non-content subscriber data. For a legacy Skype matter, the Skype name (the unique handle, not the changeable display name) is the locating identifier.
Supplemental identifiers help Microsoft confirm an account: the registration or last-login IP address with a precise date and time, the phone number on the account (with the international calling code for non-U.S. numbers), and any billing identifier. State the target date range clearly, spell out the month, and note that Microsoft returns log data in Coordinated Universal Time (UTC). Avoid relying on a display name or given name alone, because these are not unique and cannot locate an account.
What data Microsoft provides
Microsoft operates a tiered disclosure model keyed to the legal-process standards of the U.S. Stored Communications Act. The higher the privacy interest in the data, the higher the legal standard required to compel it:
| Legal process | Standard | Data produced |
|---|---|---|
| Subpoena (including grand jury) | Relevance | Basic subscriber information: the name, email address, state, country and postal code provided at registration, the account creation date, the registration IP address, and non-content account data such as IP connection history, the Xbox gamertag, and credit-card or other billing information held on file |
| Court order (18 U.S.C. § 2703(d)) | Specific & articulable facts | All subpoena-level subscriber information plus non-content transactional records: detailed login and connection logs, message header and routing metadata (sender, recipient, date and time, without the body), and other records of the account’s use of the services |
| Search warrant (probable cause) | Probable cause | All of the above plus stored content: the bodies of emails, files and photographs stored in OneDrive, and other user-created content held on or through the services. Microsoft will not disclose content in response to a subpoena alone |
Content requires a warrant. Microsoft draws a firm line between non-content and content. Following the Sixth Circuit’s decision in United States v. Warshak, which held that email users have a reasonable expectation of privacy in the contents of their messages, Microsoft requires a search warrant (or its local equivalent) before it will produce the substance of communications or stored files. Subpoenas seeking content are rejected.
What is not available from Microsoft. Enterprise and commercial data is the critical exception. Where a target uses a Microsoft 365, Azure or Dynamics 365 service provisioned through an organisation, that organisation — not Microsoft — is generally the controller of the data. Microsoft’s stated practice is to redirect law enforcement to obtain the information directly from the enterprise customer, and to notify that customer of the demand unless legally prohibited. Plan to serve the organisation that administers the tenant, not Microsoft. Two other Microsoft-owned services run entirely separate processes: LinkedIn publishes its own Law Enforcement Data Request Guidelines, and GitHub publishes separate Guidelines for Legal Requests of User Data. Direct LinkedIn or GitHub requests to those services, not through the Microsoft consumer portal.
Retention. Microsoft does not retain consumer records indefinitely; the availability of older logs and content varies by service and by how the account has been used, and some data may have been deleted or aged out before a request arrives. Because retention is not guaranteed, a preservation request filed early is the only reliable way to stop relevant records from being lost while legal process is prepared.
User notification. Microsoft’s default policy is to give prior notice to consumer users whose data is sought by a law-enforcement agency, unless it is prohibited from doing so by law or court order, or unless notice would be counterproductive — for example, in cases involving child exploitation, an imminent threat of harm, or a compromised (hacked) account. Where you need notice suppressed, obtain a non-disclosure order (under 18 U.S.C. § 2705(b) for U.S. process) and serve it with your demand. For enterprise data, Microsoft notifies the affected organisation unless prohibited.
How to submit a request
- Register on the portal. Create an account on the Microsoft Law Enforcement Request Portal at leportal.microsoft.com using an official government or law-enforcement email domain. Microsoft verifies registrants before granting access, and both the request and Microsoft’s response are exchanged through this secure channel.
- File a preservation request first. Submit a preservation request under 18 U.S.C. § 2703(f) as early as possible, before your formal legal process is ready. A 2703(f) request directs Microsoft to preserve a snapshot of existing records for 90 days, renewable for one further 90-day period on a clearly marked extension request. Preservation freezes the evidence while a warrant or court order is obtained.
- Submit your legal process. Upload the subpoena, 2703(d) court order or search warrant as a signed, dated document that names Microsoft Corporation as the custodian of records, identifies the target account by a valid identifier, and specifies the precise data sought and the date range. Microsoft’s compliance team rejects process that is invalid, improperly served, jurisdictionally overbroad or unsigned, so be specific and accurate.
- CSAM and NCMEC matters. Microsoft reports apparent child sexual exploitation to the National Center for Missing & Exploited Children (NCMEC) CyberTipline and pioneered the PhotoDNA detection technology. If your investigation originated from a CyberTipline report, reference the report number so Microsoft can scope its production accurately, and flag the matter as child exploitation so the relevant exception to user notice applies.
Emergency disclosure requests
Where there is a good-faith emergency involving an imminent threat of death or serious physical injury, Microsoft may voluntarily disclose account records without formal legal process, consistent with 18 U.S.C. § 2702(b)(8) for content and 2702(c)(4) for non-content records. Microsoft considers emergency requests from law-enforcement agencies worldwide; common examples are suicide threats, kidnappings and other threats of imminent violence.
An emergency request must come from a sworn law-enforcement official using an official law-enforcement email domain, should be submitted on official letterhead and signed, and should:
- identify the target account by a valid identifier (the Microsoft account email, Xbox gamertag or Skype name), with any associated phone number;
- describe the nature and recency of the emergency as specifically as possible, including who is at risk;
- specify the information sought and explain how it will help prevent or resolve the emergency.
Microsoft discloses only the limited data necessary to address the emergency; anything beyond that requires the appropriate legal process. Impersonating a law-enforcement official to obtain data is a crime in the United States and elsewhere.
For India: legal basis and process
Microsoft is a U.S. entity, so Indian authorities cannot serve U.S. legal process directly on it. Domestic instruments establish the authority to demand data; the cross-border mechanism determines whether Microsoft will produce it.
- IT Act, 2000 — Section 69: Authorises the Central or State Government to direct the interception, monitoring or decryption of information in the interest of sovereignty, security, public order or the prevention of offences. Such directions bind intermediaries operating in India; compliance for U.S.-stored content remains subject to the cross-border route.
- IT Rules, 2021 — Rule 3 (Intermediary Guidelines): Significant social media intermediaries must appoint a nodal contact person available around the clock for law-enforcement coordination and retain certain records for at least 180 days. Use this channel for first-level coordination, and escalate to the treaty route for subscriber records and content held in the United States.
- BNSS, 2023 — Section 94: Empowers a court or an officer-in-charge of a police station to issue a summons (including in electronic form) for the production of documents and electronic records. This is the domestic production mechanism, and it is referenced within a treaty request to a U.S. provider.
- Mutual Legal Assistance Treaty (MLAT): For subscriber records and content, the path is: the investigating officer drafts the request, the Ministry of Home Affairs (MHA) Central Authority reviews and transmits it, and the U.S. Department of Justice Office of International Affairs (OIA) compels Microsoft through U.S. court process. A CLOUD Act executive agreement or letters rogatory may be available as alternatives where applicable.
Indian investigators should file a preservation request through the portal immediately, before the slower treaty process runs, and may submit an emergency disclosure request directly where life is at imminent risk.
What you’ll need
- An official government or law-enforcement email domain to register on the Microsoft Law Enforcement Request Portal (private domains are rejected);
- At least one valid identifier: the Microsoft account email (Outlook.com, Hotmail, Live or MSN), the Xbox gamertag, or a Skype name — never a display name alone;
- The target date range, stated clearly with the month spelled out, and an awareness that log records are returned in UTC;
- The appropriate legal instrument — a subpoena for subscriber information, a 2703(d) court order for transactional records, or a search warrant for content;
- A preservation request filed first, under 18 U.S.C. § 2703(f), before records age out or are deleted;
- For enterprise targets: process served on the organisation that administers the Microsoft 365 or Azure tenant, not on Microsoft; for LinkedIn or GitHub: a request through those services’ separate law-enforcement channels;
- For CSAM cases: the NCMEC CyberTipline reference number;
- For Indian agencies seeking content: an MLAT request through the MHA Central Authority, plus a parallel preservation request filed at once.