Data collection in Intune

When users enroll their corporate or personal devices with Intune, Intune collects, processes, and shares some personal data to support business operations and customer service. Intune collects personal data from the following sources:

  • Administrators' use of Intune in the Microsoft Intune admin center.
  • End-user devices (when devices are enrolled for Intune management and during usage).
  • Customer accounts at third party services (per admin's instructions).
  • Diagnostic, performance, and usage information.

From these sources, Intune collects information that falls into the following two categories: required and optional.

Note

We don't sell any data collected by our service to any third parties for any reason.

Required data

Data in the required category consists of data in the default feature set that is necessary to make our service work as expected by the customer. Most of the data collected by Intune is required data. This data is tied to a user, device, or application and is essential to the nature of management. The data collected contains both personal data and non-personal data. Personal data includes identifiable data that might directly identify the end user, or pseudonymized data with a unique identifier generated by the system that's used to deliver the enterprise service to users, support data, and account data. Non-personal data includes service-generated system metadata and organizational/tenant information. Intune also collects access control data to manage access to administrative roles and functions through features like Role Based Access Control.

Required data collected by Intune includes, but isn't limited to:

| Category | Data | MAM workload¹ |
|---|---|---|
| Access control information | Private keys for certificates | No |
| | Static authenticators (customer's password) | No |
| Admin and account information | Active Directory ID of each customer IT admin | Yes |
| | Admin user first name and family name | Yes |
| | Admin user name | Yes |
| | Email address of account owner | Yes |
| | Payment data for customer billing | Yes |
| | Phone number | Yes |
| | Subscription key | Yes |
| | UPN (email) | Yes |
| Admin created data, like: | Compliance policies | No |
| | Group policy | No |
| | Line-of-Business (LOB) application | Yes |
| | PowerShell scripts | No |
| | Profile names | Yes |
| Admin usage data from across all Intune tenants (for example, admin controls selected when interacting with the Admin console) | | Yes |
| Application inventory, like: | app ID | Yes (Managed apps only) |
| | app name | Yes (Managed apps only) |
| | installation location | No |
| | size | No |
| | version | Yes (Managed apps only) |
| | Note: Application inventory data is only collected when the device is marked by the admin as corporate-owned or the compliant app feature is turned on. | |
| Audit log information, including data about the following activities | Assign | Yes |
| | Create | Yes |
| | Delete | Yes |
| | Manage | Yes |
| | Remote tasks | Yes |
| | Update (edit) | Yes |
| Customer third party tenant IDs (like Apple ID) | | No |
| Device data | Account ID | Yes |
| | AppleID for iOS/iPadOS devices | No |
| | Microsoft Entra device ID | Yes (If device is Microsoft Entra joined) |
| | Intune device ID | Yes (If device is MDM enrolled with Intune) |
| | Device storage space | No |
| | EAS device ID | No |
| | Location (corporate devices only) | No |
| | MAC address for Mac devices | No |
| | Network information | No |
| | Platform-specific IDs | No |
| | Tenant ID | Yes |
| | Windows ID for Windows devices | No |
| Hardware inventory information | Device name | Yes (Device Friendly Name) |
| | Device type | Yes |
| | ICCID | No |
| | IMEI number | No |
| | IP address | No |
| | Manufacturer | Yes |
| | Model | Yes |
| | Operating system | Yes |
| | Operating system version | Yes |
| | Serial number | No |
| | Wi-Fi MAC address | No |
| Managed application information | Microsoft Entra device ID | Yes (If device is Microsoft Entra joined) |
| | Device enrollment status | Yes |
| | Device health status | Yes (Includes threat status if a Mobile Threat Defense connector is configured) |
| | Encryption keys | Yes |
| | Intune device management ID | Yes |
| | Last application check-in date/time | Yes |
| | Managed application device tag | Yes |
| | Managed application ID | Yes |
| | Managed application SDK version | Yes |
| | Managed application version | Yes |
| | MAM enrollment date/time | Yes |
| | MAM enrollment status | Yes |
| Support information | Contact information (name, phone number, email address) | No |
| | Email discussions with Microsoft support, product, and/or customer experience team members | No |
| Tenant account information (this data is available from the Microsoft Intune admin center) | installedDeviceCount: The number of devices on which the application is installed. | Yes |
| | Number of devices or users enrolled | No |
| | Number of identified device platforms | No |
| | Number of installed devices | No |
| | notApplicableDeviceCount: The number of devices for which the application isn't applicable. | No |
| | notInstalledDeviceCount: The number of devices for which the application is applicable but not installed. | No |
| | pendingInstallDeviceCount: The number of devices for which the application is applicable and installation is pending. | No |
| User information | Owner name/user display (the Azure-registered name of the user as identified by AzureUserID) | Yes |
| | Phone number | No |
| | Third-party user identifiers (like AppleID) | No |
| | User Principal Name or email address | Yes |

¹ Intune Mobile Application Management (MAM) can be deployed independent of other Intune workloads. For customers only using Intune MAM, this column identifies which required data is collected.
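The device and hardware inventory rows above list what Intune holds for an MDM-enrolled device, but which of those fields are actually populated depends on platform, ownership type, and enrollment method. As an added example that is not part of this page or of Intune's own tooling, the following PowerShell script pulls those same fields for every managed device in a tenant through Microsoft Graph, so an admin preparing a data inventory can see which identifiers (serial number, IMEI, Wi-Fi MAC address, EAS device ID) are present per device. It assumes the Microsoft.Graph.DeviceManagement module is installed and an account holding the DeviceManagementManagedDevices.Read.All permission; the property names are those of the Graph managedDevice resource, and the CSV path is a placeholder.

```powershell
# Added example, not from the Intune documentation: enumerate the hardware-inventory and
# identity fields Intune stores for each MDM-enrolled device, for comparison with the
# required-data table. Assumes Microsoft.Graph.DeviceManagement is installed and the
# signed-in account has DeviceManagementManagedDevices.Read.All.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All" -NoWelcome

# Graph managedDevice properties chosen to line up with the table rows: device name, OS and
# version, manufacturer, model, serial number, IMEI, Wi-Fi MAC, EAS device ID, Entra device
# ID, storage space, and the enrolling user.
$props = @(
    'deviceName', 'operatingSystem', 'osVersion', 'manufacturer', 'model',
    'serialNumber', 'imei', 'wiFiMacAddress', 'easDeviceId', 'azureADDeviceId',
    'totalStorageSpaceInBytes', 'userPrincipalName', 'userDisplayName',
    'managedDeviceOwnerType'
)

$devices = Get-MgDeviceManagementManagedDevice -All -Property $props

# Identifiers marked "No" in the MAM column: they exist only for MDM-enrolled devices and
# are the ones a privacy review usually wants to account for explicitly.
$sensitiveIds = 'serialNumber', 'imei', 'wiFiMacAddress', 'easDeviceId'

$report = foreach ($d in $devices) {
    # PowerShell property access is case-insensitive, so the camelCase Graph names work here.
    $present = $sensitiveIds | Where-Object { -not [string]::IsNullOrEmpty($d.$_) }
    [pscustomobject]@{
        DeviceName          = $d.DeviceName
        Owner               = $d.ManagedDeviceOwnerType   # company vs. personal (see the inventory note)
        OS                  = "$($d.OperatingSystem) $($d.OsVersion)"
        Model               = "$($d.Manufacturer) $($d.Model)"
        EntraDeviceId       = $d.AzureAdDeviceId
        StorageGB           = [math]::Round($d.TotalStorageSpaceInBytes / 1GB, 1)
        SensitiveIdsPresent = ($present -join ',')
        User                = $d.UserPrincipalName
    }
}

$report | Sort-Object Owner, DeviceName | Format-Table -AutoSize

# Placeholder path; keep the export with your other data-inventory records.
$report | Export-Csv -Path .\intune-device-inventory.csv -NoTypeInformation
```

Devices protected by app protection policies alone (the MAM-only case the footnote describes) are not MDM-enrolled and therefore do not appear in this list, which matches the "No" entries in the MAM column for the hardware identifiers.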

Optional data

Data in the optional category isn't necessary to make the service work as expected; it's collected only when your organization turns on features or diagnostic settings that use it.

Your organization might enable optional features within Intune which enable collection of additional information from devices:

  • Device query for Corporate-owned Windows Devices

    When a customer enables Device query, the admin can query device details such as File Name and File Path. For a complete list of data, see Intune data platform schema.

  • Enhanced device inventory

    When a customer enables enhanced device inventory, the admin can see non-sensitive device details such as CPU, disk drive, and memory info. For a complete list of data, see Intune data platform schema.

Customers can control the collection of pseudonymized diagnostics and telemetry data from Intune components installed on their devices. We think there are compelling reasons for people to share this optional data as it helps Microsoft improve the reliability and performance of its products and we understand the importance of providing users the opportunity to make these choices for themselves.

Examples of the optional data fall into the following categories as defined by the ISO/IEC 19944-1:2020 Information technology - Cloud computing - Cloud services and devices: Data flow, data categories:

  • Details about the device, its configuration and connectivity capabilities, and status.
  • Details about the usage of the device, operating system, applications, and services.
  • Details about the health of the device, operating system, apps, and drivers.
  • Software installation and update information on the device.

Certain End User Data or Content is never Collected

Intune doesn't collect nor allow an Admin to see the following data:

  • An end user's calling or web browsing history
  • Personal email
  • Text messages
  • Contacts
  • Passwords to personal accounts
  • Calendar events
  • Photos, including those pictures in a photo app or camera

For more information, see Getting started enrolling devices.

For more information on the data types and definition, see How Microsoft categorizes data for online services.

Learn more about how Intune stores, processes, and shares personal data.