Data collection in Intune

When users enroll their corporate or personal devices with Intune, Intune collects, processes, and shares some personal data to support business operations, conduct business with the customer and to support the service. Intune collects personal data from the following sources:

  • The administrators use of the Intune in the Microsoft Intune admin center.
  • End-user devices (when devices are enrolled for Intune management and during usage).
  • Customer accounts at third party services (per admin's instructions).
  • Diagnostic, performance, and usage information.

From these sources, Intune collects information that falls into the following two categories: required, optional. Each category is divided into customer data, personal data, diagnostic data, and service-generated data.

Note

We do not sell any data collected by our service to any third parties for any reason.

Required data

Data in the required category consists of data in the default feature set that is necessary to make our service work as expected by the customer. Most of the data collected by Intune is required data. This data is tied to a user, device, or application and is essential to the nature of management. The data collected contains both personal data and non-personal data. Personal data includes identifiable data that may directly identify the end user, or pseudonymized data with a unique identifier generated by the system that's used to deliver the enterprise service to users, support data, and account data. Non-personal data includes service-generated system metadata and organizational/tenant information. Intune also collects access control data to manage access to administrative roles and functions through features like Role Based Access Control.

Required data collected by Intune may include, but isn't limited to:

Category Data MAM workload 1
Access control information Private keys for certificates No
Static authenticators (customer's password) No
Admin and account information Active Directory ID of each customer IT admin Yes
Admin user first name and last name Yes
Admin user name Yes
Email address of account owner Yes
Payment data for customer billing Yes
Phone number Yes
Subscription key Yes
UPN (email) Yes
Admin created data, like: Compliance policies No
Group policy No
Line-of-Business (LOB) application Yes
PowerShell scripts No
Profile names Yes
Admin usage data from across all Intune tenants (for example, admin controls selected when interacting with the Admin console) Yes
Application inventory, like: app ID Yes (Managed apps only)
app name Yes (Managed apps only)
installation location No
size No
version Yes (Managed apps only)
Note: Application inventory data is only collected when marked by the Admin as a corporate-owned device or the compliant app feature is turned on.
Audit log information, including data about the following activities Assign Yes
Create Yes
Delete Yes
Manage Yes
Remote tasks Yes
Update (edit) Yes
Customer third party tenant IDs (like Apple ID) No
Device Data Account ID Yes
AppleID for iOS/iPadOS devices No
Microsoft Entra device ID Yes (If device is Microsoft Entra joined)
Intune device ID Yes (If device is MDM enrolled with Intune)
Device storage space No
EAS device ID No
Intune device management ID Yes (If device is MDM enrolled with Intune)
Location (corporate devices only) No
Mac Address for Mac devices No
Network information No
Platform-specific IDs No
Tenant ID Yes
Windows ID for Windows devices No
Hardware inventory information Device name Yes (Device Friendly Name)
Device type Yes
ICCID No
IMEI number No
IP address No
Manufacturer Yes
Model Yes
Operating system Yes
Operating system version Yes
Serial number No
Wi-Fi MacAddress No
Managed application information Microsoft Entra device ID Yes (If device is Microsoft Entra joined)
Device enrollment status Yes
Device health status Yes (Includes threat status if a Mobile Threat Defense connector is configured)
Encryption keys Yes
Intune device management ID Yes (If device is MDM enrolled with Intune)
Last application check-in date/time Yes
Managed application device tag Yes
Managed application ID Yes
Managed application SDK version Yes
Managed application version Yes
MAM enrollment data/time Yes
MAM enrollment status Yes
Support information Contact information (name, phone number, email address) No
Email discussions with Microsoft support, product, and/or customer experience team members No
Tenant account information (this data is available from the Microsoft Intune admin center installedDeviceCount: The number of devices on which the application is installed. Yes
Number of devices or users enrolled No
Number of identified device platforms No
Number of installed devices No
notApplicableDeviceCount: The number of devices for which the application isn't applicable. No
notInstalledDeviceCount: The number of devices for which the application is applicable but not installed. No
pendingInstallDeviceCount: The number of devices for which the application is applicable and installation is pending. No
User information Owner name/user display (the Azure-registered name of the user as identified by AzureUserID) Yes
Phone number No
Third-party user identifies (like AppleID) No
User Principal Name or email address Yes

1 Intune Mobile Application Management (MAM) can be deployed independent of other Intune workloads. For customers only using Intune MAM, this column identifies which required data is collected.

Optional data

Data in the required category consists of data in the default feature set that is necessary to make our service work as expected by the customer.

Your organization may enable optional features within Intune which enable collection of additional information from devices:

  • Device query for Corporate-owned Windows Devices

    When a customer enables Device query, the admin can query device details such as File Name and File Path. For a complete list of data, see Intune data platform schema.

Customers can control the collection of pseudonymized diagnostics and telemetry data from Intune components installed on their devices. We think there are compelling reasons for people to share this optional data as it helps Microsoft improve the reliability and performance of its products and we understand the importance of providing users the opportunity to make these choices for themselves.

Examples of the optional data fall into the following categories as defined by the ISO/IEC 19944-1:2020 Information technology - Cloud computing - Cloud services and devices: Data flow, data categories:

  • Details about the device, its configuration and connectivity capabilities, and status.
  • Details about the usage of the device, operating system, applications, and services.
  • Details about the health of the device, operating system, apps, and drivers.
  • Software installation and update information on the device.

Certain End User Data or Content is never Collected

Intune doesn't collect nor allow an Admin to see the following data:

  • An end users' calling or web browsing history
  • Personal email
  • Text messages
  • Contacts
  • Passwords to personal accounts
  • Calendar events
  • Photos, including those in a photo app or camera

For more information, see Getting started enrolling devices.

For more information on the data types and definition, see How Microsoft categorizes data for online services.

Next steps

Learn more about how Intune stores and processes and shares personal data.