Export, schedule, and share reporting data securely
While the Microsoft Intune admin center is excellent for IT administrators, other stakeholders, such as security officers, compliance auditors, or C-level executives, often need to see this data without logging into the management portal. Furthermore, your organization may require you to retain logs longer than Intune's default retention period.
To meet these needs, you must understand how to extract reporting data from Intune, automate its delivery, and ensure it remains secure in transit and at rest.
Export formats and methods
Depending on your use case, Intune provides several ways to export data out of the tenant.
- Manual CSV Export: Almost every list and report in the Intune admin center features an Export button. This generates a static .csv file containing the currently filtered view. It is best used for quick, ad-hoc analysis in Excel.
- Diagnostic Settings (JSON): As discussed in previous sections, configuring Diagnostic Settings allows you to continuously stream telemetry and audit logs in JSON format to Azure Storage Accounts, Event Hubs, or Log Analytics workspaces.
- Intune Data Warehouse: This is a specialized OData feed that maintains historical Intune data (up to 30 days for most fact tables). It is designed specifically to be connected directly to reporting tools like Power BI.
Automate scheduled exports (Graph API and PowerShell)
A common limitation administrators discover is that Intune does not have a native "Email me this report every Monday" button. To schedule reporting, you must use automation.
Microsoft Graph API
The Microsoft Graph API is the programmatic gateway to everything in Intune. Any report you can view in the console can be queried via Graph API.
- The Process: You can create an Azure Logic App or an Azure Automation Runbook that makes a daily HTTP GET request to the Graph API export endpoints. The app can then format that data and automatically email it to a distribution list or drop it into a secure SharePoint folder.
PowerShell
Administrators often use PowerShell to schedule localized exports.
- By using the Microsoft Graph PowerShell SDK, you can write a script that authenticates to your tenant, pulls specific compliance or device inventory reports, exports them to a .csv, and uploads them to a secure location. You can then trigger this script using a standard Windows Scheduled Task or Azure Automation.
Secure sharing practices
When exporting and sharing device and user data, you are potentially moving sensitive information outside of Intune's secure boundary. You must implement strict governance to protect it.
Apply the Principle of Least Privilege
Never grant a stakeholder an "Intune Administrator" role just so they can view a report.
- Microsoft Entra ID roles: If a user must log into the portal to see reports, assign them the Reports Reader or Global Reader role in Microsoft Entra ID. This grants them read-only access to reporting data without the ability to accidentally wipe a device or delete a policy.
- Azure RBAC: If you are sharing an Azure Monitor Workbook, assign the stakeholder the Log Analytics Reader role on the specific resource group, keeping them entirely out of the Intune portal.
Audit report access and exports
Monitor who is pulling data out of your environment.
- Intune's Audit Logs track when an administrator initiates a manual export.
- If you are using an Enterprise App Registration to automate Graph API exports, ensure you regularly audit the sign-in logs and permissions associated with that App Registration.
Data minimization
Only export what the stakeholder actually needs. If the HR department needs a list of corporate-owned mobile phones, do not export the full device report that includes IP addresses, MAC addresses, and installed application lists. Filter the data via Graph API or your PowerShell script before the CSV is generated and shared.
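The filtering step described under Data minimization, as an added PowerShell example (not code from this module or from Microsoft): it keeps corporate-owned phones only, writes an allowlisted set of columns, and refuses to run if a blocked column is requested. The function name Export-MinimizedDeviceReport, the column lists, and the sample rows are assumptions; the rows are constructed stand-ins for managed device objects returned by the Microsoft Graph PowerShell SDK.

```powershell
# Added example: minimize a device report before it is written to CSV.
# Function name, column lists and sample rows are assumptions for illustration.
function Export-MinimizedDeviceReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Device,
        [Parameter(Mandatory)] [string] $Path,
        # Allowlist: only these columns are ever written.
        [string[]] $Column = @('DeviceName', 'Manufacturer', 'Model', 'SerialNumber', 'UserPrincipalName'),
        # Columns that must not leave the tenant; requesting one aborts the export.
        [string[]] $Blocked = @('WiFiMacAddress', 'EthernetMacAddress', 'IpAddress', 'InstalledApps')
    )
    begin {
        $bad = @($Column | Where-Object { $_ -in $Blocked })
        if ($bad.Count -gt 0) { throw "Blocked column(s) requested: $($bad -join ', ')" }
        $rows = [System.Collections.Generic.List[object]]::new()
    }
    process {
        # Keep corporate-owned phones only, then project onto the allowlist.
        if ($Device.ManagedDeviceOwnerType -eq 'company' -and
            $Device.OperatingSystem -in @('iOS', 'Android')) {
            $rows.Add(($Device | Select-Object -Property $Column))
        }
    }
    end {
        $rows | Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
        $rows.Count   # number of devices written
    }
}

# Constructed sample rows. In a live run the input would come from
# Get-MgDeviceManagementManagedDevice -All, after
# Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'.
$sample = @(
    [pscustomobject]@{ DeviceName = 'HR-PHONE-01'; OperatingSystem = 'iOS'; ManagedDeviceOwnerType = 'company'; Manufacturer = 'Apple'; Model = 'iPhone 14'; SerialNumber = 'EXAMPLE0001'; UserPrincipalName = 'a.user@contoso.example'; WiFiMacAddress = '00:00:5E:00:53:01'; IpAddress = '192.0.2.10' }
    [pscustomobject]@{ DeviceName = 'BYOD-PHONE-07'; OperatingSystem = 'Android'; ManagedDeviceOwnerType = 'personal'; Manufacturer = 'Google'; Model = 'Pixel 8'; SerialNumber = 'EXAMPLE0002'; UserPrincipalName = 'b.user@contoso.example'; WiFiMacAddress = '00:00:5E:00:53:02'; IpAddress = '192.0.2.11' }
    [pscustomobject]@{ DeviceName = 'LAPTOP-22'; OperatingSystem = 'Windows'; ManagedDeviceOwnerType = 'company'; Manufacturer = 'Contoso'; Model = 'Book 5'; SerialNumber = 'EXAMPLE0003'; UserPrincipalName = 'c.user@contoso.example'; WiFiMacAddress = '00:00:5E:00:53:03'; IpAddress = '192.0.2.12' }
)
$out = Join-Path ([System.IO.Path]::GetTempPath()) 'corporate-phones.csv'
$count = $sample | Export-MinimizedDeviceReport -Path $out
"$count device(s) written to $out"
```

With the sample rows, only HR-PHONE-01 is written, and the resulting CSV has no MAC or IP address columns because they are not on the allowlist.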