Data collection in Intune
When users enroll their corporate or personal devices with Intune, Intune collects, processes, and shares some personal data to support business operations, conduct business with the customer and to support the service. Intune collects personal data from the following sources:
- The administrators use of the Intune in the Microsoft Intune admin center.
- End-user devices (when devices are enrolled for Intune management and during usage).
- Customer accounts at third party services (per admin's instructions).
- Diagnostic, performance, and usage information.
From these sources, Intune collects information that falls into the following two categories: required, optional. Each category is divided into customer data, personal data, diagnostic data, and service-generated data.
Note
We do not sell any data collected by our service to any third parties for any reason.
Required data
Data in the required category consists of data in the default feature set that is necessary to make our service work as expected by the customer. Most of the data collected by Intune is required data. This data is tied to a user, device, or application and is essential to the nature of management. The data collected contains both personal data and non-personal data. Personal data includes identifiable data that may directly identify the end user, or pseudonymized data with a unique identifier generated by the system that's used to deliver the enterprise service to users, support data, and account data. Non-personal data includes service-generated system metadata and organizational/tenant information. Intune also collects access control data to manage access to administrative roles and functions through features like Role Based Access Control.
Required data collected by Intune may include, but isn't limited to:
| Category | Data | MAM workload 1 |
|---|---|---|
| Access control information | Private keys for certificates | No |
| Static authenticators (customer's password) | No | |
| Admin and account information | Active Directory ID of each customer IT admin | Yes |
| Admin user first name and last name | Yes | |
| Admin user name | Yes | |
| Email address of account owner | Yes | |
| Payment data for customer billing | Yes | |
| Phone number | Yes | |
| Subscription key | Yes | |
| UPN (email) | Yes | |
| Admin created data, like: | Compliance policies | No |
| Group policy | No | |
| Line-of-Business (LOB) application | Yes | |
| PowerShell scripts | No | |
| Profile names | Yes | |
| Admin usage data from across all Intune tenants (for example, admin controls selected when interacting with the Admin console) | Yes | |
| Application inventory, like: | app ID | Yes (Managed apps only) |
| app name | Yes (Managed apps only) | |
| installation location | No | |
| size | No | |
| version | Yes (Managed apps only) | |
| Note: Application inventory data is only collected when marked by the Admin as a corporate-owned device or the compliant app feature is turned on. | ||
| Audit log information, including data about the following activities | Assign | Yes |
| Create | Yes | |
| Delete | Yes | |
| Manage | Yes | |
| Remote tasks | Yes | |
| Update (edit) | Yes | |
| Customer third party tenant IDs (like Apple ID) | No | |
| Device Data | Account ID | Yes |
| AppleID for iOS/iPadOS devices | No | |
| Microsoft Entra device ID | Yes (If device is Microsoft Entra joined) | |
| Intune device ID | Yes (If device is MDM enrolled with Intune) | |
| Device storage space | No | |
| EAS device ID | No | |
| Intune device management ID | Yes (If device is MDM enrolled with Intune) | |
| Location (corporate devices only) | No | |
| Mac Address for Mac devices | No | |
| Network information | No | |
| Platform-specific IDs | No | |
| Tenant ID | Yes | |
| Windows ID for Windows devices | No | |
| Hardware inventory information | Device name | Yes (Device Friendly Name) |
| Device type | Yes | |
| ICCID | No | |
| IMEI number | No | |
| IP address | No | |
| Manufacturer | Yes | |
| Model | Yes | |
| Operating system | Yes | |
| Operating system version | Yes | |
| Serial number | No | |
| Wi-Fi MacAddress | No | |
| Managed application information | Microsoft Entra device ID | Yes (If device is Microsoft Entra joined) |
| Device enrollment status | Yes | |
| Device health status | Yes (Includes threat status if a Mobile Threat Defense connector is configured) | |
| Encryption keys | Yes | |
| Intune device management ID | Yes (If device is MDM enrolled with Intune) | |
| Last application check-in date/time | Yes | |
| Managed application device tag | Yes | |
| Managed application ID | Yes | |
| Managed application SDK version | Yes | |
| Managed application version | Yes | |
| MAM enrollment data/time | Yes | |
| MAM enrollment status | Yes | |
| Support information | Contact information (name, phone number, email address) | No |
| Email discussions with Microsoft support, product, and/or customer experience team members | No | |
| Tenant account information (this data is available from the Microsoft Intune admin center | installedDeviceCount: The number of devices on which the application is installed. | Yes |
| Number of devices or users enrolled | No | |
| Number of identified device platforms | No | |
| Number of installed devices | No | |
| notApplicableDeviceCount: The number of devices for which the application isn't applicable. | No | |
| notInstalledDeviceCount: The number of devices for which the application is applicable but not installed. | No | |
| pendingInstallDeviceCount: The number of devices for which the application is applicable and installation is pending. | No | |
| User information | Owner name/user display (the Azure-registered name of the user as identified by AzureUserID) | Yes |
| Phone number | No | |
| Third-party user identifies (like AppleID) | No | |
| User Principal Name or email address | Yes |
1 Intune Mobile Application Management (MAM) can be deployed independent of other Intune workloads. For customers only using Intune MAM, this column identifies which required data is collected.
Optional data
Data in the required category consists of data in the default feature set that is necessary to make our service work as expected by the customer.
Your organization may enable optional features within Intune which enable collection of additional information from devices:
Device query for Corporate-owned Windows Devices
When a customer enables Device query, the admin can query device details such as File Name and File Path. For a complete list of data, see Intune data platform schema.
Customers can control the collection of pseudonymized diagnostics and telemetry data from Intune components installed on their devices. We think there are compelling reasons for people to share this optional data as it helps Microsoft improve the reliability and performance of its products and we understand the importance of providing users the opportunity to make these choices for themselves.
Examples of the optional data fall into the following categories as defined by the ISO/IEC 19944-1:2020 Information technology - Cloud computing - Cloud services and devices: Data flow, data categories:
- Details about the device, its configuration and connectivity capabilities, and status.
- Details about the usage of the device, operating system, applications, and services.
- Details about the health of the device, operating system, apps, and drivers.
- Software installation and update information on the device.
Certain End User Data or Content is never Collected
Intune doesn't collect nor allow an Admin to see the following data:
- An end users' calling or web browsing history
- Personal email
- Text messages
- Contacts
- Passwords to personal accounts
- Calendar events
- Photos, including those in a photo app or camera
For more information, see Getting started enrolling devices.
For more information on the data types and definition, see How Microsoft categorizes data for online services.
Next steps
Learn more about how Intune stores and processes and shares personal data.