Data collection in Intune

When users enroll their corporate or personal devices using Intune, Intune collects, processes, and shares some personal data to support business operations, conduct business with the customer, and support the service. Intune collects personal data from the following sources:

  • The administrator's use of Intune in the Microsoft Endpoint Manager admin center.
  • End-user devices (when devices are enrolled for Intune management and during usage).
  • Customer accounts at third-party services (per the admin's instructions).
  • Diagnostic, performance, and usage information.

From these sources, Intune collects information that falls into two categories: required and optional. Within each category, data is further broken down into customer data, personal data, diagnostic data, and service-generated data.

Note

We do not sell any data collected by our service to any third parties for any reason.

Required data

Data in the required category consists of data that is necessary to make our service work as expected by the customer. Most of the data collected by Intune is required data. This data is tied to a user, device, or application and is essential to the nature of management. The data collected contains both personal data and non-personal data. Personal data includes identifiable data, which may directly identify the end user, or pseudonymized data with a unique identifier generated by the system, used to deliver the enterprise service to users, support data and account data. Non-personal data includes service-generated system metadata and organizational/tenant information. Intune also collects access control data to manage access to administrative roles and functions through features like Role Based Access Control.

Required data collected by Intune may include, but is not limited to:

  • User information
    • Owner name/user display (the Azure-registered name of the user as identified by AzureUserID)
    • User Principal Name or email address
    • Phone number
    • Third-party user identifiers (like AppleID)
  • Hardware inventory information
    • Device name
    • Manufacturer
    • Operating system
    • Serial number
    • IMEI number
    • IP address
    • Wi-Fi MAC address
    • ICCID
  • Audit log information, including data about the following activities
    • Manage
    • Create
    • Update (edit)
    • Delete
    • Assign
    • Remote tasks
  • Support information
    • Contact information (name, phone number, email address)
    • Email discussions with Microsoft support, product, and/or customer experience team members
  • Access control information
    • Static authenticators (customer's password)
    • Privacy keys for certificates
  • Admin and account information
    • Admin user first name and last name
    • Admin user name
    • UPN (email)
    • Phone number
    • Email address of account owner
    • Active Directory ID of each customer IT admin
    • Payment data for customer billing
    • Subscription key
  • Application inventory, like
    • app name
    • version
    • app ID
    • size
    • installation location
    • Application inventory data is only collected when the device is marked by the admin as corporate-owned or the compliant app feature is turned on.
  • Customer third-party tenant IDs (like Apple ID)
  • Device data
    • Intune device ID
    • Azure Active Directory device ID
    • Intune device management ID
    • Tenant ID
    • Account ID
    • EAS device ID
    • Platform-specific IDs
    • AppleID for iOS/iPadOS devices
    • MAC address for Mac devices
    • Windows ID for Windows devices
  • Managed application information
    • Managed application ID
    • Managed application device tag
    • Intune device management ID
    • Azure Active Directory device ID
    • Encryption keys
  • Admin usage data from across all Intune tenants (for example, admin controls selected when interacting with the Admin console)
  • Tenant account information (this data is available from the Intune blade)
    • Number of devices or users enrolled
    • Number of identified device platforms
    • Number of installed devices
    • installedDeviceCount: The number of devices on which the application is installed.
    • notApplicableDeviceCount: The number of devices for which the application is not applicable.
    • notInstalledDeviceCount: The number of devices for which the application is applicable but not installed.
    • pendingInstallDeviceCount: The number of devices for which the application is applicable and installation is pending.

Optional data

Data in the optional category is not essential to the product or service experience. Customers can control the collection of optional data. Intune enables customers to opt in or opt out of optional data collection. Examples of optional data include data Intune collects for diagnostics and telemetry. Please note that we think there are compelling reasons for people to share this optional data, as it creates opportunities for new and richer experiences, but we understand the importance of providing users the opportunity to make these choices for themselves.

Examples of the optional diagnostic data may include application usage data, error data, and performance data. All diagnostic data Microsoft collects during the use of any Microsoft 365 Apps for enterprise applications and services is pseudonymized as defined in the ISO/IEC 19944:2017 (section 8.3.3) standard.

Certain end-user data or content is never collected

Intune does not collect, nor allow an admin to see, an end user's calling or web browsing history, personal email, text messages, contacts, passwords to personal accounts, calendar events, or photos, including those in a photo app or camera. See Getting started enrolling devices.

See How Microsoft categorizes data for online services for more information on the data types and definitions.

Next steps

Find out more about how Intune stores, processes, and shares personal data.