Data collection in Intune

When users enroll their corporate or personal devices with Intune, Intune collects, processes, and shares some personal data to support business operations, conduct business with the customer and to support the service. Intune collects personal data from the following sources:

  • The administrator's use of Intune in the Microsoft Endpoint Manager admin center.
  • End-user devices (when devices are enrolled for Intune management and during usage).
  • Customer accounts at third-party services (per admin's instructions).
  • Diagnostic, performance, and usage information.

From these sources, Intune collects information that falls into two categories: required and optional. Each category is divided into customer data, personal data, diagnostic data, and service-generated data.

Note

We do not sell any data collected by our service to any third parties for any reason.

Required data

Data in the required category consists of data that is necessary to make our service work as expected by the customer. Most of the data collected by Intune is required data. This data is tied to a user, device, or application and is essential to the nature of management. The data collected contains both personal data and non-personal data. Personal data includes identifiable data that may directly identify the end user, or pseudonymized data with a unique identifier generated by the system that's used to deliver the enterprise service to users, support data, and account data. Non-personal data includes service-generated system metadata and organizational/tenant information. Intune also collects access control data to manage access to administrative roles and functions through features like Role Based Access Control.

Required data collected by Intune may include, but isn't limited to:

| Category | Data | MAM workload 1 |
|---|---|---|
| Access control information | Privacy keys for certificates | No |
| | Static authenticators (customer's password) | No |
| Admin and account information | Active Directory ID of each customer IT admin | Yes |
| | Admin user first name and last name | Yes |
| | Admin user name | Yes |
| | Email address of account owner | Yes |
| | Payment data for customer billing | Yes |
| | Phone number | Yes |
| | Subscription key | Yes |
| | UPN (email) | Yes |
| Admin created data, like: | Compliance policies | No |
| | Group policy | No |
| | Line-of-Business (LOB) application | Yes |
| | PowerShell scripts | No |
| | Profile names | Yes |
| Admin usage data from across all Intune tenants (for example, admin controls selected when interacting with the Admin console) | | Yes |
| Application inventory, like: | app ID | Yes (Managed apps only) |
| | app name | Yes (Managed apps only) |
| | installation location | No |
| | size | No |
| | version | Yes (Managed apps only) |
| | Note: Application inventory data is only collected when marked by the Admin as a corporate-owned device or the compliant app feature is turned on. | |
| Audit log information, including data about the following activities | Assign | Yes |
| | Create | Yes |
| | Delete | Yes |
| | Manage | Yes |
| | Remote tasks | Yes |
| | Update (edit) | Yes |
| Customer third party tenant IDs (like Apple ID) | | No |
| Device Data | Account ID | Yes |
| | AppleID for iOS/iPadOS devices | No |
| | Azure Active Directory device ID | Yes (If device is Azure Active Directory (Azure AD) joined) |
| | Intune device ID | Yes (If device is MDM enrolled with Intune) |
| | Device storage space | No |
| | EAS device ID | No |
| | Intune device management ID | Yes (If device is MDM enrolled with Intune) |
| | Location (corporate devices only) | No |
| | Mac Address for Mac devices | No |
| | Network information | No |
| | Platform-specific IDs | No |
| | Tenant ID | Yes |
| | Windows ID for Windows devices | No |
| Hardware inventory information | Device name | Yes (Device Friendly Name) |
| | Device type | Yes |
| | ICCID | No |
| | IMEI number | No |
| | IP address | No |
| | Manufacturer | Yes |
| | Model | Yes |
| | Operating system | Yes |
| | Operating system version | Yes |
| | Serial number | No |
| | Wi-Fi MacAddress | No |
| Managed application information | Azure Active Directory device ID | Yes (If device is Azure AD joined) |
| | Device enrollment status | Yes |
| | Device health status (jailbroken) | Yes |
| | Encryption keys | Yes |
| | Intune device management ID | Yes (If device is MDM enrolled with Intune) |
| | Last application check-in date/time | Yes |
| | Managed application device tag | Yes |
| | Managed application ID | Yes |
| | Managed application SDK version | Yes |
| | Managed application version | Yes |
| | MAM enrollment date/time | Yes |
| | MAM enrollment status | Yes |
| Support information | Contact information (name, phone number, email address) | No |
| | Email discussions with Microsoft support, product, and/or customer experience team members | No |
| Tenant account information (this data is available from the Microsoft Endpoint Manager admin console) | installedDeviceCount: The number of devices on which the application is installed. | Yes |
| | Number of devices or users enrolled | No |
| | Number of identified device platforms | No |
| | Number of installed devices | No |
| | notApplicableDeviceCount: The number of devices for which the application isn't applicable. | No |
| | notInstalledDeviceCount: The number of devices for which the application is applicable but not installed. | No |
| | pendingInstallDeviceCount: The number of devices for which the application is applicable and installation is pending. | No |
| User information | Owner name/user display (the Azure-registered name of the user as identified by AzureUserID) | Yes |
| | Phone number | No |
| | Third-party user identifiers (like AppleID) | No |
| | User Principal Name or email address | Yes |

1 Intune Mobile Application Management (MAM) can be deployed independent of other Intune workloads. For customers only using Intune MAM, this column identifies which required data is collected.

Optional data

Data in the optional category isn't essential to the product or service experience. Customers can control the collection of optional data: Intune enables customers to opt in to or opt out of optional data collection. Examples of optional data include data Intune collects for diagnostics and telemetry. We think there are compelling reasons for people to share this optional data, as it creates opportunities for new and richer experiences, but we understand the importance of giving users the opportunity to make these choices for themselves.

Examples of optional diagnostic data may include application usage data, error data, and performance data. All diagnostic data Microsoft collects during the use of any Microsoft 365 Apps for enterprise applications and services is pseudonymized as defined in the ISO/IEC 19944-1:2020 (section 8.3.3) standard.

Certain end-user data or content is never collected

Intune doesn't collect the following data, and doesn't allow an admin to see it:

  • An end user's calling or web browsing history
  • Personal email
  • Text messages
  • Contacts
  • Passwords to personal accounts
  • Calendar events
  • Photos, including those in a photo app or camera

For more information, see Getting started enrolling devices and

For more information on the data types and definition, see How Microsoft categorizes data for online services.

Next steps

Learn more about how Intune stores, processes, and shares personal data.