As a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM), Microsoft Intune is a vital tool for ensuring business security, compliance, and continuity. However, IT teams need to have a clear understanding of how Intune collects, processes, and retains data to make the best use of its services. Data retention, in particular, is an important subject for several key reasons:
This article is a guide to Intune data retention, walking through how data is managed across company devices and applications in Microsoft 365. We'll also share ways to secure your data beyond the built-in data retention policies offered by Microsoft, including through third-party tools like CoreView.
Microsoft Intune collects data when users enroll their corporate or personal devices with the service. This data collection is necessary to support business operations, conduct business with the customer, and support the service. The sources from which Intune collects personal data include:
The data collected by Intune falls into two categories: required and optional.
Required data is necessary for the service to function as expected by the customer. Most of the data collected by Intune is required data, which can be personal or non-personal.
Personal data includes identifiable data that may directly identify the end user, or pseudonymized data with a unique identifier generated by the system that's used to deliver the enterprise service to users, support data, and account data.
Non-personal data includes service-generated system metadata and organizational/tenant information. Intune also collects access control data to manage access to administrative roles and functions through features like Role-Based Access Control.
Examples of required data collected by Intune include, but are not limited to:
Optional data is not essential to the product or service experience, so customers can control whether it is collected. Intune enables customers to opt in to or opt out of optional data collection. Optional data includes pseudonymized data that Intune collects for diagnostics and telemetry.
Examples of the optional data Microsoft collects during the use of any Microsoft 365 Apps for enterprise applications and services fall into the following categories:
After it collects company data, Intune adheres to the Data Handling Standard Policy for Microsoft 365. This policy outlines how customer data is stored and processed, ensuring that data handling practices are consistent and secure across all Microsoft 365 services.
Microsoft operates Intune services across various regions worldwide.
When an administrator sets up Intune, they can choose the storage location for their Customer Data. This choice allows businesses to comply with local data residency regulations and requirements. For example, if a company operates primarily in Europe, the administrator might choose to store their data in a European data center to comply with GDPR.
As Microsoft continues to expand its datacenter geographies, it offers in-region data residency for Customer Data. This means that data pertaining to an organization is stored within the same geographic region where that organization is based. Existing customers can request the migration of their organization's Customer Data at rest to a datacenter geography that matches their signup country or region.
This migration process is designed to be seamless, with minimal impact on accessibility and functionality. However, during the migration workflow, certain features may be temporarily inaccessible depending on the volume of data being migrated and the features in use.
The Microsoft 365 Data Handling Standard policy also specifies how long customer data is retained after deletion. There are two scenarios in which customer data is deleted:
Audit logs, which record user and device actions, are retained for up to one year for security purposes. This allows administrators to review past activities if needed, such as for security audits or investigations.
Intune processes personal data using systems that are ISO certified. The ISO certification is a globally recognized standard that ensures services meet the needs of clients through an effective quality management system. This certification demonstrates that Intune has robust systems in place to manage and protect personal data.
Microsoft Intune does not use any personal data collected as part of providing the service for profiling or marketing purposes. This means that the personal data collected by Intune is used solely to provide, maintain, and improve the Intune service, and not for any other purposes such as targeted advertising or user behavior analysis.
Microsoft Intune's built-in data retention mechanisms strive to be robust and compliant with most regulations. However, they may not always meet the specific needs of enterprise organizations. Here's why:
Custom solutions allow organizations to set their own data retention periods based on their specific regulatory requirements and business needs. They can also offer granular control over their data retention policies, allowing teams to tailor each policy to their specific needs.
CoreView Configuration Manager for Microsoft 365 is an end-to-end solution for backing up and restoring Microsoft 365 and Intune configurations. It streamlines the deployment, management, and maintenance of configurations across devices, applications, and policies, with features like:
Compared to other methods like PowerShell or Microsoft 365 DSC, CoreView Configuration Manager offers a more refined, no-code approach to backing up Intune configurations. Its user-friendly web portal enables team members of varying technical expertise to manage and maintain Intune configurations with ease, reducing the dependency on specialized knowledge.