Intune Data Retention Guide: Know How to Secure Your Intune Configurations

Intune Data Retention Guide: Know How to Secure Your Intune Configurations

July 14, 2023

As a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM), Microsoft Intune is a vital tool for ensuring business security, compliance, and continuity. However, IT teams need to have a clear understanding of how Intune collects, processes, and retains data to make the best use of its services. Data retention, in particular, is an important subject for several key reasons:

  • Compliance with Regulations: Various industries are subject to strict data protection and privacy regulations, such as GDPR, HIPAA, and CCPA. Understanding how Intune stores and retains data can help ensure that your organization remains compliant with these regulations.
  • Data Security: Understanding how and where your data is stored can help you assess the security measures in place to protect it. This is particularly important given the increasing prevalence of cyber threats.
  • Data Accessibility: Knowing how long data is retained and how it can be accessed is crucial for business operations. For instance, you might need to retrieve data for audit purposes, legal discovery, or business analysis.
  • Data Management: Understanding Intune's data handling processes can help you make informed decisions about data management, such as when to delete data or when to implement additional backup solutions.
  • Risk Management: If data is lost, improperly accessed, or not available when needed, it can lead to operational risks, financial loss, and damage to the organization's reputation. Understanding data storage and retention in Intune can help mitigate these risks.
  • Trust and Transparency: Finally, understanding these processes can increase trust and transparency between the organization and its stakeholders, including customers, employees, and partners. This can enhance customer trust, employee confidence, and partner relationships.

This article will serve as a comprehensive guide to Intune data retention, walking you through the intricacies of how data is managed across company devices and applications in Microosft 365. We'll also share ways to secure your data beyond the built-in data retention policies offered by Microsoft, including via the use of third-party tools like Simeon Cloud.

Understanding Data Collection in Intune

Microsoft Intune collects data when users enroll their corporate or personal devices with the service. This data collection is necessary to support business operations, conduct business with the customer, and support the service. The sources from which Intune collects personal data include:

  • The administrators' use of Intune in the Microsoft Intune admin center.
  • End-user devices, both when devices are enrolled for Intune management and during usage.
  • Customer accounts at third-party services, as per the administrator's instructions.
  • Diagnostic, performance, and usage information.

The data collected by Intune falls into two categories: required and optional.

Required Data

Required data is necessary for the service to function as expected by the customer. Most of the data collected by Intune is required data, which can be personal or non-personal.

Personal data includes identifiable data that may directly identify the end user, or pseudonymized data with a unique identifier generated by the system that's used to deliver the enterprise service to users, support data, and account data.

Non-personal data includes service-generated system metadata and organizational/tenant information. Intune also collects access control data to manage access to administrative roles and functions through features like Role-Based Access Control.

Examples of required data collected by Intune include, but are not limited to:

  • Access control information
  • Admin and account information
  • Admin usage data from across all Intune tenants
  • Application inventory
  • Audit log information
  • Customer third-party tenant IDs
  • Device data
  • Hardware inventory information
  • Managed application information
  • Support information
  • User information

Optional Data

Optional data is not essential to the product or service experience, and therefore, customers can control the collection of optional data. Intune enables customers to opt-in or opt-out of optional data collection. Examples of optional data consist of pseudonymized data that Intune collects for diagnostics and telemetry.

Examples of the optional data Microsoft collects during the use of any Microsoft 365 Apps for enterprise applications and services fall into the following categories:

  • Details about the device, its configuration and connectivity capabilities, and status.
  • Details about the usage of the device, operating system, applications, and services.
  • Details about the health of the device, operating system, apps, and drivers.
  • Software installation and update information on the device.

Data Storage and Processing in Intune

After it collects company data, Intune adheres to the Data Handling Standard Policy for Microsoft 365. This policy outlines how customer data is stored and processed, ensuring that data handling practices are consistent and secure across all Microsoft 365 services.

Storage Locations

Microsoft operates Intune services across various regions worldwide.

When an administrator sets up Intune, they can choose the storage location for their Customer Data. This choice allows businesses to comply with local data residency regulations and requirements. For example, if a company operates primarily in Europe, the administrator might choose to store their data in a European data center to comply with GDPR.

Data Residency

As Microsoft continues to expand its datacenter geographies, it offers in-region data residency for Customer Data. This means that data pertaining to an organization is stored within the same geographic region where their organization is based. Existing customers can request the migration of their organization's Customer Data at rest to a datacenter geography that matches their signup country or region.

This migration process is designed to be seamless, with minimal impact on accessibility and functionality. However, during the migration workflow, certain features may be temporarily inaccessible depending on the volume of data being migrated and the features in use.

Data Retention

The Microsoft 365 Data Handling Standard policy also specifies how long customer data is retained after deletion. There are two scenarios in which customer data is deleted:

  • Active Deletion: This occurs when the tenant has an active subscription and a user or administrator deletes data, or when administrators delete a user. In this case, the deleted data is generally removed from Intune within 30 days.
  • Passive Deletion: This occurs when the tenant subscription ends. In this case, the data associated with the ended subscription is also typically removed within 30 days.

Audit logs, which record user and device actions, are retained for up to one year for security purposes. This allows administrators to review past activities if needed, such as for security audits or investigations.

Data Processing

Intune processes personal data using systems that are ISO certified. The ISO certification is a globally recognized standard that ensures services meet the needs of clients through an effective quality management system. This certification demonstrates that Intune has robust systems in place to manage and protect personal data.

Data Profiling

Microsoft Intune does not use any personal data collected as part of providing the service for profiling or marketing purposes. This means that the personal data collected by Intune is used solely to provide, maintain, and improve the Intune service, and not for any other purposes such as targeted advertising or user behavior analysis.

The Need for an Intune Backup and Restore Solution

Microsoft Intune's built-in data retention mechanisms strive to be robust and compliant with most regulations. However, they may not always meet the specific needs of enterprise organizations. Here's why:

  • Limited Retention Period: Intune typically retains data for 30 days after deletion and audit logs for up to one year. For some organizations, especially those in highly regulated industries, this might not be sufficient. They may need to retain data for longer periods to meet regulatory requirements or for internal audit and analysis purposes.
  • Lack of Granular Control: Intune's data retention policies are largely set and controlled by Microsoft. Enterprises may require more granular control over their data retention policies, such as the ability to set different retention periods for different types of data or for different business units.
  • Data Recovery: While Intune has mechanisms for data deletion, it doesn't provide a built-in backup and restore functionality. If data is accidentally deleted, there's no straightforward way to recover it within the Intune system after the 30-day retention period.
  • Single Point of Failure: Relying solely on Intune for data management can create a single point of failure. If there's an issue with Intune, it could potentially impact an organization's access to its data.

Custom solutions allow organizations to set their own data retention periods based on their specific regulatory requirements and business needs. They can also offer granular control over their data retention policies, allowing teams to tailor each policy to their specific needs.

Simeon Cloud: The Ultimate Intune Backup and Restore Solution

Simeon Cloud is an end-to-end solution for backing up and restoring Microsoft 365 and Intune configurations. It streamlines the deployment, management, and maintenance of configurations across devices, applications, and policies, with features like:

  • Centralized Configuration Management: Simeon Cloud offers a centralized platform for managing Intune configuration settings, including device configurations, app configurations, app protection policies, and more. This centralization ensures consistency across various elements, enhancing operational efficiency.
  • Version Control: With Simeon Cloud, you can track changes, revert to previous versions, and maintain a history of your Intune settings, thanks to its version control capabilities. This feature provides a safety net against accidental changes and promotes better configuration management.
  • Backup and Restore: Simeon Cloud's centralized management and version control capabilities work together to effectively back up your Intune configurations. Should there be any accidental changes or issues, restoring the desired configuration settings is just a few clicks away on the Simeon Cloud platform.
  • Automation: Simeon Cloud automates the deployment and management of Intune configurations across multiple environments or tenants. This automation reduces manual effort, streamlines the backup and restore processes, and minimizes the risk of human error.
  • Reporting and Monitoring: With Simeon Cloud, you can track the status of your Intune configurations and identify any discrepancies or issues through its reporting and monitoring features. This allows for proactive management and swift resolution of potential problems.
  • Security and Compliance: Simeon Cloud helps maintain security and compliance standards across your organization by centralizing and automating the management of Intune configurations. This ensures that your configurations adhere to the necessary standards and regulations.

Compared to other methods like PowerShell or Microsoft 365 DSC, Simeon Cloud offers a more refined, no-code approach to backing up Intune configurations. Its user-friendly web portal enables team members of varying technical expertise to manage and maintain Intune configurations with ease, reducing the dependency on specialized knowledge. Want to learn more about how Simeon can help your organization secure your Intune data? Lock in a free demo with our sales team today!