Last updated: July 2015
This Trust Center applies to the Microsoft Intune Online Services purchased directly from or provided by Microsoft. This Trust Center also applies to management functionalities and services powered by Intune unless otherwise indicated.
Customer Data is defined as “all data, including all text, sound, video or image files, and software that are provided to Microsoft by, or on behalf of, Customer through use of the Online Service.” For example, this includes inventory information from managed devices or apps which have been installed through Intune. Customers can access their own Customer Data at any time and for any reason without assistance from Microsoft. Microsoft will not use Customer Data or derive information from it for advertising. We will use Customer Data only to provide the service or for purposes compatible with providing the service.
It is ultimately up to our customers to evaluate our offerings against their own requirements, so they can determine if our services satisfy their regulatory needs. We are committed to providing our customers detailed information about our cloud services to help them make their own regulatory assessments.
Microsoft does not create customer accounts; the customer creates the accounts either directly in the Intune Administration Portal, or in their local Active Directory, where the accounts can then be synchronized into Azure Active Directory. For this reason, the customer remains responsible for the accuracy of the user accounts they created.
Intune has been independently verified to meet requirements specified in ISO 27001, SOC 1 and 2 Type II, HIPAA/BAA, EU Model Clauses, CREST Certified Penetration Test, and UK G-Cloud.
Use of the Intune service is governed by the terms and conditions of the agreement under which the service was obtained. We have simplified our legal terms so that each of these agreements now incorporates the same Online Services Terms, which provide a common set of customer commitments, detailed Data Protection Terms, and EU Standard Contractual Clauses across our enterprise online services, including Intune, Azure, and Office 365.
Intune complies with all data protection and privacy laws generally applicable to Microsoft’s provision of the Intune service.
There are three types of data collected from mobile devices managed by Intune:
Hardware Inventory: This information is provided by the mobile device operating system (Windows, iOS, and Android) and varies by OS. Such information could include:
App Inventory: There are two types of apps which can be installed on a mobile device. Corporate apps are installed through Intune’s Company Portal and are offered or required by your company’s Intune administrator. Personal apps are those which the user installs on their own from the Windows Store, Apple App Store, or Google Play.
App Inventory includes:
There are a few factors that affect which apps are inventoried.
Policies and Configurations: Device or application management settings, certificates, VPN and Wi-Fi profiles are all examples of policies and configurations which an Intune administrator can define and deploy. This content, as well as the resulting compliance information from each managed device, is stored by Intune within the corporation-specific tenant.
Intune does not collect information specific to user activities, including:
Please note that it is ultimately your obligation to comply with your regulatory requirements. We provide you with information to help you do so. We commit to compliance with data protection and privacy laws generally applicable to IT service providers. If you are subject to industry or jurisdictional requirements, you will need to make your own assessment of your ability to comply. Customers in many industries and geographies have found they can use Intune in a manner that complies with applicable regulations, provided they utilize the services in a manner appropriate to their particular circumstances.
For instance, organizations covered by the E.U. Data Protection Directive should have their own policies, security, and training program in place to ensure their personnel do not use Intune in a way that violates the Directive. We will do our part by abiding by the promises we have made, thereby helping you remain compliant.
Microsoft will use the Customer Data you store in Intune only to provide you with the online services and for purposes compatible with providing the online services. These purposes may include:
No. Intune does not share data with its advertiser-supported services. Intune does not mine Customer Data for advertising.
Microsoft believes that its customers should control their own information whether stored on their premises or in a cloud service. Accordingly, we will not disclose Customer Data to a third party (including law enforcement, other government entity or civil litigant) except as you direct or as required by law. Should a third party contact us with a demand for Customer Data, we will attempt to redirect the third party to request it directly from you. As part of that, we may provide your basic contact information to the third party. If compelled to disclose Customer Data to a third party, we will promptly notify you and provide a copy of the demand, unless legally prohibited from doing so.
Except as you direct, Microsoft will not provide any third party: (1) direct, indirect, blanket or unfettered access to Customer Data; (2) the platform encryption keys used to secure Customer Data or the ability to break such encryption; or (3) any kind of access to Customer Data if Microsoft is aware that such data is used for purposes other than those stated in the request.
Microsoft also publishes a Law Enforcement Requests Report that provides insight into the scope of requests.
For more information on our commitment to protecting Customer Data, please review Microsoft’s Corporate Citizenship Principles, Policies, and Practices FAQ, as well as the Responding to Government Legal Demands for Customer Data blog written by Brad Smith, General Counsel & Executive Vice President of Legal and Corporate Affairs for Microsoft.
Microsoft and its affiliates operate the Intune service. Microsoft may hire other companies to provide limited services on its behalf, such as providing customer support or troubleshooting the service. Microsoft will only disclose Customer Data to subcontractors so they can deliver the services we have retained them to provide. Subcontractors are prohibited from using Customer Data for any other purpose.
Subcontractors that work in facilities or on equipment controlled by Microsoft must follow our privacy standards and maintain the confidentiality of Customer Data. All other subcontractors must follow privacy standards equivalent to our own. See the list of subcontractors authorized to access Customer Data in Intune. This list applies to all Intune services except for:
Segregation of duties for critical functions has been implemented in the Intune environment to minimize the risk of unintentional or unauthorized access or change to production systems. Duties and responsibilities have been defined for the different Intune engineering teams and provide for segregation of duties. Responsibilities for requesting, approving and implementing changes to production systems are segregated among different teams. Asset owners/custodians approve different accesses and privileges in the production environment.
The Online Services Security and Compliance (OSSC) team is responsible for the Microsoft cloud infrastructure Information Security Program, including policies and programs used to manage risks to Microsoft’s cloud services environments. The mission of OSSC is to drive an industry leading security and compliance program for Microsoft's Cloud Services.
OSSC manages the physical security at all Microsoft’s datacenters, which is critical to keeping the facilities operational as well as to protecting customer data. Established, precise procedures in security design and operations are utilized for each facility.
The Microsoft Business Continuity Program uses industry best practices to create and adapt capabilities in this area to address new applications as they become available in the Microsoft cloud environment.
Microsoft uses an ongoing management and governance process to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and plans, and ensure continuity of products and services. Knowing all the resources – the people, equipment, and systems – needed to execute a task or perform a process is essential to creating a relevant plan for when disaster strikes. The failure to review, maintain, and test the plan is one of the biggest risks associated with having a disastrous loss occur; therefore, the program does more than simply record recovery procedures.
Data retention policies and procedures are defined and maintained in accordance with regulatory, statutory, contractual or business requirements. The Microsoft backup and redundancy program undergoes an annual review and validation.
Microsoft backs up infrastructure data regularly and validates restoration of data periodically for disaster recovery purposes.
“Information back-up” is covered under the ISO 27001 standards, specifically addressed in Annex A, domain 10.5.1. For more information, we suggest reviewing the publicly available ISO standards against which we are certified.
Microsoft applies many layers of security as appropriate to datacenter devices and network connections. For example, security controls are used on both the control and management planes. Specialized hardware such as load balancers, firewalls, and intrusion prevention devices is in place to manage volume-based denial of service (DoS) attacks.
Microsoft’s cloud infrastructure management teams apply tiered access control lists (ACLs) to segmented virtual local area networks (VLANs) and applications as needed.
Through network hardware, Microsoft uses application gateway functions to perform deep packet inspection and take actions such as sending alerts based on, or blocking, suspicious network traffic.
A globally redundant internal and external DNS infrastructure is in place for the Microsoft cloud environment. Redundancy provides for fault tolerance and is achieved through clustering of DNS servers. Additional controls mitigate distributed denial of service (DDoS) and cache poisoning or pollution attacks. For example, ACLs within DNS servers and DNS zones restrict write access to DNS records to authorized personnel.
New security features, such as randomization of query identifiers, from the latest secure DNS software are used on all DNS servers. DNS clusters are continuously monitored for unauthorized software and DNS zone configuration changes, as well as for other disruptive service events.
DNS is part of the globally connected Internet and requires the participation of many organizations to provide this service. Microsoft participates in many of these, such as the DNS Operations Analysis and Research Center (DNS-OARC), which is comprised of DNS experts worldwide.
Potential threats, vulnerabilities and exploitation techniques which could affect the service are assessed and corrective actions are taken. The service implements technologies to scan the environment for vulnerabilities. Additionally, we contract with external penetration testers who also test the systems. Identified vulnerabilities are tracked and verified for remediation. In addition, regular vulnerability/penetration assessments are performed to identify vulnerabilities and determine whether key logical controls are operating effectively.
Microsoft’s Security Response Center (MSRC) regularly monitors external security vulnerability awareness sites. As part of the routine vulnerability management process, Microsoft evaluates its cloud services’ exposure to these vulnerabilities and takes action across the services to mitigate risks when necessary.
Microsoft has developed robust processes to facilitate a coordinated response to incidents if one were to occur. Contractual obligations in the Intune service agreements require Microsoft to notify customers promptly in the event of a breach affecting their data. The process is validated through the ISO 27001 audit provisions provided by the service. Security incidents may include, but are not limited to: e-mail viruses, malware, worms, denial of service attacks, unauthorized access, and any other type of unauthorized or unlawful activity involving Intune computer networks or data processing equipment.
Password management policies within the Intune environment are managed by Microsoft Cloud Infrastructure and Operations (MCIO) and pushed down through Active Directory group policy. Group Policy settings include the requirement for passwords to meet complexity requirements.
User access management addresses all stages of access within the Intune environment, including formal registration of initial account setup and periodic review and termination of user access to services and source code within the Intune environment. In accordance with the Least Privilege Access (LPA) policies and guidelines addressed within Microsoft’s Information Security Policy, Intune teams maintain defined responsibilities in controlling and monitoring user access.
The Intune team maintains access to Client Operations Support tools using an access management tool to control membership of corporate domain based groups to Microsoft Intune assets. Client Operations Support Tools are a collection of tools used by Intune support and service engineering groups. These tools enable these groups to look at various data points and resolve customer and infrastructure issues with Intune. The Intune Client Operations and Engineering groups use an access management tool to maintain access to applications and tools supporting Intune environments.
All privileges are allocated to Microsoft personnel on a need-to-use basis and on an event-by-event basis in line with the access control policy, meaning the relevant personnel have the least privileged access required for their functional role, and only when necessary.
To prevent unauthorized or inappropriate access to the operating system, Intune relies on a comprehensive access control framework. This framework consists of secure logon procedures, User ID and password authorization, and password management to confirm access is authorized, appropriate and used in accordance with the established access control policy.
Employee status data from Microsoft Human Resources (HR) is used to facilitate the provisioning and removal of user accounts in MCIO-managed Active Directory domains upon termination of the employee. Automated feeds from Microsoft HR systems provide this information, and account management processes prevent the creation of an account for individuals who do not have valid HR records.
Yes. Microsoft personnel each have their own unique user account. Employee status data from Microsoft Human Resources (HR) is used to facilitate the provisioning and removal of user accounts in Microsoft-managed Active Directory domains. Automated feeds from HR systems provide this information, and account management processes create or delete accounts based on valid HR records.
Microsoft’s Information Security Policy requires that access to Intune assets be granted based on business justification, with the asset owner's authorization, and limited based on "need-to-know" and "least-privilege" principles. In addition, the policy also addresses requirements for the access management lifecycle, including access provisioning, authentication, access authorization, removal of access rights and periodic access reviews.
Password policies for corporate domain accounts are managed through Microsoft’s corporate Active Directory policy, which specifies minimum requirements for password length, complexity and expiration. Temporary passwords are communicated to users using Microsoft IT (MSIT) established processes. All services and infrastructure must meet or exceed MSIT requirements, and may apply stricter settings at their own discretion to meet their security needs.
Microsoft Security Policy requires that physical media must be transported through secure shipping. "Secure Shipping" is the transportation of assets requiring chain-of-custody tracking and physical control of assets by accountable personnel at all times, as approved by the security group.
Microsoft requires subcontractors to join Microsoft's Vendor Privacy Assurance Program, to meet our privacy requirements by contract, and to undergo regular privacy training. We contractually obligate subcontractors that work in facilities or on equipment controlled by Microsoft to follow our privacy standards. All other subcontractors are contractually obligated to follow privacy standards equivalent to our own.
Yes, two-factor authentication is utilized via the authentication domain managed by Microsoft Cloud Infrastructure and Operations (MCIO). Access to the Intune machines is through Remote Desktop Services, and additional remote access authentication methods have not been implemented. Remote access to the corporate network is managed by Microsoft Information Technology (MSIT). MSIT relies on the DirectAccess and Virtual Private Network (VPN) solution to control remote access to network services.
Internal and external access to the Intune environment is a critical function of security. The level of access granted is designed to prevent the compromise of security of network services being accessed. Intune aligns with the Microsoft Cloud Infrastructure and Operations (MCIO) Network Security standard regarding network access, which details a comprehensive network access control framework, to effectively control access to network services.
Microsoft’s Global Networking Services (GNS) is responsible for network security throughout their managed domains in which the Intune service is deployed. Access to GNS network devices is provided through various secure mechanisms and follows standard logical access procedures established by MCIO. Only authorized Microsoft resource administrators are allowed to have physical or logical access to network devices. All connections must be authorized by MCIO as noted above. The Intune engineering team has defined requirements and established network controls to protect and maintain network systems, servers, and applications from threats.
Intune is audited to the level of SSAE16 SOC 1 and SOC 2 Type II by independent external auditors. In addition, Intune is audited annually as part of the ISO 27001 certification process.
No. Our independent audits and certifications are shared with customers in lieu of individual customer audits. These certifications and attestations accurately represent how we obtain and meet our security and compliance objectives, and serve as a practical mechanism to validate our promises for all customers. Allowing potentially thousands of customers to audit our services would not be a scalable practice and might compromise security and privacy. Our independent third-party validation program includes audits that are conducted on an annual basis to provide verification of Intune security controls.
No. Microsoft is not able to agree to custom audit obligations for individual customers. The costs and potential conflicts between varying obligations make it impractical to customize audits.