Are you waiting to migrate from the Intune Silverlight portal to the new Azure portal? If so, avoid creating NEW Intune groups (in the Silverlight console) with any exclusion logic; otherwise your migration may be delayed further. You also need to remediate the exclusion logic you are already using in EXISTING Intune groups. So what is this exclusion logic, and why is it not supported as part of the Intune migration to the Azure portal? Azure AD doesn't support exclusion logic, and going forward Intune will use Azure AD groups for targeting policies, applications and profiles to devices.
First – Exclusion Groups
Intune groups (Silverlight) have an Exclusion option. If you have used it to exclude some users or devices from your deployments/assignments, you need to remediate that exclusion logic.
Second – Implicit exclusions
This is more complex than the first exclusion scenario. Even if you never used the exclude members option in Group membership (Silverlight), you end up with implicit exclusion logic if you do the following:
1. Create a group that doesn’t use All Users as the parent group.
In the following scenario (screen capture), I have created a group called “Helpdesk Group”. The parent group of “Helpdesk Group” is NOT All Users; instead I used “Intune Group” as its parent group. This is what is called an implicit exclusion in Intune. You need to remediate this in your Intune groups.
2. Start with an empty group on the criteria membership page.
3. Include one or more security groups.
Remediation of exclusion logic in Intune groups
My recommendation is to create new groups without exclusion logic, using the new dynamic user/device group options, and then deploy the existing apps and policies to those new groups alongside the old groups for some days. Once you have confirmed that everything is OK, remove the old Intune groups with exclusion logic from the respective deployments. If everything is still fine after that, delete the Intune groups with exclusion logic!
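One way to check, before removing an old group, that its replacement targets the same members. This is an added example, not code from the original post or from Microsoft. The group layout, field names and sample members are constructed, and it assumes a child group can only contain members of its parent group.

```python
# Added example: model of legacy (Silverlight) Intune group evaluation.
# The data layout, field names and members are constructed for illustration.
ROOT = "All Users"

SECURITY_GROUPS = {  # constructed sample Azure AD security groups
    "SG-Intune": {"alice", "bob", "dave"},
    "SG-Helpdesk": {"alice", "carol"},
    "SG-Contractors": {"erin"},
}
LEGACY_GROUPS = {  # constructed sample export of Intune groups
    ROOT: {"parent": None, "members": {"alice", "bob", "carol", "dave", "erin"}},
    "Intune Group": {"parent": ROOT, "start_empty": True,
                     "include": ["SG-Intune"], "exclude": []},
    "Helpdesk Group": {"parent": "Intune Group", "start_empty": True,
                       "include": ["SG-Helpdesk"], "exclude": []},
    "Pilot Group": {"parent": ROOT, "start_empty": False,
                    "include": [], "exclude": ["SG-Contractors"]},
}

def _union(names):
    """Combined membership of the named security groups."""
    return set().union(*(SECURITY_GROUPS[n] for n in names))

def effective_members(name):
    """Members the legacy group really targets, with parent limits applied."""
    g = LEGACY_GROUPS[name]
    if g["parent"] is None:
        return set(g["members"])
    parent = effective_members(g["parent"])
    base = set() if g["start_empty"] else set(parent)
    base |= _union(g["include"])
    base &= parent  # assumption: a child never exceeds its parent group
    return base - _union(g["exclude"])

def exclusion_findings(name):
    """Return which kinds of exclusion logic the group uses."""
    g = LEGACY_GROUPS[name]
    found = []
    if g.get("exclude"):
        found.append("explicit")
    if g["parent"] != ROOT and g.get("start_empty") and g.get("include"):
        found.append("implicit")
    return found

def migration_diff(name, new_members):
    """(missing, extra) members of a replacement group vs. the legacy one."""
    old = effective_members(name)
    return old - new_members, new_members - old
```

With this sample data, a new group built directly from SG-Helpdesk would add carol, who was implicitly excluded from “Helpdesk Group” because she is not in its parent “Intune Group”.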
Are you an Azure AD admin? Don’t delete the new groups that pop up in the Azure portal
Over the next few months, Intune is migrating all Intune groups over to Azure AD groups. What does this mean to you? As an Azure AD admin, you’ll start to see Intune groups in your Azure AD infrastructure. Please do not delete these groups; they’ll pop in there in preparation for migration, then will be populated by our migration engine.
Now your tenant is ready for the Intune Silverlight console to Azure portal migration 🙂
More details in the Communication from Microsoft here