Key Takeaways
- Intune allows administrators to include or exclude user and device groups from app assignments.
- Exclusions help prevent app access due to security, licensing, or business requirements.
- Before assigning groups, administrators must select an assignment type such as Available, Required, or Uninstall.
- Excluding groups helps improve app management, tracking, and usage control.
- A common scenario is assigning an app to a large group while excluding a smaller group, such as test users or executives.
How to Exclude Devices or Users from Intune App Assignments! Excluding users or devices from app assignments in Intune provides administrators with greater control over application deployment. It helps ensure that only the intended users and devices receive access to specific apps while supporting security, licensing, and operational requirements.
Table of Content
Table of Contents
How to Exclude Devices or Users from Intune App Assignments
To exclude specific groups of users or devices from an app assignment in Intune, follow these steps. If you want to remove users or devices from ongoing deployment, you can create a new Entra ID group and add the members you want to exclude to it.
- Sign in to the Microsoft Intune admin center https://intune.microsoft.com/.
- Select Apps > Windows > Windows App. Select the existing application from the list that you want to exclude from users or devices.
- For Example, I will be selecting Bitwarden Password Manager.
- Intune Win32 App Deployment Step By Step Guide For ITPros
- Create AAD Dynamic Groups Based On MDM Intune SCCM Management
Once you choose the application, click on “Properties”. Scroll down to find the “Assignments” section and click on “Edit” within that section. The screenshot below helps you to show more details.
Assignment Type
App availability can be set based on the assignment type. Assignment type can be Required, Available for enrolled devices, or Uninstall. Here, the application Assignment type is Required to make this app required for all users or make this app required on all devices.
To exclude the selected user or device groups, click on Add Group, and then choose Select Groups to include one or more groups. Ensure the device or user you try to exclude is added to the selected group.
Note – The Not Applicable assignment type has been deprecated and replaced by Exclude Groups in Intune. Microsoft recommends using the built-in All Users and All Devices groups for app assignments, as they are optimized for better performance and management. Additionally, Android Enterprise supports both group inclusion and exclusion, allowing administrators to use these built-in groups for app deployments.
HTMD Test Policy group
In the Assignments section, we selected the HTMD Test Policy group. To choose the group, simply locate it in the list, select the checkbox next to the group name, and then click the Select button to add it to the assignment. This makes it easy to include the required group for the app deployment or policy assignment.
Under “Assignments“, you will see Group mode is set to “Included”. Click on the Included button to select exclude groups, and then select the groups of users or devices that you want to exclude from the app assignment.
Note – When a group is already included in a specific app assignment type, it is automatically preselected and cannot be used for another include assignment type. The same group cannot be added again as an included group.
When you add a new group, it will automatically be set to the Included mode. However, if you need to change this, you can click on the Excluded option for the newly added group. The screenshot below helps you to show more details.
Here, you can see the mode switched to Excluded, and then click OK to save your changes and complete all the steps. Note! The excluded option is not available for “all users” and “all devices” built-in assignment groups. If a group has already been assigned as included under a different assignment, then the option to change the mode will not be available.
| Assignment Settings | Configured |
|---|---|
| Mode | Excluded |
Once the app assignment mode is set to Exclude, the selected group is prevented from receiving the app assignment. Any users or devices that are members of the excluded group will not receive, install, or have access to the app through that specific Intune assignment, even if they belong to an included group.
Removing a group assignment does not automatically uninstall the app from devices. In most cases, the app remains installed even after the assignment is removed. The exception is Android Enterprise dedicated, fully managed, and corporate-owned work profile devices, where the app may be removed when the assignment is no longer applied.
The next screen displays a Summary of your assignment configuration. Review the selected settings and groups to ensure everything is configured correctly. Once you have verified the details, click Save to apply the changes and complete the app assignment configuration.
In the last step of the edit application step, A notification will appear automatically in the top right-hand corner with the message “Application Bitwarden Password Manager saved successfully.”
After you have excluded specific groups of users or devices from an app assignment, those users or devices will not be able to use the app once you removed them if already provisioned. It is important to note that this feature only applies to Intune app assignments, and does not prevent users or devices from manually installing the app from other sources.
Video: Supported Application Types in Intune
In this video, you will get the details on Supported Intune Application Types. This video also explains about Limitations of each app type and Important Considerations while making Intune Design Decisions.
Need Further Assistance or Have Technical Questions?
Join the LinkedIn Page and Telegram group to get the latest step-by-step guides and news updates. Join our Meetup Page to participate in User group meetings. Also, join the WhatsApp Community and the Whatsapp channel to get the latest news on Microsoft Technologies. We are there on Reddit as well.
Author
About Author – Jitesh, Microsoft MVP, has over six years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus is Windows 10/11 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.