Intune App Assignment Include Exclude Azure AD Groups


The Microsoft Intune team deprecated the application assignment type “Not Applicable” for good reasons, so there is no need to worry when you don’t see the “Not Applicable” assignment type in your Intune tenant. “Not Applicable” will no longer be an option in the console; it is replaced by “Excluded Groups”. The Excluded Groups option was already available for configuration policies, and it’s useful.

Do you remember the Groups in the Intune Silverlight portal? There was an exclusion logic used in Intune groups in the Silverlight portal. I think the excluded Azure AD groups used in app assignment are not using nested groups logic (Implicit Exclusion Groups). In this post, I’m trying to explain two application assignment scenarios using the Intune “Excluded Groups” logic.

What is the new Intune feature “Excluded Groups”?

Intune has a new app assignment process with an “Excluded Groups” option. You can now easily manage app assignments to groups with overlapping members, or to groups targeted with conflicting app assignment types, by using the new “Excluded Groups” option.

How does the deprecation of “Not Applicable” affect you?

Previously, the app assignment process in the Intune on Azure console had the option of targeting groups with the “Not Applicable” assignment type. This will no longer be the case. “Not Applicable” will be replaced by the “Excluded Groups” option. This new feature lets you target an app to a large group of users or devices while restricting it from a subset of the same group. More details here.

What do I need to do to prepare for this change?

Start using the new app assignment process and update your documentation if needed. Click on Additional Information to see screenshots and to read about different scenarios where this new feature can help you manage your app assignments.

I will use the following two scenarios to give a brief idea of the new Intune feature called Excluded Groups. I also have a video tutorial which explains both of these scenarios.

Scenario A - Facebook is available for All Users Except "Mumbai Users"
Scenario B - WhatsApp is available for All Bangalore Users Except "L1 Team"

Scenario A

I want to make the Facebook application available to “All Users” in the organization, but this application should not be available for “Mumbai Users”. More details are available in the video tutorial Intune App Assignment Include Exclude Azure AD Groups.

  1. Launch Azure Portal and navigate through Microsoft Intune – Mobile Apps – Apps
  2. Select the Facebook app that you want to assign. A dashboard is displayed related to the app.
  3. Select Assignments under the Manage section.
  4. Select Add group to add the groups of users who are assigned the app.
  5. Select an Assignment type from the available assignment types on the Add group blade. The available app assignments are “Available for enrolled devices”, “Available with or without enrollment” and “Required”.
  6. Select “Available for enrolled devices” as the assignment type.
  7. Select Included Groups to select the group of users for whom you want to make the Facebook app available.
  8. Select Yes to make “this app available to all users with enrolled devices”.
  9. Click OK to set the group to include.
  10. Select Excluded Groups to select the groups of users for whom you want to make the Facebook app unavailable.
  11. Select the group “Mumbai Users” to exclude, which makes the Facebook app unavailable for the users in the “Mumbai Users” Azure AD group.
  12. Click OK on the Add group blade. The app Assignments list is displayed.
  13. Click Save to make your group assignments active for the Facebook app.


Scenario B

I want to make the WhatsApp application available to “All Bangalore Users” in the organization, but this application should not be available for “L1 Team”. More details are available in the video tutorial Intune App Assignment Include Exclude Azure AD Groups.

  1. Follow steps 1 to 7 above.
  2. Select Included Groups to select the groups of users for whom you want to make the WhatsApp application available.
  3. Select the group “All Bangalore Users” to include, which makes the WhatsApp app available for the users in the “All Bangalore Users” Azure AD group.
  4. Click OK on the Add group blade to include the users. The app Assignments list is displayed with All Bangalore Users.
  5. Select Excluded Groups to select the groups of users for whom you want to make the WhatsApp app unavailable.
  6. Select the group “L1 Team” to exclude, which makes the WhatsApp app unavailable for the users in the “L1 Team” Azure AD group.
  7. Click OK on the Add group blade. The app Assignments list is displayed.
  8. Click Save to make your group assignments active for the WhatsApp app.
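
Scenarios A and B can also be expressed as the request body for the Microsoft Graph mobile app `assign` action. This is an added example, not part of the original post; the group object IDs are constructed placeholders, and the helper names and the `ALL_USERS` sentinel are this example's own.

```python
import json

# Portal assignment type -> Graph installIntent value.
INTENTS = {
    "Available for enrolled devices": "available",
    "Available with or without enrollment": "availableWithoutEnrollment",
    "Required": "required",
}
ALL_USERS = "ALL_USERS"  # this example's own sentinel for the built-in All Users target

# Constructed placeholder object IDs; real ones come from your Azure AD groups.
GROUPS = {
    "Mumbai Users": "00000000-0000-0000-0000-000000000001",
    "All Bangalore Users": "00000000-0000-0000-0000-000000000002",
    "L1 Team": "00000000-0000-0000-0000-000000000003",
}

def _entry(intent, kind, group_id=None):
    target = {"@odata.type": "#microsoft.graph." + kind}
    if group_id is not None:
        target["groupId"] = group_id
    return {"@odata.type": "#microsoft.graph.mobileAppAssignment",
            "intent": intent, "target": target}

def build_assign_body(assignment_type, included, excluded):
    """Body for POST /deviceAppManagement/mobileApps/{appId}/assign."""
    if assignment_type not in INTENTS:
        raise ValueError("unknown assignment type: " + assignment_type)
    if not included:
        raise ValueError("an exclusion needs an included group to carve from")
    both = set(included) & set(excluded)
    if both:  # catch a contradictory assignment before it is submitted
        raise ValueError("group both included and excluded: %s" % sorted(both))
    intent = INTENTS[assignment_type]
    entries = [_entry(intent, "allLicensedUsersAssignmentTarget") if g == ALL_USERS
               else _entry(intent, "groupAssignmentTarget", g) for g in included]
    entries += [_entry(intent, "exclusionGroupAssignmentTarget", g) for g in excluded]
    return {"mobileAppAssignments": entries}

def scenario_a():  # Facebook: All Users except "Mumbai Users"
    return build_assign_body("Available for enrolled devices",
                             [ALL_USERS], [GROUPS["Mumbai Users"]])

def scenario_b():  # WhatsApp: "All Bangalore Users" except "L1 Team"
    return build_assign_body("Available for enrolled devices",
                             [GROUPS["All Bangalore Users"]], [GROUPS["L1 Team"]])

if __name__ == "__main__":
    print(json.dumps(scenario_a(), indent=2))
```
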


Resources:

  • New feature: New app assignment process in Intune with an “Excluded Groups” option – here
  • Include and exclude app assignments in Microsoft Intune – here
