Intune App Assignment Include Exclude Azure AD Groups Microsoft Intune

For good reasons, the Microsoft Intune team deprecated the application assignment type “Not Applicable”. So there is no need to worry when you don’t see the “Not Applicable” assignment type in your Intune tenant.

“Not Applicable” is no longer an option in the console; it is replaced by “Excluded Groups”. The Excluded Groups option was already available for configuration policies, and it’s useful.

Do you remember the Groups in the Intune Silverlight portal? There was an exclusion logic used in Intune groups in the Silverlight portal. I think the excluded Azure AD groups used in app assignment do not use nested groups logic (Implicit Exclusion Groups).

In this post, I’m trying to explain two application assignment scenarios using Intune “Excluded Groups” logic.

What is the new Intune “Excluded Groups” feature?

Intune has a new app assignment process with an “Excluded Groups” option. Using it, you can now easily manage app assignments to groups with overlapping members or groups targeted with conflicting app assignment types.

How does the deprecation of “Not Applicable” affect you?

Previously, the app assignment process in the Intune on Azure console had the option of targeting groups with the “Not Applicable” assignment type. This will no longer be the case. “Not Applicable” will be replaced by the “Excluded Groups” option.

This new feature lets you target an app to a large group of users or devices while restricting it from a subset of the same group.

  • https://blogs.technet.microsoft.com/intunesupport/2018/02/02/new-feature-new-app-assignment-process-in-intune-with-an-excluded-groups-option/

What do I need to do to prepare for this change?

Start using the new app assignment process and update your documentation if needed. Click on Additional Information to see screenshots and to read about different scenarios where this new feature can help you manage your app assignments.

I will use the following two scenarios to give a brief idea of the new feature called Excluded Groups in Intune. I also have a video tutorial that explains both of these scenarios.

  • Scenario A – Facebook is available for All Users Except “Mumbai Users”
  • Scenario B – WhatsApp is available for All Bangalore Users Except “L1 Team”

Scenario A

I want to make the Facebook application available to “All Users” in the organization. But this application should not be available for “Mumbai Users”.

  1. Launch Azure Portal and navigate through Microsoft Intune – Mobile Apps – Apps
  2. Select the Facebook app that you want to assign. A dashboard is displayed related to the app.
  3. Select Assignments under the Manage section.
  4. Select Add group to add the groups of users who are assigned the app.
  5. Select an Assignment type from the available assignment types on the Add group blade. The available app assignments are “Available for enrolled devices“, “Available with or without enrollment,” and “Required”.
  6. Select “Available for enrolled devices” as the assignment type.
  7. Select Included Groups to select the group of users you want to make the Facebook app available to.
  8. Select Yes to make “this app available to all users with enrolled devices”.
  9. Click OK to set the group to include.
  10. Select Excluded Groups to select the groups of users you want to make the Facebook app unavailable to.
  11. Select the group “Mumbai Users” to exclude, which makes the Facebook app unavailable for the users in the “Mumbai Users” Azure AD group.
  12. Click OK on the Add group blade. The app Assignments list is displayed.
  13. Click Save to make your group assignments active for the Facebook app.

Scenario B

I want to make the WhatsApp application available to “All Bangalore Users” in the organization. But this application should not be available for the “L1 Team”. The video tutorial “Intune App Assignment Include Exclude Azure AD Groups” includes more details.

  1. We need to follow the above steps from 1 to 7.
  2. Select Included Groups to select the groups of users that you want to make the WhatsApp application available to.
  3. Select the group “All Bangalore Users” to include, making the WhatsApp app available for the users in the “All Bangalore Users” Azure AD group.
  4. Click OK on the Add group blade to include the users. The app Assignments list is displayed to All Bangalore Users.
  5. Select Excluded Groups to select the groups of users that you want to make the WhatsApp app unavailable to.
  6. Select the group “L1 Team” to exclude, making the WhatsApp app unavailable for the users in the “L1 Team” Azure AD group.
  7. Click OK on the Add group blade. The app Assignments list is displayed.
  8. Click Save to make your group assignments active for the WhatsApp app.
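
The two scenarios above can also be expressed as Microsoft Graph assignment bodies. The following is an added example, not part of the original post: it builds the request body for the `mobileApps/{id}/assign` action and evaluates a simplified include-minus-exclude model. The group IDs, user names and helper names are constructed placeholders.

```python
import json

# Portal assignment type -> Microsoft Graph installIntent value.
INTENT = {
    "Available for enrolled devices": "available",
    "Available with or without enrollment": "availableWithoutEnrollment",
    "Required": "required",
}
ODATA = "#microsoft.graph."

def build_assign_body(assignment_type, include_ids=(), exclude_ids=(), all_users=False):
    """Body for POST /deviceAppManagement/mobileApps/{id}/assign."""
    overlap = set(include_ids) & set(exclude_ids)
    if overlap:
        raise ValueError(f"group both included and excluded: {sorted(overlap)}")
    if exclude_ids and not (all_users or include_ids):
        raise ValueError("an exclusion needs an included target to subtract from")
    targets = []
    if all_users:
        targets.append({"@odata.type": ODATA + "allLicensedUsersAssignmentTarget"})
    targets += [{"@odata.type": ODATA + "groupAssignmentTarget", "groupId": g} for g in include_ids]
    targets += [{"@odata.type": ODATA + "exclusionGroupAssignmentTarget", "groupId": g} for g in exclude_ids]
    return {"mobileAppAssignments": [
        {"@odata.type": ODATA + "mobileAppAssignment", "intent": INTENT[assignment_type], "target": t}
        for t in targets]}

def effective_users(body, members, everyone):
    """Simplified model (assumption): included users minus excluded users, direct members only."""
    inc, exc = set(), set()
    for a in body["mobileAppAssignments"]:
        t = a["target"]
        kind = t["@odata.type"].rsplit(".", 1)[-1]
        if kind == "allLicensedUsersAssignmentTarget":
            inc |= everyone
        elif kind == "groupAssignmentTarget":
            inc |= members[t["groupId"]]
        else:  # exclusionGroupAssignmentTarget
            exc |= members[t["groupId"]]
    return inc - exc

# Constructed sample data: placeholder group ids and users, not from a real tenant.
MUMBAI = "00000000-0000-0000-0000-00000000000a"
BANGALORE = "00000000-0000-0000-0000-00000000000b"
L1 = "00000000-0000-0000-0000-00000000000c"
MEMBERS = {MUMBAI: {"asha", "ravi"}, BANGALORE: {"kiran", "meera", "vik"}, L1: {"vik"}}
EVERYONE = {"asha", "ravi", "kiran", "meera", "vik", "tom"}

scenario_a = build_assign_body("Available for enrolled devices", exclude_ids=[MUMBAI], all_users=True)
scenario_b = build_assign_body("Available for enrolled devices", [BANGALORE], [L1])

if __name__ == "__main__":
    print(json.dumps(scenario_a, indent=2))
    print(sorted(effective_users(scenario_b, MEMBERS, EVERYONE)))
```

The builder rejects a group that appears on both lists and an exclusion with nothing included, two mistakes that are easy to make when scripting assignments instead of using the blade.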

Author

Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
