In Intune, you can determine who has access to an app by assigning groups of users to include and exclude. Before you assign groups to the app, you must set the assignment type for an app. The assignment type makes the app available, required, or uninstalls the app.
To set the availability of an app, you include and exclude app assignments to a group of users or devices by using a combination of include and exclude group assignments. This capability can be useful when you make the app available by including a large group, and then narrow the selected users by also excluding a smaller group. The smaller group might be a test group or an executive group.
As a best practice, create and assign apps specifically for your user groups, and separately for your device groups. For more information on groups, see Add groups to organize users and devices.
When working with group assignments, if Microsoft Entra soft-deletes groups, Intune displays them as soft deleted in the console and their assignments are removed. Restoring the groups restores their assignments.
Important scenarios exist when including or excluding app assignments:
Including user groups and excluding user groups when assigning apps
Including device groups and excluding device groups when assigning apps
For example, if you assign a device group to the All corporate users user group, but exclude members in the Senior Management Staff user group, All corporate users except the Senior Management staff get the assignment, because both groups are user groups.
For example, if you assign a device group to the All Users user group, but exclude an All personal devices device group, All users get the app. The exclusion doesn't apply.
As a result, we don't recommend assigning apps to mixed groups.
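The two examples above can be modeled as a small audit that flags exclusions that will not take effect. This is an added example, not Microsoft's code or an Intune API; the `Assignment` record, the `kind` label, and the member names are constructed assumptions, and the group kind must be supplied by whoever runs the audit.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Assignment:
    intent: str         # "available", "required" or "uninstall"
    mode: str           # "include" or "exclude"
    group: str          # group name
    kind: str           # "user" or "device" (assumption: supplied by the auditor)
    members: frozenset  # constructed member names

def mixed_exclusions(assignments):
    """Exclusions whose group kind matches no included group of the same intent."""
    findings = []
    for exc in (a for a in assignments if a.mode == "exclude"):
        peers = [a for a in assignments
                 if a.mode == "include" and a.intent == exc.intent]
        if peers and all(p.kind != exc.kind for p in peers):
            findings.append((exc.intent, exc.group, [p.group for p in peers]))
    return findings

def effective_targets(assignments, intent):
    """Model the page's rule: an exclusion only removes members of the same kind."""
    targets = {"user": set(), "device": set()}
    for a in assignments:
        if a.intent == intent and a.mode == "include":
            targets[a.kind] |= a.members
    for a in assignments:
        if a.intent == intent and a.mode == "exclude":
            targets[a.kind] -= a.members
    return targets

# Constructed sample data using the group names from the page's two examples.
SAME_TYPE = [
    Assignment("available", "include", "All corporate users", "user",
               frozenset({"alice", "bob", "carol"})),
    Assignment("available", "exclude", "Senior Management Staff", "user",
               frozenset({"carol"})),
]
MIXED = [
    Assignment("available", "include", "All Users", "user",
               frozenset({"alice", "bob", "carol"})),
    Assignment("available", "exclude", "All personal devices", "device",
               frozenset({"carol-phone"})),
]

if __name__ == "__main__":
    for name, data in (("same-type", SAME_TYPE), ("mixed", MIXED)):
        print(name, effective_targets(data, "available"), mixed_exclusions(data))
```

In the mixed case the user `carol` still receives the app even though her device is in the excluded group, which is the outcome the audit is meant to surface before an assignment is saved.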
Note
When you set a group assignment for an app, the Not Applicable type is deprecated and replaced with exclude group functionality.
Intune provides precreated All Users and All Devices groups in the Microsoft Intune admin center. The groups have built-in optimizations for your convenience. It's highly recommended that you use these groups to target all users and all devices instead of any "all users" or "all devices" groups that you might create yourself.
Android Enterprise supports including and excluding groups. You can use the built-in All Users and All Devices groups for Android Enterprise app assignment.
To assign an app to groups by using the include and exclude assignment:
Sign in to the Microsoft Intune admin center.
Select Apps > All Apps. The list of apps that have been added to Intune is shown.
Select the app that you want to assign. A dashboard displays information about the app.
Select Properties under the Manage section.
Select Edit next to Assignments.
Select Add all users under the Available with or without enrollment section to assign this app to all users.
Select Add group under the Available with or without enrollment section.
Select the group that you want to exclude from the app assignment.
Choose Select to include the group.
Select Included under the Group mode next to the group you added. The Edit assignment pane is displayed.
Note: By default, the groups you select are assigned in included mode.
Select Exclude as the Mode under the Assignment settings in the Edit assignment pane.
Select OK to exclude the selected group.
Select Excluded Groups to select the groups of users that you want to make this app unavailable to.
Select the groups to exclude. This action makes this app unavailable to those groups.
Select Review + save to make your group assignments active for the app.
Note
When you add a group, if any other group has already been included for a specific assignment type, the app is preselected and can't be modified for other include assignment types. The group that has been used can't be used as an included group.
When you make group assignments, groups that have already been assigned aren't available to be modified. If you want to select a group that currently isn't available, first remove the group from the app's assigned list.
To edit assignments, in the app Assignments pane, select the row that contains the specific assignment that you want to change. You can also remove an assignment by selecting the ellipsis (…) at the end of a row, and then selecting Remove.
Note
Removing a group assignment doesn't remove the related app except on Android Enterprise dedicated, fully managed, and corporate-owned work profile devices. The installed app remains on the device.