search

Supported scenarios

hashtag
Scenarios

Bulk manage Microsoft Intune policy assignments using CSV files (add, remove, replace) across tenants.

hashtag
Overview

We have tested various common scenarios for managing Microsoft Intune policy assignments using the Assignments Manager. This guide provides detailed examples and explanations for each scenario, helping you understand how to effectively use the tool for your specific needs.

Assignments Manager allows you to manage Microsoft Intune policy assignments in bulk using CSV files and reach a desired assignment state for your policies.

You can add, remove, replace, or clear assignments for policies across different tenants.

hashtag
Supported Operations

The tool supports four primary actions:

  • Add - Add new assignments to existing policies

  • Remove - Remove specific assignments from policies

  • Replace - Replace all existing assignments with new ones

  • NoAssignment - Remove all assignments using the NoAssignment action

hashtag
Supported Resources

Currently, the resources below are supported and tested by the team. The team tested these policies with the supported operations described above.

Platform
Intune Resource

All platforms

Settings Catalog

Compliance Policiy

Android

App Protection Policy

Android Enterprise - Device Restrictions Device Owner

Android Enterprise - Device Restrictions Work Profile

App Configuration Policy

iOS & iPad OS

App Configuration Policy

App Protection Policy

Device Features Policy

Device Restrictions

macOS

Custom Configuration Policy

Shell Scripts

Windows

Autopilot Deployment Profiles

Custom Configuration Profiles

Device Restriction Profiles

Driver Updates

Feature Updates

Kiosk Profiles

Platform Scripts

Proactive Remediation Scripts

Quality Updates

Windows Health Monitoring Profiles

circle-info

The team successfully tested the resources above. Missing resources in the list are not supported. They could work, but we are not responsible for any misconfiguration on that side. If they work, we are glad to hear so we can update our support list. We take new or unknown resources very seriously. We strive to get every resource in the product before you hit an unknown resource. If you are ahead, please let us know so we can add the resource. For both situations, please create a GitHub issuearrow-up-right to add that resource to the list.

hashtag
Assignment Types

1

hashtag
Group Assignments

Assign policies to specific Entra ID groups.

CSV Format:

Result: Policy is assigned to all members of the "Finance Department" group.

2

hashtag
All Users

Assign policies to all licensed users in your tenant.

CSV Format:

Result: Policy applies to every user with an Intune license.

3

hashtag
All Devices

Assign policies to all devices enrolled in Intune.

CSV Format:

Result: Policy applies to all enrolled devices regardless of user.

hashtag
Assignment Actions

hashtag
Add Action

Adds new assignments without removing existing ones.

Scenario: Add Group Assignment

CSV:

Before:

  • Policy has "All Users" assignment

After:

  • Policy has "All Users" assignment

  • Policy has "IT Admins" group assignment

Scenario: Add Assignment with Exclusion Group

CSV:

Result:

  • Policy assigned to all users

  • Test Users group included separately (can be excluded via filters)

hashtag
Remove Action

Removes specific assignments without affecting others.

Scenario: Remove Included Group Assignment

CSV:

Before:

  • Policy assigned to: "Finance Team", "Sales Team", "All Devices"

After:

  • Policy assigned to: "Sales Team", "All Devices"

  • "Finance Team" assignment removed

Scenario: Remove Excluded Group Assignment

CSV:

Before:

  • Policy assigned to: "Finance Team", "Sales Team", "All Devices" and excluded "Excluded IT Team"

After:

  • Policy assigned to: "Finance Team", "Sales Team", "All Devices"

  • "Excluded IT Team" exclusion removed

Scenario: Remove All Users Assignment

CSV:

Before:

  • Policy assigned to "All Users"

After:

  • Policy has no assignments

hashtag
Replace Action

Removes all existing assignments and adds the new one(s).

Scenario: Replace Group with Another Group

CSV:

Before:

  • Policy assigned to: "Old Group A", "Old Group B", "All Users"

After:

  • Policy assigned to: "New Security Group" only

Scenario: Replace Multiple Assignments with All Devices

CSV:

Before:

  • Policy assigned to: "Group 1", "Group 2", "Group 3"

After:

  • Policy assigned to: "All Devices" only

hashtag
Clear (NoAssignment) Action

Removes all existing assignments from the policy.

Scenario: Clear All Assignments

CSV:

Before:

  • Policy assigned to: "Group A", "Group B", "All Users"

After:

  • Policy has no assignments

hashtag
Assignment Filters

Assignment filters allow you to include or exclude devices based on device properties.

hashtag
Filter Types

  • Include - Apply policy only to devices matching the filter

  • Exclude - Apply policy to all devices except those matching the filter

hashtag
Filter Platform Matching

Important

Assignment Filter platform must match the policy platform.

Policy Platform
Compatible Filter Platform

Windows10AndLater, Windows8AndLater, Windows

Windows

iOS

iOS

Android

Android

macOS

macOS

hashtag
Scenario: Add Assignment with Include Filter

CSV:

Result:

  • Policy assigned to all devices

  • Only applied to devices matching "Windows 11 Only" filter

hashtag
Scenario: Add Assignment with Exclude Filter

CSV:

Result:

  • Policy assigned to all users

  • Not applied to devices matching "Test Devices" filter

hashtag
Scenario: Remove Assignment with Specific Filter

CSV:

Before:

  • Policy assigned to "Sales Team" with "VIP Devices" (Exclude)

  • Policy assigned to "Sales Team" without filter

After:

  • Only the assignment with the matching filter is removed

  • Assignment without filter remains

hashtag
Common Scenarios

hashtag
Scenario 1: Migrate Policy from One Group to Another

Goal: Move policy from "Pilot Users" to "All Users"

CSV:

Result: All previous assignments removed, policy now assigned to "All Users"

hashtag
Scenario 2: Add Exclusion to Existing Assignment

Goal: Keep current assignments but exclude test devices

CSV:

Result: Policy applies to all devices except those matching "Test Devices" filter

hashtag
Scenario 3: Change Filter Direction

Goal: Change from excluding test devices to including only production devices

CSV:

Result: All previous assignments removed, policy now applies only to production devices

hashtag
Scenario 4: Batch Migration Multiple Policies

CSV:

Result: Multiple policies migrated to new assignments in one operation

hashtag
Scenario 5: Replace and Add Exclusion

Goal: Replace assignment and immediately add exclusion group

CSV:

Processing Order:

1

Replace removes all assignments and adds "All Users"

2

Add includes "Excluded Users" group

Note

This creates two assignments — you may want to use filters instead for exclusions.

hashtag
Scenario 6: Clear All Assignments from Multiple Policies

CSV:

Result: All assignments removed from specified policies

hashtag
Scenario 7: Implement new policies (Update ring 1) for Pilot Group only

CSV:

This will keep the existing production policy for all users but exclude the pilot group. The new production policy will be assigned only to the pilot group.

hashtag
Validation Rules

hashtag
Rule 1: Cannot Mix All Users/All Devices with Groups

Invalid

Cannot mix All Users / All Devices with group assignments in the same policy batch.

❌ Invalid:

Error: "Cannot mix 'All Users' with group assignments"

✅ Solution (use Replace):

hashtag
Rule 2: Filter Platform Must Match Policy Platform

❌ Invalid:

Error: "Filter platform 'iOS' does not match policy platform 'Windows'"

✅ Valid:

hashtag
Rule 3: Cannot Have Conflicting Actions in Same Batch

❌ Invalid:

Error: "Conflicting assignment actions detected for the same assignment"

Reason: Adding and removing the same assignment in one batch creates a conflict.

hashtag
Rule 4: Cannot Add Same Assignment with Different Filters

❌ Invalid:

Error: "Conflicting filter types for the same assignment"

Reason: Same group cannot have both Include and Exclude filters simultaneously.

hashtag
Best Practices

hashtag
1. Test Before Production

Always test your CSV with a small subset of policies first:

hashtag
2. Use Replace for Clean Migrations

When migrating policies, use Replace to avoid orphaned assignments:

hashtag
3. Verify Group Names

Ensure group names match exactly (case-sensitive):

finance teamFinance TeamFinance Team = Finance Team

hashtag
4. Check Filter Names

Filter names must exist in your tenant before migration:

Verify "Corporate Devices" filter exists first.

hashtag
5. Batch Similar Operations

Group similar operations together:

hashtag
6. Order of Operations

When using multiple actions, they execute in CSV row order:

Result:

1

Replace removes all assignments and adds "All Users"

2

Add includes "Excluded Group"

hashtag
MSP Scenario Examples

hashtag
New Customer Onboarding (MSPs)

You have used other tools like Inforcer, Coreview or just added all those policies manually in a customer tenant. Now you can use the Assignments Manager to user your standardized assignment template from your pilot tenant and use it for future customers.

hashtag
Pilot to Production Migration

You have new policies added to a tenant and want to test it in a pilot group first.

hashtag
Error Messages

Error Message
Cause
Solution

"Policy not found"

Policy name doesn't exist

Verify policy name spelling

"Group not found"

Group name doesn't exist

Check Entra ID group name

"Filter not found"

Filter name doesn't exist

Verify assignment filter exists

"Platform mismatch"

Filter platform ≠ policy platform

Use matching platform filter

"Cannot mix assignment types"

Mixing All Users/Devices with groups

Use Replace action

"Conflicting actions"

Same assignment has Add + Remove

Remove duplicate

hashtag
Examples by Policy Type

hashtag
Configuration Policies

hashtag
Compliance Policies

hashtag
App Protection Policies

hashtag
Security Baselines

hashtag
FAQ

chevron-rightQ: What happens if I add the same assignment twice?hashtag

A: The operation is idempotent - only one assignment is created.

chevron-rightQ: Can I remove an assignment that doesn't exist?hashtag

A: No, during compare phase it checks if the assignment exists. If it doesn't exist it is not ready for migration.

chevron-rightQ: Can I use Replace multiple times in one CSV?hashtag

A: Yes, but each Replace overwrites the previous one for that policy.

chevron-rightQ: Can I migrate assignments between tenants?hashtag

A: No, group and filter names must exist in the target tenant.

chevron-rightQ: What happens if a filter name is wrong?hashtag

A: Error: "Assignment filter not found" - operation fails for that row.

hashtag
Support

1

Verify CSV format matches examples above

2

Check validation rules section

3

Review error messages table

4

Contact your system administrator

Last updated