Scenarios
Bulk manage Microsoft Intune policy assignments using CSV files (add, remove, replace) across tenants.
Assignments Manager - Scenarios
Overview
We have tested various common scenarios for managing Microsoft Intune policy assignments using the Assignments Manager. This guide provides detailed examples and explanations for each scenario, helping you understand how to effectively use the tool for your specific needs.
The Assignments Manager allows you to manage Microsoft Intune policy assignments in bulk using CSV files and reach a desired assignments state for your policies.
You can add, remove, replace or clear assignments for policies across different tenants.
Supported Assignment Types
Currently, we support only policy and configuration assignments. Application assignments will be supported in future releases.
Supported Operations
The tool supports four primary actions:
- Add - Add new assignments to existing policies
- Remove - Remove specific assignments from policies
- Replace - Replace all existing assignments with new ones
- NoAssignment - Remove all assignments using the NoAssignment action
Download Blank Template
For more information about the template CSV go to CSV template.
Assignment Types
1. Group Assignments
Assign policies to specific Entra ID groups.
CSV Format:
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
My Policy;Finance Department;Include;Add;;Result: Policy is assigned to all members of "Finance Department" group.
2. All Users
Assign policies to all licensed users in your tenant.
CSV Format:
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Security Policy;All Users;Include;Add;;Result: Policy applies to every user with an Intune license.
3. All Devices
Assign policies to all devices enrolled in Intune.
CSV Format:
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Device Compliance;All Devices;Include;Add;;Result: Policy applies to all enrolled devices regardless of user.
Assignment Actions
Add Action
Adds new assignments without removing existing ones.
Scenario: Add Group Assignment
CSV:
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Security Baseline;IT Admins;Include;Add;;Before:
- Policy has "All Users" assignment
After:
- Policy has "All Users" assignment
- Policy has "IT Admins" group assignment
Scenario: Add Assignment with Exclusion Group
CSV:
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
App Protection;All Users;Include;Add;;
App Protection;Test Users;Exclude;Add;;Result:
- Policy assigned to all users
- Test Users group included separately (can be excluded via filters)
Remove Action
Removes specific assignments without affecting others.
Scenario: Remove Included Group Assignment
CSV:
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Old Policy;Finance Team;Include;Remove;;Before:
- Policy assigned to: "Finance Team", "Sales Team", "All Devices"
After:
- Policy assigned to: "Sales Team", "All Devices"
- "Finance Team" assignment removed
Scenario: Remove Excluded Group Assignment
CSV:
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Old Policy;Excluded IT Team;Exclude;Remove;;Before:
- Policy assigned to: "Finance Team", "Sales Team", "All Devices" and excluded "Excluded IT Team"
After:
- Policy assigned to: "Finance Team", "Sales Team", "All Devices"
- "Excluded IT Team" exclusion removed
Scenario: Remove All Users Assignment
CSV:
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Pilot Policy;All Users;Include;Remove;;Before:
- Policy assigned to "All Users"
After:
- Policy has no assignments
Replace Action
Removes all existing assignments and adds the new one(s).
Scenario: Replace Group with Another Group
CSV:
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Security Policy;New Security Group;Include;Replace;;Before:
- Policy assigned to: "Old Group A", "Old Group B", "All Users"
After:
- Policy assigned to: "New Security Group" only
Scenario: Replace Multiple Assignments with All Devices
CSV:
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Device Config;All Devices;Include;Replace;;Before:
- Policy assigned to: "Group 1", "Group 2", "Group 3"
After:
- Policy assigned to: "All Devices" only
Clear (NoAssignment) Action
Removes all existing assignments from the policy.
Scenario: Clear All Assignments
CSV:
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Obsolete Policy;; ;NoAssignment;;Before:
- Policy assigned to: "Group A", "Group B", "All Users" After:
- Policy has no assignments
Assignment Filters
Assignment filters allow you to include or exclude devices based on device properties.
Filter Types
- Include - Apply policy only to devices matching the filter
- Exclude - Apply policy to all devices except those matching the filter
Filter Platform Matching
Important
Assignment Filter platform must match the policy platform.
| Policy Platform | Compatible Filter Platform |
|---|---|
| Windows10AndLater, Windows8AndLater, Windows | Windows |
| iOS | iOS |
| Android | Android |
| macOS | macOS |
Scenario: Add Assignment with Include Filter
CSV:
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Windows Compliance;All Devices;Include;Add;Windows 11 Only;IncludeResult:
- Policy assigned to all devices
- Only applied to devices matching "Windows 11 Only" filter
Scenario: Add Assignment with Exclude Filter
CSV:
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Security Baseline;All Users;Include;Add;Test Devices;ExcludeResult:
- Policy assigned to all users
- Not applied to devices matching "Test Devices" filter
Scenario: Remove Assignment with Specific Filter
CSV:
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
App Config;Sales Team;Include;Remove;VIP Devices;ExcludeBefore:
- Policy assigned to "Sales Team" with "VIP Devices" (Exclude)
- Policy assigned to "Sales Team" without filter
After:
- Only the assignment with the matching filter is removed
- Assignment without filter remains
Common Scenarios
Scenario 1: Migrate Policy from One Group to Another
Goal: Move policy from "Pilot Users" to "All Users"
CSV:
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
New Feature Policy;All Users;Include;Replace;;Result: All previous assignments removed, policy now assigned to "All Users"
Scenario 2: Add Exclusion to Existing Assignment
Goal: Keep current assignments but exclude test devices
CSV:
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Compliance Policy;All Devices;Exclude;Add;Test Devices;ExcludeResult: Policy applies to all devices except those matching "Test Devices" filter
Scenario 3: Change Filter Direction
Goal: Change from excluding test devices to including only production devices
CSV:
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Security Policy;All Devices;Include;Replace;Production Devices;IncludeResult: All previous assignments removed, policy now applies only to production devices
Scenario 4: Batch Migration Multiple Policies
CSV:
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Policy A;Finance Team;Include;Replace;;
Policy B;Finance Team;Include;Replace;;
Policy C;Finance Team;Include;Replace;;
Policy D;All Users;Include;Replace;;Result: Multiple policies migrated to new assignments in one operation
Scenario 5: Replace and Add Exclusion
Goal: Replace assignment and immediately add exclusion group
CSV:
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
App Protection;All Users;Include;Replace;;
App Protection;Excluded Users;Exclude;Add;;Processing Order:
- Replace removes all assignments and adds "All Users"
- Add includes "Excluded Users" group
Note
This creates two assignments — you may want to use filters instead for exclusions.
Scenario 6: Clear All Assignments from Multiple Policies
CSV:
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Old Policy 1;; ;NoAssignment;;
Old Policy 2;; ;NoAssignment;;
Old Policy 3;; ;NoAssignment;;Result: All assignments removed from specified policies
Scenario 7: Implement new policies (Update ring 1) for Pilot Group only
CSV:
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Production policy - v1 ;Pilot Group;Exclude;Add;;
New production policy - v1.1 ;Pilot Group;Include;Add;;This will keep the existing production policy for all users but exclude the pilot group. The new production policy will be assigned only to the pilot group.
Validation Rules
Rule 1: Cannot Mix All Users/All Devices with Groups
Invalid
Cannot mix All Users / All Devices with group assignments in the same policy batch.
❌ Invalid:
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
My Policy;All Users;Include;Add;;
My Policy;Finance Team;Include;Add;;Error: "Cannot mix 'All Users' with group assignments"
✅ Solution (use Replace):
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
My Policy;All Users;Include;Replace;;Rule 2: Filter Platform Must Match Policy Platform
❌ Invalid:
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Windows Security Baseline;All Devices;Include;Add;iOS Device Filter;IncludeError: "Filter platform 'iOS' does not match policy platform 'Windows'"
✅ Valid:
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Windows Security Baseline;All Devices;Include;Add;Windows 11 Filter;IncludeRule 3: Cannot Have Conflicting Actions in Same Batch
❌ Invalid:
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
My Policy;Finance Team;Include;Add;;
My Policy;Finance Team;Include;Remove;;Error: "Conflicting assignment actions detected for the same assignment"
Reason: Adding and removing the same assignment in one batch creates a conflict.
Rule 4: Cannot Add Same Assignment with Different Filters
❌ Invalid:
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
My Policy;IT Team;Include;Add;Filter A;Include
My Policy;IT Team;Include;Add;Filter B;ExcludeError: "Conflicting filter types for the same assignment"
Reason: Same group cannot have both Include and Exclude filters simultaneously.
Best Practices
1. Test Before Production
Always test your CSV with a small subset of policies first:
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Test Policy 1;Test Group;Include;Add;;2. Use Replace for Clean Migrations
When migrating policies, use Replace to avoid orphaned assignments:
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Production Policy;Production Users;Include;Replace;;3. Verify Group Names
Ensure group names match exactly (case-sensitive):
❌ finance team ≠ Finance Team
✅ Finance Team = Finance Team
4. Check Filter Names
Filter names must exist in your tenant before migration:
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
My Policy;All Devices;Include;Add;Corporate Devices;IncludeVerify "Corporate Devices" filter exists first.
5. Batch Similar Operations
Group similar operations together:
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Policy 1;Finance;Include;Replace;;
Policy 2;Finance;Include;Replace;;
Policy 3;Finance;Include;Replace;;6. Order of Operations
When using multiple actions, they execute in CSV row order:
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
My Policy;All Users;Include;Replace;;
My Policy;Excluded Group;Exclude;Add;;Result:
- Replace removes all assignments and adds "All Users"
- Add includes "Excluded Group"
MSP Scenario Examples
New Customer Onboarding (MSPs)
You have used other tools like Inforcer, Coreview or just added all those policies manually in a customer tenant. Now you can use the Assignments Manager to user your standardized assignment template from your pilot tenant and use it for future customers.
PolicyName;GroupName;AssignmentDirection;AssignmentAction;Filter;Filter Type
Windows Security Baseline;All Devices;Include;Replace;;
iOS Compliance Policy;All Users;Include;Replace;;
Android App Protection;All Users;Include;Replace;;
BYOD Compliance;All Users;Include;Replace;Corporate Devices;ExcludePilot to Production Migration
You have new policies added to a tenant and want to test it in a pilot group first.
PolicyName;GroupName;AssignmentDirection;AssignmentAction;Filter;Filter Type
Old Feature Policy;Pilot Group;Exclude;Add;;
New Feature Policy;Pilot Group;Include;Add;;Error Messages
| Error Message | Cause | Solution |
|---|---|---|
| "Policy not found" | Policy name doesn't exist | Verify policy name spelling |
| "Group not found" | Group name doesn't exist | Check Entra ID group name |
| "Filter not found" | Filter name doesn't exist | Verify assignment filter exists |
| "Platform mismatch" | Filter platform ≠ policy platform | Use matching platform filter |
| "Cannot mix assignment types" | Mixing All Users/Devices with groups | Use Replace action |
| "Conflicting actions" | Same assignment has Add + Remove | Remove duplicate |
Examples by Policy Type
Configuration Policies
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Windows Update Policy;All Devices;Include;Replace;Production Devices;Include
Windows Update Policy;Test Devices Group;Include;Add;Test Device Filter;ExcludeCompliance Policies
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Device Compliance - iOS;All Users;Include;Replace;;
Device Compliance - iOS;Executives;Include;Add;VIP Devices;IncludeApp Protection Policies
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
MAM Policy - Android;All Users;Include;Replace;;
MAM Policy - Android;BYOD Users;Include;Add;Personal Devices;ExcludeSecurity Baselines
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Windows Security Baseline v2;All Devices;Include;Replace;Managed Devices;IncludeFAQ
Q: What happens if I add the same assignment twice? A: The operation is idempotent - only one assignment is created.
Q: Can I remove an assignment that doesn't exist? A: No, during compare phase it checks if the assignment exists. If it doesn't exist it is not ready for migration.
Q: Can I use Replace multiple times in one CSV? A: Yes, but each Replace overwrites the previous one for that policy.
Q: Can I migrate assignments between tenants? A: No, group and filter names must exist in the target tenant.
Q: What happens if a filter name is wrong? A: Error: "Assignment filter not found" - operation fails for that row.
Support
For issues or questions:
- Verify CSV format matches examples above
- Check validation rules section
- Review error messages table
- Contact your system administrator