# Supported scenarios
## Scenarios
Bulk manage Microsoft Intune policy assignments using CSV files (add, remove, replace) across tenants.
### Overview
We have tested various common scenarios for managing Microsoft Intune policy assignments using the Assignments Manager. This guide provides detailed examples and explanations for each scenario, helping you understand how to effectively use the tool for your specific needs.
Assignments Manager allows you to manage Microsoft Intune policy assignments in bulk using CSV files and reach a desired assignment state for your policies.
You can add, remove, replace, or clear assignments for policies across different tenants.
***
### Supported Operations
The tool supports four primary actions:
* **Add** - Add new assignments to existing policies
* **Remove** - Remove specific assignments from policies
* **Replace** - Replace all existing assignments with new ones
* **Update** - Updates the current assignment row
* **NoAssignment** - Remove all assignments using the NoAssignment action
### Supported Resources
Currently, the resources below are supported and tested by the team. The team tested these policies with the supported operations described above.
| Platform | Intune Resource |
| ------------- | ----------------------------------------------------- |
| All platforms | Settings Catalog |
| | Compliance Policiy |
| Android | App Protection Policy |
| | Android Enterprise - Device Restrictions Device Owner |
| | Android Enterprise - Device Restrictions Work Profile |
| | App Configuration Policy |
| iOS & iPad OS | App Configuration Policy |
| | App Protection Policy |
| | Device Features Policy |
| | Device Restrictions |
| macOS | Custom Configuration Policy |
| | Shell Scripts |
| Windows | Autopilot Deployment Profiles |
| | Custom Configuration Profiles |
| | Device Restriction Profiles |
| | Driver Updates |
| | Feature Updates |
| | Kiosk Profiles |
| | Platform Scripts |
| | Proactive Remediation Scripts |
| | Quality Updates |
| | Windows Health Monitoring Profiles |
{% hint style="info" %}
The team successfully tested the resources above. \
Missing resources in the list are **not** supported. They could work, but we are not responsible for any misconfiguration on that side. \
\
If they work, we are glad to hear so we can update our support list. \
We take new or unknown resources very seriously. We strive to get every resource in the product before you hit an unknown resource. If you are ahead, please let us know so we can add the resource. \
\
For both situations, please create a [GitHub issue](https://github.com/srozemuller/IntuneAssistant/issues) to add that resource to the list.
{% endhint %}
### Assignment Types
{% stepper %}
{% step %}
#### Group Assignments
Assign policies to specific Entra ID groups.
CSV Format:
```
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
My Policy;Finance Department;Include;Add;;
```
Result: Policy is assigned to all members of the "Finance Department" group.
{% endstep %}
{% step %}
#### All Users
Assign policies to all licensed users in your tenant.
CSV Format:
```
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Security Policy;All Users;Include;Add;;
```
Result: Policy applies to every user with an Intune license.
{% endstep %}
{% step %}
#### All Devices
Assign policies to all devices enrolled in Intune.
CSV Format:
```
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Device Compliance;All Devices;Include;Add;;
```
Result: Policy applies to all enrolled devices regardless of user.
{% endstep %}
{% endstepper %}
***
### Assignment Actions
#### Add Action
Adds new assignments **without removing** existing ones.
**Scenario: Add Group Assignment**
CSV:
```
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Security Baseline;IT Admins;Include;Add;;
```
Before:
* Policy has "All Users" assignment
After:
* Policy has "All Users" assignment
* Policy has "IT Admins" group assignment
***
**Scenario: Add Assignment with Exclusion Group**
CSV:
```
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
App Protection;All Users;Include;Add;;
App Protection;Test Users;Exclude;Add;;
```
Result:
* Policy assigned to all users
* Test Users group included separately (can be excluded via filters)
***
#### Remove Action
Removes specific assignments **without affecting** others.
**Scenario: Remove Included Group Assignment**
CSV:
```
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Old Policy;Finance Team;Include;Remove;;
```
Before:
* Policy assigned to: "Finance Team", "Sales Team", "All Devices"
After:
* Policy assigned to: "Sales Team", "All Devices"
* "Finance Team" assignment removed
**Scenario: Remove Excluded Group Assignment**
CSV:
```
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Old Policy;Excluded IT Team;Exclude;Remove;;
```
Before:
* Policy assigned to: "Finance Team", "Sales Team", "All Devices" and excluded "Excluded IT Team"
After:
* Policy assigned to: "Finance Team", "Sales Team", "All Devices"
* "Excluded IT Team" exclusion removed
***
**Scenario: Remove All Users Assignment**
CSV:
```
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Pilot Policy;All Users;Include;Remove;;
```
Before:
* Policy assigned to "All Users"
After:
* Policy has no assignments
***
#### Replace Action
Removes **all existing assignments** and adds the new one(s).
**Scenario: Replace Group with Another Group**
CSV:
```
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Security Policy;New Security Group;Include;Replace;;
```
Before:
* Policy assigned to: "Old Group A", "Old Group B", "All Users"
After:
* Policy assigned to: "New Security Group" only
***
**Scenario: Replace Multiple Assignments with All Devices**
CSV:
```
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Device Config;All Devices;Include;Replace;;
```
Before:
* Policy assigned to: "Group 1", "Group 2", "Group 3"
After:
* Policy assigned to: "All Devices" only
#### Update Action
Updates the current assignment row.
**Scenario: Replace filter for another**
The current assignment at policy name Security Policy with group Security Group, no filter.\
To update that work to include a filter use **Update.**
CSV:
```
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Security Policy;Security Group;Include;Update;FilterForWindows;Include
```
Before:
* Policy assigned to: "SecurityGroup (no filter)"
After:
* Policy assigned to: "Security Group" with filter include FilterForWindows
**Scenario: Remove filter**
The current assignment at policy name Security Policy with group Security Group, with included filter FilterForWindows.\
To update that work to include a filter use **Update.**
CSV:
```
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Security Policy;Security Group;Include;Update;;
```
Before:
* Policy assigned to: "Security Group" with filter include FilterForWindows
After:
* Policy assigned to: "SecurityGroup (no filter)"
#### Clear (NoAssignment) Action
Removes **all existing assignments** from the policy.
**Scenario: Clear All Assignments**
CSV:
```
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Obsolete Policy;; ;NoAssignment;;
```
Before:
* Policy assigned to: "Group A", "Group B", "All Users"
After:
* Policy has no assignments
***
### Assignment Filters
Assignment filters allow you to include or exclude devices based on device properties.
#### Filter Types
* **Include** - Apply policy only to devices matching the filter
* **Exclude** - Apply policy to all devices except those matching the filter
#### Filter Platform Matching
Important
Assignment Filter platform must match the policy platform.
| Policy Platform | Compatible Filter Platform |
| -------------------------------------------- | -------------------------- |
| Windows10AndLater, Windows8AndLater, Windows | Windows |
| iOS | iOS |
| Android | Android |
| macOS | macOS |
***
#### Scenario: Add Assignment with Include Filter
CSV:
```
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Windows Compliance;All Devices;Include;Add;Windows 11 Only;Include
```
Result:
* Policy assigned to all devices
* Only applied to devices matching "Windows 11 Only" filter
***
#### Scenario: Add Assignment with Exclude Filter
CSV:
```
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Security Baseline;All Users;Include;Add;Test Devices;Exclude
```
Result:
* Policy assigned to all users
* Not applied to devices matching "Test Devices" filter
***
#### Scenario: Remove Assignment with Specific Filter
CSV:
```
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
App Config;Sales Team;Include;Remove;VIP Devices;Exclude
```
Before:
* Policy assigned to "Sales Team" with "VIP Devices" (Exclude)
* Policy assigned to "Sales Team" without filter
After:
* Only the assignment with the matching filter is removed
* Assignment without filter remains
***
### Common Scenarios
#### Scenario 1: Migrate Policy from One Group to Another
Goal: Move policy from "Pilot Users" to "All Users"
CSV:
```
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
New Feature Policy;All Users;Include;Replace;;
```
Result: All previous assignments removed, policy now assigned to "All Users"
***
#### Scenario 2: Add Exclusion to Existing Assignment
Goal: Keep current assignments but exclude test devices
CSV:
```
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Compliance Policy;All Devices;Exclude;Add;Test Devices;Exclude
```
Result: Policy applies to all devices except those matching "Test Devices" filter
***
#### Scenario 3: Change Filter Direction
Goal: Change from excluding test devices to including only production devices
CSV:
```
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Security Policy;All Devices;Include;Replace;Production Devices;Include
```
Result: All previous assignments removed, policy now applies only to production devices
***
#### Scenario 4: Batch Migration Multiple Policies
CSV:
```
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Policy A;Finance Team;Include;Replace;;
Policy B;Finance Team;Include;Replace;;
Policy C;Finance Team;Include;Replace;;
Policy D;All Users;Include;Replace;;
```
Result: Multiple policies migrated to new assignments in one operation
***
#### Scenario 5: Replace and Add Exclusion
Goal: Replace assignment and immediately add exclusion group
CSV:
```
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
App Protection;All Users;Include;Replace;;
App Protection;Excluded Users;Exclude;Add;;
```
Processing Order:
{% stepper %}
{% step %}
Replace removes all assignments and adds "All Users"
{% endstep %}
{% step %}
Add includes "Excluded Users" group
{% endstep %}
{% endstepper %}
Note
This creates two assignments — you may want to use filters instead for exclusions.
***
#### Scenario 6: Clear All Assignments from Multiple Policies
CSV:
```
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Old Policy 1;; ;NoAssignment;;
Old Policy 2;; ;NoAssignment;;
Old Policy 3;; ;NoAssignment;;
```
Result: All assignments removed from specified policies
***
#### Scenario 7: Implement new policies (Update ring 1) for Pilot Group only
CSV:
```
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Production policy - v1 ;Pilot Group;Exclude;Add;;
New production policy - v1.1 ;Pilot Group;Include;Add;;
```
This will keep the existing production policy for all users but exclude the pilot group. The new production policy will be assigned only to the pilot group.
***
### Validation Rules
#### Rule 1: Cannot Mix All Users/All Devices with Groups
Invalid
Cannot mix **All Users / All Devices** with group assignments in the same policy batch.
❌ Invalid:
```
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
My Policy;All Users;Include;Add;;
My Policy;Finance Team;Include;Add;;
```
Error: "Cannot mix 'All Users' with group assignments"
✅ Solution (use Replace):
```
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
My Policy;All Users;Include;Replace;;
```
***
#### Rule 2: Filter Platform Must Match Policy Platform
❌ Invalid:
```
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Windows Security Baseline;All Devices;Include;Add;iOS Device Filter;Include
```
Error: "Filter platform 'iOS' does not match policy platform 'Windows'"
✅ Valid:
```
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Windows Security Baseline;All Devices;Include;Add;Windows 11 Filter;Include
```
***
#### Rule 3: Cannot Have Conflicting Actions in Same Batch
❌ Invalid:
```
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
My Policy;Finance Team;Include;Add;;
My Policy;Finance Team;Include;Remove;;
```
Error: "Conflicting assignment actions detected for the same assignment"
Reason: Adding and removing the same assignment in one batch creates a conflict.
***
#### Rule 4: Cannot Add Same Assignment with Different Filters
❌ Invalid:
```
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
My Policy;IT Team;Include;Add;Filter A;Include
My Policy;IT Team;Include;Add;Filter B;Exclude
```
Error: "Conflicting filter types for the same assignment"
Reason: Same group cannot have both Include and Exclude filters simultaneously.
***
### Best Practices
#### 1. Test Before Production
Always test your CSV with a small subset of policies first:
```
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Test Policy 1;Test Group;Include;Add;;
```
#### 2. Use Replace for Clean Migrations
When migrating policies, use **Replace** to avoid orphaned assignments:
```
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Production Policy;Production Users;Include;Replace;;
```
#### 3. Verify Group Names
Ensure group names match exactly (case-sensitive):
❌ `finance team` ≠ `Finance Team` ✅ `Finance Team` = `Finance Team`
#### 4. Check Filter Names
Filter names must exist in your tenant before migration:
```
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
My Policy;All Devices;Include;Add;Corporate Devices;Include
```
Verify "Corporate Devices" filter exists first.
#### 5. Batch Similar Operations
Group similar operations together:
```
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Policy 1;Finance;Include;Replace;;
Policy 2;Finance;Include;Replace;;
Policy 3;Finance;Include;Replace;;
```
#### 6. Order of Operations
When using multiple actions, they execute in CSV row order:
```
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
My Policy;All Users;Include;Replace;;
My Policy;Excluded Group;Exclude;Add;;
```
Result:
{% stepper %}
{% step %}
Replace removes all assignments and adds "All Users"
{% endstep %}
{% step %}
Add includes "Excluded Group"
{% endstep %}
{% endstepper %}
***
### MSP Scenario Examples
#### New Customer Onboarding (MSPs)
You have used other tools like Inforcer, Coreview or just added all those policies manually in a customer tenant. Now you can use the Assignments Manager to user your standardized assignment template from your pilot tenant and use it for future customers.
```
PolicyName;GroupName;AssignmentDirection;AssignmentAction;Filter;Filter Type
Windows Security Baseline;All Devices;Include;Replace;;
iOS Compliance Policy;All Users;Include;Replace;;
Android App Protection;All Users;Include;Replace;;
BYOD Compliance;All Users;Include;Replace;Corporate Devices;Exclude
```
***
#### Pilot to Production Migration
You have new policies added to a tenant and want to test it in a pilot group first.
```
PolicyName;GroupName;AssignmentDirection;AssignmentAction;Filter;Filter Type
Old Feature Policy;Pilot Group;Exclude;Add;;
New Feature Policy;Pilot Group;Include;Add;;
```
***
### Error Messages
| Error Message | Cause | Solution |
| ----------------------------- | ------------------------------------ | ------------------------------- |
| "Policy not found" | Policy name doesn't exist | Verify policy name spelling |
| "Group not found" | Group name doesn't exist | Check Entra ID group name |
| "Filter not found" | Filter name doesn't exist | Verify assignment filter exists |
| "Platform mismatch" | Filter platform ≠ policy platform | Use matching platform filter |
| "Cannot mix assignment types" | Mixing All Users/Devices with groups | Use Replace action |
| "Conflicting actions" | Same assignment has Add + Remove | Remove duplicate |
***
### Examples by Policy Type
#### Configuration Policies
```
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Windows Update Policy;All Devices;Include;Replace;Production Devices;Include
Windows Update Policy;Test Devices Group;Include;Add;Test Device Filter;Exclude
```
#### Compliance Policies
```
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Device Compliance - iOS;All Users;Include;Replace;;
Device Compliance - iOS;Executives;Include;Add;VIP Devices;Include
```
#### App Protection Policies
```
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
MAM Policy - Android;All Users;Include;Replace;;
MAM Policy - Android;BYOD Users;Include;Add;Personal Devices;Exclude
```
#### Security Baselines
```
PolicyName;GroupName;AssignmentDirection;AssignmentAction;FilterName;FilterType
Windows Security Baseline v2;All Devices;Include;Replace;Managed Devices;Include
```
***
### FAQ
Q: What happens if I add the same assignment twice?
A: The operation is idempotent - only one assignment is created.
Q: Can I remove an assignment that doesn't exist?
A: No, during compare phase it checks if the assignment exists. If it doesn't exist it is not ready for migration.
Q: Can I use Replace multiple times in one CSV?
A: Yes, but each Replace overwrites the previous one for that policy.
Q: Can I migrate assignments between tenants?
A: No, group and filter names must exist in the target tenant.
Q: What happens if a filter name is wrong?
A: Error: "Assignment filter not found" - operation fails for that row.
***
### Support
{% stepper %}
{% step %}
Verify CSV format matches examples above
{% endstep %}
{% step %}
Check validation rules section
{% endstep %}
{% step %}
Review error messages table
{% endstep %}
{% step %}
Contact your system administrator
{% endstep %}
{% endstepper %}
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.intuneassistant.cloud/extensions/assignments-manager/intune-assignments/supported-scenarios.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.