By Matt Shadbolt | Senior Service Engineer | https://blogs.technet.microsoft.com/ConfigMgrDogs/
Important: This guide is intended to explain how a migration blocker occurs and how to remove the blocking issue. It is not intended to provide guidance on how to redesign your grouping/targeting to achieve the functionality that the blocking configuration provided.
We suggest you thoroughly review your grouping/targeting strategy before making any changes.
There is no concept of ‘Ungrouped Users/Devices’ in Azure Active Directory. Your Intune tenant migration will be blocked if you have any apps, terms and conditions, or policies deployed to these groups, because there is no way to migrate the deployments.
There are three steps to resolving this blocker.
First, we suggest moving any ungrouped users/devices into groups, so that they’re targeted by the correct apps, terms, and policies. If all of your deployments are targeted at ‘All Users’ or ‘All Devices’, you won’t need to create the temporary group described in the next section.
1. Log in to https://manage.microsoft.com using your admin credentials.
2. Browse to Groups > All Users > Ungrouped Users and click the Users tab.
3. Select all of the users and then click Create Group from Selection.
4. In the Create Group dialog, give your new group a name. For the long term, we recommend adding these users into deliberate, production-targeted groups. For now, create this group as a temporary measure to ensure your users don’t lose anything that should be deployed to them.
5. Leave the Membership Criteria page empty, and then click Next.
6. Your selected users should automatically show up. Click Next.
7. Click Finish.
8. Now repeat the process for Ungrouped Devices.
Now you need to remove any deployment that is targeted at the Ungrouped Devices or Ungrouped Users groups. We’ll start with App deployments.
1. Log in to https://manage.microsoft.com using your admin credentials.
2. Browse to Apps and click Apps.
3. Sort your apps list by Deployed.
4. For each app where Deployed = Yes, select the app and right-click. Click Manage Deployment.
5. In the Manage Deployment dialog, view the Selected groups pane. You’re looking for any apps that are targeted at Ungrouped Devices or Ungrouped Users. If there are no Ungrouped Devices/Users, you can move on to the next app in your list.
6. If you see Ungrouped Devices or Ungrouped Users, click these deployments and click Remove.
7. Next, add the new group you created by selecting the group and clicking Add.
8. Click Next until you close the wizard.
9. Do this for every app where Deployed = Yes.
Next, we need to remove policy deployments.
1. Log in to https://manage.microsoft.com using your admin credentials.
2. Browse to Policy > Configuration Policies.
3. On each of your Configuration Policies, click the Manage Deployment button.
4. Remove Ungrouped Users, add the newly created temp group, and click OK.
5. Add your temp group and click OK.
6. After you’ve checked your Configuration Policies, check your Compliance Policies. Click the Compliance Policies node and select the policy.
7. Select the Manage Deployment button, remove the Ungrouped Users/Devices, and add in your temp group.
8. Finally, any Intune Terms and Conditions deployed to ungrouped users/devices need to be removed. Browse to Policy > Terms and Conditions to view the Terms and Conditions Policies.
9. Select each policy and click Manage Deployment.
10. Just like the other policies, if Ungrouped Users is selected, click Remove.
Your migration should now be unblocked for this issue. For more information about configurations that can block your Intune migration, see http://aka.ms/intunemigrationblockers.