Exclusion Clauses in Groups: Fix Your Intune Migration Configuration Issues

By Matt Shadbolt | Senior Service Engineer | https://blogs.technet.microsoft.com/ConfigMgrDogs/

Important: This guide explains how a migration blocker occurs and how to remove the blocking issue. It does not provide guidance on how to redesign your grouping/targeting to achieve the functionality that the blocking configuration provided.

We suggest you thoroughly review your grouping/targeting strategy before making any changes.

Exclusion groups are Intune Silverlight groups that exclude certain security groups or direct members. In Azure Active Directory (Azure AD), these types of groups are not supported.

To unblock your deployment, you need to remove the excludes from your Intune groups.

Removing an exclude group may have user impact. Users who are excluded from certain policies, terms and conditions, and apps may begin to receive them. Be sure you understand the impact before changing your grouping and targeting strategy.

1. Log in to http://manage.microsoft.com with your Admin credentials.

2. Browse to Groups > All Users and select the first group in your list.


3. In the Detail window for that particular group, expand Membership Criteria.


4. You’re looking for any group that contains one or more values in the And security group is not one of or And member is not one of fields.


This example group is an Exclude Group. This means we need to modify its membership to remove these excludes.

5. Right-click the individual group and then click Edit.


6. Important: When editing an existing group that has an Include members rule, you must re-select the Empty Group option from the Start group membership with drop-down box. If you fail to perform this step, your Include membership rules will be removed and the group membership will include All Users.


7. In the Criteria Membership, find the Exclude members for these security groups section and then click Browse.


8. Click the group listed, click Remove, and then click OK.


9. Click Next to get to the Direct Membership section.

10. In the Exclude specific members section, click the Browse button.


11. Select all the individual users, click Remove, and then click OK.


12. Click the Finish button and you’re done.


13. Now repeat these steps for each of your Intune groups. Remember, you only need to edit the membership of those groups if they have excludes, which you would have seen in Step 4.

Your migration should now be unblocked for this issue. For more information about configurations that can block your Intune migration, see http://aka.ms/intunemigrationblockers.

Comments (2)

  1. Oh my goodness! Amazing article dude! Many thanks. However, I am encountering problems with your RSS.
    I don’t know the reason why I cannot subscribe to it.
    Is there anybody else having identical RSS
    problems? Anybody who knows the solution, will you kindly respond?

  2. Oh my goodness! Impressive article dude! Thank you.
    However, I am experiencing troubles with your RSS.
    I don’t understand why I cannot join it. Is there anybody else
    getting similar RSS problems? Anyone who knows
    the answer, can you kindly respond? Thanks!!
