Nested Groups: Fix Your Intune Migration Configuration Issues

By Matt Shadbolt | Senior Service Engineer

Important: This guide is intended to explain how a migration blocker occurs, and how to remove the blocking issue. The guide is not intended to provide guidance on how to redesign your grouping/targeting to achieve functionality caused by the blocking issues.

We suggest you thoroughly review your grouping/targeting strategy before making any changes.

Nested groups are often misunderstood in Intune, where many IT Pros use them for creating hierarchies. Nested groups actually limit group membership by their parent, and are not meant to be used for organizing the console.

A child group cannot have any more members than the parent group. For example, let’s say you have 100 users in All Users, and 10 users in a group called “Parent”. If you create a nested group under “Parent”, then whatever membership criteria you use (AD group membership, for example), its membership will be limited to the 10 users found in the “Parent” group.

Azure Active Directory (Azure AD) does not have any nested grouping, so for migration to Azure we need to “un-nest” everything. Here’s how:

1. Login to with your Admin credentials.

2. Browse to Groups > All Users. In the Groups list, you’ll notice the nested groups as they’ll have an expansion button.


3. If you’re not using this group, you can just delete it and you’re done. If you need the group, skip to step 4.

a. Right-click the group and then click Delete.


b. Click Yes when prompted for confirmation.


4. If you need to use these child groups for targeting/reporting/etc, you need to move these users into a supported group before you delete the child group.
Select the child group, then click the Users tab and select all the users who are members.


5. Click Create Group from Selection.


6. Give the group a name that makes sense, and then be sure to select All Users as the parent group. If you select any group other than All Users, you’ll be in exactly the same situation as before!


7. You can now go ahead and delete the original group using the instructions in step 3.

NOTE: If you had any policies, terms and conditions, or apps targeted at the original child group, you will need to go to each deployment and re-target them to the new group! After you do, you should be unblocked for this issue for migration.
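The membership rule and the un-nesting steps above, modelled in Python as an added example (not code from the original post and not an Intune API). The `Group` class, its fields, the function names and the sample users are assumptions constructed for illustration. It also shows, as a consequence of the rule, which users would be newly targeted if a child's criteria were re-created directly under All Users instead of using Create Group from Selection.

```python
# Added model of the membership rule described on this page; not an Intune API.
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    criteria: set                      # users matching the group's own criteria
    parent: "Group | None" = None      # None only for the root ("All Users")
    deployments: list = field(default_factory=list)  # policies/apps targeted here

    def effective(self):
        """Members = own criteria, limited by every ancestor's membership."""
        if self.parent is None:
            return set(self.criteria)
        return self.criteria & self.parent.effective()

def unnest(child, root, new_name):
    """Snapshot the child's effective members into a new group under root
    (the 'Create Group from Selection' step) and list what must be re-targeted."""
    flat = Group(new_name, child.effective(), parent=root)
    return flat, list(child.deployments)

def widened_by_reparenting(child, root):
    """Users who would be newly targeted if the same criteria were simply
    re-created under root instead of snapshotting the current members."""
    return (child.criteria & root.effective()) - child.effective()

# Constructed sample data: 100 users, a 10-user "Parent", and a child whose
# criteria match 25 users (only 5 of whom are in "Parent").
all_users = Group("All Users", {f"user{i:03d}" for i in range(100)})
parent = Group("Parent", {f"user{i:03d}" for i in range(10)}, parent=all_users)
child = Group("Child", {f"user{i:03d}" for i in range(5, 30)}, parent=parent,
              deployments=["Policy A", "App B"])

if __name__ == "__main__":
    flat, retarget = unnest(child, all_users, "Child (flat)")
    print("child effective members:", sorted(child.effective()))
    print("flat group members:     ", sorted(flat.effective()))
    print("re-target these:        ", retarget)
    print("extra users if criteria were reused:",
          len(widened_by_reparenting(child, all_users)))
```
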

For more information about configurations that can block your Intune migration, see
