Intune policy deployed to EAS-based device groups: Fix your Intune Migration Configuration Issues

Important: This guide is intended to explain how a migration blocker occurs, and how to remove the blocking issue. The guide is not intended to provide guidance on how to redesign your grouping/targeting to achieve functionality caused by the blocking issues.

We suggest you thoroughly review your grouping/targeting strategy before making any changes.

Devices that are managed by Exchange ActiveSync (EAS) used to be able to get a mailbox policy deployed to them, even if the device was not enrolled for mobile device management. We stopped supporting that mailbox policy for EAS devices over a year ago. Mailbox policy was a special thing we built for EAS, but you've never been able to deploy any other type of policy to devices that are managed only by EAS; a device had to be dual-managed (managed by both EAS and MDM) before it could get any other type of policy. Even though we stopped supporting groups comprised of devices managed by EAS only, you might still have policies deployed to those groups. Since we don't support those deployments, we can't recreate that configuration with Azure groups. Follow these steps to find and fix EAS-based device groups.

  1. Login to with your Admin credentials.
  2. Browse to Groups > All Devices and select the first group in your list.
  3. In the Detail window for that particular group, expand Membership Criteria.


  4. You're looking for any group with the criteria Only include mobile devices that are managed by Exchange ActiveSync.

  5. If you're not using this group, you can just delete it and you're done. If you need the group for targeting dual-managed devices, keep going.
  6. Right-click the individual group and then click Edit.
  7. On the Criteria Membership tab, change Only include mobile devices that are managed by Exchange ActiveSync to Only include mobile devices that are managed Microsoft Intune direct management.

  8. Click the Finish button.

Now repeat these steps for each of your Intune groups. Remember, you only need to edit the membership of those groups if they include mobile devices that are managed by Exchange ActiveSync.

Your migration should now be unblocked for this issue. For more information about configurations that can block your Intune migration, see
