This blogpost is about assigning Intune policies and apps to a limited group of users or devices. I want to look into the different sections (Configuration Policies, Compliance Policies and Apps) and explain what options you have for assigning them to a limited set of users/devices. For the policies (Configuration and Compliance) you can use the include and exclude assignment to exclude users/devices from a policy. For App assignments the include/exclude assignment is not available, but you have some other options!
Let’s start by explaining the assignment options we have in Intune, beginning with the ‘exclude’ capabilities. We can exclude a group of users or devices from every policy except app deployments. If you want to assign apps to a limited group of users/devices you will need to assign a second group with the install type ‘Not Applicable’. Another option for policies and app assignments is to use AzureAD dynamic groups. Based on the dynamic membership rules of these groups you define which users/devices will be members of the group. Before you start assigning policies and apps to a limited set of users or devices you have to decide whether you are going to assign the policy/app to users or to devices: it’s not possible to assign a policy to a group of users and exclude a group of devices. More information about this can be found here. Now let’s take a look into the different policies in Intune:
Configuration Policies / PowerShell Scripts
Assign policies to a limited set of users/devices by using:
- the Intune Include/Exclude policy assignments functionality
- AzureAD dynamic groups and assign them within the ‘include’ policy assignment
Compliance Policies
Assign policies to a limited set of users/devices by using:
- the Intune Include/Exclude policy assignments functionality
- AzureAD dynamic groups and assign them within the ‘include’ policy assignment
App Assignments
Assign applications to a limited set of users/devices by assigning:
- the group of users which you want to exclude with the assignment type ‘Not Applicable’
- an AzureAD dynamic group
Scenario 1: Using the Include/Exclude functionality
It’s time for a more practical case. In this case I want to configure some settings on Windows 10 clients but want to exclude the Windows 10 Mobile clients. We are going to configure this scenario based on include/exclude assignments in Intune and dynamic groups in AzureAD:
- Go to the Azure Portal
- Create an AzureAD group (AllWindows10Devices) with all your enabled Windows 10 devices using a dynamic membership rule:
- Create another AzureAD group (AllWindows10MobileDevices) with only the Windows 10 Mobile devices using a dynamic membership rule:
- Next, go to Intune and open Configuration Profiles. Choose the configuration profile which contains the settings you want to enforce on all of your Windows 10 devices except the Windows 10 Mobile devices. Open the policy and go to Assignments.
- Select the AllWindows10Devices group in the Include section of the assignments:
- And select the AllWindows10MobileDevices group in the exclude section of the assignments:
- Save the policy
Now check on both devices and you will see that the settings are only applied on your non-Windows 10 Mobile devices.
Scenario 2: Using AzureAD Dynamic Groups
In this second scenario we only want to assign a policy to Windows 10 1703 (10.0.15063) devices, but we want to exclude devices running one specific build of Windows 10 1703 (10.0.15063.540). We create an Azure AD dynamic device group based on these requirements:
With the above group you only need the include assignment of a policy. Policy types which don’t support include/exclude assignments can also be targeted to a limited set of resources based on this dynamic AzureAD group.
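As an added example that is not part of the original post, the following PowerShell creates the dynamic device groups for Scenario 1 and Scenario 2 with the Microsoft Graph PowerShell module (New-MgGroup) instead of the portal. The group names AllWindows10Devices and AllWindows10MobileDevices come from Scenario 1; the third group name, the helper function name and the use of the substring "Mobile" in device.deviceOSType to recognise Windows 10 Mobile devices are assumptions, so verify the OS type values in your own tenant first.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph.Groups module.
# Creating dynamic groups needs Group.ReadWrite.All; the account must also be allowed
# to create groups in the tenant.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

function New-DynamicDeviceGroup {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $MembershipRule
    )
    # A dynamic group is a security group with GroupTypes = DynamicMembership.
    # MailNickname must be unique and free of spaces, so derive it from the name.
    New-MgGroup -DisplayName $DisplayName `
        -MailEnabled:$false `
        -MailNickname ($DisplayName -replace '[^A-Za-z0-9]', '') `
        -SecurityEnabled:$true `
        -GroupTypes @("DynamicMembership") `
        -MembershipRule $MembershipRule `
        -MembershipRuleProcessingState "On"
}

# Scenario 1, include group: every enabled device on a Windows 10 (10.0.x) build.
# Windows 10 Mobile also reports 10.0.x, which is why the exclude group is needed.
New-DynamicDeviceGroup -DisplayName "AllWindows10Devices" -MembershipRule `
    '(device.accountEnabled -eq true) and (device.deviceOSVersion -startsWith "10.0")'

# Scenario 1, exclude group. Assumption: Windows 10 Mobile devices carry "Mobile"
# in device.deviceOSType; check the value shown on a real device in Azure AD.
New-DynamicDeviceGroup -DisplayName "AllWindows10MobileDevices" -MembershipRule `
    '(device.accountEnabled -eq true) and (device.deviceOSType -contains "Mobile")'

# Scenario 2: all 1703 (10.0.15063.*) devices except the single build 10.0.15063.540.
# Only an include assignment is needed, so this also works for policy types without
# include/exclude support. Group name is an assumption.
New-DynamicDeviceGroup -DisplayName "Win10-1703-ExceptBuild540" -MembershipRule `
    '(device.deviceOSVersion -startsWith "10.0.15063") and (device.deviceOSVersion -ne "10.0.15063.540")'

# Membership is evaluated asynchronously; confirm the groups are populated before
# assigning policies, and keep include and exclude groups of the same type (devices).
Get-MgGroup -Filter "groupTypes/any(t:t eq 'DynamicMembership')" `
    -Property DisplayName, MembershipRule, MembershipRuleProcessingState |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
```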
Scenario 3: Exclude User from App Assignments
In this third scenario we want to look into how we can exclude users from app assignments.
- Go to the Azure Portal;
- Create a group with the users which you want to exclude from an App assignment;
- Go to Intune and open the assignment properties of the application;
- Add the group created in step 2 and select assignment type ‘Not Applicable’:
- Save the policy
After refreshing the settings you will see that the application is no longer visible for the users who are members of the group with the assignment type ‘Not Applicable’.
UPDATE 07-02-2018:
This process has changed. See this blogpost for updated information about assigning applications: https://blogs.technet.microsoft.com/intunesupport/2018/02/02/new-feature-new-app-assignment-process-in-intune-with-an-excluded-groups-option/
Conclusion:
We have great capabilities to exclude users or devices from policies and apps. We can either use the Intune functionality or use the AzureAD dynamic groups functionality. Of course you can combine both to achieve your goals!
Can I set any policy in Intune so that a user can log in only on a specific computer and cannot log on to other computers of the company?