Assign user and device profiles in Microsoft Intune
You create a profile, and it includes all the settings you entered. The next step is to deploy or "assign" the profile to your Azure Active Directory (Azure AD) user or device groups. When it's assigned, the users and devices receive your profile, and the settings you entered are applied.
This article shows you how to assign a profile, and includes some information on using scope tags on your profiles.
Assign a device profile
Sign in to Intune.
Select Device configuration > Profiles. All the profiles are listed.
Select the profile you want to assign > Assignments.
Choose to Include groups or Exclude groups, and then select your groups. When you select your groups, you're choosing an Azure AD group. To select multiple groups, hold down the Ctrl key, and select your groups.
Save your changes.
Evaluate how many users are targeted
When you assign the profile, you can also Evaluate how many users are affected. This feature calculates users; it doesn't calculate devices.
- In Intune, select Device configuration > Profiles.
- Select a profile > Assignments > Evaluate. A message shows you how many users are targeted by this profile.
If the Evaluate button is grayed out, make sure the profile is assigned to one or more groups.
Use scope tags or applicability rules
When you create or update a profile, you can also add scope tags and applicability rules to the profile.
Scope tags are a great way to assign and filter policies to specific groups, such as Human Resources or All US-NC employees. Use RBAC and scope tags for distributed IT has more information.
On Windows 10 devices, you can add applicability rules so the profile only applies to a specific OS version or a specific Windows edition. Applicability rules has more information.
Exclude groups from a profile assignment
Intune device configuration profiles let you exclude groups from policy assignment. For example, you can assign a device profile to the All corporate users group, but exclude members in the Senior Management Staff group.
Intune doesn't look at user-to-device relationships. Including user groups while excluding device groups may not get the results you expect. Inclusion takes precedence over exclusion:
- When using mixed groups
- If there are other conflicts
For example, you want to assign a device profile to all devices in your organization, except kiosk devices. You include the All Users group, but exclude the All Devices group. In this case, all your users and their devices get the policy, even if the user’s device is in the All Devices group.
Exclusion only looks at the direct members of the group. It doesn't include devices that are associated with a user. However, devices that don't have a user, don't get the policy. This behavior happens because devices without users have no relationship to the All Users group.
If you include All Devices, and exclude All Users, then all the devices receive the policy. In this scenario, the intent is to exclude devices that have an associated user from this policy. However, it doesn't exclude the devices because the exclusion only compares direct group members.
See monitor device profiles for guidance on monitoring your profiles, and the devices running your profiles.