在 Microsoft Intune 中指派使用者和裝置設定檔Assign user and device profiles in Microsoft Intune

在您建立設定檔之後,可以將設定檔指派至 Azure Active Directory (Azure AD) 群組。After you create a profile, you can assign the profile to Azure Active Directory (Azure AD) groups.

指派裝置設定檔Assign a device profile

  1. Azure 入口網站中,選取 [所有服務],並搜尋 Microsoft IntuneIn the Azure portal, select All Services, and search for Microsoft Intune.

  2. Microsoft Intune 中,選取 [裝置設定],然後選取 [設定檔]。In Microsoft Intune, select Device configuration, and select Profiles.

  3. 在設定檔清單中,選取您要指派的設定檔,然後選取 [指派]。In the list of profiles, select the profile you want to assign, and then select Assignments.

  4. 選擇 [包含] 群組或 [排除] 群組,然後選取群組。Choose to Include groups or Exclude groups, and then select groups.

    在設定檔指派中包含或排除群組的選項螢幕擷取畫面

  5. 當您選取群組時,會選擇 Azure AD 群組。When you select your groups, you're choosing an Azure AD group. 若要選取多個群組,請按住 Ctrl 鍵。To select multiple groups, hold down the Ctrl key.

  6. 完成之後,請選取 [儲存]。When you are done, select Save.

從設定檔指派排除群組Exclude groups from a profile assignment

Intune 裝置組態設定檔可讓您從原則指派排除群組。Intune device configuration profiles let you exclude groups from policy assignment. 例如,您可以將裝置設定檔指派給所有公司使用者群組,但排除資深管理層群組的任何成員。For example, you can assign a device profile to the All corporate users group, but exclude any members of the Senior Management Staff group.

如果您排除指派的群組、只排除使用者,或只排除裝置群組 (不是群組的混合),則 Intune 不會視為任何使用者與裝置關聯性。When you exclude groups from an assignment, exclude only users, or only exclude device groups (not a mixture of groups), Intune doesn't consider any user-to-device relationship. 包含使用者群組的同時排除裝置群組,可能不會建立您預期的結果。Including user groups while excluding device groups might not create the results you expect. 如果使用混合群組,或發生其他衝突,則包含的優先順序高於排除。When mixed groups are used, or if there are other conflicts, inclusion takes precedence over exclusion.

例如,您想要將裝置設定檔指派給組織中 Kiosk 裝置以外的所有裝置。For example, you want to assign a device profile to all devices in your organization, except kiosk devices. 您包含所有使用者群組,但是排除所有裝置群組。You include the All Users group, but exclude the All Devices group. 在此情況下,所有的使用者及其裝置都受原則約束,即使使用者的裝置屬於所有裝置群組。In this case, all your users and their devices get the policy, even if the user’s device is part of the All Devices group.

排除只會查看群組的直屬成員,不包含與使用者建立關聯的裝置。Exclusion only looks at the direct members of the groups, and doesn't include devices that are associated with a user. 不過,沒有使用者的裝置則無法取得原則。However, devices that don't have a user don't get the policy. 發生原因是這些裝置不具有與所有使用者群組的關聯性。This occurs because those devices have no relationship to the All Users group.

如果您包含所有裝置,並排除所有使用者,則所有裝置都會收到原則。If you include All Devices, and exclude All Users, then all the devices receive the policy. 在此情況下,目的是要排除此原則中有相關聯使用者的裝置。In this scenario, the intent is to exclude devices that have an associated user from this policy. 不過,它不會排除裝置,因為排除只會比對直屬群組成員。However, it doesn't exclude the devices because the exclusion only compares direct group members.

提示

合規性原則或應用程式指派無法使用排除。Exclusions aren't available for compliance policies or app assignment. 若要從指派排除成員,您可以使用可用不適用指派。To exclude members from an assignment, you can use the Available and Not applicable assignments. 例如,您將應用程式指派給具有可用目的的所有公司使用者,並將應用程式指派給具有不適用目的的資深管理層For example, you assign an app to All corporate users with the Available intent, and assign the app to Senior Management Staff with the Not applicable intent. 應用程式會指派給所有使用者,但資深管理層群組的使用者「除外」。The app is assigned to all users except users in the Senior Management Staff group. 如果您將應用程式指派給具有必要目的的所有公司使用者,則也會包含資深管理層群組的使用者。If you assign the app to All corporate users with the Required intent, the users in the Senior Management Staff group are also included.

後續步驟Next steps

請參閱如何監視裝置設定檔以取得監視裝置設定檔指派的指示。See How to monitor device profiles for guidance on monitoring device profile assignments.