A really quick one here as I was asked this recently and tested it.
Question
Can we use a nested Azure AD group for assigning Intune Application Protection (AKA MAM-WE) policies?
Answer
Short version: Yes, but give it a little thought first
Long version: I was asked this one recently and wasn’t certain, but thought it would most likely work. I set up an example with an on-premises Active Directory user named PeterOP. I added that user to an on-premises Active Directory security group called MyAPPTest, which was then synchronised to Azure Active Directory with Azure AD Connect.
I then added that group to an Azure AD group called Android App Protection, as you can see in the image.
So we have an on-prem user inside an on-prem AD group which is nested inside an Azure AD group.
The App Protection policy is then assigned to the AAD group, Android App Protection.
I then test by opening an application protected by this policy, in this case on a personal device, and log in as PeterOP, my on-premises AD user. On the device I see the regular prompts about the app being protected and so on, and it just works.
We can see this in the report through the Microsoft Endpoint Manager admin center. Note that I only tried Word and Outlook in this test, as that was sufficient to confirm the result.
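Before relying on a chain like this in production, it helps to confirm from the directory side that Azure AD actually resolves the user as a transitive member of the group the policy targets, and to see how many nesting hops sit between them. The script below is an added example, not code from the original post; it uses the Microsoft Graph PowerShell SDK and the post’s demo names (PeterOP, MyAPPTest, Android App Protection). The user’s UPN, the tenant and the sign-in scopes are assumptions.

```powershell
# Added example: check direct vs. transitive membership of the policy's target group
# and print the nesting path from the user up to that group.
# Requires the Microsoft.Graph module: Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All"

$userUpn   = "PeterOP@contoso.example"   # assumed UPN for the post's on-prem user PeterOP
$groupName = "Android App Protection"     # AAD group the App Protection policy is assigned to

$user  = Get-MgUser  -UserId $userUpn
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found" }

# Direct members of the target group: PeterOP should NOT be listed here, only the
# synchronised group MyAPPTest (nesting means the user is one hop removed).
$directIds = (Get-MgGroupMember -GroupId $group.Id -All).Id

# Transitive members: this is the membership Intune evaluates when the policy is
# assigned, so PeterOP should appear here even though he is only in the nested group.
$transitiveIds = (Get-MgGroupTransitiveMember -GroupId $group.Id -All).Id

# Walk upwards from the user through memberOf until the target group is reached.
# Returns the chain of group names, or $null if the target is not reachable within MaxDepth.
function Find-NestingPath {
    param(
        [Parameter(Mandatory)] [string]$ObjectId,       # user (first call) or group (recursion)
        [Parameter(Mandatory)] [string]$TargetGroupId,
        [string[]]$Path = @(),
        [int]$MaxDepth = 10                              # guard against very deep or circular nesting
    )
    if ($Path.Count -ge $MaxDepth) { return $null }

    # The first hop starts from a user; every later hop starts from a group.
    $parents = if ($Path.Count -eq 0) { Get-MgUserMemberOf  -UserId  $ObjectId -All }
               else                   { Get-MgGroupMemberOf -GroupId $ObjectId -All }

    foreach ($p in $parents) {
        # memberOf can also return directory roles and administrative units; keep groups only.
        if ($p.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.group') { continue }
        $name = $p.AdditionalProperties['displayName']
        if ($p.Id -eq $TargetGroupId) { return ($Path + $name) }
        $found = Find-NestingPath -ObjectId $p.Id -TargetGroupId $TargetGroupId `
                                  -Path ($Path + $name) -MaxDepth $MaxDepth
        if ($found) { return $found }
    }
    return $null
}

$path = Find-NestingPath -ObjectId $user.Id -TargetGroupId $group.Id

[pscustomobject]@{
    User             = $user.UserPrincipalName
    TargetGroup      = $group.DisplayName
    DirectMember     = ($directIds     -contains $user.Id)   # expected: False in the post's setup
    TransitiveMember = ($transitiveIds -contains $user.Id)   # expected: True  in the post's setup
    NestingHops      = if ($path) { $path.Count } else { 0 }  # expected: 2 (MyAPPTest -> Android App Protection)
    Path             = if ($path) { ($user.DisplayName, $path) -join ' -> ' } else { 'not reachable' }
}
```

Running this against the post’s setup should report the user as a transitive but not a direct member, with a path of the form PeterOP -> MyAPPTest -> Android App Protection. The same check is useful as a quick audit when a policy appears to apply (or not apply) to someone unexpectedly, because the effective scope of a policy assigned to a nested group is the transitive membership, which the admin center’s group view does not make obvious.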
Should we use this though?
Great question, I’m glad you asked :). We can see that although it does work, it may become convoluted and hard to follow as it scales across a real-world organisation. I’m using a simple targeted demo here, and even so a level of comprehension is required to keep up with the nesting. With that in mind I’d generally steer you away from nested groups in this scenario, and in others, for the same reason. Note, however, that although this works for App Protection I can’t say it will work for all features, as nested groups are not supported in all areas of Azure Active Directory or Intune/Endpoint Manager. In particular, group-based licensing often comes up as a requirement and isn’t currently supported for nested groups (at the time of writing).
Hopefully that was or will be useful to someone at some stage.
/Peter