Quick Tip: Nested Groups for Intune App Protection (MAM-WE)

A really quick one here as I was asked this recently and tested it.


Can we use a nested Azure AD group for assigning Intune Application Protection (AKA MAM-WE) policies?


Short version: Yes, but give it a little thought first

Long version: I was asked this one recently and I wasn’t certain but thought it would most likely work. I set up an example where I had an on-premises Active Directory user named PeterOP, I added that user to an on-premises Active Directory security group which was then synchronised to Azure Active Directory with Azure AD Connect. The AD group was called MyAPPTest.

I then added that group to an Azure AD group called Android App Protection as you can see in the image.

So we have an on-prem user inside an on-prem AD group which is nested inside an Azure AD group.

The App Protection policy is then assigned to the AAD group – Android App Protection

Then I simply test by opening an application which is protected by this policy, in this case on a personal device. Then I log in as PeterOP – my on-premises AD user. On the device I see the regular prompts about the app being protected etc and it just works fine.

We can see this in the report through the Microsoft Endpoint Manager admin center. Note that I only actually tried Word and Outlook in this test as that sufficiently confirmed my test result.

Should we use this though?

Great question, I’m glad you asked :). We can see that although it does work, it may become somewhat convoluted and complicated as this scales out across a real-world organisation. I’m just using a simple targeted demo here and there’s a level of comprehension required to keep up with the nesting. With that in mind I’d generally try and steer you away from using nested groups in this scenario and indeed others for this reason. Note however, that although this works for App Protection I can’t say it will work for all features as I know that nested groups are not supported in all areas of Azure Active Directory or Intune/Endpoint Manager. In particular, group-based licensing often comes up as a requirement and isn’t currently supported (at the time of writing).

Hopefully that was or will be useful to someone at some stage.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.