Skip to main content
App assignment resources enable you to deploy applications to users and devices with flexible targeting options and install intents.

Available Resources

Mobile App Assignment

Resource: microsoft365_graph_beta_device_and_app_management_mobile_app_assignmentAssign mobile apps to users, devices, or groups with customizable settings.

Assignment Example

resource "microsoft365_graph_beta_device_and_app_management_mobile_app_assignment" "firefox_all_devices" {
  mobile_app_id = microsoft365_graph_beta_device_and_app_management_win32_app.firefox.id
  intent        = "required"
  source        = "direct"
  
  target = {
    target_type                                      = "allDevices"
    device_and_app_management_assignment_filter_type = "none"
  }
}

Install Intents

Configure how the app should be deployed:
IntentDescriptionUser Action Required
requiredApp installs automaticallyNo
availableApp available in Company PortalYes
uninstallApp is removed from devicesNo
availableWithoutEnrollmentAvailable without device enrollmentYes

Required Intent

resource "microsoft365_graph_beta_device_and_app_management_mobile_app_assignment" "required_app" {
  mobile_app_id = microsoft365_graph_beta_device_and_app_management_win32_app.app.id
  intent        = "required"
  source        = "direct"
  
  target = {
    target_type = "allDevices"
  }
}

Available Intent

resource "microsoft365_graph_beta_device_and_app_management_mobile_app_assignment" "available_app" {
  mobile_app_id = microsoft365_graph_beta_device_and_app_management_win_get_app.app.id
  intent        = "available"
  source        = "direct"
  
  target = {
    target_type = "allLicensedUsers"
  }
}

Uninstall Intent

resource "microsoft365_graph_beta_device_and_app_management_mobile_app_assignment" "uninstall_app" {
  mobile_app_id = microsoft365_graph_beta_device_and_app_management_win32_app.old_app.id
  intent        = "uninstall"
  source        = "direct"
  
  target = {
    target_type = "groupAssignment"
    group_id    = microsoft365_graph_beta_groups_group.pilot.id
  }
}

Target Types

Define who or what receives the app:
Target TypeDescriptionRequires Group ID
allDevicesAll enrolled devicesNo
allLicensedUsersAll users with Intune licensesNo
groupAssignmentSpecific Azure AD groupYes
exclusionGroupAssignmentExclude specific groupYes

Assignment Settings

Different app types support different assignment settings:

WinGet App Settings

resource "microsoft365_graph_beta_device_and_app_management_mobile_app_assignment" "winget_with_settings" {
  mobile_app_id = microsoft365_graph_beta_device_and_app_management_win_get_app.app.id
  intent        = "required"
  source        = "direct"
  
  target = {
    target_type = "allDevices"
  }
  
  settings = {
    win_get = {
      notifications = "showAll"
      install_time_settings = {
        use_local_time     = true
        deadline_date_time = "2025-06-01T18:00:00Z"
      }
      restart_settings = {
        grace_period_in_minutes                         = 240
        countdown_display_before_restart_in_minutes     = 30
        restart_notification_snooze_duration_in_minutes = 60
      }
    }
  }
}

iOS Store App Settings

resource "microsoft365_graph_beta_device_and_app_management_mobile_app_assignment" "ios_with_settings" {
  mobile_app_id = microsoft365_graph_beta_device_and_app_management_ios_store_app.app.id
  intent        = "required"
  source        = "direct"
  
  target = {
    target_type = "groupAssignment"
    group_id    = microsoft365_graph_beta_groups_group.ios_users.id
  }
  
  settings = {
    ios_store = {
      is_removable                = true
      prevent_managed_app_backup  = false
      uninstall_on_device_removal = true
      vpn_configuration_id        = "80f8c0a5-f3ec-4936-bcbc-420dc0ca3665"
    }
  }
}

Assignment Filters

Use assignment filters for granular targeting: 
# Create assignment filter
resource "microsoft365_graph_beta_device_management_assignment_filter" "windows_11" {
  display_name = "Windows 11 Devices"
  description  = "Filter for Windows 11 devices only"
  platform     = "windows10AndLater"
  
  rule = "(device.osVersion -startsWith \"10.0.22\") or (device.osVersion -startsWith \"10.0.23\")"
}

# Use filter in assignment
resource "microsoft365_graph_beta_device_and_app_management_mobile_app_assignment" "filtered_assignment" {
  mobile_app_id = microsoft365_graph_beta_device_and_app_management_win32_app.app.id
  intent        = "required"
  source        = "direct"
  
  target = {
    target_type                                      = "allDevices"
    device_and_app_management_assignment_filter_id   = microsoft365_graph_beta_device_management_assignment_filter.windows_11.id
    device_and_app_management_assignment_filter_type = "include"
  }
}

Exclusion Groups

# Assign to all users
resource "microsoft365_graph_beta_device_and_app_management_mobile_app_assignment" "all_users" {
  mobile_app_id = microsoft365_graph_beta_device_and_app_management_win32_app.app.id
  intent        = "required"
  source        = "direct"
  
  target = {
    target_type = "allLicensedUsers"
  }
}

# Exclude specific group
resource "microsoft365_graph_beta_device_and_app_management_mobile_app_assignment" "exclude_pilots" {
  mobile_app_id = microsoft365_graph_beta_device_and_app_management_win32_app.app.id
  intent        = "required"
  source        = "direct"
  
  target = {
    target_type = "exclusionGroupAssignment"
    group_id    = microsoft365_graph_beta_groups_group.pilot_users.id
  }
}

Multiple Assignments

You can create multiple assignments for the same app: 
# Required for IT department
resource "microsoft365_graph_beta_device_and_app_management_mobile_app_assignment" "it_required" {
  mobile_app_id = microsoft365_graph_beta_device_and_app_management_win32_app.app.id
  intent        = "required"
  source        = "direct"
  
  target = {
    target_type = "groupAssignment"
    group_id    = microsoft365_graph_beta_groups_group.it_department.id
  }
}

# Available for all other users
resource "microsoft365_graph_beta_device_and_app_management_mobile_app_assignment" "others_available" {
  mobile_app_id = microsoft365_graph_beta_device_and_app_management_win32_app.app.id
  intent        = "available"
  source        = "direct"
  
  target = {
    target_type = "allLicensedUsers"
  }
}

# Exclude executives
resource "microsoft365_graph_beta_device_and_app_management_mobile_app_assignment" "exclude_execs" {
  mobile_app_id = microsoft365_graph_beta_device_and_app_management_win32_app.app.id
  intent        = "available"
  source        = "direct"
  
  target = {
    target_type = "exclusionGroupAssignment"
    group_id    = microsoft365_graph_beta_groups_group.executives.id
  }
}

Import Syntax

terraform import microsoft365_graph_beta_device_and_app_management_mobile_app_assignment.example <app-id>_<assignment-id>

Best Practices

Deploy apps to small pilot groups first before expanding to larger populations.
Leverage assignment filters to target specific OS versions, device models, or other attributes.
Use exclusion groups to prevent app deployment to specific users or devices that shouldn’t receive the app.
Regularly check app installation status and failures through Intune reporting.
For required apps, give users adequate time to install before enforcement deadlines.

Build docs developers (and LLMs) love

Get started for freeTalk to us