As mandated by Microsoft, the Intune App Protection policy can be assigned to only user groups. This policy cannot be assigned to individual users or to devices. You also need to ensure that the selected user group is part of the same user context associated while configuring Microsoft Graph API. For more information, see User Association. When the policy is assigned, ZENworks calls the Azure REST APIs and the same policy assignment is replicated in Azure, after which the protection settings are enforced on the users’ devices. The user group in Azure is identified based on the OnPremisesSecurityIdentifier value, which is matched with the objectsid attribute value of the user group selected in ZENworks.
After assigning the policy, it is recommended that you review the policy message logs to identify any errors that might have occurred while replicating the policy assignment in Azure. To view the policy logs, navigate to the summary page of the policy (click the policy in the Policies panel) and view the message logs to identify the reason for failure, if any. For more information on the possible reasons for failure, see Protecting Intune Apps.
To assign the policy to the user group, from the Policies list, select the check box in front of the policy, then click Action > Assign to User.
In the Select Object dialog box, browse for and select the user group to whom you want to assign the policy, click OK to add them to the list and then click Next.
Review the summary page and click Finish to complete the assignment.