Deploy an Intune App to a Specific User and Verify Installation

IT admins frequently receive software installation requests from individual users. Rather than granting local admin rights or manually installing software, the correct path in a Microsoft 365 / Intune-managed environment is to deploy the application through Intune's app catalog. This ensures the install is tracked, licensed, compliant with security policy, and uninstallable through the same channel.

This recipe walks through the full lifecycle for a single-user deployment: verifying the user exists and is active, confirming they have an Intune-enrolled device capable of receiving the app, locating the app (or importing it) into the Intune catalog, assigning it to the user (directly or via a group), and verifying the install reached the endpoint.

When to run this recipe

• A user requests a specific application (e.g., Figma, Slack, Adobe Reader) via a ticket or self-service portal.
• You need to push a licensed application to a new hire on their first day.
• You are replacing a manual install with a managed Intune deployment.

• The target user is confirmed as an active, licensed Microsoft 365 account with at least one Intune-enrolled device.
• The requested application exists in the Intune mobile app catalog (or has been added).
• An app assignment exists targeting the user (or a group containing the user) with the correct intent (Required or Available).
• Installation status has been verified on the user's device either via the Intune admin center or the Graph userAppInstallStatuses endpoint.
• A short audit note or ticket comment records the deployment and completion time.

Before you deploy

• Licensing: Confirm the app is appropriately licensed for the user. Deploying a paid app (e.g., Figma) without a purchased seat violates vendor terms.
• Device enrollment: If the user has no Intune-enrolled device, the assignment will sit in a pending state indefinitely. Verify enrollment first — do not create an assignment to a nonexistent endpoint.
• Assignment intent: required forces install (good for line-of-business apps), available publishes it to Company Portal for user-initiated install (preferred for optional productivity tools). Choose deliberately.
• Group assignments: Prefer assigning to a dynamic or static security group over direct user assignment — it scales and is easier to audit.
• App not in catalog: If the app is not yet in Intune, adding it (especially Win32 LOB or macOS PKG) is itself a multi-step task requiring packaging and is out of scope for a single-user deploy.

Common gotchas

• Case-sensitive $filter on displayName can miss apps — prefer contains() or list and match client-side.
• complianceState must be compliant for Conditional Access-protected apps to actually reach the device.
• Installs can take 15 minutes to several hours depending on device check-in cadence. Don't close the ticket before verifying.