Add support for nested groups in Azure AD (app access and provisioning, group-based licensing)

A lot of organizations use nested groups in on-premise AD. Syncronizing these groups to Azure AD have no value today. But the group itself have value on-premise
Creating new group in AD with only users and then synchronize it to Azure AD creates extra administration for administrators and confusion for end-users.

Dynamic Groups in Azure AD as of today don’t have support for “Member Of” or similar hence don’t solve the problem.

Adding nested groups to Azure AD would add a lot of value to Azure AD.

897 votes

Your name

Your email address

(thinking…)

Password

Forgot password?

Create a password

Signed in as (Sign out)

We’ll send you updates on this idea

Michael shared this idea · Aug 19, 2016 · Flag idea as inappropriate… · Admin →

started ·

AdminAzure AD Team (Product Owner, Microsoft Azure) responded · Oct 19, 2018

We’re continuing to investigate options for adding this support. There are technical challenges to overcome in order to make this happen. We thank you for all your valuable comments so far, and welcome any additional feedback you have on what are the most important use cases involved with these scenarios.

Show previous admin responses (2)

started ·

AdminAzure AD Team (Software Engineer, Microsoft Azure) responded · Nov 1, 2017

Currently, the following scenarios DO support nested groups:

The concept (you can add groups as members of other groups)
Group membership claims (when an app is configured to receive group membership claims in the token, nested groups the signed-in user is a member of are included)
Conditional access (when scoping a conditional access policy to a group)
Restricting access to self-serve password reset
Restricting which users can do Azure AD Join and device registration

The following scenarios DO NOT supported nested groups:

App role assignment (assigning groups to an app is supported, but groups nested within the directly assigned group will not have access), both for access and for provisioning
Group-based licensing (assigning a license automatically to all members of a group)
Office 365 Groups

All of the scenarios where nested groups aren’t supported are being looked at, but we do not yet have any timelines to share. We thank you for all your valuable comments so far, and welcome any additional feedback you have on what are the most important scenario for you.

started ·

AdminAzure AD Team (Software Engineer, Microsoft Azure) responded · Jul 24, 2017

Currently, the following scenarios DO support nested groups:

The concept (you can add groups as members of other groups)
Group membership claims (when an app is configured to receive group membership claims in the token, nested groups the signed-in user is a member of are included)
Conditional access (when scoping a conditional access policy to a group)
Restricting access to self-serve password reset
Restricting which users can do Azure AD Join and device registration

The following scenarios DO NOT supported nested groups:

App role assignment (assigning a groups to an app (or app role within an app), both for access and for provisioning, applies only to direct members)
Group-based licensing (assigning a license automatically to all members of a group)

— Philippe Signoret

103 comments

Add a comment…

Your name

Your email address

(thinking…)

Password

Forgot password?

Create a password

Signed in as (Sign out)

Submitting...

Mario Steinmeyer commented · April 10, 2019 11:18 PM · Flag as inappropriate

There is absolutly need to simple manage registered Apps with RBAC.
Tim McLaughlin commented · April 10, 2019 1:36 PM · Flag as inappropriate

Yes, please! We are using AAD more and more via SAML and OAuth, and users are asking for the ability to use their existing group structures.
Denis Bogunic commented · April 10, 2019 3:41 AM · Flag as inappropriate

I'd like to throw my hat in here and second everything mentioned below. This is really a critical omission and needs to get sorted ASAP.

Any ETA?
Martin Thibeault commented · April 5, 2019 6:28 AM · Flag as inappropriate

This absolutly need to be present for licencing affectation
Anonymous commented · April 2, 2019 1:56 AM · Flag as inappropriate

As per all the comments below!
P Pelzer commented · March 29, 2019 4:24 AM · Flag as inappropriate

The concept of inheritance has been around since ages and part of old AD's....why not in AAD. It works for Sharepoint and such but not for App's which is just ridiculous! Please MS, make this work.
Colin Pazdzior commented · March 26, 2019 1:45 PM · Flag as inappropriate

Yes. Us too. This has been a standard feature of AD for years....
Anonymous commented · March 12, 2019 6:13 AM · Flag as inappropriate

We also want this very bad for SAML integration.
Justin commented · February 25, 2019 5:19 PM · Flag as inappropriate

Is there any timeframe on sorting this for group-based licensing as yet? You've indicated there were none in November 2017, but it has been 15 months... any progress? Anything?
Kazzan commented · February 21, 2019 2:11 PM · Flag as inappropriate

There should be support for that for rollout of SSPR and MFA. Or for the meantime, it should at least warn in setup.
Anonymous commented · February 21, 2019 4:45 AM · Flag as inappropriate

Does anyone have a work around for Enterprise applications??
Anonymous commented · February 13, 2019 1:31 AM · Flag as inappropriate

Please can we have an update on this, nested groups are essential for our organisation for role based access assignment.
t commented · February 8, 2019 3:40 AM · Flag as inappropriate

yes please do this it woudl make everything so much easier and neater and reduce errors
Stephan G commented · February 4, 2019 7:02 AM · Flag as inappropriate

I wrote a script for that - it's a workaround until the feature is going live. Published it today at:
https://gallery.technet.microsoft.com/office/Nested-AD-groups-for-06f9ff9e
I hope this helps some of you
steven.cuthill commented · January 30, 2019 2:26 AM · Flag as inappropriate

really shocking that this has taken years to get 'started' on. MS need to up there game in supporting and improving services that already have.
Josh commented · January 29, 2019 12:26 PM · Flag as inappropriate

Group based licensing, group assignment to enterprise applications, and group assignment of conditional access policies.

On-premises ADDS was setup and configured based on recommended practices of nesting groups within other groups based on organizational structure, and an entire user life-cycle automation process was built around this structure. We will be in a hybrid Azure AD/On-premises for the foreseeable future, and it's not feasible to recreate and restructure everything to use flat groups.
Zak Lyles commented · January 28, 2019 7:43 AM · Flag as inappropriate

This is actually pathetic... 2.5 years later and Azure AD doesn't support nested groups. Third party App SSO solutions like Okta and OneLogin have supported nested groups forever. Get your **** together Microsoft.
Christian Winther commented · December 21, 2018 5:57 AM · Flag as inappropriate

How do you tackle this when the structure is already setup using Microsoft "Best Practice" IGDLA / AGDLP? Explicit permissions for all or?
Anonymous commented · December 7, 2018 4:21 PM · Flag as inappropriate

I am surprised that AAD does not support Nested groups after starting SAML. Microsoft should support the nested group as soon as possible.
Alfredo commented · November 29, 2018 2:21 PM · Flag as inappropriate

Is there any update on GBL on group nesting. Have a client that wants to add on an app a group that has another group on members.