How can we improve Azure Active Directory?

← Azure Active Directory

Add support for nested groups in Azure AD (app access and provisioning, group-based licensing)

A lot of organizations use nested groups in on-premise AD. Syncronizing these groups to Azure AD have no value today. But the group itself have value on-premise
Creating new group in AD with only users and then synchronize it to Azure AD creates extra administration for administrators and confusion for end-users.

Dynamic Groups in Azure AD as of today don’t have support for “Member Of” or similar hence don’t solve the problem.

Adding nested groups to Azure AD would add a lot of value to Azure AD.

1,243 votes
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Michael shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

144 comments

Attach a File
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Anonymous commented  ·   ·  Flag as inappropriate

    This is a MUST have for Large Enterprises. We do not want to be forced in Micro management!!!
    Role Based Access requires the support for netsted groups!

  • Eric W commented  ·   ·  Flag as inappropriate

    Please dont do this. We love the fact that complexity has been removed. Given Azure AD / O365 is very much end user self service, groups in groups would make this to hard for end users to manage. I would however be open to using dynamic group logic to include members from another group.

  • Patrik Lilja commented  ·   ·  Flag as inappropriate

    It would be useful if migrated and native Azure AD security group could be a member of an Office 365/Teams group or vice versa. Then you would not have to manage parallel groups with the same members.

  • Anonymous commented  ·   ·  Flag as inappropriate

    Is there any chance on some feedback? There has been no update (other than to say 'we're investigating') for 3 years!

  • Michael commented  ·   ·  Flag as inappropriate

    This simplifies complexity of managing SSO access for deployments of all sizes. Your competitors have it...

  • Lukas commented  ·   ·  Flag as inappropriate

    We need this Feature ASAP to keep managing Ressources by best practice RBAC group management.
    So there are ressource groups nested in role groups.

  • Mike Pagán commented  ·   ·  Flag as inappropriate

    With best practices generally being use groups in groups for management, it would be helpful if Azure AD would support them also.

  • Vin Latus commented  ·   ·  Flag as inappropriate

    As to the question of use cases from October 19th, using local groups to assign permissions has been a best practice recommendation for ages. In my mind it still applies in these Azure AD situations.

    https://social.technet.microsoft.com/wiki/contents/articles/52587.active-directory-design-considerations-and-best-practices.aspx#AD_Group_Management

    https://en.wikipedia.org/wiki/AGDLP

  • Rob West commented  ·   ·  Flag as inappropriate

    Please, please, please. This seems like a significant design issue. We cannot properly implement Role Based Access for applications without nested group support.

  • Anonymous commented  ·   ·  Flag as inappropriate

    please resolve this issue. nesting should have been a day one requirement

  • Quirijn van Tilburg commented  ·   ·  Flag as inappropriate

    We require group nesting for the scenarios where it's not supported. Please add support for those scenarios:
    - App role assignment (assigning groups to an app is supported, but groups nested within the directly assigned group will not have access), both for access and for provisioning
    - Group-based licensing (assigning a license automatically to all members of a group)
    - Office 365 Groups

← Previous 1 3 4 5 6 7 8

Azure Active Directory: SaaS Applications

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice