Add support for nested groups in Azure AD (app access and provisioning, group-based licensing)

A lot of organizations use nested groups in on-premise AD. Syncronizing these groups to Azure AD have no value today. But the group itself have value on-premise
Creating new group in AD with only users and then synchronize it to Azure AD creates extra administration for administrators and confusion for end-users.

Dynamic Groups in Azure AD as of today don’t have support for “Member Of” or similar hence don’t solve the problem.

Adding nested groups to Azure AD would add a lot of value to Azure AD.

2,559 votes

Michael shared this idea · August 19, 2016 · Flag idea as inappropriate… · Admin →

started ·

AdminAzure AD Team (Admin, Microsoft Azure) responded · February 12, 2020

We’re currently evaluating an option that will provide the functionality offered by nested groups, but removes the complexity nested groups adds. We appreciate your patience on this ask and want to ensure we deliver a solution that benefits all of our customers. Below are use cases that we’d like for you to stack rank, with #1 being priority for you. We thank you for the continued comments and feedback.

Use case A: nested group in a cloud security group inherits apps assignment
Use case B: nested group in a cloud security group inherits license assignment
Use case C: nesting groups under Office 365 groups

Show previous admin responses (4)

started ·

AdminAzure AD Team (Admin, Microsoft Azure) responded · February 12, 2020

Use case A: nested group in a cloud security group inherits apps assignment
Use case B: nested group in a cloud security group inherits license assignment
Use case C: nesting Office 365 groups, nesting security groups under Office 365 groups

started ·

AdminAzure AD Team (Product Owner, Microsoft Azure) responded · October 19, 2018

We’re continuing to investigate options for adding this support. There are technical challenges to overcome in order to make this happen. We thank you for all your valuable comments so far, and welcome any additional feedback you have on what are the most important use cases involved with these scenarios.

started ·

AdminAzure AD Team (Software Engineer, Microsoft Azure) responded · November 01, 2017

Currently, the following scenarios DO support nested groups:

The concept (you can add groups as members of other groups)
Group membership claims (when an app is configured to receive group membership claims in the token, nested groups the signed-in user is a member of are included)
Conditional access (when scoping a conditional access policy to a group)
Restricting access to self-serve password reset
Restricting which users can do Azure AD Join and device registration

The following scenarios DO NOT supported nested groups:

App role assignment (assigning groups to an app is supported, but groups nested within the directly assigned group will not have access), both for access and for provisioning
Group-based licensing (assigning a license automatically to all members of a group)
Office 365 Groups

All of the scenarios where nested groups aren’t supported are being looked at, but we do not yet have any timelines to share. We thank you for all your valuable comments so far, and welcome any additional feedback you have on what are the most important scenario for you.

started ·

AdminAzure AD Team (Software Engineer, Microsoft Azure) responded · July 24, 2017

Currently, the following scenarios DO support nested groups:

The concept (you can add groups as members of other groups)
Group membership claims (when an app is configured to receive group membership claims in the token, nested groups the signed-in user is a member of are included)
Conditional access (when scoping a conditional access policy to a group)
Restricting access to self-serve password reset
Restricting which users can do Azure AD Join and device registration

The following scenarios DO NOT supported nested groups:

App role assignment (assigning a groups to an app (or app role within an app), both for access and for provisioning, applies only to direct members)
Group-based licensing (assigning a license automatically to all members of a group)

— Philippe Signoret

509 comments

An error occurred while saving the comment

Frank GUILAIN commented · April 08, 2021 09:47 · Flag as inappropriate

#1: A
#2: B
#3: C

Submitting...
VAN DEN EEDE Wesley EXT commented · April 07, 2021 01:32 · Flag as inappropriate

#1: A, #2: C, #3: B

Submitting...
Thomas Zarnhofer commented · April 02, 2021 00:41 · Flag as inappropriate

#1: B, #2: A, #3: C

Submitting...
Dipal Sharma commented · April 01, 2021 02:23 · Flag as inappropriate

Use case A: nested group in a cloud security group inherits apps assignment
https://dipal.in/

Submitting...
Anonymous commented · March 29, 2021 16:04 · Flag as inappropriate

1 - Use case A: nested group in a cloud security group inherits apps assignment
2 - Use case B: nested group in a cloud security group inherits license assignment
3 - Use case C: nesting groups under Office 365 groups

Submitting...
ADM - Fuchs, Michael commented · March 26, 2021 05:27 · Flag as inappropriate

Use case B: nested group in a cloud security group inherits license assignment
Use case C: nesting groups under Office 365 groups
Use case A: nested group in a cloud security group inherits apps assignment

Submitting...
Josh Turnbull commented · March 26, 2021 04:46 · Flag as inappropriate

I've just been able to authenticate a member of a nested group to a workspace in Power BI. The group was sourced from on premise AD. Does this mean nested groups are now supported in Azure AD? I can't find any announcements about this?

Submitting...
nope commented · March 24, 2021 00:51 · Flag as inappropriate

So one year on from your "Testing" and still this is not implemented. Basic features like this missing is what is holding AAD back, the current upper management team should be fired if after 5 years, of which one was spent "testing" this is still not supported, but hay teams has a slightly different UI now, WOW!

A,B,C

Submitting...
FM commented · March 19, 2021 09:58 · Flag as inappropriate

Please add this option especially if you want people to move to using Azure AD totally or mostly for SSO when you have hundreds of users in various groups to add.

Submitting...
Anonymous commented · March 18, 2021 23:32 · Flag as inappropriate

CBA

Submitting...
Adrian Pechal commented · March 18, 2021 02:12 · Flag as inappropriate

CBA

Submitting...
Anonymous commented · March 16, 2021 17:06 · Flag as inappropriate

waiting for that solution

A B C

Submitting...
David commented · March 08, 2021 11:35 · Flag as inappropriate

Absolutely crazy that this still doesn't work!

Submitting...
Anonymous commented · March 03, 2021 13:43 · Flag as inappropriate

A,C,B and yes any update on this

Submitting...
Matthias Fleschütz commented · February 25, 2021 23:29 · Flag as inappropriate

@Admin: you flagged this as started in 2017, 4 years ago! Any update here?
Regarding the use cases asked about: whats your result here?
The 'community' is desperately needing this.

Submitting...
Richard Summers commented · February 23, 2021 14:51 · Flag as inappropriate

C, B, A

Submitting...
Anonymous commented · February 20, 2021 12:50 · Flag as inappropriate

last feedback on february 2020. I don't know if it will work anytime !!!.

Please, if you want we could use AAP easily, it is a must.

Submitting...
Anonymous commented · February 16, 2021 13:30 · Flag as inappropriate

A, C, B

Submitting...
Shawn C commented · February 16, 2021 10:48 · Flag as inappropriate

C, B, A

Submitting...
Tim Nagels commented · February 15, 2021 04:27 · Flag as inappropriate

CBA

Submitting...