Add support for nested groups in Azure AD (app access and provisioning, group-based licensing)

A lot of organizations use nested groups in on-premise AD. Syncronizing these groups to Azure AD have no value today. But the group itself have value on-premise
Creating new group in AD with only users and then synchronize it to Azure AD creates extra administration for administrators and confusion for end-users.

Dynamic Groups in Azure AD as of today don’t have support for “Member Of” or similar hence don’t solve the problem.

Adding nested groups to Azure AD would add a lot of value to Azure AD.

1,819 votes

(thinking…)

Microsoft

Forgot password?

Create a password

Signed in as (Sign out)

We’ll send you updates on this idea

Michael shared this idea · August 19, 2016 · Flag idea as inappropriate… · Admin →

started ·

AdminAzure AD Team (Admin, Microsoft Azure) responded · February 12, 2020

We’re currently evaluating an option that will provide the functionality offered by nested groups, but removes the complexity nested groups adds. We appreciate your patience on this ask and want to ensure we deliver a solution that benefits all of our customers. Below are use cases that we’d like for you to stack rank, with #1 being priority for you. We thank you for the continued comments and feedback.

Use case A: nested group in a cloud security group inherits apps assignment
Use case B: nested group in a cloud security group inherits license assignment
Use case C: nesting groups under Office 365 groups

Show previous admin responses (4)

started ·

AdminAzure AD Team (Admin, Microsoft Azure) responded · February 12, 2020

Use case A: nested group in a cloud security group inherits apps assignment
Use case B: nested group in a cloud security group inherits license assignment
Use case C: nesting Office 365 groups, nesting security groups under Office 365 groups

started ·

AdminAzure AD Team (Product Owner, Microsoft Azure) responded · October 19, 2018

We’re continuing to investigate options for adding this support. There are technical challenges to overcome in order to make this happen. We thank you for all your valuable comments so far, and welcome any additional feedback you have on what are the most important use cases involved with these scenarios.

started ·

AdminAzure AD Team (Software Engineer, Microsoft Azure) responded · November 01, 2017

Currently, the following scenarios DO support nested groups:

The concept (you can add groups as members of other groups)
Group membership claims (when an app is configured to receive group membership claims in the token, nested groups the signed-in user is a member of are included)
Conditional access (when scoping a conditional access policy to a group)
Restricting access to self-serve password reset
Restricting which users can do Azure AD Join and device registration

The following scenarios DO NOT supported nested groups:

App role assignment (assigning groups to an app is supported, but groups nested within the directly assigned group will not have access), both for access and for provisioning
Group-based licensing (assigning a license automatically to all members of a group)
Office 365 Groups

All of the scenarios where nested groups aren’t supported are being looked at, but we do not yet have any timelines to share. We thank you for all your valuable comments so far, and welcome any additional feedback you have on what are the most important scenario for you.

started ·

AdminAzure AD Team (Software Engineer, Microsoft Azure) responded · July 24, 2017

Currently, the following scenarios DO support nested groups:

The concept (you can add groups as members of other groups)
Group membership claims (when an app is configured to receive group membership claims in the token, nested groups the signed-in user is a member of are included)
Conditional access (when scoping a conditional access policy to a group)
Restricting access to self-serve password reset
Restricting which users can do Azure AD Join and device registration

The following scenarios DO NOT supported nested groups:

App role assignment (assigning a groups to an app (or app role within an app), both for access and for provisioning, applies only to direct members)
Group-based licensing (assigning a license automatically to all members of a group)

— Philippe Signoret

400 comments

Add a comment…

Attach a File

(thinking…)

Microsoft

Forgot password?

Create a password

Signed in as (Sign out)

Submitting...

An error occurred while saving the comment

Burton Steele commented · June 05, 2020 07:36 · Flag as inappropriate

A,C,B

Submitting...
Douglas Gamache commented · June 05, 2020 06:15 · Flag as inappropriate

+1 for A, B, & C

Submitting...
Jack Siergiej commented · June 02, 2020 11:20 · Flag as inappropriate

Just make this work like regular windows security for God's sakes!! If I add a nested group to my enterprise app permissions, I should get access to the app if I'm a member of sub group. Plain and simple!!!

Not having nested group support makes for a administrative nightmare and now creates two different management models.. One for on-prem and a second for the cloud. C'mon guys!!

Submitting...
Sean Stark commented · May 29, 2020 09:08 · Flag as inappropriate

I don't think any of those use cases are what we are looking for. The primary use case is to support nested groups synced from Active Directory. Just as Active Directory supports nested groups this should be supported in Azure AD regardless of the group type. Both AD synced groups and Azure AD native groups.

Submitting...
Hasling, Sean commented · May 27, 2020 04:52 · Flag as inappropriate

+1
Rank:
Use Case B,
no to Use Case A (due to the way groups handle app membership in dynamic groups right now)
no to 3rd option

I would prefer though, for me be able to create group exceptions or requirements based on other group membership

Submitting...
Darren commented · May 19, 2020 22:11 · Flag as inappropriate

A use case is to nest groups for use in assigning a Security group to Azure resources, that contains groups containing different teams.

Submitting...
Ryan Green commented · May 19, 2020 10:26 · Flag as inappropriate

This would be very helpful and needed for us to transition from ADFS to Azure AD for SSO. It is working fine for us in ADFS and a gap for transition.

Submitting...
Noam Lesnik commented · May 18, 2020 11:52 · Flag as inappropriate

ABC

Submitting...
Abdulhaq Sayed commented · May 15, 2020 12:13 · Flag as inappropriate

Nested group in PowerBI V1 workspace group for managing workspace ownership to help team to manage the migration of workspace to V2.

Submitting...
shakshi commented · May 10, 2020 07:18 · Flag as inappropriate

really good status on rain it will make you day good
https://statusriver.com/in-the-rain-quotes/

Submitting...
Daniel commented · May 06, 2020 08:00 · Flag as inappropriate

> We’re currently evaluating an option that will provide the functionality offered by nested groups, but removes the complexity nested groups adds.

Since when do nested groups add complexity? Did I miss something?

Submitting...
Daniel commented · May 06, 2020 07:59 · Flag as inappropriate

BAC

Submitting...
Wainting commented · April 30, 2020 12:31 · Flag as inappropriate

C, A, B in that order

Submitting...
Doug commented · April 30, 2020 11:57 · Flag as inappropriate

ABC

Submitting...
Anonymous commented · April 29, 2020 12:11 · Flag as inappropriate

ABC

Submitting...
Anonymous commented · April 28, 2020 11:23 · Flag as inappropriate

all of the above

Submitting...
Anonymous commented · April 28, 2020 07:54 · Flag as inappropriate

we need this case for all cases

Submitting...
Advanced Computer Technology commented · April 23, 2020 16:21 · Flag as inappropriate

CBA

Submitting...
Jacob commented · April 22, 2020 22:16 · Flag as inappropriate

BAC

Submitting...
Andreas commented · April 22, 2020 04:49 · Flag as inappropriate

use case B #1

Submitting...