Add support for nested groups in Azure AD (app access and provisioning, group-based licensing)
A lot of organizations use nested groups in on-premises AD. Synchronizing these groups to Azure AD has no value today, but the groups themselves have value on-premises.
Creating a new group in AD with only users and then synchronizing it to Azure AD creates extra administration for administrators and confusion for end users.
Dynamic Groups in Azure AD as of today don't have support for "Member Of" or similar, hence don't solve the problem.
Adding nested groups to Azure AD would add a lot of value to Azure AD.
We're continuing to investigate options for adding this support. There are technical challenges to overcome in order to make this happen. We thank you for all your valuable comments so far, and welcome any additional feedback you have on what the most important use cases involved with these scenarios are.
Mario Steinmeyer commented
There is absolutely a need to simply manage registered Apps with RBAC.
Tim McLaughlin commented
Yes, please! We are using AAD more and more via SAML and OAuth, and users are asking for the ability to use their existing group structures.
Denis Bogunic commented
I'd like to throw my hat in here and second everything mentioned below. This is really a critical omission and needs to get sorted ASAP.
Martin Thibeault commented
This absolutely needs to be present for licensing assignment.
As per all the comments below!
P Pelzer commented
The concept of inheritance has been around for ages and is part of old AD... why not in AAD? It works for SharePoint and such but not for Apps, which is just ridiculous! Please MS, make this work.
Colin Pazdzior commented
Yes. Us too. This has been a standard feature of AD for years....
We also want this very bad for SAML integration.
Is there any timeframe on sorting this for group-based licensing as yet? You've indicated there were none in November 2017, but it has been 15 months... any progress? Anything?
There should be support for that for rollout of SSPR and MFA. Or for the meantime, it should at least warn in setup.
Does anyone have a work around for Enterprise applications??
Please can we have an update on this, nested groups are essential for our organisation for role based access assignment.
Yes, please do this. It would make everything so much easier and neater and reduce errors.
Stephan G commented
I wrote a script for that - it's a workaround until the feature is going live. Published it today at:
I hope this helps some of you
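The comment above refers to a workaround script (its link is not preserved here). As an added illustration that is not Stephan G's script and not code from Microsoft, the block below shows the core of what such a workaround has to do: expand nested group membership on the on-premises side into a flat list of users, then compute the adds and removes needed to keep a flat, cloud-synced group in step. The directory snapshot, group names and user names are constructed for the example; real tooling would read them from AD and write them to the flat group. The deliberate cycle between two groups shows why the expansion must track visited groups.

```python
from collections import deque

# Constructed sample directory snapshot (not from the page): group -> direct members.
# Names starting with "grp-" are groups; anything else is a user principal.
# grp-ops and grp-infra nest into each other on purpose: cycles are legal in
# on-prem AD, and a naive recursive expansion would never terminate on them.
DIRECTORY = {
    "grp-app-access": ["grp-finance", "grp-ops", "alice"],
    "grp-finance": ["bob", "grp-finance-leads"],
    "grp-finance-leads": ["carol"],
    "grp-ops": ["dave", "grp-infra"],
    "grp-infra": ["erin", "grp-ops"],
    "grp-unrelated": ["frank"],
}


def is_group(name):
    """Assumed naming convention for this constructed data: groups start with 'grp-'."""
    return name.startswith("grp-")


def flatten_members(directory, group):
    """Return the set of users who are transitively members of `group`.

    Breadth-first walk over nested groups; `seen` records every group already
    queued so that mutually nested groups are visited once and the walk ends.
    """
    users = set()
    seen = {group}
    queue = deque([group])
    while queue:
        current = queue.popleft()
        for member in directory.get(current, []):
            if is_group(member):
                if member not in seen:
                    seen.add(member)
                    queue.append(member)
            else:
                users.add(member)
    return users


def membership_diff(desired, current):
    """Users to add to and remove from the flat target group so it equals `desired`.

    Returned as sorted lists so the change set is deterministic and easy to log
    and review before it is applied; removals revoke access, so they matter most.
    """
    return sorted(desired - current), sorted(current - desired)


if __name__ == "__main__":
    flat = flatten_members(DIRECTORY, "grp-app-access")
    print("effective members:", sorted(flat))
    # Simulated current membership of the flat cloud group (constructed):
    # 'zed' is stale and should be removed, three users are missing.
    cloud_group = {"alice", "bob", "zed"}
    add, remove = membership_diff(flat, cloud_group)
    print("add:", add, "remove:", remove)
```

Two points a practitioner should keep in mind with any flattening workaround: access changes only take effect when the script next runs, so the sync interval becomes the revocation window for the application, and the computed removals should be logged and reviewed, because a mistake in the expansion (for example a renamed or deleted nested group) turns into a bulk revocation on the next run.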
Really shocking that this has taken years to get 'started' on. MS need to up their game in supporting and improving the services they already have.
Group based licensing, group assignment to enterprise applications, and group assignment of conditional access policies.
On-premises AD DS was set up and configured based on recommended practices of nesting groups within other groups based on organizational structure, and an entire user life-cycle automation process was built around this structure. We will be in a hybrid Azure AD/on-premises setup for the foreseeable future, and it's not feasible to recreate and restructure everything to use flat groups.
Zak Lyles commented
This is actually pathetic... 2.5 years later and Azure AD doesn't support nested groups. Third party App SSO solutions like Okta and OneLogin have supported nested groups forever. Get your **** together Microsoft.
Christian Winther commented
How do you tackle this when the structure is already set up using Microsoft "Best Practice" IGDLA / AGDLP? Explicit permissions for all, or?
I am surprised that AAD does not support Nested groups after starting SAML. Microsoft should support the nested group as soon as possible.
Is there any update on GBL with group nesting? I have a client who wants to assign to an app a group that has another group among its members.