Add support for nested groups in Azure AD (app access and provisioning, group-based licensing)

A lot of organizations use nested groups in on-premise AD. Syncronizing these groups to Azure AD have no value today. But the group itself have value on-premise
Creating new group in AD with only users and then synchronize it to Azure AD creates extra administration for administrators and confusion for end-users.

Dynamic Groups in Azure AD as of today don’t have support for “Member Of” or similar hence don’t solve the problem.

Adding nested groups to Azure AD would add a lot of value to Azure AD.

1,124 votes

(thinking…)

Microsoft

Forgot password?

Create a password

Signed in as (Sign out)

We’ll send you updates on this idea

Michael shared this idea · August 19, 2016 · Flag idea as inappropriate… · Admin →

started ·

AdminAzure AD Team (Product Owner, Microsoft Azure) responded · October 19, 2018

We’re continuing to investigate options for adding this support. There are technical challenges to overcome in order to make this happen. We thank you for all your valuable comments so far, and welcome any additional feedback you have on what are the most important use cases involved with these scenarios.

Show previous admin responses (2)

started ·

AdminAzure AD Team (Software Engineer, Microsoft Azure) responded · November 01, 2017

Currently, the following scenarios DO support nested groups:

The concept (you can add groups as members of other groups)
Group membership claims (when an app is configured to receive group membership claims in the token, nested groups the signed-in user is a member of are included)
Conditional access (when scoping a conditional access policy to a group)
Restricting access to self-serve password reset
Restricting which users can do Azure AD Join and device registration

The following scenarios DO NOT supported nested groups:

App role assignment (assigning groups to an app is supported, but groups nested within the directly assigned group will not have access), both for access and for provisioning
Group-based licensing (assigning a license automatically to all members of a group)
Office 365 Groups

All of the scenarios where nested groups aren’t supported are being looked at, but we do not yet have any timelines to share. We thank you for all your valuable comments so far, and welcome any additional feedback you have on what are the most important scenario for you.

started ·

AdminAzure AD Team (Software Engineer, Microsoft Azure) responded · July 24, 2017

Currently, the following scenarios DO support nested groups:

The concept (you can add groups as members of other groups)
Group membership claims (when an app is configured to receive group membership claims in the token, nested groups the signed-in user is a member of are included)
Conditional access (when scoping a conditional access policy to a group)
Restricting access to self-serve password reset
Restricting which users can do Azure AD Join and device registration

The following scenarios DO NOT supported nested groups:

App role assignment (assigning a groups to an app (or app role within an app), both for access and for provisioning, applies only to direct members)
Group-based licensing (assigning a license automatically to all members of a group)

— Philippe Signoret

135 comments

Add a comment…

Attach a File

(thinking…)

Microsoft

Forgot password?

Create a password

Signed in as (Sign out)

Submitting...

An error occurred while saving the comment

Denis Bogunic commented · August 21, 2019 08:07 · Flag as inappropriate

Anyone from the MS teams care to comment?

Submitting...
Lukas commented · August 21, 2019 06:45 · Flag as inappropriate

We need this Feature ASAP to keep managing Ressources by best practice RBAC group management.
So there are ressource groups nested in role groups.

Submitting...
Mike Pagán commented · August 20, 2019 12:50 · Flag as inappropriate

With best practices generally being use groups in groups for management, it would be helpful if Azure AD would support them also.

Submitting...
Anonymous commented · August 20, 2019 08:55 · Flag as inappropriate

Has anyone come up with work arounds for this?

Submitting...
Anonymous commented · August 12, 2019 07:18 · Flag as inappropriate

Is there any news?

Submitting...
Vin Latus commented · August 12, 2019 06:01 · Flag as inappropriate

As to the question of use cases from October 19th, using local groups to assign permissions has been a best practice recommendation for ages. In my mind it still applies in these Azure AD situations.

https://social.technet.microsoft.com/wiki/contents/articles/52587.active-directory-design-considerations-and-best-practices.aspx#AD_Group_Management

https://en.wikipedia.org/wiki/AGDLP

Submitting...
Anonymous commented · August 12, 2019 02:39 · Flag as inappropriate

any news about this topic since october 2018?

Submitting...
Rob West commented · August 05, 2019 13:56 · Flag as inappropriate

Please, please, please. This seems like a significant design issue. We cannot properly implement Role Based Access for applications without nested group support.

Submitting...
Anonymous commented · July 18, 2019 14:16 · Flag as inappropriate

please resolve this issue. nesting should have been a day one requirement

Submitting...
Vadlamani, Ramesh (RVadlamani) commented · July 18, 2019 06:32 · Flag as inappropriate

We are very keen on getting this feature that supports the provisioning of nested groups.

Submitting...
Quirijn van Tilburg commented · July 15, 2019 06:51 · Flag as inappropriate

We require group nesting for the scenarios where it's not supported. Please add support for those scenarios:
- App role assignment (assigning groups to an app is supported, but groups nested within the directly assigned group will not have access), both for access and for provisioning
- Group-based licensing (assigning a license automatically to all members of a group)
- Office 365 Groups

Submitting...
Stefano Belluomini commented · July 12, 2019 03:44 · Flag as inappropriate

3 years on and still nothing. How is RBAC simply being ignored here? And this is why people haven’t gone cloud native yet.

Submitting...
hasitha.dealwis commented · July 11, 2019 17:29 · Flag as inappropriate

Added my vote.

Submitting...
Tom Brown commented · July 11, 2019 06:05 · Flag as inappropriate

Added my vote.

Submitting...
Adam Millerchip commented · July 09, 2019 05:26 · Flag as inappropriate

Added my vote, why is this not an out the box thing?

Submitting...
Baraya, Nawaf commented · July 08, 2019 07:46 · Flag as inappropriate

added my vote

Submitting...
Jordan commented · July 03, 2019 12:05 · Flag as inappropriate

Added my vote, and still don't feel the love since this looks over a year old. On-Prem, we live on Nested Groups.

Submitting...
Anonymous commented · June 28, 2019 07:37 · Flag as inappropriate

How is this not already fixed? This seems like an absolute no brainer. This reminds me of how Teams Voice doesn't support caller-id pass through. MS thinks 90% working is good enough.

Submitting...
Anonymous commented · June 27, 2019 01:16 · Flag as inappropriate

Please add this feature.

Submitting...
Anonymous commented · June 25, 2019 14:15 · Flag as inappropriate

Really need this feature in our environment.

Submitting...