Add support for nested groups in Azure AD (app access and provisioning, group-based licensing)
A lot of organizations use nested groups in on-premise AD. Syncronizing these groups to Azure AD have no value today. But the group itself have value on-premise
Creating new group in AD with only users and then synchronize it to Azure AD creates extra administration for administrators and confusion for end-users.
Dynamic Groups in Azure AD as of today don’t have support for “Member Of” or similar hence don’t solve the problem.
Adding nested groups to Azure AD would add a lot of value to Azure AD.
We’re continuing to investigate options for adding this support. There are technical challenges to overcome in order to make this happen. We thank you for all your valuable comments so far, and welcome any additional feedback you have on what are the most important use cases involved with these scenarios.
Christoph Tost commented
Anytime a product group tries to release something that doesn't support nested groups, it needs to be denied immediately. Draw a line in the sand and don't allow this to happen anymore. This is a core requirement for role based access controls. These one-off functions that don't support using nested groups makes administration very challenging and increases risk.
We have pci requirements and compliance requirements for role based access. We absolutely need nested group support. Why is this not an extremely high priority.
My question is, why would this not be included? For large organizations with 84,000 + users and all the departments that access software how could this not be supported? If I add groups with tens or thousands of staff it causes issues because large groups take forever to add or remove. I constantly have to enable\disable the warning in AD Connect to allow large numbers of changes.
Bart Hoofd commented
This is a critical feature for design and control of Azure / Office365 features.
Uwe Grohne commented
Actually nested groups are working when assigning an aad app (like Azure App Proxy App), if all nested groups are security groups. Members of nested distribution groups will not have access.
Without this we cannot use our existing nested groups, so will consider OKTA.
I hope for more support
Andreas Hoferiter commented
Any news when the feature will come up?
This is much needed: 'App role assignment (assigning groups to an app is supported, but groups nested within the directly assigned group will not have access), both for access and for provisioning'
When will this be implemented?
Sujit Koduru commented
This is a must feature and is causing lot of applications to go through a churn. When you have added group based management for SaaS applications, allowing for nested group based management for SaaS application is very doable. lack of this feature is becoming an investigation hassle and management nightmare for org-wide applications.
You can use this feature only after you start an Azure AD Premium trial or purchase Azure AD Premium license plan. Group-based assignment is supported only for security groups. Nested group memberships are not supported for group-based assignment to applications at this time.
+1 on this idea
Michael Switzer commented
umm... yes please
This is a MUST have for Large Enterprises. We do not want to be forced in Micro management!!!
Role Based Access requires the support for netsted groups!
Eric W commented
Please dont do this. We love the fact that complexity has been removed. Given Azure AD / O365 is very much end user self service, groups in groups would make this to hard for end users to manage. I would however be open to using dynamic group logic to include members from another group.
Patrik Lilja commented
It would be useful if migrated and native Azure AD security group could be a member of an Office 365/Teams group or vice versa. Then you would not have to manage parallel groups with the same members.
Is there any chance on some feedback? There has been no update (other than to say 'we're investigating') for 3 years!
Adam Butler commented
This simplifies complexity of managing SSO access for deployments of all sizes. Your competitors have it...