Add support for nested groups in Azure AD (app access and provisioning, group-based licensing)
A lot of organizations use nested groups in on-premise AD. Synchronizing these groups to Azure AD has no value today. But the group itself has value on-premise.
Creating a new group in AD with only users and then synchronizing it to Azure AD creates extra administration for administrators and confusion for end-users.
Dynamic Groups in Azure AD as of today don’t have support for “Member Of” or similar, hence don’t solve the problem.
Adding nested groups to Azure AD would add a lot of value to Azure AD.
We’re continuing to investigate options for adding this support. There are technical challenges to overcome in order to make this happen. We thank you for all your valuable comments so far, and welcome any additional feedback you have on what are the most important use cases involved with these scenarios.
+1 on this idea
Michael Switzer commented
umm... yes please
This is a MUST have for Large Enterprises. We do not want to be forced into micromanagement!!!
Role Based Access requires the support for nested groups!
Eric W commented
Please don't do this. We love the fact that complexity has been removed. Given Azure AD / O365 is very much end user self service, groups in groups would make this too hard for end users to manage. I would however be open to using dynamic group logic to include members from another group.
Patrik Lilja commented
It would be useful if migrated and native Azure AD security groups could be a member of an Office 365/Teams group or vice versa. Then you would not have to manage parallel groups with the same members.
Is there any chance on some feedback? There has been no update (other than to say 'we're investigating') for 3 years!
Adam Butler commented
This simplifies complexity of managing SSO access for deployments of all sizes. Your competitors have it...
Denis Bogunic commented
Anyone from the MS teams care to comment?
We need this feature ASAP to keep managing resources by best practice RBAC group management.
So there are resource groups nested in role groups.
Mike Pagán commented
With best practices generally being to use groups in groups for management, it would be helpful if Azure AD would support them also.
Has anyone come up with workarounds for this?
Is there any news?
Vin Latus commented
As to the question of use cases from October 19th, using local groups to assign permissions has been a best practice recommendation for ages. In my mind it still applies in these Azure AD situations.
Any news about this topic since October 2018?
Rob West commented
Please, please, please. This seems like a significant design issue. We cannot properly implement Role Based Access for applications without nested group support.
Please resolve this issue. Nesting should have been a day one requirement.
Vadlamani, Ramesh (RVadlamani) commented
We are very keen on getting this feature that supports the provisioning of nested groups.
Quirijn van Tilburg commented
We require group nesting for the scenarios where it's not supported. Please add support for those scenarios:
- App role assignment (assigning groups to an app is supported, but groups nested within the directly assigned group will not have access), both for access and for provisioning
- Group-based licensing (assigning a license automatically to all members of a group)
- Office 365 Groups
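
The gap described in the first bullet above can be audited by comparing direct membership with membership reached through nesting. The following is an added example, not part of the original comment and not Microsoft code; the group names, the `MEMBERS` data and all function names are constructed for illustration, and no directory API is called.

```python
from collections import deque

# Constructed sample data: group -> direct members ("u:" = user, "g:" = group).
MEMBERS = {
    "g:app-finance": ["u:alice", "g:ledger-readers"],
    "g:ledger-readers": ["u:bob", "g:contractors"],
    "g:contractors": ["u:carol", "g:app-finance"],  # circular nesting
}

def direct_users(group, members=MEMBERS):
    """Users who are direct members; per the comment, only these get access."""
    return {m for m in members.get(group, []) if m.startswith("u:")}

def transitive_users(group, members=MEMBERS):
    """Map each user reachable through nesting to the group chain that reaches them."""
    found = {}
    seen = {group}
    queue = deque([[group]])
    while queue:
        path = queue.popleft()
        for m in members.get(path[-1], []):
            if m.startswith("u:"):
                found.setdefault(m, path)  # keep the shortest chain
            elif m not in seen:            # guard against circular nesting
                seen.add(m)
                queue.append(path + [m])
    return found

def access_gap(assigned_group, members=MEMBERS):
    """Users covered only through nested groups, with the chain that holds them."""
    direct = direct_users(assigned_group, members)
    return {u: p for u, p in transitive_users(assigned_group, members).items()
            if u not in direct}

if __name__ == "__main__":
    for user, chain in sorted(access_gap("g:app-finance").items()):
        print(user, "via", " > ".join(chain))
```

Each entry in the result is a user an administrator may expect to be covered by the app assignment or license but who is only a member of a nested group, together with the chain to review.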