Add support for nested groups in Azure AD (app access and provisioning, group-based licensing)

A lot of organizations use nested groups in on-premise AD. Syncronizing these groups to Azure AD have no value today. But the group itself have value on-premise
Creating new group in AD with only users and then synchronize it to Azure AD creates extra administration for administrators and confusion for end-users.

Dynamic Groups in Azure AD as of today don’t have support for “Member Of” or similar hence don’t solve the problem.

Adding nested groups to Azure AD would add a lot of value to Azure AD.

1,006 votes

(thinking…)

oidc

Forgot password?

Create a password

Signed in as (Sign out)

We’ll send you updates on this idea

Michael shared this idea · August 19, 2016 · Flag idea as inappropriate… · Admin →

started ·

AdminAzure AD Team (Product Owner, Microsoft Azure) responded · October 19, 2018

We’re continuing to investigate options for adding this support. There are technical challenges to overcome in order to make this happen. We thank you for all your valuable comments so far, and welcome any additional feedback you have on what are the most important use cases involved with these scenarios.

Show previous admin responses (2)

started ·

AdminAzure AD Team (Software Engineer, Microsoft Azure) responded · November 01, 2017

Currently, the following scenarios DO support nested groups:

The concept (you can add groups as members of other groups)
Group membership claims (when an app is configured to receive group membership claims in the token, nested groups the signed-in user is a member of are included)
Conditional access (when scoping a conditional access policy to a group)
Restricting access to self-serve password reset
Restricting which users can do Azure AD Join and device registration

The following scenarios DO NOT supported nested groups:

App role assignment (assigning groups to an app is supported, but groups nested within the directly assigned group will not have access), both for access and for provisioning
Group-based licensing (assigning a license automatically to all members of a group)
Office 365 Groups

All of the scenarios where nested groups aren’t supported are being looked at, but we do not yet have any timelines to share. We thank you for all your valuable comments so far, and welcome any additional feedback you have on what are the most important scenario for you.

started ·

AdminAzure AD Team (Software Engineer, Microsoft Azure) responded · July 24, 2017

Currently, the following scenarios DO support nested groups:

The concept (you can add groups as members of other groups)
Group membership claims (when an app is configured to receive group membership claims in the token, nested groups the signed-in user is a member of are included)
Conditional access (when scoping a conditional access policy to a group)
Restricting access to self-serve password reset
Restricting which users can do Azure AD Join and device registration

The following scenarios DO NOT supported nested groups:

App role assignment (assigning a groups to an app (or app role within an app), both for access and for provisioning, applies only to direct members)
Group-based licensing (assigning a license automatically to all members of a group)

— Philippe Signoret

115 comments

Add a comment…

Attach a File

(thinking…)

oidc

Forgot password?

Create a password

Signed in as (Sign out)

Submitting...

Steven Cuthill commented · June 19, 2019 10:57 · Flag as inappropriate

any updates ? its been 8 months ...
Anonymous commented · June 13, 2019 08:45 · Flag as inappropriate

Despite constant Votes for this and comments over the last few months we continue to be ignored by the Azure AD Team...
Anonymous commented · June 03, 2019 07:42 · Flag as inappropriate

Any update from the Azure AD team would be helpful...
Olivier Lauzon commented · May 28, 2019 11:56 · Flag as inappropriate

This feature is the cornerstone of a good RBAC system and needs to be implemented ASAP as working around it is a pain and really redundant.

Could you please update us with an ETA for this feature?

Thank you
Todd commented · May 23, 2019 11:35 · Flag as inappropriate

Seriously? How was this an afterthought?
Anonymous commented · May 17, 2019 07:18 · Flag as inappropriate

Same as the others...not having this feature makes migration to AAD more complex than it should be. Concerning that it wasn't there from the start.
Anonymous commented · May 16, 2019 10:53 · Flag as inappropriate

i cant believe this isnt a thing.
Ed Hirst commented · May 16, 2019 08:48 · Flag as inappropriate

Concerning that this has taken so long to get started and wasn't there from the beginning.
Luckily we are just designing our RBAC structure so can work around this, but given how many apps we have and are integrated with Azure this negates one of the biggest benefits of RBAC.
Anonymous commented · May 15, 2019 08:46 · Flag as inappropriate

Why is this not supported. Nested groups is a rather basic feature.
Anonymous commented · May 14, 2019 17:23 · Flag as inappropriate

Can Microsoft please put priority for this. We are trying to move apps from ADFS to Azure and this is a road block.
LynnG commented · May 09, 2019 10:15 · Flag as inappropriate

hitting this issue as well. This is something everyone will need.
Leif Martin Nielsen commented · April 29, 2019 05:19 · Flag as inappropriate

Please make this happen
Mario Steinmeyer commented · April 10, 2019 23:18 · Flag as inappropriate

There is absolutly need to simple manage registered Apps with RBAC.
Tim McLaughlin commented · April 10, 2019 13:36 · Flag as inappropriate

Yes, please! We are using AAD more and more via SAML and OAuth, and users are asking for the ability to use their existing group structures.
Denis Bogunic commented · April 10, 2019 03:41 · Flag as inappropriate

I'd like to throw my hat in here and second everything mentioned below. This is really a critical omission and needs to get sorted ASAP.

Any ETA?
Martin Thibeault commented · April 05, 2019 06:28 · Flag as inappropriate

This absolutly need to be present for licencing affectation
Anonymous commented · April 02, 2019 01:56 · Flag as inappropriate

As per all the comments below!
P Pelzer commented · March 29, 2019 04:24 · Flag as inappropriate

The concept of inheritance has been around since ages and part of old AD's....why not in AAD. It works for Sharepoint and such but not for App's which is just ridiculous! Please MS, make this work.
Colin Pazdzior commented · March 26, 2019 13:45 · Flag as inappropriate

Yes. Us too. This has been a standard feature of AD for years....
Anonymous commented · March 12, 2019 06:13 · Flag as inappropriate

We also want this very bad for SAML integration.