Add support for nested groups in Azure AD (app access and provisioning, group-based licensing)
A lot of organizations use nested groups in on-premise AD. Synchronizing these groups to Azure AD has no value today. But the group itself has value on-premise.
Creating a new group in AD with only users and then synchronizing it to Azure AD creates extra administration for administrators and confusion for end-users.
Dynamic Groups in Azure AD as of today don’t have support for “Member Of” or similar hence don’t solve the problem.
Adding nested groups to Azure AD would add a lot of value to Azure AD.

We’re currently evaluating an option that will provide the functionality offered by nested groups, but removes the complexity nested groups add. We appreciate your patience on this ask and want to ensure we deliver a solution that benefits all of our customers. Below are use cases that we’d like for you to stack rank, with #1 being priority for you. We thank you for the continued comments and feedback.
Use case A: nested group in a cloud security group inherits apps assignment
Use case B: nested group in a cloud security group inherits license assignment
Use case C: nesting groups under Office 365 groups
487 comments
-
Matthias Fleschütz commented
A (incl. logins and provisioning)
C
B
@MSFT: anything regarding roadmap scheduling here?
-
Matthias Suberg commented
A
C
B
-
A
B
C
-
Tapio Paananen commented
Nested groups for apps assignment is an absolute must have, especially in larger corporate environments!
A
B
C
-
Seth James commented
A - must work with both cloud and AD synced groups (per RBAC best practices)
B
C
-
Anonymous commented
I can't get into my account
-
Dino Maglinte commented
A
B
C
-
De Greyt Jurgen commented
A
B
C
We use departmental groups which we assign to resource groups. A resource group could be an OnPrem group (Synced) which is added to a SharePoint Online site. Currently we see that some users have access, while others do not.
-
Martin commented
This is another shortfall in AAD. I can use nested groups in other cloud platforms that sync with AD without issues; nested groups are a design principle of AD management and LDAP.
-
Peter Kjær commented
1. A
2. C
3. B
-
Koen commented
1. b
2. Nested groups for app role assignment
-
Mike's Garage commented
Hi,
Here is my answer
1. A
2. B
3. C
Cheers
-
Anonymous commented
Nested groups for app role assignment is an absolute must have, especially in larger corporate environments!
#1 A
#2 C
#3 B
-
Rhys commented
#1 B
#2 C
#3 A
-
Anonymous commented
All cases appear to not support on-prem synced security groups? This is a MUST have for the model corporate RBAC structure.
Azure resource permissions support this just fine along with many other Microsoft components. How do nested groups bring in complexity!?
-
Young, Shaun, SOE commented
A
C
B
Nested groups for app role assignment is an absolute must have, especially in larger corporate environments!
-
Matt commented
BAC
-
BT-RivianAutomotive commented
Use case C: nesting groups under Office 365 groups
Use case B: nested group in a cloud security group inherits license assignment
Use case A: nested group in a cloud security group inherits apps assignment
-
Andrew T commented
#1 A
#2 B
#3 C