Add support for nested groups in Azure AD (app access and provisioning, group-based licensing)

A lot of organizations use nested groups in on-premise AD. Syncronizing these groups to Azure AD have no value today. But the group itself have value on-premise
Creating new group in AD with only users and then synchronize it to Azure AD creates extra administration for administrators and confusion for end-users.

Dynamic Groups in Azure AD as of today don’t have support for “Member Of” or similar hence don’t solve the problem.

Adding nested groups to Azure AD would add a lot of value to Azure AD.

2,428 votes

(thinking…)

Microsoft

Forgot password?

Create a password

Signed in as (Sign out)

We’ll send you updates on this idea

Michael shared this idea · Aug 19, 2016 · Flag idea as inappropriate… · Admin →

started ·

AdminAzure AD Team (Admin, Microsoft Azure) responded · Feb 12, 2020

We’re currently evaluating an option that will provide the functionality offered by nested groups, but removes the complexity nested groups adds. We appreciate your patience on this ask and want to ensure we deliver a solution that benefits all of our customers. Below are use cases that we’d like for you to stack rank, with #1 being priority for you. We thank you for the continued comments and feedback.

Use case A: nested group in a cloud security group inherits apps assignment
Use case B: nested group in a cloud security group inherits license assignment
Use case C: nesting groups under Office 365 groups

Show previous admin responses (4)

started ·

AdminAzure AD Team (Admin, Microsoft Azure) responded · Feb 12, 2020

Use case A: nested group in a cloud security group inherits apps assignment
Use case B: nested group in a cloud security group inherits license assignment
Use case C: nesting Office 365 groups, nesting security groups under Office 365 groups

started ·

AdminAzure AD Team (Product Owner, Microsoft Azure) responded · Oct 19, 2018

We’re continuing to investigate options for adding this support. There are technical challenges to overcome in order to make this happen. We thank you for all your valuable comments so far, and welcome any additional feedback you have on what are the most important use cases involved with these scenarios.

started ·

AdminAzure AD Team (Software Engineer, Microsoft Azure) responded · Nov 1, 2017

Currently, the following scenarios DO support nested groups:

The concept (you can add groups as members of other groups)
Group membership claims (when an app is configured to receive group membership claims in the token, nested groups the signed-in user is a member of are included)
Conditional access (when scoping a conditional access policy to a group)
Restricting access to self-serve password reset
Restricting which users can do Azure AD Join and device registration

The following scenarios DO NOT supported nested groups:

App role assignment (assigning groups to an app is supported, but groups nested within the directly assigned group will not have access), both for access and for provisioning
Group-based licensing (assigning a license automatically to all members of a group)
Office 365 Groups

All of the scenarios where nested groups aren’t supported are being looked at, but we do not yet have any timelines to share. We thank you for all your valuable comments so far, and welcome any additional feedback you have on what are the most important scenario for you.

started ·

AdminAzure AD Team (Software Engineer, Microsoft Azure) responded · Jul 24, 2017

Currently, the following scenarios DO support nested groups:

The concept (you can add groups as members of other groups)
Group membership claims (when an app is configured to receive group membership claims in the token, nested groups the signed-in user is a member of are included)
Conditional access (when scoping a conditional access policy to a group)
Restricting access to self-serve password reset
Restricting which users can do Azure AD Join and device registration

The following scenarios DO NOT supported nested groups:

App role assignment (assigning a groups to an app (or app role within an app), both for access and for provisioning, applies only to direct members)
Group-based licensing (assigning a license automatically to all members of a group)

— Philippe Signoret

487 comments

Add a comment…

Attach a File

(thinking…)

Microsoft

Forgot password?

Create a password

Signed in as (Sign out)

Submitting...

An error occurred while saving the comment

Matthias Fleschütz commented · January 25, 2021 12:10 PM · Flag as inappropriate

A (incl. logins and provisioning)
C
B

@MSFT: anything regarding roadmap scheduling here?

Submitting...
Matthias Suberg commented · January 22, 2021 7:09 AM · Flag as inappropriate

A
C
B

Submitting...
Shruti modi commented · January 19, 2021 9:39 AM · Flag as inappropriate

Till the late nineties, Goregaon was known as a middle-class private neighborhood. But, with the advancement of time, it is turning into one of the wealthiest suburbs of Surat.

Website: http://www.shrutimodi.com

Submitting...
Fehlmann Christian (IT-SWE-CC3 - Extern /A) commented · January 15, 2021 12:37 AM · Flag as inappropriate

A
B
C

Submitting...
Tapio Paananen commented · January 14, 2021 2:25 AM · Flag as inappropriate

Nested groups for apps assignment is an absolute must have, especially in larger corporate environments!

A
B
C

Submitting...
Seth James commented · January 11, 2021 12:29 PM · Flag as inappropriate

A - must work with both cloud and ad synced groups (per RBAC best practices)
B
C

Submitting...
Anonymous commented · January 4, 2021 10:10 AM · Flag as inappropriate

No puedo entrar ami cuenta

Submitting...
Dino Maglinte commented · January 4, 2021 5:26 AM · Flag as inappropriate

A
B
C

Submitting...
De Greyt Jurgen commented · December 30, 2020 3:49 AM · Flag as inappropriate

A
B
C
We use departemental groups which we assign to resource groups. A resource group could be a OnPrem group (Synced) which is added to a SharePoint Online site. Currently we see that some users have access, while others do not.

Submitting...
Martin commented · December 22, 2020 5:09 AM · Flag as inappropriate

This is another shortfall in AAD, I can use nested groups in other cloud platforms that sync with AD without issues, nested groups are a design principal of AD management and LDAP.

Submitting...
Peter Kjær commented · December 16, 2020 4:53 PM · Flag as inappropriate

1. A
2. C
3. B

Submitting...
Koen commented · December 10, 2020 7:14 AM · Flag as inappropriate

1. b
2. Nested groups for app role assignment

Submitting...
Mike's Garage commented · December 8, 2020 11:55 PM · Flag as inappropriate

Hi,

Here is my answer
1. A
2. B
3. C
Cheers

Submitting...
Anonymous commented · December 8, 2020 6:31 AM · Flag as inappropriate

Nested groups for app role assignment is an absolute must have, especially in larger corporate environments!
#1 A
#2 C
#3 B

Submitting...
Rhys commented · December 6, 2020 8:58 PM · Flag as inappropriate

#1 B
#2 C
#3 A

Submitting...
Anonymous commented · December 4, 2020 11:35 AM · Flag as inappropriate

All cases appear to not support on-prem synced security groups? This is a MUST have for the model corporate RBAC structure.
Azure resource permissions support this just fine along with many other microsoft components. How does nested groups bring in complexity!?

Submitting...
Young, Shaun, SOE commented · December 4, 2020 2:10 AM · Flag as inappropriate

A
C
B

Nested groups for app role assignment is an absolute must have, especially in larger corporate environments!

Submitting...
Matt commented · December 2, 2020 8:15 AM · Flag as inappropriate

BAC

Submitting...
BT-RivianAutomotive commented · November 30, 2020 1:38 PM · Flag as inappropriate

Use case C: nesting groups under Office 365 groups
Use case B: nested group in a cloud security group inherits license assignment
Use case A: nested group in a cloud security group inherits apps assignment

Submitting...
Andrew T commented · November 30, 2020 12:34 PM · Flag as inappropriate

#1 A
#2 B
#3 C

Submitting...