How can we improve Azure Active Directory?

Add support for nested groups in Azure AD (app access and provisioning, group-based licensing)

A lot of organizations use nested groups in on-premise AD. Synchronizing these groups to Azure AD has no value today. But the group itself has value on-premise.
Creating a new group in AD with only users and then synchronizing it to Azure AD creates extra administration for administrators and confusion for end-users.

Dynamic Groups in Azure AD as of today don’t have support for “Member Of” or similar, hence don’t solve the problem.

Adding nested groups to Azure AD would add a lot of value to Azure AD.

897 votes

Michael shared this idea

103 comments

  • Tim McLaughlin commented

    Yes, please! We are using AAD more and more via SAML and OAuth, and users are asking for the ability to use their existing group structures.

  • Denis Bogunic commented

    I'd like to throw my hat in here and second everything mentioned below. This is really a critical omission and needs to get sorted ASAP.

    Any ETA?

  • P Pelzer commented

    The concept of inheritance has been around for ages and is part of old ADs... why not in AAD? It works for SharePoint and such but not for apps, which is just ridiculous! Please MS, make this work.

  • Justin commented

    Is there any timeframe on sorting this for group-based licensing as yet? You've indicated there were none in November 2017, but it has been 15 months... any progress? Anything?

  • Kazzan commented

    There should be support for that for rollout of SSPR and MFA. Or, in the meantime, it should at least warn in setup.

  • Anonymous commented

    Please can we have an update on this? Nested groups are essential for our organisation for role-based access assignment.

  • t commented

    Yes, please do this. It would make everything so much easier and neater and reduce errors.

  • steven.cuthill commented

    Really shocking that this has taken years to get 'started' on. MS need to up their game in supporting and improving services that they already have.

  • Josh commented

    Group based licensing, group assignment to enterprise applications, and group assignment of conditional access policies.

    On-premises ADDS was set up and configured based on recommended practices of nesting groups within other groups based on organizational structure, and an entire user life-cycle automation process was built around this structure. We will be in a hybrid Azure AD/On-premises for the foreseeable future, and it's not feasible to recreate and restructure everything to use flat groups.

  • Zak Lyles commented

    This is actually pathetic... 2.5 years later and Azure AD doesn't support nested groups. Third-party App SSO solutions like Okta and OneLogin have supported nested groups forever. Get your **** together Microsoft.

  • Christian Winther commented

    How do you tackle this when the structure is already set up using Microsoft "Best Practice" IGDLA / AGDLP? Explicit permissions for all or?

  • Anonymous commented

    I am surprised that AAD does not support Nested groups after starting SAML. Microsoft should support the nested group as soon as possible.

  • Alfredo commented

    Is there any update on GBL on group nesting? Have a client that wants to add to an app a group that has another group as a member.
