Add support for nested groups in Azure AD (app access and provisioning, group-based licensing)

A lot of organizations use nested groups in on-premise AD. Syncronizing these groups to Azure AD have no value today. But the group itself have value on-premise
Creating new group in AD with only users and then synchronize it to Azure AD creates extra administration for administrators and confusion for end-users.

Dynamic Groups in Azure AD as of today don’t have support for “Member Of” or similar hence don’t solve the problem.

Adding nested groups to Azure AD would add a lot of value to Azure AD.

2,234 votes

(thinking…)

Microsoft

Forgot password?

Create a password

Signed in as (Sign out)

We’ll send you updates on this idea

Michael shared this idea · Aug 19, 2016 · Flag idea as inappropriate… · Admin →

started ·

AdminAzure AD Team (Admin, Microsoft Azure) responded · Feb 12, 2020

We’re currently evaluating an option that will provide the functionality offered by nested groups, but removes the complexity nested groups adds. We appreciate your patience on this ask and want to ensure we deliver a solution that benefits all of our customers. Below are use cases that we’d like for you to stack rank, with #1 being priority for you. We thank you for the continued comments and feedback.

Use case A: nested group in a cloud security group inherits apps assignment
Use case B: nested group in a cloud security group inherits license assignment
Use case C: nesting groups under Office 365 groups

Show previous admin responses (4)

started ·

AdminAzure AD Team (Admin, Microsoft Azure) responded · Feb 12, 2020

Use case A: nested group in a cloud security group inherits apps assignment
Use case B: nested group in a cloud security group inherits license assignment
Use case C: nesting Office 365 groups, nesting security groups under Office 365 groups

started ·

AdminAzure AD Team (Product Owner, Microsoft Azure) responded · Oct 19, 2018

We’re continuing to investigate options for adding this support. There are technical challenges to overcome in order to make this happen. We thank you for all your valuable comments so far, and welcome any additional feedback you have on what are the most important use cases involved with these scenarios.

started ·

AdminAzure AD Team (Software Engineer, Microsoft Azure) responded · Nov 1, 2017

Currently, the following scenarios DO support nested groups:

The concept (you can add groups as members of other groups)
Group membership claims (when an app is configured to receive group membership claims in the token, nested groups the signed-in user is a member of are included)
Conditional access (when scoping a conditional access policy to a group)
Restricting access to self-serve password reset
Restricting which users can do Azure AD Join and device registration

The following scenarios DO NOT supported nested groups:

App role assignment (assigning groups to an app is supported, but groups nested within the directly assigned group will not have access), both for access and for provisioning
Group-based licensing (assigning a license automatically to all members of a group)
Office 365 Groups

All of the scenarios where nested groups aren’t supported are being looked at, but we do not yet have any timelines to share. We thank you for all your valuable comments so far, and welcome any additional feedback you have on what are the most important scenario for you.

started ·

AdminAzure AD Team (Software Engineer, Microsoft Azure) responded · Jul 24, 2017

Currently, the following scenarios DO support nested groups:

The concept (you can add groups as members of other groups)
Group membership claims (when an app is configured to receive group membership claims in the token, nested groups the signed-in user is a member of are included)
Conditional access (when scoping a conditional access policy to a group)
Restricting access to self-serve password reset
Restricting which users can do Azure AD Join and device registration

The following scenarios DO NOT supported nested groups:

App role assignment (assigning a groups to an app (or app role within an app), both for access and for provisioning, applies only to direct members)
Group-based licensing (assigning a license automatically to all members of a group)

— Philippe Signoret

459 comments

Add a comment…

Attach a File

(thinking…)

Microsoft

Forgot password?

Create a password

Signed in as (Sign out)

Submitting...

An error occurred while saving the comment

Geert Maurissen commented · October 27, 2020 8:13 AM · Flag as inappropriate

CBA

Submitting...
Seth James commented · October 22, 2020 9:29 AM · Flag as inappropriate

Nested groups derived from AD is necessary for base-level RBAC schemas. Spent the last couple weeks getting everything set up in MyApps as an SSO solution for our org and now I'll have to unwind and go with a platform like OKTA which supports such basic functionality

Submitting...
Aaron Taylor commented · October 21, 2020 3:13 AM · Flag as inappropriate

C
A
B

Submitting...
Timothy commented · October 15, 2020 1:20 PM · Flag as inappropriate

How is this not a thing yet? Nested groups is not that complex and has been widely in use since NT. Why does it seem like the cloud often takes us back in time?

Submitting...
Gary Farrugia commented · October 15, 2020 9:15 AM · Flag as inappropriate

ABC + synchronised AD groups.

Submitting...
Jesper Madsen commented · October 14, 2020 7:35 AM · Flag as inappropriate

1:A
2:B
3:C

It is vital for assignment and provisioning for Enterprise applications. Right now we have so few possibilities.

Submitting...
Joe Fegley commented · October 13, 2020 9:33 AM · Flag as inappropriate

#1 A
#2 B
#3 C

Submitting...
Karl Alfaro commented · October 13, 2020 6:25 AM · Flag as inappropriate

BAC

Submitting...
Martin Wüthrich commented · October 11, 2020 10:15 AM · Flag as inappropriate

BAC

Submitting...
Bob Durie (RD-CA) commented · October 8, 2020 5:37 AM · Flag as inappropriate

ABC

2016? Folks! C'mon! Lets get this already! How the **** are large orgs managing without this? I'd love to live in a world without nested groups at all, so if people are doing so and not caring about this i'd love to hear about their workflow.

Submitting...
Anonymous commented · October 7, 2020 2:51 PM · Flag as inappropriate

Abc. Can anyone tell what is the planning of this? The world needs this right now. Are there work arounds possible?

Submitting...
Bart Dekker commented · October 7, 2020 12:09 AM · Flag as inappropriate

We also miss this feature. Thank you for evaluating a solution.
Our use case is: A

We want to be able to use our customers nested groups and determine what kind of roles they have assigned within the app domain. So we'd like to inherit assignments.

Submitting...
Konn, Victor commented · October 6, 2020 11:08 AM · Flag as inappropriate

ABC

Submitting...
Anonymous commented · October 6, 2020 6:36 AM · Flag as inappropriate

ABC

Submitting...
Jerome Copin commented · September 30, 2020 4:30 AM · Flag as inappropriate

ACB

Submitting...
Ismael Noble commented · September 26, 2020 3:26 PM · Flag as inappropriate

A
B
C

Submitting...
Chris Meador commented · September 25, 2020 10:19 AM · Flag as inappropriate

ABC

Submitting...
Jens Huzell commented · September 24, 2020 10:38 PM · Flag as inappropriate

ABC

Submitting...
Carlos Martinez commented · September 24, 2020 5:01 PM · Flag as inappropriate

A
B
C

Submitting...
Gert Boulliard commented · September 23, 2020 6:18 AM · Flag as inappropriate

ABC

Submitting...