Add support for nested groups in Azure AD (app access and provisioning, group-based licensing)
A lot of organizations use nested groups in on-premises AD. Synchronizing these groups to Azure AD has no value today, but the group itself has value on-premises.
Creating a new group in AD with only users and then synchronizing it to Azure AD creates extra administration for administrators and confusion for end-users.
Dynamic Groups in Azure AD as of today don't have support for "Member Of" or similar, hence don't solve the problem.
Adding nested groups to Azure AD would add a lot of value to Azure AD.
We're currently evaluating an option that will provide the functionality offered by nested groups, but removes the complexity nested groups add. We appreciate your patience on this ask and want to ensure we deliver a solution that benefits all of our customers. Below are use cases that we'd like for you to stack rank, with #1 being the priority for you. We thank you for the continued comments and feedback.
Use case A: nested group in a cloud security group inherits apps assignment
Use case B: nested group in a cloud security group inherits license assignment
Use case C: nesting groups under Office 365 groups
P Pelzer commented
The concept of inheritance has been around for ages and has been part of old AD... why not in AAD? It works for SharePoint and such but not for Apps, which is just ridiculous! Please MS, make this work.
Colin Pazdzior commented
Yes. Us too. This has been a standard feature of AD for years....
We also want this very badly for SAML integration.
Is there any timeframe on sorting this for group-based licensing as yet? You've indicated there were none in November 2017, but it has been 15 months... any progress? Anything?
There should be support for that for rollout of SSPR and MFA. Or for the meantime, it should at least warn in setup.
Does anyone have a work around for Enterprise applications??
Please can we have an update on this, nested groups are essential for our organisation for role based access assignment.
Yes, please do this; it would make everything so much easier and neater and reduce errors.
Stephan G commented
I wrote a script for that - it's a workaround until the feature is going live. Published it today at:
I hope this helps some of you
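The workaround described above, as an added example that is not Stephan G's published script: it resolves the transitive membership of a nested group with Microsoft Graph and mirrors the resulting users into a flat cloud-only group that can then be assigned to an enterprise app or a license. The group IDs are placeholders, and the Microsoft Graph PowerShell SDK is assumed to be installed.

```powershell
# Added example (not the script published in the thread): flatten the transitive
# membership of a nested source group into a flat "mirror" group for assignment.
# Group IDs are placeholders; requires the Microsoft Graph PowerShell SDK.
param(
    [Parameter(Mandatory)] [string] $SourceGroupId,   # nested (e.g. synced) group
    [Parameter(Mandatory)] [string] $MirrorGroupId    # flat cloud-only group
)

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'GroupMember.ReadWrite.All' | Out-Null

# transitiveMembers walks every level of nesting; keep only user objects.
$wanted = @{}
Get-MgGroupTransitiveMember -GroupId $SourceGroupId -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
    ForEach-Object { $wanted[$_.Id] = $true }

# Direct members of the mirror group as they are today.
$current = @{}
Get-MgGroupMember -GroupId $MirrorGroupId -All |
    ForEach-Object { $current[$_.Id] = $true }

# Add users that are in the nested tree but missing from the mirror group.
foreach ($id in $wanted.Keys) {
    if (-not $current.ContainsKey($id)) {
        New-MgGroupMember -GroupId $MirrorGroupId -DirectoryObjectId $id
        Write-Host "added   $id"
    }
}

# Remove users who left the nested tree, so access is revoked, not only granted.
foreach ($id in $current.Keys) {
    if (-not $wanted.ContainsKey($id)) {
        Remove-MgGroupMemberByRef -GroupId $MirrorGroupId -DirectoryObjectId $id
        Write-Host "removed $id"
    }
}
```

The mirror group must be a cloud-only group, because membership of groups synchronized from on-premises AD cannot be edited in Azure AD; run the script on a schedule so removals are applied promptly.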
Really shocking that this has taken years to get 'started' on. MS need to up their game in supporting and improving services that they already have.
Group based licensing, group assignment to enterprise applications, and group assignment of conditional access policies.
On-premises ADDS was set up and configured based on recommended practices of nesting groups within other groups based on organizational structure, and an entire user life-cycle automation process was built around this structure. We will be in a hybrid Azure AD/on-premises setup for the foreseeable future, and it's not feasible to recreate and restructure everything to use flat groups.
Zak Lyles commented
This is actually pathetic... 2.5 years later and Azure AD doesn't support nested groups. Third party App SSO solutions like Okta and OneLogin have supported nested groups forever. Get your **** together Microsoft.
Christian Winther commented
How do you tackle this when the structure is already setup using Microsoft "Best Practice" IGDLA / AGDLP? Explicit permissions for all or?
I am surprised that AAD does not support Nested groups after starting SAML. Microsoft should support the nested group as soon as possible.
Is there any update on GBL with group nesting? I have a client that wants to add to an app a group that has another group as a member.
We need this feature for a structured way of managing access to cloud apps.
We need this feature for a structured way of managing access to applications
We need nested groups to organize our devices. Nesting dynamic groups is even more necessary since we cannot provision device groups in Azure. Automated and self-service processes are limited, which greatly increases administration overhead and user downtime. Explicitly assigning applications to device groups is very tedious, especially with the limited iOS attributes that dynamic group memberships can leverage. We have 30 various departments across 48 sites with organizational, site, department and program budgets. We have over 30 thousand devices with hundreds of apps. We have months invested attempting to replace AD provisioning (leveraged in other MDMs) using dynamic groups. Please work on nesting dynamic device groups and all dynamic groups.
Public Company Azure User commented
Is there any way that this can be addressed? Amazon and Google don't seem to have issues with nested groups.
We could really use this as we are considering moving from on-premises to Azure. However, our RBAC for the company is based on nested groups. The sooner the better. And the same goes for all the other features which AAD can't do versus AD.