How can we improve Azure Active Directory?

Add support for nested groups in Azure AD (app access and provisioning, group-based licensing)

A lot of organizations use nested groups in on-premise AD. Synchronizing these groups to Azure AD has no value today, but the group itself has value on-premise.
Creating a new group in AD with only users and then synchronizing it to Azure AD creates extra administration for administrators and confusion for end users.

Dynamic Groups in Azure AD as of today don’t have support for “Member Of” or similar, and hence don’t solve the problem.

Adding nested groups to Azure AD would add a lot of value to Azure AD.

892 votes

Michael shared this idea

103 comments

  • Taklemakam Baf-ikybaf commented

    This is unbelievably lame. Workaround (and also a way how you should implement it) is just to write a script for "flattening" the nested group into one.

  • Milton Yates commented

    We have a *lot* of nested groups in our org, sometimes deeply nested, which are used for all sorts of permissions. I was quite surprised that this wasn't built into the product already, since it's so well-supported in pretty much all of Microsoft's existing product sets.

  • Anonymous commented

    Key one for me is Nested Group App Role Assignment. Our Enterprise App role blades are fairly unmanageable, with two or 3 apps requiring a list of over 50 groups per app assigned with the right claim! We have already had instances where the claims associated with a mobile app and a web app were inconsistent, because the admin had set the wrong claim on one of the groups. Even being only able to nest 1 level would be a massive step forward.

  • Ron commented

    Can we have nested groups enabled, please? This request was posted 2 years ago!

  • Simon Butler commented

    Nested Group licensing please :-) Need it to replace over-complicated licence allocation scripting :-)

    Any ETA?

  • F. Ludwig commented

    As Neil mentioned, apparently this is not yet supported if the AD is B2C. Is that also on the roadmap? It is difficult to understand why this important feature should not be available for B2C, also.
    My vote is dedicated to nested groups also in B2C.

  • Harvey Khela commented

    Any update on the following points?

    "App role assignment (assigning a groups to an app (or app role within an app), both for access and for provisioning, applies only to direct members)
    Group-based licensing (assigning a license automatically to all members of a group)"

    It's vital for our organisation and Okta flattens groups out of the box.

  • Anonymous commented

    For medium to large size businesses it's crucial to have nested groups in App Role Assignments. Not having this creates a huge management overhead.

  • BJH commented

    Nested Grouping in "App role assignment" is needed in our org for scalable application assignment for all our SaaS applications. This also allows us to stay true to a RBAC model.

  • [Deleted User] commented

    Provisioning of nested groups is super important, as most customers use nested groups in on-prem AD.

  • Chris Stoneham commented

    This one is the most important to me;

    App role assignment (assigning a groups to an app (or app role within an app), both for access and for provisioning, applies only to direct members)

    First time setting up Enterprise Applications for Seamless Single-Sign On and I can't use this how I intended due to lack of Nested Group support.

  • Rochen commented

    Scenarios where nested groups are not yet supported:
    - App role assignment (assigning a groups to an app (or app role within an app), both for access and for provisioning, applies only to direct members)
    - Group-based licensing (assigning a license automatically to all members of a group)

  • John Abrahamson commented

    I need to create Nested Groups for Dynamics 365 users license assignment: a Master Group with two SGs within it, one for Enterprise Developers licensees and one with Team member licensees. The users will be in the licensees SGs. If this is possible, is it necessary to have unique group membership (i.e. a user can NOT be a member of both groups)?

  • Anonymous commented

    Any idea when we can assign apps using nested groups? I'm really waiting for this feature.

  • jan gazda commented

    Missing this feature is a total disaster for me.
    Flat groups could work only for really small teams or organisations.

    Especially after the introduction of magical Office365 groups which claim to be cross-application, but whose real behaviour is very much dependent on the app (AAD/EXO..)

    I have a simple requirement:
    Have a dynamic o365 group with e-mail as a member of a static o365 group.

  • Robert Tucker commented

    Please do not enable nested groups in O365. The key here is that users adding groups may provide unintended access to users who are nested. We want to keep O365 Groups controllable through individuals only.
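
An added example, not part of any comment above and not Microsoft's or any commenter's code: a sketch of the "flattening" workaround from the first comment that also reports which users would get access only through nesting, the concern raised in the last comment. The directory contents, the `g:` group-name prefix and the function names are constructed assumptions.

```python
from collections import deque

# Constructed sample directory: group -> direct members.
# Names starting with "g:" are groups, everything else is a user (assumption).
DIRECTORY = {
    "g:app-crm-users": ["g:sales", "g:support", "alice"],
    "g:sales": ["bob", "g:sales-emea"],
    "g:sales-emea": ["carol", "g:sales"],  # nesting loop back to g:sales
    "g:support": ["dave", "alice"],
}

def is_group(name):
    return name.startswith("g:")

def flatten(directory, root):
    """Return {user: path} for every user reachable from root.

    path is the chain of groups that grants the membership; breadth-first
    search means the shortest chain is the one recorded.
    """
    paths = {}
    seen = {root}
    queue = deque([(root, [root])])
    while queue:
        group, path = queue.popleft()
        for member in directory.get(group, []):
            if is_group(member):
                if member not in seen:  # skip loops and repeated groups
                    seen.add(member)
                    queue.append((member, path + [member]))
            elif member not in paths:
                paths[member] = path
    return paths

def nested_only(directory, root):
    """Users in the flattened group who are not direct members of root."""
    direct = {m for m in directory.get(root, []) if not is_group(m)}
    return sorted(u for u in flatten(directory, root) if u not in direct)

if __name__ == "__main__":
    root = "g:app-crm-users"
    for user, path in sorted(flatten(DIRECTORY, root).items()):
        print(f"{user:6} via {' > '.join(path)}")
    print("access only through nesting:", nested_only(DIRECTORY, root))
```

Reviewing the `nested_only` list before assigning the flattened group to an app or license shows who would be granted access that a direct-members-only assignment does not give.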
