How can we improve Azure Active Directory?

Add support for nested groups in Azure AD (app access and provisioning, group-based licensing)

A lot of organizations use nested groups in on-premises AD. Synchronizing these groups to Azure AD has no value today, but the group itself has value on-premises.
Creating a new group in AD with only users and then synchronizing it to Azure AD creates extra administration for administrators and confusion for end users.

Dynamic Groups in Azure AD as of today don't have support for "Member Of" or similar, hence they don't solve the problem.

Adding nested groups to Azure AD would add a lot of value to Azure AD.

671 votes

    Michael shared this idea
    Status: started  ·  Azure AD Team (Admin, Microsoft Azure) responded:

    We’re continuing to investigate options for adding this support. There are technical challenges to overcome in order to make this happen. We thank you for all your valuable comments so far, and welcome any additional feedback you have on what are the most important use cases involved with these scenarios.

    79 comments

      • Per-Erik Broz commented:

        Please, add support for Group-based licensing (assigning a license automatically to all members of a group). We are using AGDLP heavily, and licenses are assigned to DL groups for roles and departments.

      • Mark van Lierop commented:

        Is there any update about nested groups in group-based licensing, or when it will become available? We are using AGDLP and we would like to continue using this method for group-based licensing. We would rather not make exceptions...

      • Anonymous commented:

        Thank you for the update, Philippe Signoret.

        Can you please provide a timeline on when the unsupported scenarios will be supported?

      • Hans-Joachim commented:

        Nested groups are the best solution for keeping administration non-redundant.
        That helps to keep the groups clean and up to date.
        Those who don't believe in this may have only ever handled a group with a very limited number of accounts.

      • GradyD commented:

        Allowing nested groups to control access in the Access Panel would also be awesome!!

      • Neil commented:

        I've been able to use nested groups with Azure AD (non b2c - via the classic portal) but I can see it is not supported via b2c. (https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-limitations#restriction-on-nested-groups).

        This is a massive limitation for us, where we want to use Azure AD for authentication AND authorisation via groups (hardly a new concept!) and mix Azure AD accounts and social logins.

      • Michael commented:

        I have tried this for a couple of weeks in different scenarios. Azure AD groups in Azure AD Groups. Synced AD groups added into Azure AD Groups, and it works. But is it supported? :)
        Regards, Michael

      • DalyDBA commented:

        It is crazy that nesting groups, a best practice with on-prem AD, is completely missing from Azure AD. From what I've found on the web, smart people have been asking for this for over 2 years. Why isn't this basic feature part of Azure AD?

      • Anonymous commented:

        Dynamic groups do provide value, but cannot be used in all situations and rely on attributes of an AD user account, which is not practical in a large enterprise environment. These are static and don't change, nor do we delegate to users the ability to change them. In cases where we want to delegate to system owners the ability to manage access (say a CRM instance), we typically would authorize via an AD group and give ManagedBy rights to the owner. In a hybrid environment you want to try to limit the number of places where users\teams need to manage their groups. We don't want them having to manage in both AD and Azure. In the example of CRM Online, we authorize via a group, but it has to be an Azure group as external users (3rd party support) need access, and since they cannot be added to an AD-synced group they must be added to the Azure group. All of the on-premises users are members of the AD-synced group, which would allow the owner to manage as they always have, but since nesting breaks here the users have to be members of both groups. Seems ridiculous. This is just one example where nesting is needed.

      • Anonymous commented:

        As Microsoft is starting to use resource groups (licensing), you definitely need nested group support.

      • Michael commented:

        @Owen I manage an Azure AD with 30,000+ users synced from 5 on-prem ADs. How many nested on-premises groups do you think exist in those ADs that I would like to leverage in Azure AD? Many. Regards, Michael

      • Owen commented:

        @Michael, what you say is well and good in a small environment, as it would be a small inconvenience as you say. Less so when dealing with corporate environments of 20K users, and I disagree that groups are going to be purely for roles even in Azure AD in the not too distant future.

      • Michael commented:

        I am strongly against this. Org trees are for hierarchy, groups are for roles. The minor convenience gained with this change would not in my opinion be worth the additional complexity of querying membership. For janky setups, dynamic groups provide a workaround.

      • David R commented:

        This is annoying; the workaround for us has been to use the dynamic groups:
        https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-manage-groups
        https://docs.microsoft.com/en-us/azure/active-directory/active-directory-accessmanagement-groups-with-advanced-rules

        Example: (user.accountEnabled -eq true) -and (user.mail -ne $Null) -and (user.department -ne $Null), or similar, will get you a group with all of your 'live' users.

      • Anonymous commented:

        It's funny that you have a feedback category of "Role-based Access Control" yet the directory itself fails to provide the most basic role based control possible.

        Why does Azure AD still not support Nested Groups? You provide the ability to add a group within a group but you cannot use them. This is incredibly frustrating that I must create groups and directly populate them with users and it must be even more frustrating for organisations which sync their onsite AD with AAD only to find that the groups can't be used but must be flattened.

        Please can you provide a timeline of when you will support Nested Groups both for licensing and SaaS applications.

        Thanks
        David Pattie
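The recurring complaint in this thread is that nesting is honoured on-premises but only direct user members count in the cloud for licensing and app assignment, so admins end up "flattening" groups by hand, and dynamic groups cannot help because they evaluate user attributes rather than "Member Of". The following is an added example, not code from the thread or from Microsoft, that makes the gap concrete: given a constructed AGDLP-style nesting tree, it computes the transitive (flattened) membership a cloud group would need as direct members, survives a nesting cycle, and lists the users a direct-member-only evaluation would silently drop. All group and user names are constructed.

```python
"""Flatten nested group membership for a directory that evaluates only
direct user members (added example; all names below are constructed).

On-premises AD resolves membership transitively (AGDLP: accounts -> global
groups -> domain local groups -> permissions). A cloud directory that syncs
the group objects but honours only direct users for licensing and app access
needs a flat group whose direct members are the transitive closure of the
nested tree. This computes that closure and reports what would be missed.
"""
from collections import deque

# Constructed sample: group -> direct members (a mix of users and groups).
# GG-Sales-Managers nests GG-Sales again, creating a cycle on purpose.
NESTED = {
    "DL-CRM-Users": {"GG-Sales", "GG-Support", "alice"},
    "GG-Sales": {"bob", "carol", "GG-Sales-Managers"},
    "GG-Sales-Managers": {"dave", "GG-Sales"},
    "GG-Support": {"erin"},
}


def is_group(name, groups):
    """A member is a group if it has its own membership entry."""
    return name in groups


def direct_users(group, groups):
    """Members a direct-only evaluation honours: users listed on the group itself."""
    return {m for m in groups.get(group, set()) if not is_group(m, groups)}


def transitive_users(group, groups):
    """Flattened membership: every user reachable through any depth of nesting.

    Breadth-first walk with a visited set so that a nesting cycle terminates
    instead of recursing forever.
    """
    seen_groups = {group}
    users = set()
    queue = deque([group])
    while queue:
        current = queue.popleft()
        for member in groups.get(current, set()):
            if is_group(member, groups):
                if member not in seen_groups:
                    seen_groups.add(member)
                    queue.append(member)
            else:
                users.add(member)
    return users


def missing_after_sync(group, groups):
    """Users entitled on-premises that a direct-member-only evaluation drops."""
    return transitive_users(group, groups) - direct_users(group, groups)


def flattened_groups(groups):
    """Flat definitions to provision: each group with only user members."""
    return {g: transitive_users(g, groups) for g in groups}


if __name__ == "__main__":
    for name, members in sorted(flattened_groups(NESTED).items()):
        print(f"{name}: direct={sorted(direct_users(name, NESTED))} "
              f"flat={sorted(members)} "
              f"dropped={sorted(missing_after_sync(name, NESTED))}")
```

Running it shows DL-CRM-Users with a single direct user but five flattened members, which is exactly the "users must be members of both groups" duplication the Anonymous CRM comment describes; the flattened sets are what an admin would have to push into the cloud-side groups until nesting is evaluated there.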

