Add support for nested groups in Azure AD (app access and provisioning, group-based licensing)
A lot of organizations use nested groups in on-premise AD. Syncronizing these groups to Azure AD have no value today. But the group itself have value on-premise
Creating new group in AD with only users and then synchronize it to Azure AD creates extra administration for administrators and confusion for end-users.
Dynamic Groups in Azure AD as of today don’t have support for “Member Of” or similar hence don’t solve the problem.
Adding nested groups to Azure AD would add a lot of value to Azure AD.
We’re continuing to investigate options for adding this support. There are technical challenges to overcome in order to make this happen. We thank you for all your valuable comments so far, and welcome any additional feedback you have on what are the most important use cases involved with these scenarios.
Taklemakam Baf-ikybaf commented
This is unbelievable lame. Workaround (and also a way how you should implement it) just to write script for "flattering" the nested group into one.
Milton Yates commented
We have a *lot* of nested groups in our org, sometimes deeply nested, which are used for all sorts of permissions. I was quite surprised that this wasn't built into the product already, since it's so well-supported in pretty much all of Microsoft's existing product sets.
Key one for me is Nested Group App Role Assignment, our Enterprise App role blades are fairly unmanageable with two or 3 App's requiring a list of over 50 groups per app assigned with the right claim!, we have already had instances where the claims associated with a mobile app and a web app were inconstant, because the admin had set the wrong claim on one of the groups, even being only able to nest 1 level would be a massive step forward,
Jeffrey Johnson commented
any updates for the roles in nested groups feature ?
John Nowotny commented
Any timeline on this?
can we add nested groups enabled please. this request has been posted 2 years ago!
Simon Butler commented
Nested Group licensing please :-) Need it to replace over-complicated licence allocation scripting :-)
F. Ludwig commented
As Neil mentioned, apearently this is not yet supported if the AD is B2C. Is that also on the roadmap? It is difficult to understand why this important feature should not be available for b2c, also.
My vote is dedicated to nested groups also in b2c.
Harvey Khela commented
Any updated on the following points?
"App role assignment (assigning a groups to an app (or app role within an app), both for access and for provisioning, applies only to direct members)
Group-based licensing (assigning a license automatically to all members of a group)"
Its vital for our organisation and Okta flattens groups out of the box.
For medium to large size businesses it's crucial to have nested groups in App Role Assignments. Not having this creates a huge management overhead.
Nested Grouping in "App role assignment" is needed in our org for scalable application assignment for all our SaaS applications. This also allows us to stay true to a RBAC model.
[Deleted User] commented
Provisioning of nested groups are super important, as most customers use nested groups in on-prem AD.
Chris Stoneham commented
This one is the most important to me;
App role assignment (assigning a groups to an app (or app role within an app), both for access and for provisioning, applies only to direct members)
First time setting up Enterprise Applications for Seamless Single-Sign On and I can't use this how I intended due to lack of Nested Group support.
Scenario where nested groups are not yet supported:
- App role assignment (assigning a groups to an app (or app role within an app), both for access and for provisioning, applies only to direct members)
- Group-based licensing (assigning a license automatically to all members of a group)
John Abrahamson commented
I need to created Nested Groups for Dynamics 365 users license assignment; A Master Group with two SGs within it. One for Enterprise Developers licensees and One with Team member Licensees. The users will be in the Licensees SGs. If this is possible, is it necessary to have unique group membership? (i.e. - a user can NOT be a member of both groups.
Any Iiea when we can assign apps using nested groups? I'am really waiting for this feature.
Karl Kendall commented
This would be a very useful feature. Voted.
jan gazda commented
Missing this feature is total disaster for me.
Flat groups could work only for really small teams or organisations.
Especially after introduction of magical Office365 groups which claim to be cross application, but real behaviour is very much dependent on app (AAD/EXO..)
I have simple requirement:
Have dynamic o365 group with e-mail as a member of static o365group.
Robert Tucker commented
please do not enable nested groups in O365. The key here is that users adding groups may provide unintended access to users who are nested. We want to keep O365 Groups controllable through individuals only.
Peter Selch Dahl commented
I supported this idea. It is a HUGE ask among customers