How can we improve Azure Active Directory?

Add support for nested groups in Azure AD (app access and provisioning, group-based licensing)

A lot of organizations use nested groups in on-premise AD. Synchronizing these groups to Azure AD has no value today. But the group itself has value on-premise.
Creating a new group in AD with only users and then synchronizing it to Azure AD creates extra administration for administrators and confusion for end-users.

Dynamic Groups in Azure AD as of today don’t have support for “Member Of” or similar hence don’t solve the problem.

Adding nested groups to Azure AD would add a lot of value to Azure AD.

1,002 votes

Michael shared this idea

114 comments

  • Chad H commented

    I don’t think Microsoft have thought about the management of the directory. The approach seems free for all rather than structured. Nesting groups would help at least give some flexibility to maintain control.

  • Anonymous commented

    Starting this week, it seems that nested groups are no longer supported in Azure AD conditional access? "This is unbelievable lame" +1

  • Bill commented

    +1 vote need for nested group based licensing for Office365

  • Justin Siegard commented

    Specifically I'd like to nest local security groups from on prem into office 365 groups so we can build teams/SharePoint sites around these groups. Or even create dynamic groups based off existing group membership.

  • Joshua M commented

    Yikes - OKTA can support nested AD groups. So...

    We need nested groups. Would like to see the Azure AD cloud solutions be able to work with on-premises AD structures. Right now you're asking customers to re-work their org due to limitations on your cloud product....a limitation your competition doesn't have.

  • Anonymous commented

    Nested groups is a key concept for implementing role based administration. The ability to have groups for assigning access to specific resources and then groups for defining resource access for specific roles helps administration as well as access auditing. I would love to see nested groups in Azure Active Directory.

  • Taklemakam Baf-ikybaf commented

    This is unbelievable lame. The workaround (and also the way you should implement it) is just to write a script for "flattening" the nested group into one.

  • Milton Yates commented

    We have a *lot* of nested groups in our org, sometimes deeply nested, which are used for all sorts of permissions. I was quite surprised that this wasn't built into the product already, since it's so well-supported in pretty much all of Microsoft's existing product sets.

  • Anonymous commented

    Key one for me is Nested Group App Role Assignment. Our Enterprise App role blades are fairly unmanageable, with two or 3 apps requiring a list of over 50 groups per app assigned with the right claim! We have already had instances where the claims associated with a mobile app and a web app were inconsistent, because the admin had set the wrong claim on one of the groups. Even being only able to nest 1 level would be a massive step forward.

  • Ron commented

    Can we add nested groups enabled please? This request was posted 2 years ago!

  • Simon Butler commented

    Nested Group licensing please :-) Need it to replace over-complicated licence allocation scripting :-)

    Any ETA?

  • F. Ludwig commented

    As Neil mentioned, apparently this is not yet supported if the AD is B2C. Is that also on the roadmap? It is difficult to understand why this important feature should not be available for B2C also.
    My vote is dedicated to nested groups also in B2C.

  • Harvey Khela commented

    Any update on the following points?

    "App role assignment (assigning a groups to an app (or app role within an app), both for access and for provisioning, applies only to direct members)
    Group-based licensing (assigning a license automatically to all members of a group)"

    It's vital for our organisation and Okta flattens groups out of the box.
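
The flattening workaround mentioned in the comments above, and the "applies only to direct members" limitation quoted in the last comment, as an added example (not code from this page, from Microsoft, or from any commenter): it expands a nested group to its transitive users, tolerates circular nesting, and diffs the result against a flat group so that stale members are removed as well as new ones added. The directory contents and all group and user names are constructed for illustration, and the code assumes no user shares a name with a group.

```python
# Added example: constructed data, hypothetical names throughout.
# Each group maps to its direct members; entries that are themselves keys
# of DIRECTORY are nested groups, everything else is treated as a user.
DIRECTORY = {
    "Role-Finance":     ["alice", "Res-ERP-Users", "Res-Reports"],
    "Res-ERP-Users":    ["bob", "Team-Controllers"],
    "Res-Reports":      ["carol", "Team-Controllers"],
    "Team-Controllers": ["dave", "Role-Finance"],  # cycle back to the top
}


def direct_users(directory, group):
    """Users that are direct members: all a direct-members-only assignment sees."""
    return {m for m in directory.get(group, []) if m not in directory}


def flatten_group(directory, group):
    """Return every user reachable through nesting, tolerating cycles."""
    users, seen, stack = set(), set(), [group]
    while stack:
        current = stack.pop()
        if current in seen:  # already expanded: breaks cycles and diamonds
            continue
        seen.add(current)
        for member in directory.get(current, []):
            if member in directory:
                stack.append(member)  # nested group: expand later
            else:
                users.add(member)
    return users


def plan_sync(directory, source_group, flat_members):
    """Diff the flattened source against the flat group's current members."""
    desired = flatten_group(directory, source_group)
    current = set(flat_members)
    return sorted(desired - current), sorted(current - desired)


if __name__ == "__main__":
    print("direct:", sorted(direct_users(DIRECTORY, "Role-Finance")))
    print("flattened:", sorted(flatten_group(DIRECTORY, "Role-Finance")))
    # "erin" left a nested group on-premises after the previous run.
    to_add, to_remove = plan_sync(DIRECTORY, "Role-Finance", ["alice", "bob", "erin"])
    print("add:", to_add, "remove:", to_remove)
```

The removal list matters for access control: a flattening script that only adds members leaves users with app access or licenses after they have left a nested group.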
