How can we improve Azure Active Directory?

Add support for nested groups in Azure AD (app access and provisioning, group-based licensing)

A lot of organizations use nested groups in on-premise AD. Synchronizing these groups to Azure AD has no value today, but the group itself has value on-premise.
Creating a new group in AD with only users and then synchronizing it to Azure AD creates extra administration for administrators and confusion for end-users.

Dynamic Groups in Azure AD as of today don’t have support for “Member Of” or similar hence don’t solve the problem.

Adding nested groups to Azure AD would add a lot of value to Azure AD.

791 votes
    Michael shared this idea
    Status: started  ·  Azure AD Team (Admin, Microsoft Azure) responded:

    We’re continuing to investigate options for adding this support. There are technical challenges to overcome in order to make this happen. We thank you for all your valuable comments so far, and welcome any additional feedback you have on what are the most important use cases involved with these scenarios.

    92 comments

      • [Deleted User] commented

        Provisioning of nested groups is super important, as most customers use nested groups in on-prem AD.

      • Chris Stoneham commented

        This one is the most important to me:

        App role assignment (assigning a group to an app (or app role within an app), both for access and for provisioning, applies only to direct members)

        First time setting up Enterprise Applications for Seamless Single Sign-On and I can't use this how I intended due to lack of nested group support.

      • Rochen commented

        Scenarios where nested groups are not yet supported:
        - App role assignment (assigning a group to an app (or app role within an app), both for access and for provisioning, applies only to direct members)
        - Group-based licensing (assigning a license automatically to all members of a group)

      • John Abrahamson commented

        I need to create nested groups for Dynamics 365 user license assignment: a master group with two SGs within it, one for Enterprise Developer licensees and one with Team Member licensees. The users will be in the licensee SGs. If this is possible, is it necessary to have unique group membership? (i.e. a user can NOT be a member of both groups.)

      • Anonymous commented

        Any idea when we can assign apps using nested groups? I'm really waiting for this feature.

      • jan gazda commented

        Missing this feature is a total disaster for me.
        Flat groups could work only for really small teams or organisations.

        Especially after the introduction of magical Office365 groups which claim to be cross-application, but real behaviour is very much dependent on the app (AAD/EXO..)

        I have a simple requirement:
        Have a dynamic O365 group with e-mail as a member of a static O365 group.

      • Robert Tucker commented

        Please do not enable nested groups in O365. The key here is that users adding groups may provide unintended access to users who are nested. We want to keep O365 Groups controllable through individuals only.

      • chris commented

        I am unable to achieve the first item listed (add groups as members of other groups) in AAD. While the portal pops a notification indicating I have successfully added a group to a group, this is not reflected afterwards in group members or memberships.

      • Karl Kendall commented

        It would be really useful if enterprise applications supported nested group assignment. Following some role-based access control models it would be required to nest 1/2 layers.

        I understand that nested groups can cause things to become messy if organisations assign nested groups inside nested groups; it can go on and on until you're 15 layers deep inside a group... So even if it was depth-limited to 1/2 nested groups this would still be useful.
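To make the "direct members only" behaviour Rochen lists and the depth limit Karl suggests concrete, here is an added example (not code from this thread or from Microsoft): a small Python resolver over a constructed in-memory directory that computes direct versus effective membership with a depth cap and cycle protection, and lists the users who would gain access only through nesting, which is the concern Robert raised above. Group and user names are made up.

```python
from collections import deque

# Constructed sample directory (not real tenant data): group -> direct members.
# Names prefixed "g:" are groups, "u:" are users. The last entry nests the
# top-level group again, so the graph contains a cycle.
DIRECTORY = {
    "g:app-readonly": ["g:bu-finance", "g:bu-sales", "u:alice"],
    "g:bu-finance": ["u:bob", "g:finance-contractors"],
    "g:bu-sales": ["u:carol"],
    "g:finance-contractors": ["u:dave", "g:app-readonly"],
}


def direct_members(group, directory=DIRECTORY):
    """Users an app role assignment reaches when only direct members count."""
    return sorted(m for m in directory.get(group, []) if m.startswith("u:"))


def effective_members(group, directory=DIRECTORY, max_depth=None):
    """Users reached by following nested groups breadth-first.

    max_depth=1 expands nothing (direct members only); None means unlimited.
    Returns (users, skipped_groups) where skipped_groups were not expanded
    because the depth cap was hit. Groups already seen are not re-expanded,
    so a cycle such as finance-contractors -> app-readonly terminates.
    """
    users, seen, skipped = set(), {group}, set()
    queue = deque([(group, 1)])
    while queue:
        current, depth = queue.popleft()
        for member in directory.get(current, []):
            if member.startswith("u:"):
                users.add(member)
            elif member in seen:
                continue  # already expanded, or a cycle back to an ancestor
            elif max_depth is not None and depth >= max_depth:
                skipped.add(member)  # beyond the allowed nesting depth
            else:
                seen.add(member)
                queue.append((member, depth + 1))
    return sorted(users), sorted(skipped)


def nested_only_members(group, directory=DIRECTORY):
    """Users who hold access only via nesting: what an access review should flag."""
    effective, _ = effective_members(group, directory)
    return sorted(set(effective) - set(direct_members(group, directory)))
```

Comparing `direct_members` with `effective_members` for the same group shows exactly which users an app role or license assignment misses today, and `nested_only_members` is the list to review if nesting is ever honoured.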

      • Anonymous commented

        Please add support for assignment of app roles to nested groups. As it stands we have to have a huge list of groups defined on the enterprise application level, which creates quite an overhead. We would prefer to be able to assign access to e.g. an Azure-AG-appname-readonly group assigned the readonly role, and have users in dynamic child groups (e.g. Azure-AG-BU-Finance, Azure-AG-BU-Sales, etc.) be automatically assigned the role.

      • Per-Erik Broz commented

        Please, add support for Group-based licensing (assigning a license automatically to all members of a group). We are using AGDLP heavily, and licenses are assigned to DL groups for roles and departments.

      • Mark van Lierop commented

        Is there any update about nested groups in group-based licensing, or when it becomes available? We are using AGDLP and we would like to continue using this method for group-based licensing. We'd rather not make exceptions...

      • Anonymous commented

        Why is this feature not already here after all those years of Azure AD? It's a "basic" feature in on-prem AD; why is it not in Azure?

      • Anonymous commented

        Thank you for the update, Philippe Signoret.

        Please can you provide a timeline on when the unsupported scenarios will be supported?

      • Hans-Joachim commented

        Nested groups are the best solution for not having redundant administration.
        That helps to keep the groups clean and up to date.
        Those who don't believe in this have maybe only handled a group with a very limited number of accounts.

      • GradyD commented

        Allowing nested groups to control access in the Access Panel would also be awesome!!

      • Neil commented

        I've been able to use nested groups with Azure AD (non-B2C, via the classic portal) but I can see it is not supported via B2C (https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-limitations#restriction-on-nested-groups).

        This is a massive limitation for us, where we want to use Azure AD for authentication AND authorisation via groups (hardly a new concept!) and mix Azure AD accounts and social logins.
