Add support for nested groups in Azure AD (app access and provisioning, group-based licensing)
A lot of organizations use nested groups in on-premises AD. Synchronizing these groups to Azure AD has no value today, but the group itself has value on-premises.
Creating a new group in AD with only users and then synchronizing it to Azure AD creates extra administration for administrators and confusion for end users.
Dynamic Groups in Azure AD as of today don't have support for "Member Of" or similar, hence don't solve the problem.
Adding nested groups to Azure AD would add a lot of value to Azure AD.
We're continuing to investigate options for adding this support. There are technical challenges to overcome in order to make this happen. We thank you for all your valuable comments so far, and welcome any additional feedback you have on the most important use cases involved in these scenarios.
[Deleted User] commented
Provisioning of nested groups is super important, as most customers use nested groups in on-prem AD.
Chris Stoneham commented
This one is the most important to me:
App role assignment (assigning a group to an app (or app role within an app), both for access and for provisioning, applies only to direct members)
First time setting up Enterprise Applications for Seamless Single-Sign On and I can't use this how I intended due to lack of Nested Group support.
Scenarios where nested groups are not yet supported:
- App role assignment (assigning a group to an app (or app role within an app), both for access and for provisioning, applies only to direct members)
- Group-based licensing (assigning a license automatically to all members of a group)
John Abrahamson commented
I need to create Nested Groups for Dynamics 365 user license assignment: a Master Group with two SGs within it, one for Enterprise Developer licensees and one for Team Member licensees. The users will be in the licensee SGs. If this is possible, is it necessary to have unique group membership? (i.e. a user can NOT be a member of both groups.)
Any idea when we can assign apps using nested groups? I'm really waiting for this feature.
Karl Kendall commented
This would be a very useful feature. Voted.
jan gazda commented
Missing this feature is a total disaster for me.
Flat groups could work only for really small teams or organisations.
Especially after the introduction of the magical Office 365 groups, which claim to be cross-application, but whose real behaviour is very much dependent on the app (AAD/EXO...).
I have a simple requirement:
Have a dynamic O365 group with e-mail as a member of a static O365 group.
Robert Tucker commented
Please do not enable nested groups in O365. The key here is that users adding groups may provide unintended access to users who are nested. We want to keep O365 Groups controllable through individuals only.
Peter Selch Dahl commented
I supported this idea. It is a HUGE ask among customers.
I am unable to achieve the first item listed (add groups as members of other groups) in AAD. While the portal pops a notification indicating I have successfully added a group to a group, this is not reflected afterwards in the group's members or memberships.
Karl Kendall commented
It would be really useful if enterprise applications supported nested group assignment. Following some role-based access control models, it would be required to nest 1/2 layers.
I understand that nested groups can cause things to become messy if organisations assign nested groups inside nested groups; down it can go on and on until you're 15 layers deep inside a group... So even if it was depth-limited to 1/2 nested groups, this would still be useful.
Please, add support for assignment of App roles to nested groups. As it stands we have to have a huge list of groups defined at the enterprise application level, which creates quite an overhead. We would prefer to be able to assign access to e.g. an Azure-AG-appname-readonly group assigned the readonly role, and have users in dynamic child groups (e.g. Azure-AG-BU-Finance, Azure-AG-BU-Sales, etc.) automatically assigned the role.
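The two gaps raised above (the "applies only to direct members" scenarios in the list of unsupported cases, and the role-group-over-child-groups pattern with a nesting depth limit in the last comments) can be made concrete offline. The following is an added example written for this page, not code from Microsoft or from any commenter; it models the directory as a plain dictionary of group-to-direct-member lists and flattens nested membership with a depth limit and cycle handling. All group and user names (Azure-AG-appname-readonly, Azure-AG-BU-Finance, alice, bob, ...) are constructed sample data, and the function names are this example's own.

```python
"""
Offline model of how a nested-group assignment differs from a direct-only one.

Assumption (not from the page): a directory is a dict mapping a group id to
its direct members, each tagged "user" or "group", mirroring the shape of a
group's member list. The sample below is constructed for illustration.
"""
from collections import deque

# Constructed sample: one role group that nests business-unit groups, plus a
# membership cycle (Sales contains the role group again) to show it is handled.
DIRECTORY = {
    "Azure-AG-appname-readonly": [
        ("group", "Azure-AG-BU-Finance"),
        ("group", "Azure-AG-BU-Sales"),
        ("user", "alice"),
    ],
    "Azure-AG-BU-Finance": [
        ("user", "bob"),
        ("group", "Azure-AG-BU-Finance-Contractors"),
    ],
    "Azure-AG-BU-Sales": [
        ("user", "carol"),
        ("group", "Azure-AG-appname-readonly"),  # cycle back to the role group
    ],
    "Azure-AG-BU-Finance-Contractors": [("user", "dave")],
}


def direct_users(group, directory):
    """Users an assignment that 'applies only to direct members' actually covers."""
    return {member for kind, member in directory.get(group, []) if kind == "user"}


def transitive_users(group, directory, max_depth=None):
    """Flatten nested membership breadth-first.

    max_depth=None follows nesting without limit, 0 is direct members only,
    1 allows one level of child groups, and so on. Each group is expanded at
    most once, so membership cycles terminate; BFS reaches every group first
    at its shallowest depth, so the limit is applied consistently.
    """
    seen_groups = {group}
    users = set()
    queue = deque([(group, 0)])
    while queue:
        current, depth = queue.popleft()
        for kind, member in directory.get(current, []):
            if kind == "user":
                users.add(member)
            elif member not in seen_groups and (max_depth is None or depth < max_depth):
                seen_groups.add(member)
                queue.append((member, depth + 1))
    return users


def missed_by_direct_assignment(group, directory):
    """Users who hold the group transitively but would not receive a direct-only
    app role or license assignment. The same set is what a nesting-aware
    assignment would newly grant, which is what an access review should look at."""
    return transitive_users(group, directory) - direct_users(group, directory)


if __name__ == "__main__":
    role_group = "Azure-AG-appname-readonly"
    print("direct only:      ", sorted(direct_users(role_group, DIRECTORY)))
    print("one level nested: ", sorted(transitive_users(role_group, DIRECTORY, max_depth=1)))
    print("fully flattened:  ", sorted(transitive_users(role_group, DIRECTORY)))
    print("not covered today:", sorted(missed_by_direct_assignment(role_group, DIRECTORY)))
```

With the sample data, a direct-only assignment on the role group reaches only alice, a one-level limit adds bob and carol, and full flattening adds dave from the contractor group two levels down. Against a live tenant the flattened set corresponds to what Microsoft Graph returns from a group's transitiveMembers relationship, so the same diff (transitive minus direct) can be computed from real data to see who a direct-only assignment leaves out, or who a nesting-aware one would add.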
Per-Erik Broz commented
Please, add support for Group-based licensing (assigning a license automatically to all members of a group). We are using AGDLP heavily, and licenses are assigned to DL groups for roles and departments.
Mark van Lierop commented
Is there any update about nested groups in group-based licensing, or when it will become available? We are using AGDLP and we would like to continue using this method for group-based licensing. We'd rather not make exceptions...
Why is this feature not already here after all those years of Azure AD? It's a "basic" feature in on-prem AD; why is it not in Azure?
Andrew Collins commented
I am also interested in the timeline on when the unsupported scenarios will be supported.
Thank you for the update Philippe Signoret
Can you please provide a timeline on when the unsupported scenarios will be supported?
Nested groups are the best solution for keeping administration non-redundant.
That helps to keep the groups clean and up to date.
Those who don't believe in this have maybe only handled a group with a very limited number of accounts.
Allowing nested groups to control access in the Access Panel would also be awesome!!
I've been able to use nested groups with Azure AD (non-B2C, via the classic portal) but I can see it is not supported via B2C. (https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-limitations#restriction-on-nested-groups)
This is a massive limitation for us, where we want to use Azure AD for authentication AND authorisation via groups (hardly a new concept!) and mix Azure AD accounts and social logins.