Add support for nested groups in Azure AD (app access and provisioning, group-based licensing)
A lot of organizations use nested groups in on-premises AD. Synchronizing these groups to Azure AD has no value today, but the group itself has value on-premises.
Creating a new group in AD with only users and then synchronizing it to Azure AD creates extra administration for administrators and confusion for end users.
Dynamic groups in Azure AD as of today don't have support for "Member Of" or similar and hence don't solve the problem.
Adding nested groups to Azure AD would add a lot of value to Azure AD.
We’re continuing to investigate options for adding this support. There are technical challenges to overcome in order to make this happen. We thank you for all your valuable comments so far, and welcome any additional feedback you have on what are the most important use cases involved with these scenarios.
Please add support for assignment of app roles to nested groups. As it stands we have to have a huge list of groups defined on the enterprise application level, which creates quite an overhead. We would prefer to be able to assign access to e.g. an Azure-AG-appname-readonly group assigned the readonly role, and have users in dynamic child groups, e.g. Azure-AG-BU-Finance, Azure-AG-BU-Sales etc., automatically assigned the role.
Per-Erik Broz commented
Please, add support for Group-based licensing (assigning a license automatically to all members of a group). We are using AGDLP heavily, and licenses are assigned to DL groups for roles and departments.
Mark van Lierop commented
Is there any update about nested groups in group-based licensing, or when it will become available? We are using AGDLP and we would like to continue using this method for group-based licensing. We would rather not make exceptions...
Why is this feature not already here after all those years of Azure AD? It's a "basic" feature in on-prem AD; why is it not in Azure?
Andrew Collins commented
I am also interested in the timeline on when the unsupported scenarios will be supported.
Thank you for the update, Philippe Signoret.
Can you provide a timeline on when the unsupported scenarios will be supported, please?
Nested groups are the best solution for keeping administration non-redundant.
That helps to keep the groups clean and up to date.
Those who don't believe in this have maybe only handled a group with a very limited number of accounts.
Allowing nested groups to control access in the Access Panel would also be awesome!!
I've been able to use nested groups with Azure AD (non-B2C, via the classic portal), but I can see it is not supported via B2C (https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-limitations#restriction-on-nested-groups).
This is a massive limitation for us, where we want to use Azure AD for authentication AND authorisation via groups (hardly a new concept!) and mix Azure AD accounts and social logins.
+1 - Real PITA.
I have tried this for a couple of weeks in different scenarios. Azure AD groups in Azure AD Groups. Synced AD groups added into Azure AD Groups, and it works. But is it supported? :)
It is crazy that nesting groups, a best practice with on-prem AD, is completely missing from Azure AD. From what I've found on the web, smart people have been asking for this for over 2 years. Why isn't this basic feature part of Azure AD?
Dynamic groups do provide value, but cannot be used in all situations and rely on attributes of an AD user account, which is not practical in a large enterprise environment. These are static and don't change, nor do we delegate to users the ability to change them. In cases where we want to delegate to system owners the ability to manage access (say a CRM instance), we typically authorize via an AD group and give ManagedBy rights to the owner. In a hybrid environment you want to try to limit the number of places where users/teams need to manage their groups; we don't want them having to manage in both AD and Azure. In the example of CRM Online, we authorize via a group, but it has to be an Azure group, as external users (3rd-party support) need access, and since they cannot be added to an AD-synced group they must be added to the Azure group. All of the on-premises users are members of the AD-synced group, which would allow the owner to manage as they always have, but since nesting breaks here the user has to be a member of both groups. Seems ridiculous. This is just one example where nesting is needed.
As Microsoft is starting to use resource groups (licensing), you definitely need nested group support.
@Owen I manage an Azure AD with 30,000+ users synced from 5 on-prem ADs. How many nested on-premises groups do you think exist in those ADs that I would like to leverage in Azure AD? Many. Regards, Michael
@Michael, what you say is well and good in a small environment, as it would be a small inconvenience as you say. Less so when dealing with corporate environments of 20K users, and I disagree that groups are going to be purely for roles even in Azure AD in the not too distant future.
I am strongly against this. Org trees are for hierarchy, groups are for roles. The minor convenience gained with this change would not in my opinion be worth the additional complexity of querying membership. For janky setups, dynamic groups provide a workaround.
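Added example, not from this thread or from Microsoft: a small Python model of what evaluating nested membership actually requires, using a constructed directory (invented users and groups) with an AGDLP chain synced into a cloud-only group that also holds a guest, as in the CRM scenario above. It compares direct membership with the flattened view and guards against circular nesting.

```python
from collections import deque

# Constructed directory (invented names, not tenant data). Each key is a
# principal; the value is the set of groups it is a DIRECT member of.
DIRECT_MEMBER_OF = {
    "alice@contoso.example":  {"GG-BU-Finance"},   # on-prem user, synced
    "bob@contoso.example":    {"GG-BU-Sales"},
    "vendor@partner.example": {"CRM-Users"},       # guest added straight into the cloud group
    "GG-BU-Finance":          {"DL-CRM-Access"},   # AGDLP: global group -> domain local group
    "GG-BU-Sales":            {"DL-CRM-Access"},
    "DL-CRM-Access":          {"CRM-Users"},       # synced DL group nested in the cloud-only group
    "CRM-Users":              set(),
}
USERS = {p for p in DIRECT_MEMBER_OF if "@" in p}


def transitive_member_of(principal, member_of=DIRECT_MEMBER_OF):
    """Every group reachable from `principal` through any depth of nesting.
    Breadth-first over member-of edges; `seen` also stops circular nesting
    (A contains B, B contains A), which on-premises AD allows."""
    seen, queue = set(), deque(member_of.get(principal, ()))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(member_of.get(group, ()))
    return seen


def direct_user_members(group, member_of=DIRECT_MEMBER_OF, users=USERS):
    """Users listed directly on the group: the view a system that ignores
    nesting (e.g. an assignment that only reads direct members) would use."""
    return {u for u in users if group in member_of.get(u, ())}


def effective_user_members(group, member_of=DIRECT_MEMBER_OF, users=USERS):
    """Flattened membership: the users who actually reach the group through
    nesting. The difference from direct_user_members() is who is silently
    left out when nested groups are not evaluated."""
    return {u for u in users if group in transitive_member_of(u, member_of)}


if __name__ == "__main__":
    direct = direct_user_members("CRM-Users")
    effective = effective_user_members("CRM-Users")
    print("direct only:", sorted(direct))
    print("missed without nesting:", sorted(effective - direct))
```

Running the same flattening against a real tenant is the access-review check to do before relying on a group for app or licence assignment: any user in the effective set but not the direct set is one nesting alone is expected to cover.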
David R commented
This is annoying; the workaround for us has been to use dynamic groups:
example: (user.accountEnabled -eq true) -and (user.mail -ne null) -and (user.department -ne null), or similar, will get you a group with all of your 'live' users.
Harvey Khela commented
Any updates on this? Would like to see nested groups implemented for Azure AD.
Azure AD should support the nested group feature.