We’re currently evaluating an option that will provide the functionality offered by nested groups, but removes the complexity nested groups add. We appreciate your patience on this ask and want to ensure we deliver a solution that benefits all of our customers. Below are use cases that we’d like for you to stack rank, with #1 being the top priority for you. We thank you for the continued comments and feedback.
Use case A: nested group in a cloud security group inherits apps assignment
Use case B: nested group in a cloud security group inherits license assignment
Use case C: nesting groups under Office 365 groups
This is in our backlog, but votes and comments about how you would expect this to work are very helpful to our planning/designing the feature so please keep them coming.
Also, for some scenarios in this space Access Reviews (https://docs.microsoft.com/en-us/azure/active-directory/governance/manage-guest-access-with-access-reviews) can be a good way of removing users who no longer need access, including those who don’t have accounts anymore. (Thanks Shawn for pointing that out for everyone!)
Yaroslav Solovyov commented
Ideally the behaviour shall be configurable to align with an individual organisation's needs or policies. Upon detection of an account termination in the external AAD, the guest AAD can:
1. Automatically terminate the account in the guest AAD,
2. Automatically deactivate the B2B user account in the guest AAD (set "Block sign in" to "Yes") and initiate a review by a responsible person.
3. Make no change to the account and instigate a review by a responsible person (central function or Manager field).
The current user account review process lacks completeness: if a user account is neither a member of a group nor assigned to an application (e.g. directly invited to a SharePoint site, or removed from groups), such an account will not be reviewed. So, organisations wishing to have 360-degree control over Azure AD accounts, including B2B, need to augment Azure AD with either a manual process or a third-party tool such as an Identity Governance and Administration tool.
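One way to surface the gap described in the comment above, as an added example that is not part of the thread or of any Microsoft tooling: enumerate guest accounts that belong to no group and hold no application role assignment, so that they can be put in front of a reviewer by hand. It assumes the Microsoft.Graph PowerShell module and a sign-in with User.Read.All and Directory.Read.All; the cmdlet names are those of the Microsoft.Graph module, which postdates the AzureAD module in use when this thread was written.

```powershell
# Added example: list B2B guest accounts that no group- or app-scoped access
# review would ever pick up (no group membership, no app role assignment).
# Assumption: Microsoft.Graph module installed; delegated scopes below granted.
Connect-MgGraph -Scopes 'User.Read.All', 'Directory.Read.All'

$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id, UserPrincipalName, AccountEnabled, CreatedDateTime

$orphanedGuests = foreach ($guest in $guests) {
    # Groups (and directory roles) the guest is a direct member of.
    $memberships = Get-MgUserMemberOf -UserId $guest.Id -All
    # Enterprise applications the guest has been assigned to.
    $appRoles    = Get-MgUserAppRoleAssignment -UserId $guest.Id -All

    if (-not $memberships -and -not $appRoles) {
        [pscustomobject]@{
            UserPrincipalName = $guest.UserPrincipalName
            AccountEnabled    = $guest.AccountEnabled
            CreatedDateTime   = $guest.CreatedDateTime
        }
    }
}

# Output is a review list only; nothing is changed on any account here.
$orphanedGuests | Sort-Object CreatedDateTime | Format-Table -AutoSize
```

Direct SharePoint site sharing is not visible through group membership or app role assignments, so guests who only hold that kind of access still appear here as orphaned; that is exactly the case the comment calls out as unreviewed.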
We do have some capabilities in this space by using either Access Reviews (https://docs.microsoft.com/en-us/azure/active-directory/governance/manage-guest-access-with-access-reviews) or the newly-released-to-preview Entitlement Management feature (https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-overview).
If neither of those fulfill your requirements, please add a comment with your scenario for the feature to help us prioritize and design it better.