Is there a plan to allow nested groups, like Azure roles have today? I don't believe you should allow endlessly nested groups; there should be a limit, and the limit should be small, only two layers deep.
I have a design like the following:
Company-Specific Groups (such as Developers, Dev-Ops, Infrastructure, Support, etc.)
I have Azure Role Groups (Two for every role - One Active, one Eligible)
I place the users in the Company-Specific groups, place the Company-Specific groups into all the Azure Role Groups they require, and each Azure Role Group is permanently assigned to its corresponding Azure role.
For example:
XXX-Developers (Contains all developers)
XXX-Active-Subsc1-Contributor (One for each Azure role), assigned permanently Active to Subscription#1's Azure Contributor role
XXX-Eligible-Subsc1-Contributor (One for each Azure role), assigned permanently Eligible to Subscription#1's Azure Contributor role
With this design, when a new Developer joins or leaves the company:
1. I simply add/remove them from a single group to allow/revoke everything a Developer needs access to.
2. It keeps the constant in/out of PIM to a minimum
3. It keeps cleanup easy, as there's no leftover GUID/ObjectID stuck in the role's assignment list.
Auditing is a challenge, Access Reviews are a challenge. But I'm hoping Microsoft is accounting for simplified designs like these. Very recently, something changed with the AzureAD role-assignable groups, as I was able to assign groups to those AzureAD groups, but that has recently disappeared. Was that a bug? Something that should've never been released? It offered hope that the design was going to be like Azure role groups.
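The design described in the post, as an added example that is not part of the original post and not Microsoft's tooling: a small Python model of the two-layer nesting (users in company groups, company groups in Active/Eligible role groups) that resolves what each user effectively holds and through which chain, flattens a role group to the users who ultimately hold it, and flags any nesting deeper than the two layers argued for above. Every user, group and subscription name is constructed for illustration, and `MAX_LAYERS`, `effective_access`, `check_nesting`, `principals_for` and `with_member` are names this example introduces.

```python
"""Effective-access resolver for the two-layer group design in the post above.

Added example: not code from the original post or from Microsoft; every user,
group and subscription name here is constructed for illustration. The model
follows the post: users sit in company groups, company groups sit in role
groups, and each role group carries one permanent Azure role assignment,
either Active or Eligible (PIM). It answers the two questions the post flags
as hard to audit: what a user effectively holds and via which chain, and
whether any group exceeds the small nesting limit the post argues for.
"""
from collections import defaultdict

# Role group -> (assignment state, Azure role, scope). Constructed sample data.
ROLE_ASSIGNMENTS = {
    "XXX-Active-Subsc1-Reader":        ("Active",   "Reader",      "/subscriptions/sub1"),
    "XXX-Active-Subsc1-Contributor":   ("Active",   "Contributor", "/subscriptions/sub1"),
    "XXX-Eligible-Subsc1-Contributor": ("Eligible", "Contributor", "/subscriptions/sub1"),
    "XXX-Eligible-Subsc1-Owner":       ("Eligible", "Owner",       "/subscriptions/sub1"),
}

# Group -> direct members; a member that is itself a key of this dict is a group.
MEMBERS = {
    "XXX-Developers": {"alice", "bob"},
    "XXX-DevOps":     {"carol"},
    "XXX-Support":    {"dave"},
    "XXX-Active-Subsc1-Reader":        {"XXX-Developers", "XXX-Support"},
    "XXX-Eligible-Subsc1-Contributor": {"XXX-Developers", "XXX-DevOps"},
    "XXX-Active-Subsc1-Contributor":   {"XXX-DevOps"},
    "XXX-Eligible-Subsc1-Owner":       {"XXX-DevOps"},
}

MAX_LAYERS = 2  # role group -> company group -> user, the limit the post proposes


def group_layers(group, members, _path=()):
    """Count group layers on the longest chain from `group` down to a user.

    A group holding only users is 1 layer; a role group holding company groups
    is 2. A membership cycle raises instead of recursing forever.
    """
    if group in _path:
        raise ValueError("group cycle: " + " -> ".join(_path + (group,)))
    deepest = 0
    for member in members.get(group, ()):
        if member in members:  # the member is itself a group
            deepest = max(deepest, group_layers(member, members, _path + (group,)))
    return 1 + deepest


def check_nesting(members=MEMBERS, limit=MAX_LAYERS):
    """Return {group: layers} for every group nested deeper than `limit`."""
    too_deep = {}
    for group in members:
        layers = group_layers(group, members)
        if layers > limit:
            too_deep[group] = layers
    return too_deep


def effective_access(principal, members=MEMBERS, assignments=ROLE_ASSIGNMENTS):
    """Resolve everything `principal` holds transitively, with the granting chain.

    Returns a sorted list of (state, role, scope, chain); chain is the path of
    names from the principal up to the role group that owns the assignment.
    """
    parents = defaultdict(set)
    for group, direct in members.items():
        for member in direct:
            parents[member].add(group)
    found, seen = [], {principal}
    frontier = [(principal, (principal,))]
    while frontier:
        node, chain = frontier.pop()
        for group in sorted(parents[node]):
            path = chain + (group,)
            if group in assignments:
                state, role, scope = assignments[group]
                found.append((state, role, scope, " -> ".join(path)))
            if group not in seen:
                seen.add(group)
                frontier.append((group, path))
    return sorted(found)


def principals_for(role_group, members=MEMBERS):
    """Flatten a role group to the users who ultimately hold its assignment (audit view)."""
    users, seen, stack = set(), set(), [role_group]
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        for member in members.get(group, ()):
            if member in members:
                stack.append(member)
            else:
                users.add(member)
    return sorted(users)


def with_member(members, user, company_group):
    """The post's joiner step: a copy of `members` with `user` added to one company group."""
    updated = {group: set(direct) for group, direct in members.items()}
    updated.setdefault(company_group, set()).add(user)
    return updated


if __name__ == "__main__":
    print("nesting violations:", check_nesting())
    for entry in effective_access("alice"):
        print("alice:", entry)
    joined = with_member(MEMBERS, "erin", "XXX-Developers")
    print("erin after one group add:", [e[:3] for e in effective_access("erin", joined)])
    print("who holds Active Reader on sub1:", principals_for("XXX-Active-Subsc1-Reader"))
```

Running the script prints Alice's resolved access with the chain that grants it, Erin's access after a single group add (identical to Alice's, which is the post's first point), and the flattened list of who ultimately holds Active Reader on the subscription. Pointed at an export of real group membership, the same resolver is the flattening step an access review needs when the role's assignment list shows only group names, and `check_nesting` is the guard that keeps the design at the two layers the post asks for.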