SOLVED

Error/Failed/Difficulty Joining One Group to Another via Azure AD

Occasional Contributor

Hello dears,
I hope all is well with everyone.


Please don't pay too much attention to the text. I'm trying to make do with a translator.

 

Well, in a single Tenet environment, with multiple domains, within each of these domains there is a team responsible for the location. I'm talking about something close to 70/80 domains, in a universe of about 80 thousand users.

 

As an Administrator - and very new and with little experience in this position - of Tenet, we decided to limit the users who can, for example, create Teams via Microsoft Teams.

 

Well then. Given this, I imagined that each of these locations could have their IT users with this possibility. I created a group in Azure and tested it with one or two users, everything working fine.

 

Now I want, but I don't understand where I go wrong, which is to add to this group, small groups of users from each of these domains, so that some IT users of these places could have this possibility.

 

I apologize, but I read and reread Article "https://docs.microsoft.com/pt-br/azure/active-directory/fundamentals/active-directory-groups-member... and do not understand my mistake. What would I be doing wrong?

 

Thank you very much for your attention
I remain at your disposal for further clarification.

 

Hugs

 

 

3 Replies
Nesting groups is not universally supported across M365/Azure AD. In particular, the "limit who can create groups" requires that you create a security group, and you can only add other security groups as members (so no M365 groups, Distribution groups or mail-enabled security groups).
Hi
Sorry for the delay in getting back.
And thank you very much for your attention

Well, let's see...
When it says that there is no universal support, I understand that it is not just any group that I can add to another.

In my case, I generated a Security group which has permissions to perform a certain task. Instead of adding users directly, I would like to add groups, which I believe is best practice. This last group also has to be Security. This is it?

These groups must be created via Azure AD, right?

And when it says "no to M365 groups, distribution or mail-enabled security groups" does it mean that these would not be possible to fulfill my wish?

I reinforce the apology with these doubts of mine, but I believe that my doubts are being fully clarified.

Thank you,
I remain at your disposal for further clarification.

Sincerely,

TB
best response confirmed by tcboeira (Occasional Contributor)
Solution
It should work if you use Azure AD security groups (even synchronized from on-premises). Create a "parent" security group, then add as many "child" security groups to it.