Nested Security Groups Not Working


Nested security groups are not working. Has anybody else had this problem?

I have one Azure AD Security group with multiple user IDs in it. However, I want to replace all of the user IDs with security groups those IDs are a part of. I have successfully done this many times before and it is not working now. It adds the group, with the user IDs included, to the larger security group but then does not recognize the individual user IDs being a part of the large security group. Has there been an update recently that removed the ability to nest security groups? Has anybody else tried this and been having a problem as well?

Thanks.

4 Replies

I'm not aware of any update that removes nesting support. However, while nesting is still technically possible, there are very few places/features where delegating access/permissions via nested groups will actually work.

@Danny_M I seem to be having a similar issue. I've been using nested AAD group membership with Azure SQL for some time now and it has been working, but just recently I seem to be getting a number of reports of people having issues doing some functions which were working fine. When I add a direct group it seems to resolve the problem, but the nested group is acting very odd.

Have to also echo what was said by Vasil, not aware of any recent changes, which doesn't mean there aren't any of course. But nested security group support has always been somewhat of an "unsupported feature" for many parts of Azure AD.

@Danny_M

Same here.
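
To find the users who belong to a group only through nesting, and who are therefore the ones affected wherever a feature evaluates direct membership only, compare the group's direct and transitive members with the Microsoft Graph PowerShell SDK. This is an added example, not part of any post in the thread; the group object ID is a placeholder and the script assumes the Microsoft.Graph.Groups module is installed.

```powershell
# Added example: compare direct and transitive membership of one security group.
# $GroupId is a placeholder; replace it with the object ID of the outer group.
$GroupId = '00000000-0000-0000-0000-000000000000'

# Read-only scopes: group membership plus basic user properties.
Connect-MgGraph -Scopes 'GroupMember.Read.All', 'User.Read.All'

# Direct members: the users and groups added to the group itself.
$direct = Get-MgGroupMember -GroupId $GroupId -All

# Transitive members: everything reachable through nested groups as well.
$transitive = Get-MgGroupTransitiveMember -GroupId $GroupId -All

$directIds = @($direct | ForEach-Object { $_.Id })

# Groups nested directly inside the outer group.
$nestedGroups = $direct | Where-Object {
    $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group'
}

# Users present only through a nested group. These accounts lose access
# wherever a service checks direct membership only.
$nestedOnlyUsers = $transitive | Where-Object {
    $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' -and
    $_.Id -notin $directIds
}

"Nested groups: $(@($nestedGroups).Count)"
$nestedGroups | Select-Object Id,
    @{ Name = 'DisplayName'; Expression = { $_.AdditionalProperties['displayName'] } }

"Users reachable only through nesting: $(@($nestedOnlyUsers).Count)"
$nestedOnlyUsers | Select-Object Id,
    @{ Name = 'UserPrincipalName'; Expression = { $_.AdditionalProperties['userPrincipalName'] } }
```

If the second list contains the accounts reporting problems, the resource in question is not expanding nested membership, which matches the replies above about limited nesting support.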