Microsoft Tech Community

Nested groups and Azure AD


Our business with a single forest is doing the two nested group method for everything. I have heard in discussions that in the Azure world this is no longer recommended practice and really only applied to multi-domain worlds in the first place.


Is there any documentation on guidance and recommendations on not using nested groups?

2 Replies

@FuzzyWazHe

There is limited support for nested groups within Azure AD. Per the following doc (Service limits and restrictions - Azure Active Directory | Microsoft Docs), nested groups are only supported in certain scenarios. I've posted an excerpt from the doc below:


At this time, the following scenarios are supported with nested groups:

  • One group can be added as a member of another group, and you can achieve group nesting.
  • Group membership claims. When an app is configured to receive group membership claims in the token, nested groups in which the signed-in user is a member are included.
  • Conditional access (when a conditional access policy has a group scope).
  • Restricting access to self-serve password reset.
  • Restricting which users can do Azure AD Join and device registration.


The following scenarios are not supported with nested groups:

  • App role assignment, for both access and provisioning. Assigning groups to an app is supported, but any groups nested within the directly assigned group won't have access.
  • Group-based licensing (assigning a license automatically to all members of a group).
  • Microsoft 365 Groups.
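The practical consequence of the unsupported "app role assignment" case is easy to miss: an admin sees a group assigned to an app, assumes its nested groups' users are covered, and they are not. The script below is an added example (it is not from this thread and not Microsoft's code) that makes the gap visible. It works on an in-memory membership map constructed here so it runs offline; in a real tenant the same data would be pulled from Microsoft Graph (`GET /groups/{id}/members` for direct members, `GET /groups/{id}/transitiveMembers` for the expanded view), which is an assumption about how you would feed it, not something the thread states. For each app-to-group assignment it computes the users the assignment actually reaches (direct members only, as the excerpt describes), the users an admin would expect through nesting, and the difference, and it handles cyclic nesting so the walk always terminates.

```python
"""Added example (not from the thread): show which users an Azure AD app role
assignment on a group actually reaches when that group contains nested groups.

Per the doc excerpt, only the assigned group's DIRECT members get access;
nested groups are not expanded. The membership map below is a constructed
sample. In a tenant you would build it from Microsoft Graph
(/groups/{id}/members and /groups/{id}/transitiveMembers), which is an
assumption about data sourcing, not part of the original post.
"""
from collections import deque

# Constructed sample directory: group id -> list of (member id, member type).
# g-finance-eu nests g-app-users again to show that cycles are handled.
MEMBERS = {
    "g-app-users":  [("u-alice", "user"), ("g-finance", "group")],
    "g-finance":    [("u-bob", "user"), ("g-finance-eu", "group")],
    "g-finance-eu": [("u-carol", "user"), ("g-app-users", "group")],
    "g-unrelated":  [("u-dave", "user")],
}

# Constructed sample: (app display name, group directly assigned to the app).
ASSIGNMENTS = [
    ("Payroll Portal", "g-app-users"),
    ("Wiki", "g-unrelated"),
]


def direct_users(group_id, members=MEMBERS):
    """Users an app role assignment on group_id actually grants access to."""
    return {m for m, t in members.get(group_id, []) if t == "user"}


def walk_nesting(group_id, members=MEMBERS):
    """Breadth-first walk through nested groups.

    Returns (nested_group_ids, transitive_user_ids). A visited set stops the
    walk when nesting is cyclic, which Azure AD does allow you to create.
    """
    seen = {group_id}
    nested, users = set(), set()
    queue = deque([group_id])
    while queue:
        gid = queue.popleft()
        for member, kind in members.get(gid, []):
            if kind == "user":
                users.add(member)
            elif kind == "group" and member not in seen:
                seen.add(member)
                nested.add(member)
                queue.append(member)
    return nested, users


def transitive_users(group_id, members=MEMBERS):
    """Users an admin would expect to be covered via nesting."""
    return walk_nesting(group_id, members)[1]


def access_gap(group_id, members=MEMBERS):
    """Users who look like members through nesting but get no app access."""
    return transitive_users(group_id, members) - direct_users(group_id, members)


def audit(assignments=ASSIGNMENTS, members=MEMBERS):
    """Map each app to the nested groups that are silently skipped and the
    users who therefore lack access. Apps with no gap are omitted."""
    findings = {}
    for app, group_id in assignments:
        nested, _ = walk_nesting(group_id, members)
        gap = access_gap(group_id, members)
        if nested or gap:
            findings[app] = {"skipped_groups": nested, "users_without_access": gap}
    return findings


if __name__ == "__main__":
    for app, finding in audit().items():
        print(f"{app}: nested groups not expanded: {sorted(finding['skipped_groups'])}")
        print(f"  users expected via nesting but without access: "
              f"{sorted(finding['users_without_access'])}")
```

The remediation this points at is the one the excerpt implies: either assign each nested group to the app directly, or flatten the membership so the assigned group holds the users themselves; the `users_without_access` set is exactly what would need to be added in the second case.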

When will this

> any groups nested within the directly assigned group won't have access

be solved?