Nested groups and Azure AD


Our business with a single forest is doing the two nested group method for everything. I have heard in discussions that in the Azure world this is no longer recommended practice and really only applied to multi-domain worlds in the first place.
Is there any documentation on guidance and recommendations on not using nested groups?

4 Replies

@FuzzyWazHe 
There is limited support for nested groups within Azure AD. Per the following doc (Service limits and restrictions - Azure Active Directory | Microsoft Docs), nested groups are only supported in certain scenarios. I've posted an excerpt from the doc below:


At this time, the following scenarios are supported with nested groups:

  • One group can be added as a member of another group, and you can achieve group nesting.
  • Group membership claims. When an app is configured to receive group membership claims in the token, nested groups in which the signed-in user is a member are included.
  • Conditional access (when a conditional access policy has a group scope).
  • Restricting access to self-serve password reset.
  • Restricting which users can do Azure AD Join and device registration.


The following scenarios are not supported with nested groups:

  • App role assignment, for both access and provisioning. Assigning groups to an app is supported, but any groups nested within the directly assigned group won't have access.
  • Group-based licensing (assigning a license automatically to all members of a group).
  • Microsoft 365 Groups.

When will this

> any groups nested within the directly assigned group won't have access

be solved?

Can you clarify this statement? "One group can be added as a member of another group, and you can achieve group nesting." Does that mean nested groups have limits on how many other groups can be added? One group only? Can nested groups be added to other nested groups? Not that we intend to do that, but I'm trying to understand the algorithm.

@rejohnson The document does not state any limitation on the number of groups nested in a certain group, nor does it mention whether there is a limit on how deep you can nest. That indeed is stupid of the document and a very valid question. The document only talks about what you can and cannot use nested groups for. It would be nice if MS improved this document so it does not leave obvious questions unanswered.
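As an added example (not from the original thread and not Microsoft's code or documentation), the script below shows concretely why the unsupported scenarios in the excerpt bite, and also speaks to the depth question: it walks nested membership of arbitrary depth, terminates on cyclic nesting, and reports the users who reach an app-assigned group only through nesting and therefore get nothing from an app role assignment or group-based licence on that group. The directory data and all group and user ids are constructed for the example. Against a real tenant the same direct-versus-transitive comparison can be made with Microsoft Graph's `GET /groups/{id}/members` and `GET /groups/{id}/transitiveMembers`.

```python
from collections import deque

# Constructed sample directory, shaped like the objects Microsoft Graph returns
# from GET /groups/{id}/members: each member carries an @odata.type and an id.
# All group and user ids here are made up for this example.
GROUPS = {
    "grp-app-readers": [          # the group directly assigned to the app role
        {"@odata.type": "#microsoft.graph.user", "id": "user-alice"},
        {"@odata.type": "#microsoft.graph.group", "id": "grp-finance"},
    ],
    "grp-finance": [
        {"@odata.type": "#microsoft.graph.user", "id": "user-bob"},
        {"@odata.type": "#microsoft.graph.group", "id": "grp-finance-contractors"},
    ],
    "grp-finance-contractors": [
        {"@odata.type": "#microsoft.graph.user", "id": "user-carol"},
        # Nesting back up the chain: a cycle the walk must not loop on.
        {"@odata.type": "#microsoft.graph.group", "id": "grp-finance"},
    ],
}

USER = "#microsoft.graph.user"
GROUP = "#microsoft.graph.group"


def direct_members(group_id, groups=GROUPS):
    """Users listed directly in the group. This is the set an app role
    assignment to the group actually grants access to."""
    return {m["id"] for m in groups.get(group_id, []) if m["@odata.type"] == USER}


def walk(group_id, groups=GROUPS):
    """Breadth-first walk over nested groups of any depth.
    Yields (user_id, depth) pairs; depth 0 means a direct member.
    The 'seen' set makes the walk terminate on cyclic nesting."""
    seen = {group_id}
    queue = deque([(group_id, 0)])
    while queue:
        gid, depth = queue.popleft()
        for m in groups.get(gid, []):
            if m["@odata.type"] == USER:
                yield m["id"], depth
            elif m["@odata.type"] == GROUP and m["id"] not in seen:
                seen.add(m["id"])
                queue.append((m["id"], depth + 1))


def transitive_members(group_id, groups=GROUPS):
    """All users reachable through nesting: what a token's group claims or a
    Conditional Access group scope would honour."""
    return {uid for uid, _ in walk(group_id, groups)}


def nested_only_members(group_id, groups=GROUPS):
    """Users who reach the group only via nesting. In the scenarios the doc
    lists as unsupported (app role assignment, group-based licensing) these
    users silently get nothing."""
    return transitive_members(group_id, groups) - direct_members(group_id, groups)


def nesting_depth(group_id, groups=GROUPS):
    """Deepest nesting level at which a user is found (0 = all users are direct
    members). Measured along the shortest path, so cycles do not inflate it."""
    return max((d for _, d in walk(group_id, groups)), default=0)


if __name__ == "__main__":
    for gid in GROUPS:
        missing = nested_only_members(gid)
        print(f"{gid}: direct={sorted(direct_members(gid))} "
              f"transitive={sorted(transitive_members(gid))} depth={nesting_depth(gid)}")
        if missing:
            print(f"  WARNING: {sorted(missing)} only reach {gid} via nesting; "
                  f"an app role assignment or licence on {gid} will not cover them")
```

Run as-is it reports that user-bob and user-carol are transitive but not direct members of grp-app-readers, which is exactly the population that loses access when that group is assigned to an app. The visited set is what keeps the walk finite when groups nest into each other, so the same function is safe to point at a real tenant's membership data regardless of how deep or tangled the nesting is.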