Tech Community Live: Windows edition
May 31 2023, 07:30 AM - 11:30 AM (PDT)
Microsoft Tech Community

Nested groups and Azure AD

Senior Member

Our business with a single forest is doing the two nested group method for everything.  I have heard in discussions that in the Azure world this is no longer recommended practice and really only applied to multi domain worlds in the first place.


Is there any documentation on guidance and recommendations on not using nested groups?

2 Replies



There is limited support for nested groups within Azure AD. Per the following doc (Service limits and restrictions - Azure Active Directory | Microsoft Docs), nested groups are only supported in certain scenarios. I've posted an excerpt from the doc below:

At this time, the following scenarios are supported with nested groups:

  • One group can be added as a member of another group, and you can achieve group nesting.
  • Group membership claims. When an app is configured to receive group membership claims in the token, nested groups in which the signed-in user is a member are included.
  • Conditional access (when a conditional access policy has a group scope).
  • Restricting access to self-serve password reset.
  • Restricting which users can do Azure AD Join and device registration.

The following scenarios are not supported with nested groups:

  • App role assignment, for both access and provisioning. Assigning groups to an app is supported, but any groups nested within the directly assigned group won't have access.
  • Group-based licensing (assigning a license automatically to all members of a group).
  • Microsoft 365 Groups.
When will this
> any groups nested within the directly assigned group won't have access
be solved?