Tech Community Live: Windows edition
Jun 05 2024, 07:30 AM - 11:30 AM (PDT)
Microsoft Tech Community

Nested groups and Azure AD

Copper Contributor

Our business with a single forest is doing the two nested group method for everything.  I have heard in discussions that in the Azure world this is no longer recommended practice and really only applied to multi domain worlds in the first place.

 

Is there any documentation on guidance and recommendations on not using nested groups?

4 Replies

@FuzzyWazHe 

 

There is limited support for nested groups within Azure AD. Per the following doc (Service limits and restrictions - Azure Active Directory | Microsoft Docs), nested groups are only supported in certain scenarios. I've posted an excerpt from the doc below:


At this time, the following scenarios are supported with nested groups:

  • One group can be added as a member of another group, and you can achieve group nesting.
  • Group membership claims. When an app is configured to receive group membership claims in the token, nested groups in which the signed-in user is a member are included.
  • Conditional access (when a conditional access policy has a group scope).
  • Restricting access to self-serve password reset.
  • Restricting which users can do Azure AD Join and device registration.


The following scenarios are not supported with nested groups:

  • App role assignment, for both access and provisioning. Assigning groups to an app is supported, but any groups nested within the directly assigned group won't have access.
  • Group-based licensing (assigning a license automatically to all members of a group).
  • Microsoft 365 Groups.
When will this
> any groups nested within the directly assigned group won't have access
be solved?
Can you clarify this statement? "One group can be added as a member of another group, and you can achieve group nesting." Does that mean nested groups have limits on how many other groups can be added? One group only? Can nested groups be added to other nested groups? Not that we intend to do that, but I'm trying to understand the algorithm.

@rejohnson The document does not state any limitations in number of groups nested in a certain group nor does it mention if there is a limitation how deep you can nest. That indeed is stupid of the document and a very valid question. The document only talks about what you can and cannot use nested groups for. Would be nice if MS would improve this document so it does not leave obvious questions unanswered.