![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 0%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
11,709 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
To add to @Michael Durkan 's answer, all three group types/scopes (Universal, Global, and Domain Local) can be synchronized, but there are limitations around the domain local and global scopes.
If you use group writeback, for instance, all groups are written back with the group scope of universal.
Currently, Azure AD Connect does also not recognize nested groups for authorization.
Additionally, ADFS does not pull Domain Local groups, only universal and global groups. This is because domain local groups would be extremely slow since every domain would have to be queried as they aren't replicated.
Let me know if this helps and if you have further questions.
-
If the information helped you, please Accept the answer. This will help us as well as other members of the community who might be researching similar information.
