This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 18%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYC%3C/text%3E%3C/svg%3E)
Can someone from Microsoft confirm -
Does Azure AD support nested AD groups which is sync'd from AD on-prem?
We sync AD on-prem to Azure AD, but found nested AD groups either not sync'd or not taking effect when nested inside another AD group.
Here is what we found -
AD group A is inside AD group B, a user is member of Group A, Group B is assigned permission in SharePoint Online. But the user does not get the access to SharePoint Online. (Note, this scenario works in SharePoint on-prem ie the user does get the access via nested AD group)
Thanks for any advise!
Hello @Yiru Chen . Nested groups are currently not supported in Azure AD but work has started to leverage them.
Let us know if this answer was helpful to you. If so, please remember to accept it so that others in the community with similar questions can more easily find a solution.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 81%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi @Alfredo Revilla (MSFT) the link is broken. Please could you confirm if nested groups are now available?
Thanks
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 68%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EIP%3C/text%3E%3C/svg%3E)
It's been little over a year. Does anyone know if any progress been made on nested groups? We are in a similar situation. Thank you in advance.
Hello everybody, nested security groups are currently supported both in cloud and hybrid configurations.
Does Azure AD support nested AD groups that are synced from AD on-prem?
This is already supported in public preview now with some small gotchas ... but it works fine as per my testing!
Syntax:
Example: device.memberof -any (group.objectId -in ['bf9f0a6d-bfbc-41d2-8005-ca51dbe118cf', '8c169afa-6fd5-4ce2-a857-9eb8e22d37b4'])
More Details https://www.anoopcnair.com/how-to-create-nested-azure-ad-dynamic-groups/
KR
Anoop
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 25%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERN%3C/text%3E%3C/svg%3E)
Hi @Anoop C Nair MVP Enterprise Mobility if the parent group has additional devices and i use memberOf to include devices from other groups. Does the parent group preserve the parent devices permissions or allow the permissions of the child devices?
Parent Group > DeviceA,DeviceB and include devices that are memberof childgroup
will the devices from the child group still preserve the permissions from the child group?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(307.2, 60%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGS%3C/text%3E%3C/svg%3E)
Hello,
Any update or potential ETA to know when nested groups will be supported in AzureAD Enterprise applications users/groups assigned?
Indeed, as a school, we have a full tree of AD groups: Students -> Cohort A, Cohort B, etc -> and in each Cohort A -> student 1, student 2, etc...
So when we would like to unlock an application for the group Students only, we need to add ALL cohorts to our application, and not just the group Students.
It's really annoying when we need to do that every month for a new cohort.
Any help are welcomed.
Thank you
If you have Azure AD Premium P1 or higher you can now leverage dynamic groups to solve this - they recently added a feature to construct dynamic groups based on the membership a user has in other groups.