Nested AD groups not working in Azure AD

Yiru Chen 681 Reputation points

Can someone from Microsoft confirm -

Does Azure AD support nested AD groups which is sync'd from AD on-prem?

We sync AD on-prem to Azure AD, but found nested AD groups either not sync'd or not taking effect when nested inside another AD group.

Here is what we found -

AD group A is inside AD group B, a user is member of Group A, Group B is assigned permission in SharePoint Online. But the user does not get the access to SharePoint Online. (Note, this scenario works in SharePoint on-prem ie the user does get the access via nested AD group)

Thanks for any advise!

Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
16,517 questions
0 comments No comments
{count} votes

Accepted answer
  1. Alfredo Revilla (MSFT) 21,691 Reputation points Microsoft Employee

    Hello @Yiru Chen . Nested groups are currently not supported in Azure AD but work has started to leverage them.

    Let us know if this answer was helpful to you. If so, please remember to accept it so that others in the community with similar questions can more easily find a solution.

    2 people found this answer helpful.

3 additional answers

Sort by: Most helpful
  1. Alfredo Revilla (Personal Account)) 376 Reputation points

    Hello everybody, nested security groups are currently supported both in cloud and hybrid configurations.

    0 comments No comments

  2. 2022-06-13T14:54:50.45+00:00

    Does Azure AD support nested AD groups that are synced from AD on-prem?

    This is already supported in public preview now with some small gotchas ... but it works fine as per my testing!


    1. memberOf Any string value (valid group object ID) (user.memberof -any (group.objectId -in [‘value’]))
    2. memberOf Any string value (valid group object ID) (device.memberof -any (group.objectId -in [‘value’]))

    Example: device.memberof -any (group.objectId -in ['bf9f0a6d-bfbc-41d2-8005-ca51dbe118cf', '8c169afa-6fd5-4ce2-a857-9eb8e22d37b4'])

    More Details


  3. Guillaume Salva 1 Reputation point


    Any update or potential ETA to know when nested groups will be supported in AzureAD Enterprise applications users/groups assigned?

    Indeed, as a school, we have a full tree of AD groups: Students -> Cohort A, Cohort B, etc -> and in each Cohort A -> student 1, student 2, etc...
    So when we would like to unlock an application for the group Students only, we need to add ALL cohorts to our application, and not just the group Students.
    It's really annoying when we need to do that every month for a new cohort.

    Any help are welcomed.

    Thank you