Licensing of nested groups in Entra ID
How can I simplify the licensing of nested groups in Entra ID? Entra ID is a powerful identity and access management platform. However, when it comes to group licensing in Entra ID, the lack of support for nested groups is a problem for many administrators. Especially in hybrid environments, where companies have been working with nested groups for years, this poses a significant challenge.
What is the problem with nested groups in Entra ID?
In on-premises Active Directory (AD), the nesting of groups is a proven practice for simplifying authorization management. In Entra ID, however, this structure is not consistently supported, especially not for licensing. This means that users who are indirectly members of a licensed group through nested groups do not automatically receive a license.
A concrete example: educational institutions often have different license levels, such as A3 for “employees” (e.g. teachers and administrators) and A1 for other employees. However, licenses cannot simply be applied to nested groups in Entra ID, which makes automatic assignment much more difficult.
This is what the nested group structure in AD could look like:
The groups in blue should receive an A1 license and the groups in orange an A3 license.
Problem:
- Entra ID only assigns licenses to direct members of a group.
- Nested groups are ignored when licenses are assigned, so their members receive no license.
In Entra, we had to assign a license to each of the following groups:
- Students → A1 license
- Guest users → A1 license
- Teachers → A3 license
- Administrators → A3 license
The more complex the nesting, the more complex the license assignment and the more error-prone the process.
Licensing of nested groups: Restrictions and solutions
Fortunately, there are various solutions to avoid the limitations of nested groups.
Automated scripts and workflows
PowerShell scripts or automation built on the Microsoft Graph API can be used to create workflows that regularly sort users into static groups.
However, this requires continuous maintenance and monitoring. Further information and script examples can be found directly on microsoft.com.
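As an added example of the reconciliation such a workflow performs (this is not the post's own script), the following PowerShell flattens the transitive user membership of a nested group into the flat group that actually carries the license, adding missing users and removing users who no longer belong. It assumes the Microsoft.Graph.Groups module and an account consented to GroupMember.ReadWrite.All; the two group IDs are parameters you supply, and the "Staff"/A3 mapping in the comments is only illustrative.

```powershell
# Added example: keep a flat license group in sync with a nested group's
# transitive user membership, since Entra ID licenses direct members only.
# Assumes Microsoft.Graph.Groups; group IDs are supplied by the caller.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$NestedGroupId,   # e.g. "Staff" (contains Teachers, Administrators)
    [Parameter(Mandatory)][string]$LicenseGroupId   # flat group with the A3 license assigned
)

Import-Module Microsoft.Graph.Groups
Connect-MgGraph -Scopes 'GroupMember.ReadWrite.All'

# Desired membership: every user reachable through any depth of nesting.
# Transitive members include groups, devices etc., so keep only user objects.
$desired = Get-MgGroupTransitiveMember -GroupId $NestedGroupId -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
    Select-Object -ExpandProperty Id

# Current direct membership of the flat group (the only members Entra ID licenses).
$current = Get-MgGroupMember -GroupId $LicenseGroupId -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
    Select-Object -ExpandProperty Id

$toAdd    = @($desired | Where-Object { $_ -notin $current })
$toRemove = @($current | Where-Object { $_ -notin $desired })

foreach ($id in $toAdd) {
    if ($PSCmdlet.ShouldProcess($id, "Add to license group $LicenseGroupId")) {
        New-MgGroupMember -GroupId $LicenseGroupId -DirectoryObjectId $id
    }
}
foreach ($id in $toRemove) {
    # Removing the membership also removes the group-based license on the next licensing pass.
    if ($PSCmdlet.ShouldProcess($id, "Remove from license group $LicenseGroupId")) {
        Remove-MgGroupMemberByRef -GroupId $LicenseGroupId -DirectoryObjectId $id
    }
}

Write-Verbose ("Added {0}, removed {1} members." -f $toAdd.Count, $toRemove.Count)
```

Run it with -WhatIf first to review the planned additions and removals; the script must be scheduled (for example as an Azure Automation runbook) to catch users who join or leave the nested structure later.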
Dynamic groups in Entra ID
With the help of dynamic groups, users can be automatically assigned based on certain attributes. For example, rules can be defined to automatically assign teachers or administrators to an A3 license group.
Restriction: This function requires paid upgrades to Entra ID P1 or P2 licenses.
In addition, complex nested filters cannot be used to assign members to a target group precisely. With Entra’s built-in tools, a maximum of 5 filters can be added, and only linearly.
Dynamic groups with our cost-effective DynamicSync solution – allocate licenses precisely
As we have described in the sections above, manual license assignment in nested groups in Entra ID is time-consuming and error-prone. It leads to a high level of frustration for administrators.
A more efficient solution is to create dynamic groups.
Our DynamicSync solution offers a more cost-effective alternative to the expensive Entra ID P1 and P2 licenses. Dynamic groups with P1 licenses only support up to 5 linear filters. DynamicSync offers a fast alternative solution for assigning licenses with up to 500 filters to efficiently manage even complex nested groups.
Dynamic groups based on attributes such as department, location or user role automatically assign users to the corresponding groups that receive the appropriate license. In our example, students and guest users belong to the A1 license group, while teachers, research assistants (WM) and administrators are automatically assigned to the A3 license group.
DynamicSync also allows you to synchronize group memberships from the on-premises Active Directory with Entra ID groups. This means that you can continue to use local AD groups while licensing in Entra ID is based on these groups. This reduces complexity and saves time as group management is automatically applied to both environments.
Summary
The lack of support for licensing nested groups in Entra ID presents companies with considerable challenges, especially when it comes to license management. However, DynamicSync offers an efficient and scalable solution. By using dynamic groups and the ability to synchronize group memberships in the on-premises Active Directory with Entra ID groups, license allocation is greatly simplified.
DynamicSync makes it possible to manage even complex structures quickly and without errors thanks to dynamic filters, allowing companies to drastically reduce the effort required for manual license assignments.