Synchronize nested AD groups in Entra ID
It is now possible to synchronize nested AD groups in the cloud. There are a few points you should be aware of, however. In many environments, local AD structures and Entra ID are used at the same time. If user accounts and groups are synchronized, things quickly become complicated.
It creates a lot of administrative work, but also security risks. For example, users are still members of groups for which they do not require access. However, the right planning and additional solutions can avoid such problems and simplify the maintenance of groups.
What are nested groups, and why do you need them?
Nested groups have been an important method of controlling authorizations in domains and Active Directory ever since Windows domains have existed. If a group of employees requires common authorizations, it makes sense to assign them to a common group. However, if there are other employees within these groups who require additional authorizations, it makes sense to include these employees in a group and subordinate them to another group.
By subordinating the new group to the existing group, its employees also receive all the rights of the higher-level group. This
- avoids duplicate configurations,
- simplifies set-up and
- ensures more order when assigning authorizations.
Special features of nested groups in AD
Nested groups have various options and names in Active Directory:
(Domain-)Local groups are used to summarize global groups or, in exceptional cases, directly for grouping users in domains or on individual servers. Local groups can therefore be used for authorizations on a local server or within an AD domain.
Local groups automatically become domain-local groups in the Active Directory. The difference is that these groups can be seen on all member systems of the domain. The advantage is that a local group only needs to be defined once per domain. This group can contain various global groups that are granted access to resources on the respective servers.
Global groups are visible and usable in the complete overall structure, but can only contain members from their own domain. However, global groups can be members of local and universal groups. You can also nest global groups, i.e. include other global groups in a higher-level group. This allows you to create flexible authorization models.
There are also universal groups. All information about membership of universal groups is stored on the global catalog servers in Active Directory. Universal groups are available in all domains of the overall structure and can contain members from all domains.
Special features of nested groups in Entra ID
Differences between nesting in Entra ID and AD
In Azure Active Directory (Azure AD)/Entra ID, it is also generally possible to nest groups. This means that you can add a group as a member of another group. This functionality can be very useful to simplify the management of users and access to resources, just like in Active Directory.
However, nested groups in Entra ID do not work in the same way as in Active Directory. In Entra ID there are only groups. These groups can be members of other groups.
If a group has another group as a member, all members of the subordinate group inherit the access rights and role assignments of the parent group. This works in exactly the same way as in Active Directory, but without the distinction between local, global and universal groups. This distinction does not exist in Entra ID.
For example, you could have a parent group called “Paris” with several subordinate groups for different departments, for example “Marketing” and “Sales”. Each of these subordinate groups inherits the access rights and role assignments of the parent group, “Paris”. At the same time, you can assign additional rights to the members of the subordinate groups that only apply to the members of this group.
Restrictions on the nesting of groups in Entra ID
However, there are some restrictions on the nesting of Entra ID groups. For example, security groups in Entra ID support nesting, whereas this is not the case with Microsoft 365 groups.
Therefore, it is important to understand the specific requirements and restrictions for nesting groups in your environment and how to assign permissions based on each group.
Microsoft regularly brings out new releases. Here is a more detailed list of what is possible or not with groups in Entra ID: Service Limits and Restrictions – Microsoft Entra ID | Microsoft Learn
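The inheritance described for the "Paris" example and the Microsoft 365 restriction above, as an added example that is not code from the article or from FirstAttribute. The directory is constructed sample data that mirrors the fields a Microsoft Graph group object carries (displayName, groupTypes, securityEnabled, members); the user names and object ids are assumptions.

```python
"""Resolve effective (transitive) membership of nested Entra ID groups.

Added example; constructed sample data, not a real tenant. "Unified" in
groupTypes marks a Microsoft 365 group, which cannot be nested.
"""
from typing import Dict, List, Tuple

DIRECTORY = {
    "g-paris": {"type": "group", "displayName": "Paris", "groupTypes": [],
                "securityEnabled": True,
                "members": ["g-marketing", "g-sales", "u-alice"]},
    "g-marketing": {"type": "group", "displayName": "Marketing", "groupTypes": [],
                    "securityEnabled": True,
                    # constructed cycle: Paris -> Marketing -> Paris
                    "members": ["u-bob", "g-paris"]},
    "g-sales": {"type": "group", "displayName": "Sales", "groupTypes": ["Unified"],
                "securityEnabled": False, "members": ["u-carol"]},
    "u-alice": {"type": "user", "displayName": "Alice"},
    "u-bob": {"type": "user", "displayName": "Bob"},
    "u-carol": {"type": "user", "displayName": "Carol"},
}


def effective_members(group_id: str, directory: dict) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return ({user_id: group names on the path}, warnings) for group_id.

    Walks nested groups depth-first. A group already visited is skipped, so a
    cycle cannot loop forever. A Microsoft 365 group found as a member is
    reported instead of descended into: its members would not inherit rights.
    """
    users: Dict[str, List[str]] = {}
    warnings: List[str] = []
    seen = set()
    stack = [(group_id, [directory[group_id]["displayName"]])]
    while stack:
        gid, path = stack.pop()
        if gid in seen:
            continue
        seen.add(gid)
        for mid in directory[gid]["members"]:
            obj = directory[mid]
            if obj["type"] == "user":
                users.setdefault(mid, path)  # keep the first path found
            elif "Unified" in obj["groupTypes"]:
                warnings.append(f"{obj['displayName']} is a Microsoft 365 group and cannot be nested under {path[-1]}")
            else:
                stack.append((mid, path + [obj["displayName"]]))
    return users, warnings


def inherited_only(group_id: str, directory: dict) -> Dict[str, List[str]]:
    """Users who hold the group's rights only through nesting (path length > 1)."""
    users, _ = effective_members(group_id, directory)
    return {uid: path for uid, path in users.items() if len(path) > 1}
```

The inherited_only view is the one an access review needs: it lists exactly the members who are not visible in the parent group's direct membership list.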
How to synchronize nested groups from AD to Entra ID
Nested groups from Active Directory can be synchronized to Entra ID via Azure AD Connect. Here, Azure AD Connect transfers the local groups to groups in Entra ID. These groups can be used to assign authorizations. You will find more information about Azure AD Connect in the following articles: “Install Azure AD Connect” and “Azure AD Connect and Azure AD Connect Cloud Sync”. No group resolution is required for the synchronization of nested AD groups.
This makes it possible to control group memberships much more efficiently, especially when synchronizing between AD and Entra ID.
Hybrid use of nested groups: DynamicGroup and DynamicSync
If groups are used in the local AD and in Entra ID, and if AD groups also have to be synchronized in Entra ID, administration quickly becomes complicated. Difficult administration can mean loss of time and security risks.
DynamicGroup offers the advantage that companies can say goodbye to the complicated concept of different group types in AD. DynamicGroup automates the management of memberships in groups by doing this dynamically on the basis of attributes. This saves a lot of configuration and planning work.
In this case, it makes sense to combine DynamicGroup and DynamicSync. DynamicGroup then ensures that the group memberships are maintained not only in Active Directory, but also, in parallel, in Entra ID via dynamic group memberships.
This automates the management of groups in hybrid environments. The advantage of using both tools is that the group memberships always match. DynamicSync ensures that local AD groups can continue to be used in Entra ID. It maximizes security in the entire environment, provides more flexibility and simplifies administration.
About FirstAttribute
FirstAttribute is an independent cloud services and software company focused on Identity & Access Management (IAM) for AD and M365/Entra ID. You can learn more about our team at Company.
DynamicGroup has been a popular tool for AD administrators for many years to manage group memberships in AD in a coordinated and secure way. The application is used worldwide by companies in a wide range of industries. Continuous updates ensure that the application remains up to the growing demands in IT and does exactly what it promises.
DynamicSync is an automation software for cloud groups. As a pure cloud service (SaaS), DynamicSync specializes in dynamic and automatic group synchronization in Entra ID.