Assigning all users to an Azure AD Enterprise app registration

Stumbled across a glaring problem with Azure this morning: Azure AD security groups don’t support nesting when it comes to application assignment!

The Azure docs article linked below states:

Group-based assignment is supported only for security groups. Nested group memberships are not supported for group-based assignment to applications at this time.

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/groups-saasapps

The Azure feedback item linked below says Microsoft is currently looking at the issue; it’s obviously a problem for a lot of users.

https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/15718164-add-support-for-nested-groups-in-azure-ad-app-acc

We have a complex role-based user permission model baked into our Active Directory that relies heavily on security group nesting. Adding all users to an Application Registration at the single-group level would mean assigning around 50 groups… which is totally unmanageable.

The workaround I’ve gone with for the time being is to set the “User assignment required?” option to No, on the “Properties” blade of the enterprise application side of the app registration, which allows every user who can sign in to the tenant to access the service.

Not very granular, but it temporarily grants an “Everyone” equivalent on the app registration for global access.
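The same toggle can be flipped from the command line, and the flip is worth pairing with an audit so the temporary “Everyone” grants don’t get forgotten. The script below is an added example, not code from the original post; it assumes the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph) and a Graph permission that can update service principals, and the app display name is a placeholder. In the portal, “User assignment required?” is the service principal’s appRoleAssignmentRequired property.

```powershell
# Added example (not from the original post). Assumes the Microsoft Graph PowerShell SDK
# is installed and that the signed-in account holds Application.ReadWrite.All
# (Application.Read.All is enough for the audit at the bottom).
Connect-MgGraph -Scopes "Application.ReadWrite.All"

$AppDisplayName = "Contoso Example App"   # placeholder: your enterprise app's display name

# The enterprise app in the portal is the service principal; look it up by display name.
$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) { throw "No service principal named '$AppDisplayName' found." }

# The workaround from the post: turn "User assignment required?" off so every user who
# can sign in to the tenant can reach the app. The property is a switch in the SDK,
# so it is set to false with the -Param:$false form.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$false

# Defender's check: list every enterprise app in the tenant that is open to all users,
# so the "Everyone" grants can be reviewed and reverted once a proper assignment exists.
# Microsoft's own first-party apps also report false here, so expect them in the output.
Get-MgServicePrincipal -All -Property Id,DisplayName,AppRoleAssignmentRequired,ServicePrincipalType |
    Where-Object { $_.ServicePrincipalType -eq 'Application' -and -not $_.AppRoleAssignmentRequired } |
    Select-Object DisplayName, Id, AppRoleAssignmentRequired |
    Sort-Object DisplayName

# Revert once a flat group (or, when supported, a nested group) can be assigned instead:
# Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true
```

The audit is the part to keep around: an app with assignment switched off is reachable by every account in the tenant, guests included if they can sign in, so the list of such apps should be short and intentional.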

Let’s hope they get it fixed up soon.
