For those of us working with hybrid on-premise ad/entra id environments, it can be a constant nuisance that entra does not support nested groups for lots of things, for example app role assigments. [1]
It would be incredibly helpful to have a flatten parameter on the microsoft.ad.group module, which, when going over set/add/remove items, checks if that item is a group, and, if it is, replaces that with its (flattened) members.
The resulting group will therefore be flat (only having direct members, no groups as members), making it suitable for use with azure ad.
SUMMARY
For those of us working with hybrid on-premise ad/entra id environments, it can be a constant nuisance that entra does not support nested groups for lots of things, for example app role assigments. [1]
It would be incredibly helpful to have a
flattenparameter on themicrosoft.ad.groupmodule, which, when going over set/add/remove items, checks if that item is a group, and, if it is, replaces that with its (flattened) members.The resulting group will therefore be flat (only having direct members, no groups as members), making it suitable for use with azure ad.
[1] " App role assignment, for both access and provisioning. Assigning groups to an app is supported, but any groups nested within the directly assigned group won't have access.", https://learn.microsoft.com/en-us/entra/identity/users/directory-service-limits-restrictions
ISSUE TYPE
COMPONENT NAME
microsoft.ad.group