I have an enterprise application in Azure with some roles defined, let's say:
- professor role
- student role
- staff role
Then I have some Active Directory groups which are nested, like:
- root professor group PROF
  - nested professor group PROF1
  - nested professor group PROF2
  - and many more similar, even more nested...
- root student group STUD
  - nested student group STUD1
  - nested student group STUD2
  - and many more similar, even more nested...
- root staff group STAFF
  - nested staff group STAFF1
  - nested staff group STAFF2
  - and many more similar, even more nested...
I can assign users and AD groups to those roles. However, when I want to assign a group to a role, it works only when a user is a direct member of the group. If, for instance, I add the whole STUD group to a role, the role assignment does not work. Therefore I have to add all the single nested groups to the role, which is quite time consuming. That would have been acceptable as a one-time solution. The bad thing is that there are new groups and users constantly, and I'd have to keep the role assignments up to date manually all the time.
Ideally I'd like to say: everyone from the STUD root AD group gets the student role etc. Apparently this is not possible: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/15718164-add-support-for-nested-groups-in-azure-ad-app-acc
Is it maybe possible to do it via some automated script? Maybe you have some other ideas? Thanks in advance!
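Added example (not part of the original question): a small reconciliation script that expands each root group into every group nested under it and assigns the matching app role to each one, skipping groups that already hold the assignment so it can run on a schedule. The `FakeGraph` class and its method names are hypothetical stand-ins built on constructed sample data; against a real tenant they map to Microsoft Graph's `GET /groups/{id}/transitiveMembers/microsoft.graph.group` (which does the flattening server-side), `GET /groups/{id}/appRoleAssignments`, and `POST /groups/{id}/appRoleAssignments` with a `{principalId, resourceId, appRoleId}` body. Group ids, the service principal id and the app role ids are made-up labels, not real object ids.

```python
"""Flatten nested Azure AD groups into per-group app role assignments.

Added example, not code from the original post. FakeGraph is an in-memory
stand-in for Microsoft Graph; the sample group tree below is constructed.
"""
from dataclasses import dataclass, field

# Hypothetical ids for the enterprise app's service principal and its app roles.
APP_SP_ID = "sp-enterprise-app"
ROLE_MAP = {           # root group id -> appRoleId on the service principal
    "STUD": "role-student",
    "PROF": "role-professor",
    "STAFF": "role-staff",
}


@dataclass
class FakeGraph:
    """Minimal in-memory model of the three Graph calls the script needs."""
    # group id -> ids of groups that are direct members of it (constructed)
    children: dict
    # group id -> set of (resourceId, appRoleId) already assigned to it
    assignments: dict = field(default_factory=dict)

    def direct_member_groups(self, group_id):
        # Real call: GET /groups/{id}/members/microsoft.graph.group
        return list(self.children.get(group_id, []))

    def app_role_assignments(self, group_id):
        # Real call: GET /groups/{id}/appRoleAssignments
        return set(self.assignments.get(group_id, set()))

    def assign_app_role(self, group_id, resource_id, app_role_id):
        # Real call: POST /groups/{id}/appRoleAssignments with this body.
        body = {"principalId": group_id,
                "resourceId": resource_id,
                "appRoleId": app_role_id}
        self.assignments.setdefault(group_id, set()).add((resource_id, app_role_id))
        return body


def transitive_groups(graph, root_id):
    """Root plus every group nested under it at any depth.

    Breadth-first over direct group members, with a seen-set so a cyclic
    nesting cannot loop forever. Graph's transitiveMembers endpoint returns
    the same set in one call; this local walk keeps the example offline.
    """
    seen = {root_id}
    queue = [root_id]
    while queue:
        gid = queue.pop(0)
        for child in graph.direct_member_groups(gid):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def reconcile(graph, resource_id, role_map):
    """Assign each role to every group under its root; return POST bodies issued.

    Idempotent: a group that already has (resourceId, appRoleId) is skipped,
    so the function is safe to run repeatedly from a scheduled job.
    """
    issued = []
    for root, app_role_id in role_map.items():
        for gid in sorted(transitive_groups(graph, root)):
            if (resource_id, app_role_id) in graph.app_role_assignments(gid):
                continue
            issued.append(graph.assign_app_role(gid, resource_id, app_role_id))
    return issued


def build_sample():
    """Constructed tenant: the post's three trees, STUD already assigned."""
    children = {
        "PROF": ["PROF1", "PROF2"],
        "STUD": ["STUD1", "STUD2"],
        "STUD1": ["STUD1a"],          # a second level of nesting
        "STAFF": ["STAFF1"],
    }
    existing = {"STUD": {(APP_SP_ID, "role-student")}}  # done by hand earlier
    return FakeGraph(children=children, assignments=existing)


if __name__ == "__main__":
    g = build_sample()
    for body in reconcile(g, APP_SP_ID, ROLE_MAP):
        print("assign", body["appRoleId"], "->", body["principalId"])
    print("second run issues", len(reconcile(g, APP_SP_ID, ROLE_MAP)), "requests")
```

Two things to keep in mind when turning this into a scheduled job (an Azure Automation runbook or a pipeline with an app registration that has `Group.Read.All` and `AppRoleAssignment.ReadWrite.All`): first, it only adds assignments, so a group that is moved out of the STUD tree keeps its student role until you also implement the reverse diff and delete stale assignments; second, the nested groups still have to be types that accept app role assignments (security or Microsoft 365 groups), and any that do not will be rejected by the POST and should be logged rather than silently skipped.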