Azure Entra nested groups and Directory Sync: Limitations and workarounds
Blog post from WorkOS
When using Directory Sync with Azure Entra ID, a common issue arises where users in child groups are not provisioned into applications, because SCIM has no support for nested group expansion. Azure Entra ID supports nested groups internally, but during SCIM provisioning only the direct (literal) membership of the assigned group is synced; users who belong only through a nested child group are excluded.

This design choice by Microsoft can cause a range of operational problems: users who cannot log in, group hierarchies that unexpectedly appear flattened in the application, and permission failures that produce no error on either side.

To address these issues, organizations can flatten group memberships, assign each child group to the application directly, or supplement SCIM with the Microsoft Graph API for transitive member lookups. Which option fits depends on the structure of the customer's Entra directory and on their ability to manage the resulting configuration. Unlike Google Workspace, which natively supports nested groups through its pull-based APIs, Entra requires careful management and documentation to avoid provisioning gaps and to keep user access accurate.
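To make the gap concrete, here is an added example (not code from the WorkOS post or from Microsoft) that models the two views of an Entra group: the direct membership a SCIM push delivers, and the transitive membership a Microsoft Graph `transitiveMembers` lookup would return. The directory data, group and user ids are constructed for the example; only the `@odata.type` member shapes mirror what Graph actually returns. The `provisioning_gap` function is the check an administrator would run to find users who are silently left unprovisioned, and `child_groups_to_assign` lists the nested groups that would each need direct assignment under the second workaround.

```python
"""Added example, not from the WorkOS post: compare SCIM's direct-member view of
an assigned Entra group with the transitive view a Graph lookup would give, and
report the users a SCIM-only sync never provisions. All ids below are constructed."""

from collections import deque

USER = "#microsoft.graph.user"
GROUP = "#microsoft.graph.group"

# Constructed directory: group id -> list of (odata type, object id) direct members.
# grp-platform nests grp-engineering again, a cycle that Entra allows and that a
# naive recursive expansion must not loop on.
DIRECTORY = {
    "grp-engineering": [
        (USER, "user-alice"),
        (GROUP, "grp-backend"),
        (GROUP, "grp-frontend"),
    ],
    "grp-backend": [
        (USER, "user-bob"),
        (GROUP, "grp-platform"),
    ],
    "grp-frontend": [
        (USER, "user-carol"),
    ],
    "grp-platform": [
        (USER, "user-dave"),
        (GROUP, "grp-engineering"),  # cycle back to the top-level group
    ],
}


def direct_user_members(directory, group_id):
    """What a SCIM push of an assigned group delivers: users listed directly on
    the group. Nested group objects are dropped, so their users never arrive."""
    return {oid for otype, oid in directory.get(group_id, []) if otype == USER}


def _expand(directory, group_id):
    """Breadth-first walk over nested groups, returning (users, groups_visited).
    The visited set makes the walk terminate on cyclic nesting."""
    users = set()
    seen_groups = {group_id}
    queue = deque([group_id])
    while queue:
        gid = queue.popleft()
        for otype, oid in directory.get(gid, []):
            if otype == USER:
                users.add(oid)
            elif otype == GROUP and oid not in seen_groups:
                seen_groups.add(oid)
                queue.append(oid)
    return users, seen_groups


def transitive_user_members(directory, group_id):
    """Equivalent of GET /groups/{id}/transitiveMembers filtered to user objects:
    every user reachable through any depth of nesting."""
    return _expand(directory, group_id)[0]


def provisioning_gap(directory, assigned_group):
    """Users who hold access through nesting but whom SCIM alone never provisions.
    A non-empty result is the 'cannot log in' symptom before anyone reports it."""
    return transitive_user_members(directory, assigned_group) - direct_user_members(
        directory, assigned_group
    )


def child_groups_to_assign(directory, assigned_group):
    """Second workaround from the post: the nested groups that would each need to
    be assigned to the enterprise application directly so SCIM pushes their users."""
    _, groups = _expand(directory, assigned_group)
    return groups - {assigned_group}


if __name__ == "__main__":
    top = "grp-engineering"
    print("SCIM delivers:      ", sorted(direct_user_members(DIRECTORY, top)))
    print("Transitive members: ", sorted(transitive_user_members(DIRECTORY, top)))
    print("Unprovisioned users:", sorted(provisioning_gap(DIRECTORY, top)))
    print("Groups to assign:   ", sorted(child_groups_to_assign(DIRECTORY, top)))
```

Run against a live tenant, the `DIRECTORY` dictionary would be replaced by responses from Graph's `/groups/{id}/members` endpoint, or the whole `_expand` walk by a single `/groups/{id}/transitiveMembers` call; the visited-set logic matters in the first case because Entra does not reject cyclic nesting.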