PIM for groups doesn't work for nested groups

210vadim 0 Reputation points
2025-08-13T09:20:40.4166667+00:00

Hello,

Could anyone help me understand why just-in-time access doesn't work for a member of a nested group, please?

I have group A with user Test as a permanent member. Group A is eligible to activate as a member of group B in PIM. Group B has Reader permissions on Subscription1. User Test doesn't have any assigned roles or direct permissions across Azure resources. Neither group is Entra role-assignable.

I log in to the portal as user Test and don't see any resources - this is expected. Next, I go to PIM -> Groups -> Activate membership in group B. After activation of the membership, I'm able to see the management group structure down to Subscription1, but I get a 401 error (no access) when I try to open the subscription itself.

If I add an eligible assignment to group B for the Test user directly, then after activation I can see all settings of Subscription1 without any problems.

According to the documentation, nested groups should be supported, but it looks like I am missing something in the configuration or it doesn't actually work.


1 answer

  1. Alan La Pietra (CSA) 165 Reputation points Microsoft Employee
    2025-08-25T13:08:12.2033333+00:00

    PIM for Groups does support nested groups, but with important limitations and nuances:

    • Activation Scope: If a user is an active member of Group A, and Group A is an eligible member of Group B, the user can activate their membership in Group B. However, this activation applies only to the individual user, not to the entire Group A. This means Group A does not become an active member of Group B as a whole.

    • Performance Considerations: Nested group configurations can introduce delays in permission propagation, especially in services like Microsoft Purview. Users have reported activation delays ranging from 10 minutes to over an hour, particularly for complex roles like Content Explorer.

    • Configuration Caveats: Misconfigurations or unsupported group types (e.g., dynamic groups or on-prem synced groups) can cause nested group activation to fail. A user in a nested group may not receive access unless explicitly assigned.

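A diagnostic script for the scenario above, added here as an example and not part of the question or answer: it lists how the Test user's eligibility for Group B is recorded (direct vs. inherited through Group A), what the active assignment looks like after activation (the answer's point that only the user, never Group A, becomes an active member), and whether the Reader assignment on Subscription1 is reachable from the user through group membership. It assumes the Microsoft.Graph.Identity.Governance and Az.Resources modules are installed and that the placeholder IDs are replaced; the Graph permission scopes and cmdlet names are the ones the author believes current, so treat them as assumptions if your module versions differ.

```powershell
# Placeholders (constructed): replace with the real object IDs from Entra / Azure.
$UserId   = '<object-id-of-user-Test>'
$GroupAId = '<object-id-of-Group-A>'
$GroupBId = '<object-id-of-Group-B>'
$SubId    = '<subscription-id-of-Subscription1>'

# Read-only Graph scopes for PIM for Groups schedules and group membership.
Connect-MgGraph -Scopes 'PrivilegedEligibilitySchedule.Read.AzureADGroup',
                        'PrivilegedAssignmentSchedule.Read.AzureADGroup',
                        'GroupMember.Read.All'
Connect-AzAccount | Out-Null

# 1. Eligibility for Group B as seen for the user. For the nested setup the row is
#    expected to carry MemberType 'group' (inherited via Group A) rather than 'direct'.
Write-Host "== Eligibility schedule instances for the user on Group B =="
Get-MgIdentityGovernancePrivilegedAccessGroupEligibilityScheduleInstance `
    -Filter "principalId eq '$UserId' and groupId eq '$GroupBId'" |
    Select-Object PrincipalId, GroupId, AccessId, MemberType, EndDateTime

# 2. Active assignments on Group B after activation. The answer says activation is
#    per user: the user should appear with AssignmentType 'activated', and Group A
#    should NOT appear as an activated principal.
Write-Host "== Active assignment schedule instances on Group B =="
Get-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleInstance `
    -Filter "groupId eq '$GroupBId'" |
    Select-Object PrincipalId, AccessId, MemberType, AssignmentType, EndDateTime |
    ForEach-Object {
        $who = if ($_.PrincipalId -eq $GroupAId) { 'GROUP A (unexpected)' }
               elseif ($_.PrincipalId -eq $UserId) { 'user Test' } else { $_.PrincipalId }
        "{0,-22} access={1} member={2} type={3} ends={4}" -f $who, $_.AccessId, $_.MemberType, $_.AssignmentType, $_.EndDateTime
    }

# 3. Is the user now a direct member of Group B (what Azure RBAC needs to see)?
$isMember = (Get-MgGroupMember -GroupId $GroupBId -All | Where-Object Id -eq $UserId) -ne $null
Write-Host "User is a direct member of Group B right now: $isMember"

# 4. RBAC side: Group B's Reader assignment on the subscription, and the user's
#    effective assignments there including those inherited through groups.
Write-Host "== Role assignments for Group B on the subscription =="
Get-AzRoleAssignment -ObjectId $GroupBId -Scope "/subscriptions/$SubId" |
    Select-Object RoleDefinitionName, Scope
Write-Host "== Effective role assignments for the user (expanding groups) =="
Get-AzRoleAssignment -ObjectId $UserId -Scope "/subscriptions/$SubId" -ExpandPrincipalGroups |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope
```

If step 3 reports the user as a member and step 4 still shows no Reader assignment reaching the user, the problem is on the RBAC or token side rather than in the PIM eligibility; if step 1 returns nothing, the nested eligibility itself is not being resolved for that user.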
