Azure AD and nested groups

Just enabled AAD and to my surprise, nested group membership is not working correctly. Got an on-premise AD, synchronizing users and some security groups to AAD. Have octopus specific security groups created in AAD and the on-prem security groups added as members. Not working.

I can see a similar case in Nested AD Security Groups not resolving anymore, but I’m unsure this is similar to my case.

Can anyone give me a status on the AAD integration?

Hi @jasper

Thanks for getting in touch! Sorry to hear that you’ve run into an issue with Azure AD and nested groups.

I believe your case is similar to the linked topic. I’ve looked further into this for you, and it appears that the nested issue is something that is being worked on but, unfortunately, I wouldn’t be able to give you a timescale on when a fix will be released.

For now, the workaround is that you’d need to either get everything on one domain or un-nest.

I’m sorry that I don’t have a more positive response for you but thank you for bringing this to our attention.

Regards,

Hi Stuart,

Thanks for replying. Just to make sure - we have a single on-prem domain, where users and security groups are replicated to AAD. Is this not supported? I would think that from OD’s point of view, it’s a single AD, right?

Hi @jasper

Thanks for your patience with me on this while I look further into the issue. Your setup should work, but I’m going to attempt to replicate the issue.

While I’m doing this, and if you haven’t already, would you be able to run through our AAD documentation, please? The reason I ask is to check if there’s anything that stands out that could be stopping this from working for you.

Regards,

Hi Stuart,

Just been through the documentation and everything seems to be in order. No additional settings or configuration in the manifest seems to specify how to support nested AAD groups.

Hi @jasper

Thanks again for your patience with me on this. I’ve been attempting to reproduce your issue, and I think I may have found the stumbling block here.

When I attempted to assign a group to access the application in Azure AD, I noticed the following message:

Would you be able to add the nested groups directly to the users and groups section of the app registration in Azure AD?

For example, I had the OctoStu group (local AD) nested within the test_security_group (Azure AD) and it wouldn’t work. Instead, I added the OctoStu group directly to the app and was then able to log in to my local Octopus instance with the user in that group. Like this:


Please let me know how you get on or if there’s something else I may have missed.

Regards,
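An added illustration of the workaround in the reply above (example code, not from the thread, from Octopus or from Microsoft): the group names and nesting are constructed, and it models the behaviour observed here, that the app assignment in Azure AD only honours direct membership of an assigned group. It computes which nested groups must be assigned directly on the app and which users would otherwise be locked out, so the change can be checked before and after it is made.

```python
from collections import deque

# Constructed sample data (not from the thread): Azure AD-only groups that map
# to Octopus teams, nesting on-prem security groups synced from a single domain.
# Each entry lists the group's *direct* member groups and direct member users.
GROUP_TREE = {
    "octopus-admins": {"groups": {"onprem-ops"}, "users": set()},
    "octopus-devs": {"groups": {"onprem-dev", "onprem-qa"}, "users": {"alice"}},
    "onprem-ops": {"groups": set(), "users": {"bob"}},
    "onprem-dev": {"groups": set(), "users": {"carol"}},
    "onprem-qa": {"groups": set(), "users": {"dave"}},
}

def nested_groups(root, tree):
    """Every group reachable from root through nesting (root itself excluded).
    Breadth-first with a visited set so a nesting loop cannot hang the walk."""
    seen, queue = set(), deque(tree[root]["groups"])
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        queue.extend(tree[g]["groups"])
    return seen

def users_granted(assigned, tree):
    """Users the app admits when, as observed in the thread, the Azure AD app
    assignment honours only *direct* membership of an assigned group."""
    return set().union(*(tree[g]["users"] for g in assigned))

def expected_users(app_groups, tree):
    """Users who should have access if nesting were flattened (transitive)."""
    full = set()
    for g in app_groups:
        full |= users_granted({g} | nested_groups(g, tree), tree)
    return full

def direct_assignments_needed(app_groups, tree):
    """The workaround: assign each nested group directly on the app, keeping
    the parent group too so its directly attached users are not dropped."""
    needed = set(app_groups)
    for g in app_groups:
        needed |= nested_groups(g, tree)
    return needed

def locked_out(app_groups, tree):
    """Users who lose access when only the top-level groups are assigned."""
    return expected_users(app_groups, tree) - users_granted(app_groups, tree)
```

Running `locked_out` over a real export of your group tree before the change lists exactly who is failing to sign in, and running it again over `direct_assignments_needed` should return an empty set.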

Hi Stu,

That’s a pretty good idea - I’ll try it out.
