
How to Get Nested Groups Report in Microsoft 365

Larger organizations require Microsoft 365 nested groups to represent sub-groups since they manage multiple departments and projects. Nested groups streamline permission management by granting access at a higher group level while offering flexibility for individual sub-groups. This guide will help you get the Entra ID nested groups report in Microsoft 365, enabling you to manage them more efficiently.

Native Solution

Microsoft 365 Permission Required: High

  • Least Privilege: Group Admin
  • Highest Privilege: Global Admin

Option 1: Using PowerShell

  • Connect to the Microsoft Graph PowerShell module with the 'GroupMember.Read.All' permission.
     Connect-MgGraph -Scopes GroupMember.Read.All
  • Then, run the following cmdlet to get all nested groups within a specific group in Microsoft 365.
     Get-MgGroupMemberAsGroup -GroupId <GroupId>

Option 2: Using PowerShell Script

  • Note that the above PowerShell cmdlet returns nested groups only for a specified group. However, it won't check each group or retrieve a complete list of nested groups across your organization.
  • To overcome this limitation, we have developed a user-friendly PowerShell script that retrieves all nested groups within your M365 tenant.
  • Download and run the script in Administrator PowerShell to export all nested groups in Microsoft 365.
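
The tenant-wide approach described above can be sketched as follows. This is an added example, not AdminDroid's script: it loops over every group and collects its directly nested groups. The helper name Get-GroupKind and the output file name are assumptions made for illustration.

```powershell
# Added example (not AdminDroid's script): tenant-wide inventory of directly nested groups.
# Requires the Microsoft.Graph.Groups module; the output path is a hypothetical choice.
Connect-MgGraph -Scopes GroupMember.Read.All

function Get-GroupKind {
    # Hypothetical helper: classify a group object from its Graph properties.
    param($Group)
    if ($Group.GroupTypes -contains 'Unified') { return 'Microsoft 365' }
    if ($Group.SecurityEnabled -and $Group.MailEnabled) { return 'Mail-enabled security' }
    if ($Group.SecurityEnabled) { return 'Security' }
    return 'Distribution'
}

$parents = Get-MgGroup -All -Property Id,DisplayName,Mail,GroupTypes,SecurityEnabled,MailEnabled

$report = foreach ($parent in $parents) {
    try {
        # Only members that are themselves groups, i.e. one level of nesting.
        $children = Get-MgGroupMemberAsGroup -GroupId $parent.Id -All -ErrorAction Stop
    }
    catch {
        Write-Warning "Skipping $($parent.DisplayName) ($($parent.Id)): $($_.Exception.Message)"
        continue
    }
    foreach ($child in $children) {
        [pscustomobject]@{
            ParentGroupName = $parent.DisplayName
            ParentGroupId   = $parent.Id
            ParentGroupType = Get-GroupKind $parent
            NestedGroupName = $child.DisplayName
            NestedGroupId   = $child.Id
            NestedGroupMail = $child.Mail
            NestedGroupType = Get-GroupKind $child
        }
    }
}

$report | Sort-Object ParentGroupName, NestedGroupName |
    Export-Csv -Path .\NestedGroupsReport.csv -NoTypeInformation -Encoding UTF8
"{0} nested group relationships exported" -f @($report).Count
```

The loop issues one membership query per group, so expect it to run for a while in large tenants.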
AdminDroid Solution
This report and 150+ more reports are available in the free edition.

AdminDroid Permission Required

Any user with report access delegated by the Super Admin.

Steps Using AdminDroid

  • Log in to the AdminDroid Office 365 portal.
  • Navigate to the Nested Groups report under Reports»Azure AD»Group Reports.

Here, you can view all nested groups in M365, along with details like group name, group mail, group type, total members count, nested group name, nested group email, and more.

  • Utilize the built-in graphical charts to easily identify nested groups along with their parent group counts, allowing you to filter and manage them with just a few clicks!

Get all Nested Groups in Microsoft 365 with Ease!

Eliminate the challenges of navigating through multiple groups to identify the ones that were nested. Gain a unified view of all nested groups within your Microsoft 365 environment using AdminDroid.

Witness the report in action using the

Important Tips

Since Microsoft 365 group-based licensing doesn't apply to members of nested groups, make sure that all users who require licenses are direct members of the licensed groups.

Use nested groups as includeTarget or excludeTarget in the system-preferred MFA setting to enable the most secure authentication methods for the nested group members.

As Microsoft Entra supports nested groups, you can create and add them for wider deployment while enabling self-service password reset based on your organization's needs.

Azure AD: Manage Nested Groups in Microsoft 365 to Streamline Access Management Effectively


How to create a nested group in Entra Admin Center?

Nested groups in Microsoft 365 allow you to enhance access management by adding one group as a member of another group. Nesting supports various scenarios, including group membership claims, Conditional Access policy assignments, and managing access permissions for self-service password resets and Microsoft Entra device registrations.

Steps to create a nested group in the Entra Admin Center

  • Navigate to All groups under Identity»Groups in the Microsoft Entra admin center.
  • Click on New group and select the Group type as Security.
  • Enter the Group name and select Membership type as Assigned.
  • Click on the link under Members and select a group that you want to nest in this group & click 'Select'.
  • Then, hit the 'Create' button to create a parent group with groups nested under it.

While Microsoft 365 admin portals lack the ability to audit nested group management activities, AdminDroid offers a robust solution!

  • In AdminDroid's Group Member Changes report, use the Advanced customization to display items where "Operation" is "Add Group Member" and "Added/Removed User" starts with "Group".
  • This granular filtering enables you to easily audit nested group creations with details such as activity time, group name, operation, result status, activity performed on, performed by, etc.

Can distribution groups be nested in Microsoft 365?

Yes, creating nested distribution groups in Microsoft 365 enables efficient management of email communications by organizing multiple groups under a single parent distribution list. It simplifies the process of sending emails to a larger audience and maintains organized group memberships for better communication within your organization.

Steps to create nested distribution group using Exchange admin center

  • Navigate to the Distribution list tab under Recipients»Groups in the Exchange admin center.
  • Click the group where you want to nest another group.
  • In the side pane, choose the Members tab and select 'View all and manage members' to see all members of the group.
  • Click Add Members to select the groups that you want to include as members of this group.
  • Finally, click the 'Add' button to create a nested distribution list in Microsoft 365.

Steps to create nested distribution group using PowerShell

To create a nested distribution group, first connect to Exchange Online PowerShell.

Connect-ExchangeOnline

Then, run the cmdlet below to add a group as a member of another group.

Add-DistributionGroupMember -Identity <ParentGroup> -Member <NestedGroup>

Moreover, you can use the script below to export a report of all nested distribution group members in Microsoft 365.

GetNestedDistributionGroupMembers.ps1

With AdminDroid, you can easily export the nested distribution groups report in various formats such as HTML, PDF, CSV, XLS, and XLSX.

  • Use AdminDroid's Distribution Group Members report with the "Member Type" filter set to "Group" to access the nested distribution groups in your Microsoft 365 environment.
  • This report provides details such as group name, group mail, nested DL name, nested DL email, member type, etc.

Pro Tip: Click on the Download/Export icon to download the report in your desired format.

What are the benefits and limitations of nested groups in Azure AD?

While nested groups in Microsoft Entra ID offer several benefits, they also come with certain limitations. Here's a look at both the benefits and limitations.

Benefits of nested groups in Entra ID

  • Conditional Access: Nested groups are supported when a Conditional Access policy is applied with a group scope.
  • Self-Service Password Reset: Since SSPR access is limited to a single group, nested groups allow users within them to inherit access, enabling them to perform SSPR.
  • Device Registration: Nested groups can be used to limit which users can do Microsoft Entra join and device registrations.

Limitations of nested groups in Entra ID

  • App Role Assignment: Nested group membership and app role assignments to an application are not supported.
  • Group-based Licensing: Licenses for nested groups do not inherit from their parent groups. You must apply licenses to each nested group individually.
  • Microsoft 365 Groups: Adding Microsoft 365 groups to security groups and vice versa is not supported.
  • Azure RBAC Nested Groups: Nesting is currently not supported for groups that can be assigned to a role.

How to assign licenses to nested group members in Microsoft 365?

As we know, nested groups do not support group-based licensing in Microsoft Entra ID. However, admins can create dynamic membership groups that automatically include members based on specified attributes. This allows admins to assign licenses to the direct members of nested groups.

Let’s take a scenario:

Imagine you have Group A, which contains Group B and Group C as nested groups. Since licenses assigned to Group A are not inherited by its child groups due to this nesting, you can create a dynamic group, say 'Dynamic Group D', that automatically includes members from Group B and Group C based on the 'memberOf' attribute.

Steps to create a group membership from Azure AD dynamic groups

  • Navigate to All groups under Identity»Groups in the Microsoft Entra admin center.
  • Click on New group, fill in the group details, select the Group type as Security or Microsoft 365, and set the Membership type to Dynamic User.
  • Select 'Add dynamic query' and click on 'Edit' to write the rule in the Rule syntax box.

    user.memberof -any (group.objectId -in ['GroupA_Id', 'GroupB_Id', 'GroupC_Id'])

  • Click 'OK' and 'Create' to add members of other groups using the memberOf attribute.

By creating dynamic groups in Microsoft Entra ID, you can effectively flatten group membership, allowing direct members of Group A, Group B and Group C to be included in Dynamic group D. Once set up, you can assign licenses to this dynamic group, ensuring other group members receive the proper licenses without facing limitations from nested group structures.
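
To see which users the licensing limitation and the scenario above actually affect, compare a group's direct members with its transitive members. This is an added example, not part of the original page or AdminDroid's tooling; the function name Get-NestedOnlyUser and the group ID placeholder are assumptions.

```powershell
# Added example: list users who belong to a licensed group only through a nested group,
# and therefore do not receive the group-based license.
# Assumes an existing Connect-MgGraph session with GroupMember.Read.All; add User.Read.All
# if UserPrincipalName comes back empty.
function Get-NestedOnlyUser {
    param(
        [Parameter(Mandatory)]
        [string]$GroupId
    )

    # Member cmdlets return generic directory objects; the type is in AdditionalProperties.
    $isUser = { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

    # IDs of users who are direct members (these do receive the license).
    $directIds = @(Get-MgGroupMember -GroupId $GroupId -All |
        Where-Object $isUser |
        ForEach-Object { $_.Id })

    # Transitive membership flattens every level of nesting.
    Get-MgGroupTransitiveMember -GroupId $GroupId -All |
        Where-Object $isUser |
        Where-Object { $_.Id -notin $directIds } |
        ForEach-Object {
            [pscustomobject]@{
                UserId            = $_.Id
                UserPrincipalName = $_.AdditionalProperties['userPrincipalName']
            }
        }
}

# '<LicensedGroupId>' is a placeholder for the object ID of the group that holds the license.
Get-NestedOnlyUser -GroupId '<LicensedGroupId>' | Format-Table -AutoSize
```

Every user in the output needs either direct membership in the licensed group or coverage by a dynamic group such as Dynamic Group D.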

AdminDroid Azure AD Reporter: Finding all Microsoft 365 nested groups made easy!

AdminDroid's Azure AD reporting tool simplifies the process of retrieving all nested groups in your Microsoft 365 environment. It offers detailed reports on M365 groups, facilitating effective management and control over group-related activities in your organization.

A Quick Summary

Locate Nested Groups with Advanced Filtering with Ease

Enhance your ability to locate nested groups efficiently through AdminDroid's rich filtering, allowing you to easily filter groups based on properties such as group type, mail-enabled status, and more.

Stay Informed about Changes in Group Memberships

Gain insights into Microsoft 365 group activities with detailed audit reports. Track changes and stay informed about modifications in group memberships, making it easier to monitor your organization’s group activities.

Detailed Analysis of Microsoft 365 Groups

Access comprehensive insights on Microsoft 365 group reports that detail memberships, ownerships, and group types like security, distribution, and mail-enabled groups to enhance group management.

Get Regular Updates on Nested Groups in M365

Schedule the nested groups report to receive updates in your inbox daily, weekly, or monthly. This ensures you stay informed about nested groups and gain better insights into group memberships and configurations.

Easily Manage Empty Groups in Microsoft 365

The Empty Groups report lets you easily spot M365 groups without members. You can quickly decide whether to delete or retain these groups, helping you maintain a clutter-free and efficient M365 environment.

Simplified Dashboard for Efficient Group Management

The Microsoft 365 group dashboard gives you a centralized view of all group-related metrics and activities within Azure AD at a glance, which reduces the time spent navigating various interfaces.

Overall, AdminDroid helps you easily find nested groups, making the process quick and effortless with just a few clicks. AdminDroid’s Azure AD auditing tool allows you to monitor user permissions, license changes, group setting changes, and much more.

Kickstart Your Journey with AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities!

Common Errors and Resolution Steps in Viewing Nested Groups in Microsoft 365

The following are the possible errors and troubleshooting hints while accessing all nested groups in Azure AD.

Error: Nesting is currently not supported for groups that can be assigned to a role.

This error occurs when attempting to nest a group that is assigned to a role in Microsoft Entra ID. Role-assignable groups do not support nesting, which leads to the error.

Troubleshooting hint: Use the PowerShell cmdlet below to identify role-assignable groups and ensure the group you're trying to nest is not one of them.

Get-MgGroup -Filter "isAssignableToRole eq true"

Error: Get-MgGroupMemberAsGroup : Insufficient privileges to complete the operation.

This error occurs when running the 'Get-MgGroupMemberAsGroup' cmdlet without the necessary permissions to perform the requested operation.

Troubleshooting hint: Connect to the MS Graph PowerShell module with the 'GroupMember.Read.All' permission before running the 'Get-MgGroupMemberAsGroup' cmdlet.

# Run the cmdlet below to connect to MS Graph PowerShell.
Connect-MgGraph -Scopes GroupMember.Read.All

Error: Get-MgGroupMemberAsGroup : One or more errors occurred.

This error typically occurs when you have multiple versions of the MS Graph PowerShell module installed. To identify the available versions of the Microsoft Graph PowerShell module, run the following cmdlet.

Get-Module -Name Microsoft.Graph -ListAvailable

Troubleshooting hint: To fix the problem, uninstall all the older versions of the module, which helps resolve the issue.

Uninstall-Module -Name "Microsoft.Graph" -RequiredVersion $Version -Force

Error: Microsoft 365 groups are not allowed.

This error occurs when attempting to nest Microsoft 365 Groups in Entra ID, but since Microsoft 365 Groups nesting is not supported, the action fails.

Troubleshooting hint: Ensure that you are only nesting security groups or distribution lists, as Microsoft 365 Groups cannot be nested within other groups.

Error: ./M365NestedGroups.ps1 cannot be loaded because running scripts is disabled on this system.

If you have set the execution policy settings to 'RemoteSigned', the above error will occur when running the PowerShell script.

Troubleshooting hint: Change the execution policy by running the cmdlet below. The '-Scope Process' parameter limits the change to the current PowerShell session.

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted

Error: Failed to remove group membership.

This error occurs when trying to remove the group membership of a distribution list from another distribution list in Microsoft Entra ID.

Troubleshooting hint: Use the Exchange Online admin center, as Entra ID doesn't manage distribution list memberships. You can also use the Exchange Online PowerShell cmdlet to remove DL members.

Remove-DistributionGroupMember -Identity "DLName" -Member "MemberName"