Wierd issue with AD sync on groups change

Question

Dear all,

We have a strange behavior with our AD on azure.

At some point we get a groupA nested to groupB then a sync as been made at a certain time. Then our AD admin at some time remove GroupA from GroupB , so no nested group anymore.

Then the issue we get is that when we made a clean sync, the change apply to group is not replicated to next.

Do you have any tips which could cause this issue ?

regards

Answer 1

Hey Wakefun, 

Can you clarify what you mean in regards to "a clean sync"?

Are you utilizing AAD Connect and would like for a group to not be nested in another group? 

If the groups are separate I don't see why it would nest one group under another group. Can you provide the steps you're following to do the sync and how you're removing groupa from groupb? 

Thanks,

- Frank Hu

Answer 2

Hello,

Thnaks for your reply.

In fact we are using ldapshare to connect to our AAD and verify the group membership and we find out from that list that we clearly see the only one Nested Group.

But when we are using the AAD we do not see the Nested group from the User Interface

Any idea?

Answer 3

Nested groups are not supported per the feedback here : https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/15718164-add-support-for-nested-groups-in-azure-ad-app-acc

To be clear, it sounds like the original setup you had was that when you synced from on-prem to AAD, it had a nested group. Then when you synced from AAD to a different server to replicate, the nested group still exists. Is that correct? 

If that is the case you'll need to restart your sync with the flat groups with no nested groups as it's most likely saving the original schema. Let us know if after doing a resync from the original Domain Controller if the issue is resolved. 

Thanks,

- Frank Hu