Azure does not sync member users from nested ad groups if source is not cloud

[vincentd-of]

We have a Entra ID setup where we have nested groups. For example:

aggregated = group1 + group2

Where group1 and group2 have member users, while aggregated doesn't.

The expectation is that the resulted sync towards OpenShift has all three groups available and that the aggregated group would have the members of both group1 and group2 assigned.

However, we observe that for the aggregated group this only works when its source is 'Cloud'. If the aggregated group source is 'Windows Server AD', it will have no memberships at all.

[sabre1041]

@of-vincentvandam is this an issue related to Group Sync Operator or a does it affect how users are allocated to groups within Entra ID?

[vincentd-of]

The problem is with the syncing. The groups work fine with other integrations (that do not rely on retrieving the groups). My guess (since Entra ID itself is a black box), is that the member requests for these groups are federated and therefor they don't end up when doing a ItemTransitiveMembersRequest.

[sabre1041]

@of-vincentvandam i do not know offhand