web
You’re offline. This is a read only version of the page.
close
Skip to main content

Notifications

Announcements

Welcome to the Power Platform Communities
Season of Giving Solutions is Here!
Explore Copilot Studio Forums, Blogs & Galleries!
News and Announcements icon
Community site session details

Community site session details

Session Id :
Power Platform Community / Forums / Power Apps / Nested Entra ID securi...
Power Apps
Unanswered

Nested Entra ID security groups

(0) ShareShare
ReportReport
Posted on by NnjTrtl 10

As the Environment security group can only be a single group, I think it is relevant to use a nested Entra ID security group as the Environment security group, in order to include multiple Entra ID security groups.

 

(By nested group I mean a group where the group members themselves are groups, and these child groups can themselves have child groups as members. So it is like a multi-level hierarchy of groups, and the idea is to use only the top group as the Environment security group. The actual users - people - are only direct members of the groups in the lowest level of the hierarchy.)

 

This way, any user which is not member of any group in this hierarchy ("pyramid") of groups, will not have access to this Dataverse environment. (Or is it Power Platform environment?)

 

So it's like a first barrier, and more fine-grained control can be added by using security roles.

 

When I apply this top group as environment security group, I get a warning message saying I am not member of the group and will not have access to the environment. But I am member of a child group in the hierarchy, so I don't know why I get this warning message. Anyway, after I applied the group, I still have access. So the warning message seems like a bug? Or am I missing something?

 

Can I share apps and security roles directly with users, and with other security groups (groups which are not member of the nested hierarchy)? As long as the users are member of both a group in the nested hierarchy (environment security group) and they are also member of another independent group which I grant access to a security role and an app, will it work?

 

This seems to be working based on some small testing I did, but I got confused from the warning message and the Microsoft docs describing the use of nested groups.

Categories:
Governance & administering
I have the same question (2)
  • AlbertoCastro Profile Picture
    AlbertoCastro 1,201 Most Valuable Professional on at

    Hi,

    this is a correct practice of use security groups of environments and child groups to share apps or assign security roles but there is a limitation:

    only it works with one level of child groups.

    If you have an user in group A that is child of other group B that is child of the security group of the environment, the user is not able on the environment.

    Maybe is this your case?

  • NnjTrtl Profile Picture
    NnjTrtl 10 on at

    Thank you @AlbertoCastro,

     

    I think actually it's working with more levels. I can check how many levels we have in the coming week.

     

    Is there any documentation which tells about how many levels of nested groups are supported?

     

    To me it seems like it's working fine, I'm just confused by the warning message I got when I selected the environment security group. The warning message said I won't have access to the environment because I am not member of the group. But I am member of a child or grandchild group. And I still have access to the environment after applying the environment security group, even if the warning said I won't have access if I select this environment security group.

  • NnjTrtl Profile Picture
    NnjTrtl 10 on at

    I tested with an environment security group containing 5 levels of nested groups, and it seems to be working, but I get the warning message telling me I won't have access to the environment. But I do get access so it seems to be working fine. I am in the bottom group (great-great-grandchild group).

    It seems to me the warning message is a "false positive" error.

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

News and Announcements

Welcome to the Power Platform Communities
Season of Giving Solutions is Here!
Explore Copilot Studio Forums, Blogs & Galleries!

Quick Links

Forum hierarchy changes are complete!

In our never-ending quest to improve we are simplifying the forum hierarchy…

Ajay Kumar Gannamaneni – Community Spotlight

We are honored to recognize Ajay Kumar Gannamaneni as our Community Spotlight for December…

Congratulations to the November Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > Power Apps

#1
WarrenBelz Profile Picture

WarrenBelz 796 Most Valuable Professional

#2
Michael E. Gernaey Profile Picture

Michael E. Gernaey 327 Super User 2025 Season 2

#3
Power Platform 1919 Profile Picture

Power Platform 1919 268

Last 30 days Overall leaderboard

Featured topics

Auto-Populate field Power Pages
Gallery Tabs - Show or Hide Tabs based on Field Value
How to patch multiple records at once
Enable Copilot for end users in model-driven apps
Question for everyone : How are you using Create Text GPT in AI Builder?
Community content - sample components, blogs etc. - Link to this page (http://aka.ms/PCFdemos)
Welcome to the Power Apps forum!

Product updates

Microsoft Power Platform Community release plans