Skip to content

Commit b11c3a1

Browse files
isabelleatmsftisabelleatmsft
authored
Clearer language about nested groups expansion
1 parent ae245e4 commit b11c3a1

File tree

1 file changed

+1
-1
lines changed

1 file changed

+1
-1
lines changed

articles/active-directory/privileged-identity-management/pim-create-azure-ad-roles-and-resource-roles-review.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -135,7 +135,7 @@ To manage a series of access reviews, navigate to the access review, and you wil
135135
Based on your selections in **Upon completion settings**, auto-apply will be executed after the review's end date or when you manually stop the review. The status of the review will change from **Completed** through intermediate states such as **Applying** and finally to state **Applied**. You should expect to see denied users, if any, being removed from roles in a few minutes.
136136

137137
> [!IMPORTANT]
138-
> If a group is assigned to **Azure resource roles**, the reviewer of the Azure resource role will see the expanded list of the indirect users with access assigned through a nested group. Should a reviewer deny a member of a nested group, that deny result will not be applied successfully for the role because the user will not be removed from the nested group. For **Azure AD roles**, [role-assignable groups](../roles/groups-concept.md) will show up in the review instead of expanding the members of the group, and a reviewer will either approve or deny access to the entire group.
138+
> If a group is assigned to **Azure resource roles**, the reviewer of the Azure resource role will see the expanded list of the indirect users with access assigned through a nested group. The expansion of users only applies to one layer of nesting (if the group has multiple layers of nesting, we only expand the top layer group assigned directly to the role). Should a reviewer deny a member of a nested group, that deny result will not be applied successfully for the role because the user will not be removed from the nested group. For **Azure AD roles**, [role-assignable groups](../roles/groups-concept.md) will show up in the review instead of expanding the members of the group, and a reviewer will either approve or deny access to the entire group.
139139
140140
## Update the access review
141141

0 commit comments

Comments
 (0)