Hi @zeross, I appreciate that this is not answering your question but, if it were me, I would challenge the use case, i.e. go back to the Entra admins and say that in hybrid identity mode it would be best practice to use on-prem synced groups if they want to use SailPoint as the request tool. You could nest where applicable, but I appreciate that doesn’t work for all Entra use cases.