Let us manage or remove the limit on AD group creation for a non-admin user or service principal (250)
We define from our side which user accounts and service principals can create Azure AD groups. The configuration that allows us to manage this:
- “EnableGroupCreation” set to “False” so that by default non-admin accounts cannot create groups
- and a specific access group added to “GroupCreationAllowedGroupID” to allow specific user accounts and service principals to create groups
According to https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/directory-service-limits-restrictions - a non-admin user can create a maximum of 250 groups in an Azure AD organization.
This limit blocks us from moving forward with business-critical tasks.
Purpose of removing the limit on AD groups created by non-admin user accounts/service principals:
- we need to allow specific user accounts or service principals to create an unlimited number of Azure AD groups and to manage only the groups that those accounts create, for automation purposes. At the same time, we cannot grant those accounts or service principals either "admin access" or "Group.ReadWrite.All", as in both cases it would be a huge security risk: it would allow the account or service principal (with either of the listed permissions assigned) to manage either all groups or all objects within our AD.
Please allow us to manage the limit on the number of groups that a non-admin account can create, and if this is not possible, please allow us to remove the limit for our tenant.
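The configuration the post describes (EnableGroupCreation set to false, with one designated access group listed in GroupCreationAllowedGroupId), written out as an added example using the Microsoft Graph PowerShell SDK. This is not code from the original post or from Microsoft; the group name "GroupCreators" and the function name Set-GroupCreationRestriction are assumptions for illustration. It merges the two values into the existing Group.Unified setting (or the template defaults if the setting has not been created yet) so that unrelated values in the same settings object are preserved, then reads the setting back to verify it applied.

```powershell
# Added example (not from the original post): restrict Microsoft 365 group creation
# to members of one designated group via the Group.Unified directory setting.
# Requires the Microsoft.Graph PowerShell SDK. "GroupCreators" is an assumed group name.

function Set-GroupCreationRestriction {
    param(
        [Parameter(Mandatory)] [string] $AllowedGroupDisplayName
    )

    # Resolve the access group whose members are allowed to create groups.
    $allowedGroup = Get-MgGroup -Filter "displayName eq '$AllowedGroupDisplayName'"
    if (-not $allowedGroup -or @($allowedGroup).Count -ne 1) {
        throw "Expected exactly one group named '$AllowedGroupDisplayName'; create it first."
    }

    $template = Get-MgGroupSettingTemplate | Where-Object { $_.DisplayName -eq "Group.Unified" }
    $setting  = Get-MgGroupSetting         | Where-Object { $_.DisplayName -eq "Group.Unified" }

    # Start from the current values, or from the template defaults if the tenant
    # has never created the Group.Unified setting, so nothing else is dropped.
    $current = @{}
    if ($setting) {
        foreach ($v in $setting.Values)  { $current[$v.Name] = $v.Value }
    } else {
        foreach ($v in $template.Values) { $current[$v.Name] = $v.DefaultValue }
    }

    $current["EnableGroupCreation"]         = "false"          # non-admins cannot create groups by default
    $current["GroupCreationAllowedGroupId"] = $allowedGroup.Id # except members of the designated group

    $values = @($current.GetEnumerator() | ForEach-Object { @{ name = $_.Key; value = $_.Value } })

    if ($setting) {
        Update-MgGroupSetting -GroupSettingId $setting.Id -BodyParameter @{ values = $values }
    } else {
        New-MgGroupSetting -BodyParameter @{ templateId = $template.Id; values = $values } | Out-Null
    }

    # Read back and verify that both values took effect.
    $check   = Get-MgGroupSetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
    $enable  = ($check.Values | Where-Object { $_.Name -eq "EnableGroupCreation" }).Value
    $allowed = ($check.Values | Where-Object { $_.Name -eq "GroupCreationAllowedGroupId" }).Value
    if ($enable -ne "false" -or $allowed -ne $allowedGroup.Id) {
        throw "Group.Unified setting did not apply as expected (EnableGroupCreation=$enable, GroupCreationAllowedGroupId=$allowed)."
    }

    [pscustomobject]@{
        EnableGroupCreation         = $enable
        GroupCreationAllowedGroupId = $allowed
        AllowedGroupDisplayName     = $allowedGroup.DisplayName
    }
}

# Directory.ReadWrite.All covers reading and writing group settings; Group.Read.All covers the group lookup.
Connect-MgGraph -Scopes "Directory.ReadWrite.All", "Group.Read.All"
Set-GroupCreationRestriction -AllowedGroupDisplayName "GroupCreators"
```

Two caveats worth keeping in mind when applying this: the Group.Unified template governs Microsoft 365 group creation only, while the ability of users to create security groups is a separate tenant-level user setting (the authorization policy), and neither setting changes the per-user cap of 250 created groups that the post is asking about.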
Thank you for reaching out to the feedback suggestion forum. This feature is in progress.