RBAC Role Assignments 2000 limit Constraint
The customer is in high distress regarding the RBAC Role Assignments 2000 grant limitation. The customer is using Managed Identity and Storage access patterns relying on RBAC grants, and is worried that it's a trap and that the limit will be hit in a very short time. These RBAC roles are so useful for the customer, but it's only a matter of time before it hits the limit.
Thank you for your consideration.
Apologies for the delay in updating this item. We are aware of the challenges around this limit and are actively working to be able to raise it; however, we don’t have an ETA yet.
We will update this item as we get more clarity on the timeline. Stay tuned and thank you for the understanding.
Please include this limit extension feature ASAP.
Daniel van der Vliet commented
Any update on the ETA? In many of our subscriptions this is getting problematic. As said earlier, many applications and services are dependent on RBAC roles. In larger environments this is a big problem. Obviously groups are already used.
John Ross commented
Any update on the ETA to allow increase of this limit? Azure applications and services rely heavily on RBAC. Limiting RBAC to 2000 is absurd.
I read this article! I hope you will continue to have such articles to share with everyone! Thank you!
Sri Kotha commented
@ArLucaID Any updates on this after Oct 23, 2020? This is a blocker issue for us.
@ArLucaID Any updates to this after October 23?
We are also running into issues, and 2,000 is an extremely low number at a subscription level when Microsoft is driving AAD for RBAC.
Keith Evans commented
This is impacting our abilities. We are having to work around this 2000 limit on a regular basis.
Please do something about this. You are releasing more and more services leveraging RBAC, and forcing customers to change their model and create new subscriptions is a nightmare.
For example, Azure Files requires SMB roles at RBAC level: each time we create a share, we need to burn two RBAC roles ("Storage File Data SMB Share Contributor" and "Storage File Data SMB Share Elevated Contributor")!! This plus the rest is clearly not sustainable.
Any updates about this requirement? As security is becoming a more highlighted concern, and more features need to use role assignments, e.g. Key Vault RBAC ACL, it is becoming more and more painful to only have 2000 per subscription.
AHMED ELHAROUNY commented
I would like to add that this role assignments limit also applies to role assignments on sub-resources like Azure Service Bus topics, queues and blob containers, app services etc., which to us is the only blocker to using Managed Identity for authentication in Azure in the way we would have liked!
Tom Harren commented
This limit seems artificial and low. If there are even 10 assignments per resource, that means we only get 200 resources per subscription!? I'm not sure what the reasoning is for this constraint, but it will become a problem for us soon.
Brian Steiner commented
The current hard limit of 2000 IAM role assignments at the subscription level will not be sufficient for a subscription that hosts multiple application teams. Group assignments for various roles, both OOTB and custom, will exceed this limit over time. This limit should be customizable per subscription usage.
We are already close to the limits. What can we do about this?
Jean-Marc Brissette commented
With the limit for RBAC role assignments at 2000, the number of roles per resource group can be attained relatively quickly with larger deployments. I was thinking of 2 ways to bypass the issue: either allow us to increase the limit on role assignments in a subscription, or allow us to do resource group nesting. That way we could apply the roles to the main resource group to use inheritance instead of using multiple role assignments for all the similar resources.