Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

I suggest you ...

← (General Feedback)

RBAC Role Assignments 2000 limit Constraint

Hello Team,

Customer is having high distress in regard to the RBAC Role Assignments 2000 grant limitation. Customer is using Managed Identity and Storage access patterns relying on RBAC grants, it worried customer that it’s a trap and customer will hit that limit in a very short time. These RBAC roles are so useful for the customer but it’s only a matter of time before it hits the limit.

Thank you for your consideration.

192 votes
Vote

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
You have left! (?) (thinking…)
Sherefedin Getahun (MINDTREE LIMITED) shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →
started  ·  AdminAzure AD Team (Product Manager, Microsoft Azure) responded  · 

Apologies for the delay in updating this item. We are aware of the challenges around this limit and are actively working to be able to raise it; however, we don’t have an ETA yet.

We will update this item as we get more clarity on the timeline. Stay tuned and thank you for the understanding.

-Arturo Lucatero
@ArLucaID

15 comments

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • rahulmittal79 commented  ·   ·  Flag as inappropriate

    I read this article! I hope you will continue to have such articles to share with everyone! thank you!

  • Anonymous commented  ·   ·  Flag as inappropriate

    @ArLucaID Any updates to this after October 23?
    We are also running into issues and 2,000 is an extremely low number at a subscription level when Microsoft is driving AAD for RBAC

  • Keith Evans commented  ·   ·  Flag as inappropriate

    This is impacting our abilities. We are having to work around this 2000 limit on a regular basis.

  • CS commented  ·   ·  Flag as inappropriate

    Hi,

    Please do something about this. You are releasing more and more services leveraging RBAC, and imposing customers to change their model and create new subscriptions is a nightmare.

    For example, Azure Files requires SMB roles at RBAC level: each time we create a share, we need to burn two RBAC roles ("Storage File Data SMB Share Contributor" and "Storage File Data SMB Share Elevated Contributor") !! This plus the rest is clearly not sustainable.

  • Anonymous commented  ·   ·  Flag as inappropriate

    any updates about this requirements, as security becoming more highlighted concern, and more feature need to use Role assignment, eg. Keyvault RBAC ACL, this is becoming more and more painful to only have 2000 per subscription

  • AHMED ELHAROUNY commented  ·   ·  Flag as inappropriate

    I would like to add that this role assignments limit also applies on role assignments on sub resources like Azure Service Bus topics, queues and blob containers, app services etc. which to us is the only blocker to use Managed Identity for authentication in Azure in the way we would liked!

  • Tom Harren commented  ·   ·  Flag as inappropriate

    This limit seems artificial and low. If there are even 10 assignments per resource, that means we only get 200 resources per subscription!? I'm not what the reasoning is for this constraint, but will become a problem for us soon.

  • Brian Steiner commented  ·   ·  Flag as inappropriate

    The current hard limit of 2000 IAM role assignments at the subscription level will not be sufficient for a subscription that hosts multiple application teams. Group assignments for various roles both OOTB and custom will exceed this limit over time. This limit should be customizable per subscription usage.

  • Jean-Marc Brissette commented  ·   ·  Flag as inappropriate

    With the limit for RBAC Role assignment at 2000, the number of role per resource groups can be attained relatively quickly with larger deployments. I was thinking of 2 ways to bypass the issue, either allow us to increase the limit to Role Assignments in a subscriptions or allow us to do resource group nesting. That way we could apply the roles to the main resource group to use inheritance instead of using multiple role assignments for all the similar resources.

(General Feedback): Availability

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice