Added warnings about Group Membership

Author: yelevin

articles/sentinel/sentinel-service-limits.md

@@ -1,8 +1,8 @@
 ---
 title: Microsoft Sentinel service limits
-description: This article provides a list of service limits for Microsoft Sentinel.
+description: This article provides a list of service limits for Microsoft Sentinel, divided into the different service areas.
 author: yelevin
-ms.topic: conceptual
+ms.topic: reference
 ms.date: 03/19/2025
 ms.author: yelevin
 ms.service: microsoft-sentinel
@@ -20,8 +20,8 @@ This article lists the most common service limits you might encounter as you use
 
 The following limit applies to analytics rules in Microsoft Sentinel.
 
-| Description | Limit  | Dependency |
-| --------- | --------- | --------- |
+| Description | Limit | Dependency |
+| ----------- | ----- | ---------- |
 | Number of [scheduled rules](scheduled-rules-overview.md) | 512 *enabled* rules | Counted separately from NRT rules |
 | Number of [near-real-time (NRT) rules](near-real-time-rules.md) | 50 *enabled* rules | Counted separately from scheduled rules |
 | [Entity mappings](map-data-fields-to-entities.md) | 10 mappings per rule | None |
@@ -37,15 +37,15 @@ The following limit applies to analytics rules in Microsoft Sentinel.
 The following limits apply to Hunts in Microsoft Sentinel.
 
 | Description | Limit | Dependency |
-| --------- | --------- | ------- |
+| ----------- | ----- | ---------- |
 |Number of Hunts | 100 | None |
 
 ## Incident limits
 
 The following limits apply to incidents in Microsoft Sentinel.
 
 | Description | Limit | Dependency |
-| --------- | --------- | ------- |
+| ----------- | ----- | ---------- |
 | Investigation experience availability | 90 days from the incident last update time | None |
 | Retention period for incident entities | 180 days | Entities database retention |
 | Number of alerts | 150 alerts  | None |
@@ -69,18 +69,17 @@ However, a SOC that experiences the creation of more than *around* 3,000 new inc
 
 The following limits apply to machine learning-based features in Microsoft Sentinel like customizable anomalies and Fusion.
 
-| Description                                                         | Limit                                           |Dependency|
-|---------------------------------------------------------------|-------------------------------------------------|-------|
-| Number of anomalies published per anomaly type                | Top 3000 ranked by anomaly score                |None|
-| Number of alerts and/or anomalies in a single Fusion incident | 100 alerts and/or anomalies |None|
-
+| Description                                                   | Limit                            | Dependency |
+| ------------------------------------------------------------- | -------------------------------- | ---------- |
+| Number of anomalies published per anomaly type                | Top 3000 ranked by anomaly score | None       |
+| Number of alerts and/or anomalies in a single Fusion incident | 100 alerts and/or anomalies      | None       |
 
 ## Multi workspace limits
 
 The following limit applies to multiple workspaces in Microsoft Sentinel. Limits here are applied when working with Sentinel features across more than workspace at a time.
 
-|Description                   | Limit        |Dependency|
--------------------------|--------------------|--------------------|
+| Description | Limit | Dependency |
+| ----------- | ----- | ---------- |
 | Incident view | 100 concurrently displayed workspaces | |
 | Log query | 100 Sentinel workspaces | [Log Analytics](/azure/azure-monitor/logs/cross-workspace-query#limitations) |
 | Analytics rules | 20 Sentinel workspaces per query | |
@@ -89,66 +88,67 @@ The following limit applies to multiple workspaces in Microsoft Sentinel. Limits
 
 The following limits apply to notebooks in Microsoft Sentinel. The limits are related to the dependencies on other services used by notebooks.
 
-|Description|Limit |Dependency|
-|-------|-------|-------|
-| Total count of these assets per machine learning workspace: datasets, runs, models, and artifacts |10 million assets |Azure Machine Learning|
-| Default limit for total compute clusters per region. Limit is shared between a training cluster and a compute instance. A compute instance is considered a single-node cluster for quota purposes. | 200 compute clusters per region|Azure Machine Learning|
-|Storage accounts per region per subscription|250 storage accounts|Azure Storage|
-|Maximum size of a file share by default|5 TB|Azure Storage|
-|Maximum size of a file share with large file share feature enabled|100 TB|Azure Storage|
-|Maximum throughput (ingress + egress) for a single file share by default|60 MB/sec|Azure Storage|
-|Maximum throughput (ingress + egress) for a single file share  with large file share feature enabled|300 MB/sec|Azure Storage|
+| Description | Limit | Dependency |
+| ----------- | ----- | ---------- |
+| Total count of these assets per machine learning workspace: datasets, runs, models, and artifacts |10 million assets | Azure Machine Learning |
+| Default limit for total compute clusters per region. Limit is shared between a training cluster and a compute instance. A compute instance is considered a single-node cluster for quota purposes. | 200 compute clusters per region | Azure Machine Learning |
+| Storage accounts per region per subscription | 250 storage accounts | Azure Storage |
+| Maximum size of a file share by default | 5 TB | Azure Storage |
+| Maximum size of a file share with large file share feature enabled | 100 TB | Azure Storage |
+| Maximum throughput (ingress + egress) for a single file share by default | 60 MB/sec | Azure Storage |
+| Maximum throughput (ingress + egress) for a single file share  with large file share feature enabled | 300 MB/sec | Azure Storage |
 
 ## Repositories limits
 
 The following limits apply to repositories in Microsoft Sentinel.
 
-|Description |Limit  |Dependency|
-|---------|---------|---------|
-|Number of repositories | 5 | Sentinel Workspace|
-|Deployment history | 800 | Azure Resource Group |
+| Description | Limit | Dependency |
+| ----------- | ----- | ---------- |
+| Number of repositories | 5 | Sentinel Workspace |
+| Deployment history | 800 | Azure Resource Group |
 
 ## Threat intelligence limits
 
 The following limit applies to threat intelligence in Microsoft Sentinel. The limit is related to the dependency on an API used by threat intelligence.
 
-|Description                   | Limit        |Dependency|
--------------------------|--------------------|--------------------|
-| Indicators per call that use Graph security API | 100 indicators |Microsoft Graph security API|
-| CSV TI object file import size | 50MB | none|
-| JSON TI object file import size | 250MB | none|
+| Description | Limit | Dependency |
+| ----------- | ----- | ---------- |
+| Indicators per call that use Graph security API | 100 indicators | Microsoft Graph security API |
+| CSV TI object file import size | 50MB | none |
+| JSON TI object file import size | 250MB | none |
 
 ## TI upload API limits
 
 The following limit applies to the threat intelligence upload API in Microsoft Sentinel.
 
-|Description                   | Limit        |Dependency|
--------------------------|--------------------|--------------------|
+| Description | Limit | Dependency |
+| ----------- | ----- | ---------- |
 | STIX objects per request | 100 objects | |
 | Requests per minute | 100 | |
 
 ## User and Entity Behavior Analytics (UEBA) limits
 
 The following limit applies to UEBA in Microsoft Sentinel. The limit for UEBA in Microsoft Sentinel is related to dependencies on another service.
 
-|Description   |Limit |Dependency|
-|---------|---------|---------|
-|Lowest retention configuration in days for the [IdentityInfo](/azure/azure-monitor/reference/tables/identityinfo) table. All data stored on the IdentityInfo table in Log Analytics is refreshed every 14 days. | 14 days  |Log Analytics|
+| Description | Limit | Dependency |
+| ----------- | ----- | ---------- |
+| Lowest retention configuration in days for the [IdentityInfo](/azure/azure-monitor/reference/tables/identityinfo) table. All data stored on the IdentityInfo table in Log Analytics is refreshed every 14 days. | 14 days  | Log Analytics |
+| Groups listed in the *GroupMembership* field in the [IdentityInfo](ueba-reference.md#identityinfo-table) table | 500 | |
 
 ## Watchlist limits
 
 The following limits apply to watchlists in Microsoft Sentinel. The limits are related to the dependencies on other services used by watchlists.
 
-|Description                   | Limit        |Dependency|
-|--|-------------------------|--------------------|
-|Upload size limit for local file</br>files over this limit are considered `large`| 3.8 MB per file |Azure Resource Manager
-|Line entry in the CSV file |10,240 characters per line|Azure Resource Manager|
-|Total size of a single row | 10 Kb | Log Analytics|
-|Upload size for large watchlist files in Azure Storage |500 MB per file|Azure Storage|
-|Total number of active watchlist items per workspace</br>When the max count is reached, delete some existing items to add a new watchlist.|10 million active watchlist items|Log Analytics|
-|Total rate of change of all watchlist items per workspace</br>(create, update, and delete operations) | 100,000 changes per month</br>(1% of max active watchlist items)|Log Analytics|
-|Number of `large` watchlist uploads per workspace at a time</br>See upload size limit for what makes a watchlist `large` |One `large` watchlist | Azure Cosmos DB|
-|Number of large watchlist deletions per workspace at a time</br>See upload size limit for what makes a watchlist `large` | One `large` watchlist |  Azure Cosmos DB|
+| Description | Limit | Dependency |
+| ----------- | ----- | ---------- |
+| Upload size limit for local file</br>files over this limit are considered `large`| 3.8 MB per file | Azure Resource Manager |
+| Line entry in the CSV file | 10,240 characters per line | Azure Resource Manager |
+| Total size of a single row | 10 Kb | Log Analytics |
+| Upload size for large watchlist files in Azure Storage | 500 MB per file | Azure Storage |
+| Total number of active watchlist items per workspace</br>When the max count is reached, delete some existing items to add a new watchlist. | 10 million active watchlist items | Log Analytics |
+| Total rate of change of all watchlist items per workspace</br>(create, update, and delete operations) | 100,000 changes per month</br>(1% of max active watchlist items) | Log Analytics |
+| Number of `large` watchlist uploads per workspace at a time</br>See upload size limit for what makes a watchlist `large` | One `large` watchlist | Azure Cosmos DB |
+| Number of large watchlist deletions per workspace at a time</br>See upload size limit for what makes a watchlist `large` | One `large` watchlist | Azure Cosmos DB |
 
 ## Workbook limits
 

articles/sentinel/ueba-reference.md

@@ -215,14 +215,18 @@ While the initial synchronization may take a few days, once the data is fully sy
 
 - Changes made to your user profiles, groups, and roles in Microsoft Entra ID are updated in the **IdentityInfo** table within 15-30 minutes.
 
-- Every 14 days, Microsoft Sentinel re-synchronizes with your entire Microsoft Entra ID to ensure that stale records are fully updated.
+- Every 14 days, Microsoft Sentinel re-synchronizes with your entire Microsoft Entra ID to ensure that stale records are fully updated. See note in the next section about changes to groups.
 
 - Default retention time in the **IdentityInfo** table is 30 days.
 
 #### Limitations
 
 - Currently, only built-in roles are supported.
 
+- Support for groups (as listed in the *GroupMembership* field) is limited to 500 groups. These groups are transitive, not direct.
+
+- Changes made to groups in your [Active Directory or (?)] Microsoft Entra ID result in updates to the *IdentityInfo* table for any users who are members of the changed groups. **These updates carry a synchronization charge.**
+
 - Data about deleted groups, where a user was removed from a group, is not currently supported.
 
 #### Versions of the IdentityInfo table