Merge pull request #180403 from dereklegenzoff/rbac-updates

Updating preview limitations for RBAC

Author: PRMerger5

articles/search/search-howto-aad.md

@@ -13,7 +13,7 @@ ms.date: 10/04/2021
 # Authorize search requests using Azure AD (preview)
 
 > [!IMPORTANT]
-> Role-based access control for data plane operations, such as creating an index or querying an index, is currently in public preview and available under [supplemental terms of use](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). This functionality is only available in public cloud regions and may impact the latency of your operations while the functionality is in preview.
+> Role-based access control for data plane operations, such as creating an index or querying an index, is currently in public preview and available under [supplemental terms of use](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). This functionality is only available in public cloud regions and may impact the latency of your operations while the functionality is in preview. For more information on preview limitations, see [RBAC preview limitations](./search-security-rbac.md?tabs=config-svc-rest%2croles-powershell%2ctest-rest#preview-limitations).
 
 With Azure Active Directory (Azure AD), you can use role-based access control (RBAC) to grant access to your Azure Cognitive Search services. A key advantage of using Azure AD is that your credentials no longer need to be stored in your code. Azure AD authenticates the security principal (a user, group, or service principal) running the application. If authentication succeeds, Azure AD returns the access token to the application, and the application can then use the access token to authorize requests to Azure Cognitive Search. To learn more about the advantages of using Azure AD in your applications, see [Integrating with Azure Active Directory](../active-directory/develop/active-directory-how-to-integrate.md#benefits-of-integration).
 

articles/search/search-security-rbac.md

@@ -9,6 +9,7 @@ ms.author: heidist
 ms.service: cognitive-search
 ms.topic: conceptual
 ms.date: 10/04/2021
+ms.custom: references_regions 
 ---
 
 # Use role-based authorization in Azure Cognitive Search
@@ -71,6 +72,17 @@ You can also sign up for the preview using Azure Feature Exposure Control (AFEC)
 > [!NOTE]
 > Once you add the preview to your subscription, all services in the subscription will be permanently enrolled in the preview. If you don't want RBAC on a given service, you can disable RBAC for data plane operations as shown in the next step.
 
+### Preview limitations
+
+Role-based access control for data plane operations, such as creating an index or querying an index, is currently in public preview and available under [supplemental terms of use](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+
+There are also a few other limitations to be aware of:
+
+*  Using RBAC may increase the latency of some requests. Each unique combination of service resource (index, indexer, etc.) and service principal that's used in a request will require an authorization check to be done. These authorization checks can add up to 200 milliseconds of latency to a request. 
+*  In extreme cases where there are requests coming from a high number of different service principals and targeting different service resources (indexes, indexers, etc.), it's possible that there could be throttling caused by the authorization checks required. Throttling would only happen if hundreds of unique combinations of search service resource and service principal were used within a second.
+* The RBAC preview is currently only available in public cloud regions and isn't available in Azure Government, Azure Germany, or Azure China 21Vianet.
+* If a subscription is migrated to a new tenant, the RBAC preview will need to be re-enabled. 
+
 ## Step 2: Preview configuration
 
 **Applies to:** Search Index Data Contributor, Search Index Data Reader, Search Service Contributor