Commit 1c884f0

Merge pull request #179612 from rolyon/rolyon-rbac-role-assignments-limit-update
[Azure RBAC] Role assignments limit update
2 parents ce7d05f + 49da039 commit 1c884f0

6 files changed

+13
-9
lines changed

articles/role-based-access-control/best-practices.md

Lines changed: 1 addition & 1 deletion
@@ -41,7 +41,7 @@ For more information, see [What is Azure AD Privileged Identity Management?](../
4141

4242
## Assign roles to groups, not users
4343

44-
To make role assignments more manageable, avoid assigning roles directly to users. Instead, assign roles to groups. Assigning roles to groups instead of users also helps minimize the number of role assignments, which has a [limit of 2,000 role assignments per subscription](troubleshooting.md#azure-role-assignments-limit).
44+
To make role assignments more manageable, avoid assigning roles directly to users. Instead, assign roles to groups. Assigning roles to groups instead of users also helps minimize the number of role assignments, which has a [limit of role assignments per subscription](troubleshooting.md#azure-role-assignments-limit).
4545

4646
## Next steps
4747
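Review bot: In the `+` line at 44 of best-practices.md, dropping the number leaves the link text as "limit of role assignments per subscription", which reads awkwardly. Suggest rewording to "which has a [role assignments limit per subscription](troubleshooting.md#azure-role-assignments-limit)". This file shows 1 addition and 1 deletion, so unlike the four files in this change that bump `ms.date` to 11/12/2021, its `ms.date` is untouched; worth updating for consistency.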

articles/role-based-access-control/conditions-overview.md

Lines changed: 1 addition & 1 deletion
@@ -34,7 +34,7 @@ Azure ABAC builds on Azure RBAC by adding role assignment conditions based on at
3434
There are three primary benefits for using role assignment conditions:
3535

3636
- **Provide more fine-grained access control** - A role assignment uses a role definition with actions and data actions to grant a security principal permissions. You can write conditions to filter down those permissions for more fine-grained access control. You can also add conditions to specific actions. For example, you can grant John read access to blobs in your subscription only if the blobs are tagged as Project=Blue.
37-
- **Help reduce the number of role assignments** - Each Azure subscription currently has a 2000 role assignment limit. There are scenarios that would require thousands of role assignments. All of those role assignments would have to be managed. In these scenarios, you could potentially add conditions to use significantly fewer role assignments.
37+
- **Help reduce the number of role assignments** - Each Azure subscription currently has a role assignment limit. There are scenarios that would require thousands of role assignments. All of those role assignments would have to be managed. In these scenarios, you could potentially add conditions to use significantly fewer role assignments.
3838
- **Use attributes that have specific business meaning** - Conditions allow you to use attributes that have specific business meaning to you in access control. Some examples of attributes are project name, software development stage, and classification levels. The values of these resource attributes are dynamic and change as users move across teams and projects.
3939

4040
## Example scenarios for conditions
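Review bot: The `+` line at 37 of conditions-overview.md removes the figure but gives the reader nowhere to find the current value: "Each Azure subscription currently has a role assignment limit." The other articles touched in this change link to `troubleshooting.md#azure-role-assignments-limit`; link the phrase "role assignment limit" to the same anchor here.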

articles/role-based-access-control/role-assignments-list-portal.md

Lines changed: 3 additions & 1 deletion
@@ -7,7 +7,7 @@ manager: mtillman
77
ms.service: role-based-access-control
88
ms.topic: how-to
99
ms.workload: identity
10-
ms.date: 12/09/2020
10+
ms.date: 11/12/2021
1111
ms.author: rolyon
1212
---
1313

@@ -132,6 +132,8 @@ You can list role assignments for system-assigned and user-assigned managed iden
132132

133133
You can have up to **2000** role assignments in each subscription. This limit includes role assignments at the subscription, resource group, and resource scopes. To help you keep track of this limit, the **Role assignments** tab includes a chart that lists the number of role assignments for the current subscription.
134134

135+
The role assignments limit for a subscription is currently being increased. For more information, see [Troubleshoot Azure RBAC](troubleshooting.md#azure-role-assignments-limit).
136+
135137
![Access control - Number of role assignments chart](./media/role-assignments-list-portal/access-control-role-assignments-chart.png)
136138

137139
If you are getting close to the maximum number and you try to add more role assignments, you'll see a warning in the **Add role assignment** pane. For ways that you can reduce the number of role assignments, see [Troubleshoot Azure RBAC](troubleshooting.md#azure-role-assignments-limit).
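Review bot: The sentence added at line 135 is inserted between the paragraph that introduces the chart and the chart image at line 137, and it sits directly under the unchanged line 133 that still states "You can have up to **2000** role assignments in each subscription." Move the new sentence so it follows the 2000 statement inside that paragraph, or place it after the image, so the chart description stays next to the chart. Consider qualifying the 2000 figure as well, since the linked note describes an increase to 4000.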

articles/role-based-access-control/role-assignments-steps.md

Lines changed: 4 additions & 2 deletions
@@ -7,7 +7,7 @@ manager: mtillman
77
ms.service: role-based-access-control
88
ms.topic: how-to
99
ms.workload: identity
10-
ms.date: 04/14/2021
10+
ms.date: 11/12/2021
1111
ms.author: rolyon
1212
---
1313

@@ -78,7 +78,9 @@ If you are using a service principal to assign roles, you might get the error "I
7878

7979
## Step 5. Assign role
8080

81-
Once you know the security principal, role, and scope, you can assign the role. You can assign roles using the Azure portal, Azure PowerShell, Azure CLI, Azure SDKs, or REST APIs. You can have up to **2000** role assignments in each subscription. This limit includes role assignments at the subscription, resource group, and resource scopes. You can have up to **500** role assignments in each management group.
81+
Once you know the security principal, role, and scope, you can assign the role. You can assign roles using the Azure portal, Azure PowerShell, Azure CLI, Azure SDKs, or REST APIs.
82+
83+
You can have up to **2000** role assignments in each subscription. This limit includes role assignments at the subscription, resource group, and resource scopes. You can have up to **500** role assignments in each management group. The role assignments limit for a subscription is currently being increased. For more information, see [Troubleshoot Azure RBAC](troubleshooting.md#azure-role-assignments-limit).
8284

8385
Check out the following articles for detailed steps for how to assign roles.
8486
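Review bot: In the new paragraph at line 83, the sentence "The role assignments limit for a subscription is currently being increased." comes right after the management group limit of **500**, so it is separated from the subscription limit it qualifies. Reorder so it follows "This limit includes role assignments at the subscription, resource group, and resource scopes." and leave the management group sentence last.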

articles/role-based-access-control/troubleshooting.md

Lines changed: 2 additions & 2 deletions
@@ -10,7 +10,7 @@ ms.workload: identity
1010
ms.tgt_pltfrm: na
1111
ms.devlang: na
1212
ms.topic: troubleshooting
13-
ms.date: 10/01/2021
13+
ms.date: 11/12/2021
1414
ms.author: rolyon
1515
ms.custom: seohack1, devx-track-azurecli, devx-track-azurepowershell
1616
---
@@ -23,7 +23,7 @@ This article answers some common questions about Azure role-based access control
2323
Azure supports up to **2000** role assignments per subscription. This limit includes role assignments at the subscription, resource group, and resource scopes, but not at the management group scope. If you get the error message "No more role assignments can be created (code: RoleAssignmentLimitExceeded)" when you try to assign a role, try to reduce the number of role assignments in the subscription.
2424

2525
> [!NOTE]
26-
> The **2000** role assignments limit per subscription is fixed and cannot be increased.
26+
> Starting November 2021, the role assignments limit for a subscription is being increased from **2000** to **4000** over the next several months. Subscriptions that are near the limit will be prioritized first. The limit for the remaining subscriptions will be increased over time.
2727
2828
If you are getting close to this limit, here are some ways that you can reduce the number of role assignments:
2929
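Review bot: The rewritten note at line 26 describes a staged rollout ("Subscriptions that are near the limit will be prioritized first") but does not say how a reader can tell which limit currently applies to their subscription, and the unchanged line 23 still opens with "Azure supports up to **2000** role assignments per subscription." Add a sentence on how to check the effective limit, or say explicitly, if that is the case, that `RoleAssignmentLimitExceeded` can still be returned at 2000 until the subscription has been updated. "over the next several months" will also age quickly; an expected completion date would be clearer.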

includes/role-based-access-control/limits.md

Lines changed: 2 additions & 2 deletions
@@ -5,14 +5,14 @@
55
author: rolyon
66
ms.service: role-based-access-control
77
ms.topic: include
8-
ms.date: 06/08/2021
8+
ms.date: 11/12/2021
99
ms.author: rolyon
1010
ms.custom: include file
1111
---
1212

1313
| Resource | Limit |
1414
| --- | --- |
15-
| [Azure role assignments per Azure subscription](../../articles/role-based-access-control/overview.md) | 2,000 |
15+
| [Azure role assignments per Azure subscription](../../articles/role-based-access-control/overview.md)<br/>The role assignments limit for a subscription is currently being increased. For more information, see [Troubleshoot Azure RBAC](../../articles/role-based-access-control/troubleshooting.md#azure-role-assignments-limit). | 2,000 |
1616
| [Azure role assignments per management group](../../articles/role-based-access-control/overview.md) | 500 |
1717
| [Size of description for Azure role assignments](../../articles/role-based-access-control/conditions-faq.md) | 2 KB |
1818
| [Size of condition for Azure role assignments](../../articles/role-based-access-control/conditions-overview.md) | 8 KB |
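Review bot: In the `+` row at line 15 of limits.md, the notice is placed inside the Resource cell after `<br/>`, so the first column now carries a full sentence and a second link while the Limit cell still reads `2,000` with no hint that it is changing. Keep the Resource cell to the link alone and put the notice next to the value in the Limit cell, or in a note below the table. The figure is also written `2,000` here and `**2000**` in the articles; pick one form.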
