Merge pull request #41970 from rolyon/rolyon-rbac-limits

[Azure RBAC] Limits

Author: GitHubber17

articles/azure-subscription-service-limits.md

@@ -79,6 +79,7 @@ In the limits below, a new table has been added to reflect any differences in li
 * [Network Watcher](#network-watcher-limits)
 * [Notification Hub Service](#notification-hub-service-limits)
 * [Resource Group](#resource-group-limits)
+* [Role-based access control](#role-based-access-control-limits)
 * [Scheduler](#scheduler-limits)
 * [Search](#search-limits)
 * [Service Bus](#service-bus-limits)
@@ -312,6 +313,9 @@ To learn more about limits on a more granular level, such as document size, quer
 ### Automation limits
 [!INCLUDE [automation-limits](../includes/azure-automation-service-limits.md)]
 
+### Role-based access control limits
+[!INCLUDE [role-based-access-control-limits](../includes/role-based-access-control-limits.md)]
+
 ### SQL Database limits
 For SQL Database limits, see [SQL Database Resource Limits](sql-database/sql-database-resource-limits.md).
 

articles/role-based-access-control/built-in-roles.md

@@ -19,7 +19,7 @@ ms.reviewer: rqureshi
 ms.custom: it-pro
 ---
 # Built-in roles for Azure role-based access control
-[Role-based access control (RBAC)](overview.md) has several built-in role definitions that you can assign to users, groups, and service principals. Role assignments are the way you control access to resources in Azure. You can’t modify the built-in roles, but you can create your own [custom roles](custom-roles.md) to fit the specific needs of your organization.
+[Role-based access control (RBAC)](overview.md) has several built-in role definitions that you can assign to users, groups, and service principals. Role assignments are the way you control access to resources in Azure. If the built-in roles don't meet the specific needs of your organization, you can create your own [custom roles](custom-roles.md).
 
 The built-in roles are always evolving. To get the latest role definitions, use [Get-AzureRmRoleDefinition](/powershell/module/azurerm.resources/get-azurermroledefinition) or [az role definition list](/cli/azure/role/definition#az-role-definition-list).
 

articles/role-based-access-control/custom-roles.md

@@ -20,7 +20,9 @@ ms.custom: H1Hack27Feb2017
 
 # Create custom roles in Azure
 
-If the [built-in roles](built-in-roles.md) don't meet your specific access needs, you can create your own custom roles. Just like built-in roles, you can assign custom roles to users, groups, and service principals at subscription, resource group, and resource scopes. Custom roles are stored in an Azure Active Directory (Azure AD) tenant and can be shared across subscriptions. Custom roles can be created using Azure PowerShell, Azure CLI, or the REST API. This article describes an example of how to get started creating custom roles using PowerShell and Azure CLI.
+If the [built-in roles](built-in-roles.md) don't meet your specific access needs, you can create your own custom roles. Just like built-in roles, you can assign custom roles to users, groups, and service principals at subscription, resource group, and resource scopes. Custom roles are stored in an Azure Active Directory (Azure AD) tenant and can be shared across subscriptions. Each tenant can have up to 2000 custom roles. Custom roles can be created using Azure PowerShell, Azure CLI, or the REST API.
+
+This article describes an example of how to get started creating custom roles using PowerShell and Azure CLI.
 
 ## Create a custom role to open support requests using PowerShell
 

articles/role-based-access-control/overview.md

@@ -61,7 +61,7 @@ Azure includes several [built-in roles](built-in-roles.md) that you can use. The
 - [Reader](built-in-roles.md#reader) - Can view existing Azure resources.
 - [User Access Administrator](built-in-roles.md#user-access-administrator) - Lets you manage user access to Azure resources.
 
-The rest of the built-in roles allow management of specific Azure resources. For example, the [Virtual Machine Contributor](built-in-roles.md#virtual-machine-contributor) role allows a user to create and manage virtual machines. The built-in roles cannot be modified. If the built-in roles don't meet your specific access needs, you can create your own [custom roles](custom-roles.md).
+The rest of the built-in roles allow management of specific Azure resources. For example, the [Virtual Machine Contributor](built-in-roles.md#virtual-machine-contributor) role allows a user to create and manage virtual machines. If the built-in roles don't meet the specific needs of your organization, you can create your own [custom roles](custom-roles.md).
 
 Azure has introduced data operations (currently in preview) that enable you to grant access to data within an object. For example, if a user has read data access to a storage account, then they can read the blobs or messages within that storage account. For more information, see [Understand role definitions](role-definitions.md).
 

includes/role-based-access-control-limits.md

@@ -0,0 +1,16 @@
+---
+ title: include file
+ description: include file
+ services: active-directory
+ author: rolyon
+ ms.service: role-based-access-control
+ ms.topic: include
+ ms.date: 05/22/2018
+ ms.author: rolyon
+ ms.custom: include file
+---
+
+| Resource | Limit |
+| --- | --- |
+| Role assignments per Azure subscription | 2000 |
+| Custom roles per tenant | 2000 |