Commit 9b45f80

Merge pull request #92832 from rolyon/rolyon-rbac-assignments-limit
[Azure RBAC] Assignments limit
2 parents f761eea + c466157 commit 9b45f80

3 files changed

+37
-3
lines changed

articles/role-based-access-control/custom-roles.md

Lines changed: 1 addition & 1 deletion
@@ -22,7 +22,7 @@ ms.custom: H1Hack27Feb2017
2222

2323
If the [built-in roles for Azure resources](built-in-roles.md) don't meet the specific needs of your organization, you can create your own custom roles. Just like built-in roles, you can assign custom roles to users, groups, and service principals at subscription, resource group, and resource scopes.
2424

25-
Custom roles are stored in an Azure Active Directory (Azure AD) directory and can be shared across subscriptions. Each directory can have up to **5000** custom roles. (For specialized clouds, such as Azure Government, Azure Germany, and Azure China 21Vianet, the limit is 2000 custom roles.) Custom roles can be created using Azure PowerShell, Azure CLI, or the REST API.
25+
Custom roles can be shared between subscriptions that trust the same Azure AD directory. There is a limit of **5,000** custom roles per directory. (For specialized clouds, such as Azure Government, Azure Germany, and Azure China 21Vianet, the limit is 2,000 custom roles.) Custom roles can be created using Azure PowerShell, Azure CLI, or the REST API.
2626

2727
## Custom role example
2828
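
Review bot: The thousands separator introduced on changed line 25 ("**5,000**", "2,000") is not applied in troubleshooting.md in this same commit, where line 27 still reads "**2000** role assignments per subscription". Pick one number format for limits and use it in both files. The rewrite also drops the statement that custom roles are stored in the Azure AD directory; if that is not intentional, keep it, since it is what explains why the limit is counted per directory.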

articles/role-based-access-control/role-assignments-powershell.md

Lines changed: 35 additions & 1 deletion
@@ -12,7 +12,7 @@ ms.devlang: na
1212
ms.topic: conceptual
1313
ms.tgt_pltfrm: na
1414
ms.workload: identity
15-
ms.date: 09/11/2019
15+
ms.date: 10/22/2019
1616
ms.author: rolyon
1717
ms.reviewer: bagovind
1818
---
@@ -152,6 +152,40 @@ Microsoft.Network/loadBalancers/backendAddressPools/join/action
152152

153153
In RBAC, to list access, you list the role assignments.
154154

155+
### List all role assignments in a subscription
156+
157+
The easiest way to get a list of all the role assignments in the current subscription (including inherited role assignments from root and management groups) is to use [Get-AzRoleAssignment](/powershell/module/az.resources/get-azroleassignment) without any parameters.
158+
159+
```azurepowershell
160+
Get-AzRoleAssignment
161+
```
162+
163+
```Example
164+
PS C:\> Get-AzRoleAssignment
165+
166+
RoleAssignmentId : /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111
167+
Scope : /subscriptions/00000000-0000-0000-0000-000000000000
168+
DisplayName : Alain
169+
SignInName : [email protected]
170+
RoleDefinitionName : Storage Blob Data Reader
171+
RoleDefinitionId : 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1
172+
ObjectId : 44444444-4444-4444-4444-444444444444
173+
ObjectType : User
174+
CanDelegate : False
175+
176+
RoleAssignmentId : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales/providers/Microsoft.Authorization/roleAssignments/33333333-3333-3333-3333-333333333333
177+
Scope : /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/pharma-sales
178+
DisplayName : Marketing
179+
SignInName :
180+
RoleDefinitionName : Contributor
181+
RoleDefinitionId : b24988ac-6180-42a0-ab88-20f7382dd24c
182+
ObjectId : 22222222-2222-2222-2222-222222222222
183+
ObjectType : Group
184+
CanDelegate : False
185+
186+
...
187+
```
188+
155189
### List role assignments for a user
156190

157191
To list all the roles that are assigned to a specified user, use [Get-AzRoleAssignment](/powershell/module/az.resources/get-azroleassignment).
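
Review bot: The intro on added line 157 says the output includes inherited role assignments from root and management groups, but both sample entries (added lines 166 to 184) have a Scope at the subscription or at the pharma-sales resource group, so the reader never sees what an inherited entry looks like. Add one sample entry whose Scope is a management group or root, or say how to tell inherited entries apart by the Scope value. "Current subscription" is also left undefined on line 157; a short pointer to how the current subscription is selected would help readers who work across several subscriptions.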

articles/role-based-access-control/troubleshooting.md

Lines changed: 1 addition & 1 deletion
@@ -24,7 +24,7 @@ This article answers common questions about role-based access control (RBAC) for
2424
## Problems with RBAC role assignments
2525

2626
- If you are unable to add a role assignment in the Azure portal on **Access control (IAM)** because the **Add** > **Add role assignment** option is disabled or because you get the permissions error "The client with object id does not have authorization to perform action", check that you are currently signed in with a user that is assigned a role that has the `Microsoft.Authorization/roleAssignments/write` permission such as [Owner](built-in-roles.md#owner) or [User Access Administrator](built-in-roles.md#user-access-administrator) at the scope you are trying to assign the role.
27-
- If you get the error message "No more role assignments can be created (code: RoleAssignmentLimitExceeded)" when you try to assign a role, try to reduce the number of role assignments by assigning roles to groups instead. Azure supports up to **2000** role assignments per subscription.
27+
- If you get the error message "No more role assignments can be created (code: RoleAssignmentLimitExceeded)" when you try to assign a role, try to reduce the number of role assignments by assigning roles to groups instead. Azure supports up to **2000** role assignments per subscription. This role assignments limit is fixed and cannot be increased.
2828

2929
## Problems with custom roles
3030
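
Review bot: The sentence added on line 27 states that the limit is fixed but not which assignments count toward the 2000, while the section added to role-assignments-powershell.md in this commit lists assignments inherited from root and management groups as well. State whether inherited assignments count toward the per-subscription limit, and link to the new "List all role assignments in a subscription" section so a reader who hits RoleAssignmentLimitExceeded can see what is currently assigned before moving users into groups. "Fixed and cannot be increased" says the same thing twice; "cannot be increased" is enough.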
