Merge pull request #210759 from rolyon/rolyon-rbac-role-assignments-limit-update-v2

[Azure RBAC] Role assignments limit update v2

Author: prmerger-automator[bot]

articles/role-based-access-control/best-practices.md

@@ -41,7 +41,7 @@ For more information, see [What is Azure AD Privileged Identity Management?](../
 
 ## Assign roles to groups, not users
 
-To make role assignments more manageable, avoid assigning roles directly to users. Instead, assign roles to groups. Assigning roles to groups instead of users also helps minimize the number of role assignments, which has a [limit of role assignments per subscription](troubleshooting.md#limits).
+To make role assignments more manageable, avoid assigning roles directly to users. Instead, assign roles to groups. Assigning roles to groups instead of users also helps minimize the number of role assignments, which has a [limit of role assignments per subscription](../azure-resource-manager/management/azure-subscription-service-limits.md#azure-rbac-limits).
 
 ## Assign roles using the unique role ID instead of the role name
 

articles/role-based-access-control/conditions-custom-security-attributes-example.md

@@ -8,7 +8,7 @@ ms.service: role-based-access-control
 ms.subservice: conditions
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 11/16/2021
+ms.date: 09/13/2022
 ms.author: rolyon
 
 #Customer intent: As a dev, devops, or it admin, I want to 
@@ -20,7 +20,7 @@ ms.author: rolyon
 > Custom security attributes are currently in PREVIEW.
 > See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
 
-Azure role-based access control (Azure RBAC) currently supports 2,000 role assignments in a subscription. If you need to create hundreds or even thousands of Azure role assignments, you might encounter this limit. Managing hundreds or thousands of role assignments can be difficult. Depending on your scenario, you might be able to reduce the number of role assignments and make it easier to manage access.
+Azure role-based access control (Azure RBAC) has a [limit of role assignments per subscription](../azure-resource-manager/management/azure-subscription-service-limits.md#azure-rbac-limits). If you need to create hundreds or even thousands of Azure role assignments, you might encounter this limit. Managing hundreds or thousands of role assignments can be difficult. Depending on your scenario, you might be able to reduce the number of role assignments and make it easier to manage access.
 
 This article describes a solution to scale the management of role assignments by using [Azure attribute-based access control (Azure ABAC)](conditions-overview.md) conditions and [Azure AD custom security attributes](../active-directory/fundamentals/custom-security-attributes-overview.md) for principals.
 
@@ -33,7 +33,7 @@ Consider a company named Contoso with thousands of customers that wants to set u
 - Represent each customer by a unique Azure AD service principal.
 - Allow each customer to access objects in their container, but not other containers.​
 
-This configuration could potentially require 256,000 [Storage Blob Data Owner](built-in-roles.md#storage-blob-data-owner) role assignments in a subscription, which is well beyond the 2,000 role assignments limit. Having this many role assignments would be difficult, if not impossible, to maintain.
+This configuration could potentially require 256,000 [Storage Blob Data Owner](built-in-roles.md#storage-blob-data-owner) role assignments in a subscription, which is well beyond the role assignments limit. Having this many role assignments would be difficult, if not impossible, to maintain.
 
 ![Diagram showing thousands for role assignments.](./media/conditions-custom-security-attributes-example/role-assignments-multiple.png)
 

articles/role-based-access-control/custom-roles.md

@@ -7,7 +7,7 @@ manager: amycolannino
 ms.service: role-based-access-control
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 08/19/2022
+ms.date: 09/13/2022
 ms.author: rolyon
 ---
 
@@ -20,7 +20,7 @@ ms.author: rolyon
 
 If the [Azure built-in roles](built-in-roles.md) don't meet the specific needs of your organization, you can create your own custom roles. Just like built-in roles, you can assign custom roles to users, groups, and service principals at management group (in preview only), subscription, and resource group scopes.
 
-Custom roles can be shared between subscriptions that trust the same Azure AD tenant. There is a limit of **5,000** custom roles per tenant. (For Azure Germany and Azure China 21Vianet, the limit is 2,000 custom roles.) Custom roles can be created using the Azure portal, Azure PowerShell, Azure CLI, or the REST API.
+Custom roles can be shared between subscriptions that trust the same Azure AD tenant. There is a limit of **5,000** custom roles per tenant. (For Azure China 21Vianet, the limit is 2,000 custom roles.) Custom roles can be created using the Azure portal, Azure PowerShell, Azure CLI, or the REST API.
 
 ## Steps to create a custom role
 
@@ -207,7 +207,7 @@ Here are steps to help find the role assignments before deleting a custom role:
 The following list describes the limits for custom roles.
 
 - Each tenant can have up to **5000** custom roles.
-- Azure Germany and Azure China 21Vianet can have up to 2000 custom roles for each tenant.
+- Azure China 21Vianet can have up to 2000 custom roles for each tenant.
 - You cannot set `AssignableScopes` to the root scope (`"/"`).
 - You cannot use wildcards (`*`) in `AssignableScopes`. This wildcard restriction helps ensure a user can't potentially obtain access to a scope by updating the role definition.
 - You can only define one management group in `AssignableScopes` of a custom role. Adding a management group to `AssignableScopes` is currently in preview.

articles/role-based-access-control/role-assignments-list-portal.md

@@ -7,7 +7,7 @@ manager: amycolannino
 ms.service: role-based-access-control
 ms.topic: how-to
 ms.workload: identity
-ms.date: 08/26/2022
+ms.date: 09/13/2022
 ms.author: rolyon
 ---
 
@@ -130,7 +130,7 @@ You can list role assignments for system-assigned and user-assigned managed iden
 
 ## List number of role assignments
 
-You can have up to **2000** role assignments in each subscription. This limit includes role assignments at the subscription, resource group, and resource scopes. To help you keep track of this limit, the **Role assignments** tab includes a chart that lists the number of role assignments for the current subscription.
+You can have up to **4000** role assignments in each subscription. This limit includes role assignments at the subscription, resource group, and resource scopes. To help you keep track of this limit, the **Role assignments** tab includes a chart that lists the number of role assignments for the current subscription.
 
 The role assignments limit for a subscription is currently being increased. For more information, see [Troubleshoot Azure RBAC](troubleshooting.md#limits).
 

articles/role-based-access-control/role-assignments-steps.md

@@ -7,7 +7,7 @@ manager: amycolannino
 ms.service: role-based-access-control
 ms.topic: how-to
 ms.workload: identity
-ms.date: 11/12/2021
+ms.date: 09/13/2022
 ms.author: rolyon
 ---
 
@@ -80,7 +80,7 @@ If you are using a service principal to assign roles, you might get the error "I
 
 Once you know the security principal, role, and scope, you can assign the role. You can assign roles using the Azure portal, Azure PowerShell, Azure CLI, Azure SDKs, or REST APIs.
 
-You can have up to **2000** role assignments in each subscription. This limit includes role assignments at the subscription, resource group, and resource scopes. You can have up to **500** role assignments in each management group. The role assignments limit for a subscription is currently being increased. For more information, see [Troubleshoot Azure RBAC](troubleshooting.md#limits).
+You can have up to **4000** role assignments in each subscription. This limit includes role assignments at the subscription, resource group, and resource scopes. You can have up to **500** role assignments in each management group. For more information, see [Troubleshoot Azure RBAC](troubleshooting.md#limits).
 
 Check out the following articles for detailed steps for how to assign roles.
 

articles/role-based-access-control/troubleshooting.md

@@ -9,7 +9,7 @@ ms.service: role-based-access-control
 ms.workload: identity
 ms.tgt_pltfrm: na
 ms.topic: troubleshooting
-ms.date: 07/28/2022
+ms.date: 09/13/2022
 ms.author: rolyon
 ms.custom: seohack1, devx-track-azurecli, devx-track-azurepowershell
 ---
@@ -27,10 +27,10 @@ When you try to assign a role, you get the following error message:
 
 **Cause**
 
-Azure supports up to **2000** role assignments per subscription. This limit includes role assignments at the subscription, resource group, and resource scopes, but not at the management group scope.
+Azure supports up to **4000** role assignments per subscription. This limit includes role assignments at the subscription, resource group, and resource scopes, but not at the management group scope.
 
 > [!NOTE]
-> Starting November 2021, the role assignments limit for all Azure subscriptions is being automatically increased from **2000** to **4000**. There is no action that you need to take for your subscription. The limit increase will take several months.
+> For specialized clouds, such as Azure Government and Azure China 21Vianet, the limit is **2000** role assignments per subscription.
 
 **Solution**
 
@@ -338,7 +338,7 @@ When you try to create a new custom role, you get the following message:
 
 **Cause**
 
-Azure supports up to **5000** custom roles in a directory. (For Azure Germany and Azure China 21Vianet, the limit is 2000 custom roles.)
+Azure supports up to **5000** custom roles in a directory. (For Azure China 21Vianet, the limit is 2000 custom roles.)
 
 **Solution**
 

includes/role-based-access-control/limits.md

@@ -13,13 +13,14 @@
 | Area | Resource | Limit |
 | --- | --- | --- |
 | [Azure role assignments](../../articles/role-based-access-control/overview.md) |  |  |
-|  | Azure role assignments per Azure subscription<br/>The role assignments limit for a subscription is currently being increased. For more information, see [Troubleshoot Azure RBAC](../../articles/role-based-access-control/troubleshooting.md#limits). | 2,000 |
+|  | Azure role assignments per Azure subscription | 4,000 |
+|  | Azure role assignments per Azure subscription<br/>(for Azure Government and Azure China 21Vianet) | 2,000 |
 |  | Azure role assignments per management group | 500 |
 |  | Size of description for Azure role assignments | 2 KB |
 |  | Size of [condition](../../articles/role-based-access-control/conditions-overview.md) for Azure role assignments | 8 KB |
 | [Azure custom roles](../../articles/role-based-access-control/custom-roles.md) |  |  |
 |  | Azure custom roles per tenant | 5,000 |
-|  | Azure custom roles per tenant<br/>(for Azure Germany and Azure China 21Vianet) | 2,000 |
+|  | Azure custom roles per tenant<br/>(for Azure China 21Vianet) | 2,000 |
 |  | Size of role name for Azure custom roles | 512 chars |
 |  | Size of description for Azure custom roles | 2 KB |
 |  | Number of assignable scopes for Azure custom roles | 2,000 |