|
| 1 | +--- |
| 2 | +title: Troubleshooting the configured permissions limits |
| 3 | +description: Learn why some apps may exceed the limits on configured permissions and how to address this issue. |
| 4 | +author: Jackson-Woods |
| 5 | +ms.author: jawoods |
| 6 | +manager: CelesteDG |
| 7 | +ms.date: 12/08/2022 |
| 8 | +ms.topic: reference |
| 9 | +ms.subservice: develop |
| 10 | +ms.custom: aaddev |
| 11 | +ms.service: active-directory |
| 12 | +ms.reviewer: phsignor |
| 13 | +--- |
| 14 | + |
| 15 | +# Troubleshooting the configured permissions limits |
| 16 | + |
| 17 | +The `RequiredResourceAccess` collection (RRA) on an application object contains all the configured API permissions that an app requires for its default consent request. This collection has various limits depending on which types of identities the app supports, For more information on the limits for supported account types, see [Validation differences by supported account types](supported-accounts-validation.md). |
| 18 | + |
| 19 | +The limits on maximum permissions were updated in May 2022, so some apps may have more permissions in their RRA than are now allowed. In addition, apps that change their supported account types after configuring permissions may exceed the limits of the new setting. When apps exceed the configured permissions limit, no new permissions may be added until the number of permissions in the `RequiredResourceAccess` collection is brought back under the limits. |
| 20 | + |
| 21 | +This document offers additional information and troubleshooting steps to resolve this issue. |
| 22 | + |
| 23 | +## Identifying when an app has exceeded the `RequiredResourceAccess` limits |
| 24 | + |
| 25 | +In general, all applications with more than 400 permissions have exceeded the configuration limits. Apps may also be subject to lower limits if they support sign-in for personal Microsoft accounts (MSA). An app that has exceeded the permission limits will receive the following error when trying to add more permissions in the Azure portal: |
| 26 | + |
| 27 | +> `Failed to save permissions for <AppName>. This configuration exceeds the global application object limit. Remove some items and retry your request.` |
| 28 | +
|
| 29 | +## Resolution steps |
| 30 | + |
| 31 | +If the application isn't needed anymore, the first option you should consider is to delete the app registration entirely. (You can restore recently deleted applications, in case you discover soon afterwards that it was still needed.) |
| 32 | + |
| 33 | +If you still need the application or are unsure, the following steps will help you resolve this issue: |
| 34 | + |
| 35 | +1. **Remove duplicate permissions.** In some cases, the same permission is listed multiple times. Review the required permissions and remove permissions that are listed two or more times. See the related PowerShell script on the [additional resources](#additional-resources) section of this article. |
| 36 | +2. **Remove unused permissions.** Review the permissions required by the application and compare them to what the application or service does. Remove permissions that are configured in the app registration, but which the application or service doesn’t require. For more information on how to review permissions, see [Review application permissions](../manage-apps/manage-application-permissions.md) |
| 37 | +3. **Remove redundant permissions.** In many APIs, including Microsoft Graph, some permissions aren't necessary when other more privileged permissions are included. For example, the Microsoft Graph permission User.Read.All (read all users) isn't needed when an application also has User.ReadWrite.All (read, create and update all users). To learn more about Microsoft Graph permissions, see [Microsoft Graph permissions reference](/graph/permissions-reference). |
| 38 | +4. **Use multiple app registrations.** If a single app or service requires more than 400 permissions in the required permissions list, the app will need to be configured to use two (or more) different app registrations, each one with 400 or fewer permissions configured on the app registration. |
| 39 | + |
| 40 | +## Frequently asked questions (FAQ) |
| 41 | + |
| 42 | +### *Why has Microsoft revised the limit on total permissions?* |
| 43 | + |
| 44 | +This limit is important for two reasons: |
| 45 | + |
| 46 | +- To help prevent an app from being configured to require more permissions than can be granted during consent. |
| 47 | +- To keep the total size of the app registration within the limits required for stability and performance of the underlying storage platform. |
| 48 | + |
| 49 | +### *What will happen if I don’t do anything?* |
| 50 | + |
| 51 | +If your app exceeds the total permissions limit, you'll no longer be able to increase the total number of required permissions for your application. |
| 52 | + |
| 53 | +### *Does the limit change how many permissions my application can be granted?* |
| 54 | + |
| 55 | +No. This limit affects only the list of requested API permissions configured on the app registration. This is different from the list of permissions that have been granted to your application. |
| 56 | + |
| 57 | +Even if it isn't listed in the required API permissions list, a delegated permission can still be requested dynamically by an application. Both delegated permissions and app roles (application permissions) can also be granted directly, using Microsoft Graph API or Microsoft Graph PowerShell. |
| 58 | + |
| 59 | +### *Can the limit be raised for my application?* |
| 60 | + |
| 61 | +No, the limit can't be raised for individual applications or organizations. |
| 62 | + |
| 63 | +### *Are there other limits on the list of required API permissions?* |
| 64 | + |
| 65 | +Yes. The limits can vary depending on the supported account types for the app. Apps that support personal Microsoft Accounts for sign-in (for example, Outlook.com, Hotmail.com, Xbox Live) generally have lower limits. See [Validation differences by supported account types](supported-accounts-validation.md) to learn more. |
| 66 | + |
| 67 | +## Additional resources |
| 68 | + |
| 69 | +Use the following PowerShell script to remove any duplicate permissions from your app registrations. |
| 70 | + |
| 71 | +```PowerShell |
| 72 | +<# |
| 73 | +.SYNOPSIS |
| 74 | + Remove duplicate required API permissions from an app registration's required API permission list. |
| 75 | +.DESCRIPTION |
| 76 | + This script ensures all API permissions listed in a Microsoft identity platform's app registration are only listed once, |
| 77 | + removing any duplicates it finds. This script requires the Microsoft.Graph.Applications PowerShell module. |
| 78 | +.EXAMPLE |
| 79 | + Get-MgApplication -Filter "appId eq '46c22aca-bcdd-467d-a837-bd544c09b8b4'" | .\Deduplicate_RequiredResourceAccess.ps1" |
| 80 | +.EXAMPLE |
| 81 | + $apps = Get-MgApplication -Filter "startswith(displayName,'Test_app')" |
| 82 | + $apps | .\Deduplicate_RequiredResourceAccess.ps1 |
| 83 | +#> |
| 84 | +
|
| 85 | +#Requires -Modules Microsoft.Graph.Applications |
| 86 | +
|
| 87 | +[CmdletBinding()] |
| 88 | +param( |
| 89 | + [Parameter(ValueFromPipeline = $true)] |
| 90 | + $App |
| 91 | +) |
| 92 | +
|
| 93 | +begin { |
| 94 | + $context = Get-MgContext |
| 95 | + if (-not $context) { |
| 96 | + throw ("You must connect to Microsoft Graph PowerShell first, with sufficient permissions " + |
| 97 | + "to manage Application objects. For example: Connect-MgGraph -Scopes ""Application.ReadWrite.All""") |
| 98 | + } |
| 99 | +} |
| 100 | +
|
| 101 | +process { |
| 102 | + |
| 103 | + # Build the unique list of required API permissions for each required API |
| 104 | + $originalCount = 0 |
| 105 | + $tempRras = @{} |
| 106 | + foreach ($rra in $App.RequiredResourceAccess) { |
| 107 | + if (-not $tempRras.ContainsKey($rra.ResourceAppId)) { |
| 108 | + $tempRras[$rra.ResourceAppId] = @{"Scope" = @{}; "Role" = @{}}; |
| 109 | + } |
| 110 | + foreach ($ra in $rra.ResourceAccess) { |
| 111 | + if ($tempRras[$rra.ResourceAppId][$ra.Type].ContainsKey($ra.Id)) { |
| 112 | + # Skip duplicate required API permission |
| 113 | + } else { |
| 114 | + $tempRras[$rra.ResourceAppId][$ra.Type][$ra.Id] = $true |
| 115 | + } |
| 116 | + $originalCount++ |
| 117 | + } |
| 118 | + } |
| 119 | + |
| 120 | + # Now that we have the unique set of required API permissions, iterate over all the keys to build the final requiredResourceAccess structure |
| 121 | + $deduplicatedCount = 0 |
| 122 | + $finalRras = @($tempRras.Keys) | ForEach-Object { |
| 123 | + $resourceAppId = $_ |
| 124 | + @{ |
| 125 | + "resourceAppId" = $resourceAppId |
| 126 | + "resourceAccess" = @(@("Scope", "Role") | ForEach-Object { |
| 127 | + $type = $_ |
| 128 | + $tempRras[$resourceAppId][$type].Keys | ForEach-Object { |
| 129 | + $deduplicatedCount++; |
| 130 | + @{"type" = $type; "id" = $_} |
| 131 | + } |
| 132 | + }) |
| 133 | + } |
| 134 | + } |
| 135 | + |
| 136 | + $countDifference = $originalCount - $deduplicatedCount |
| 137 | + if ($countDifference) { |
| 138 | + Write-Host "Removing $($countDifference) duplicate entries in RequiredResourceAccess for '$($App.DisplayName)' (AppId: $($App.AppId))" |
| 139 | + Update-MgApplication -ApplicationId $App.Id -RequiredResourceAccess $finalRras |
| 140 | + } else { |
| 141 | + Write-Host "No updates necessary for '$($App.DisplayName)' (AppId: $($App.AppId))" |
| 142 | + } |
| 143 | +} |
| 144 | +``` |
| 145 | + |
| 146 | +## Learn more |
| 147 | + |
| 148 | +- Learn about API permissions and the Microsoft identity platform: [Overview of permissions and consent in the Microsoft identity platform](permissions-consent-overview.md) |
| 149 | +- Understand the permissions available for Microsoft Graph: [Microsoft Graph permissions reference](/graph/permissions-reference) |
| 150 | +- Review the limitations to application configurations: [Validation differences by supported account types](supported-accounts-validation.md) |
0 commit comments