Azure-docs: non-admin clarification

Created on 25 Oct 2018 · 5 Comments · Source: MicrosoftDocs/azure-docs

For the Objects category it is mentioned "A non-admin user can create no more than 250 objects." Can we clarify what type of admin can do this, thinking about the minimum requirements to create more than 250 objects?



Labels: active-directorsvc, assigned-to-author, doc-enhancement, triaged

All 5 comments

@gonzalre
Thanks for your feedback! We will investigate and update as appropriate.

Hi @gonzalre
I'll dig into this and find out if there are admin roles that can do more. Thanks for your contribution!

+1 on this issue. Would like a way to authorize higher limits for AD App Principals to create more than 250 objects in particular. Applications which automate things like AD App creation will run into this limit pretty quickly.

Hi @gonzalre , @pgazmuri

There isn't a good way today. It's definitely something we'll be addressing in the future. The admin roles that can create more than 250 objects are all pretty highly privileged. I may have missed one.
Application Administrator
Cloud Application Administrator
Global Administrator
Conditional Access Administrator
Exchange Administrator
Intune Administrator
Security Administrator
SharePoint Administrator
Teams administrator
User administrator

I shouldn't roll out documentation for this if I just have to rescind it. I think a solution will come sooner rather than later.
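Since the only principals that can exceed the quota are the highly privileged roles listed above, a defender's practical option is to watch how close an automation account is getting to the 250 limit before anyone is tempted to hand it an admin role. The script below is an added example (not from azure-docs or Microsoft); it assumes that Microsoft Graph's `createdObjects` relationship reflects the objects counted against the quota, and it takes a `fetch_json(url)` callable (your authenticated GET) so the paging logic can run offline against constructed pages.

```python
"""Count the directory objects a user or service principal has created and
flag principals approaching the 250-object non-admin quota.

Added example, not azure-docs or Microsoft code. Assumptions:
  - Graph's `createdObjects` relationship mirrors the quota counter
    (not stated by the docs; an assumption);
  - `fetch_json(url)` performs an authenticated GET and returns the parsed
    JSON body, so the same code runs offline against constructed pages.
"""
from typing import Callable, Dict, Iterable, List, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
NON_ADMIN_QUOTA = 250  # figure quoted in the docs and in this issue


def iter_pages(fetch_json: Callable[[str], Dict], url: str) -> Iterable[Dict]:
    """Yield every item, following Graph's @odata.nextLink until exhausted."""
    while url:
        body = fetch_json(url)
        yield from body.get("value", [])
        url = body.get("@odata.nextLink")


def created_object_count(fetch_json, principal_type: str, principal_id: str) -> int:
    """principal_type is a Graph collection name: 'users' or 'servicePrincipals'."""
    url = f"{GRAPH}/{principal_type}/{principal_id}/createdObjects?$select=id"
    return sum(1 for _ in iter_pages(fetch_json, url))


def quota_report(fetch_json, principals: List[Tuple[str, str]],
                 warn_at: float = 0.8) -> List[Dict]:
    """One row per principal; `warn` is set once usage reaches warn_at * quota."""
    report = []
    for ptype, pid in principals:
        n = created_object_count(fetch_json, ptype, pid)
        report.append({"id": pid, "type": ptype, "created": n,
                       "remaining": max(NON_ADMIN_QUOTA - n, 0),
                       "warn": n >= warn_at * NON_ADMIN_QUOTA})
    return report


# Constructed offline stand-in for Graph: the service principal's objects span
# two pages (nextLink), the user's fit on one.
_FAKE = {
    f"{GRAPH}/servicePrincipals/sp-1/createdObjects?$select=id":
        {"value": [{"id": str(i)} for i in range(200)], "@odata.nextLink": "page2"},
    "page2": {"value": [{"id": str(i)} for i in range(200, 230)]},
    f"{GRAPH}/users/u-1/createdObjects?$select=id": {"value": [{"id": "x"}, {"id": "y"}]},
}


def fake_fetch(url: str) -> Dict:
    return _FAKE[url]


if __name__ == "__main__":
    for row in quota_report(fake_fetch, [("servicePrincipals", "sp-1"), ("users", "u-1")]):
        print(row)
```

Against a real tenant, pass something like `lambda u: requests.get(u, headers={"Authorization": f"Bearer {token}"}).json()` as `fetch_json`, using a token that holds read permission on directory objects.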

@MarileeTurscak-MSFT

please-close

@curtand , that certainly IS NOT a good practice. In fact, I am astonished Microsoft would even consider recommending this "workaround" - it is a highly insecure and extremely hack job of attempting to circumvent the object quota restrictions.

In my opinion, you should either create a specific role, which includes NO OTHER PERMISSIONS, that permits users with said role to create more than 250 objects ... or simply raise the limit and have it the same for everyone. Of course, I would favor the former, as it would provide more fine-grained control over resources and minimize abuse of the privilege. However, to recommend that any user needing to create more than the limit be granted an administrative role blows my mind and makes me think twice about the real security of Azure AD as it currently exists. (e.g. If such recommendations are made publicly, what types of hacks are going on internally which may adversely affect our organizations?)

Please push this to the higher ups for a quick resolution with minimal or zero security impact. There is no reason I can think of that a new role wouldn't be able to be created to do one thing - permit bypassing this restriction.

Thanks.
