I was going through this link
where it says "A maximum of 500 role-assignable groups can be created in a single Azure AD organization (tenant)."
This looks like a big limitation in Azure. The question is, how do big organizations (having more than 500 groups; I'm sure they must, considering different departments/towers/groups/applications) manage this limitation?
What are the best practices or architecture decisions that must be followed while creating groups/access packages, considering this limitation?
Thanks.
CodePudding user response:
According to the restrictions for role-assignable groups, and as you already mentioned, a maximum of 500 role-assignable groups can be created in a single Azure AD organization (tenant).
First of all, the purpose of role-assignable groups is to prevent potential breaches or misuse of assigned permissions, and they can be created only by the Global Administrator role or a PIM (Privileged Identity Management) role. Since the purpose of a role-assignable security group is to assign roles and the underlying permissions specific to the requirement regarding the deployment of Azure resources or similar scenarios, role-assignable security groups, being of high-value concern, are mostly fewer in number than the other group types.
That limit cannot be changed for a particular subscription. Usually smaller institutions or organizations use a single tenant, and that limit suffices in those cases.
Most of the larger institutions (say, those which have over 1 million users) use a multi-tenant architecture to avoid such tenant and quota limitations/restrictions on services.
A multi-tenant architecture is adopted for regional cases to make things easier for larger organisations.
This condition lets bigger institutions manage the limitation easily.
Reference: GitHub issue
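Before deciding on a multi-tenant layout, it helps to know how close a tenant actually is to the limit. The script below is an added example (not part of the question or the answer above) that counts the role-assignable groups in the signed-in tenant with the Microsoft Graph PowerShell SDK and compares the count with the 500 figure quoted in the question. It assumes the `Microsoft.Graph.Groups` module is installed and that the caller has the `Group.Read.All` permission; the 80% warning threshold is an assumption chosen for illustration.

```powershell
# Added example (not part of the original post): count role-assignable groups
# in the signed-in tenant and compare against the documented limit of 500.
# Assumes the Microsoft.Graph PowerShell SDK is installed and that the caller
# holds the Group.Read.All (or Directory.Read.All) permission.
Import-Module Microsoft.Graph.Groups

Connect-MgGraph -Scopes 'Group.Read.All' | Out-Null

$Limit = 500            # limit quoted in the question
$WarnFraction = 0.8     # alert threshold; an assumption, tune as needed

# Fetch every group with only the properties needed, then keep the
# role-assignable ones (isAssignableToRole is the Graph group property
# that marks a group as role-assignable).
$roleAssignable = Get-MgGroup -All -Property Id,DisplayName,IsAssignableToRole,CreatedDateTime |
    Where-Object { $_.IsAssignableToRole -eq $true }

$count = @($roleAssignable).Count
$remaining = $Limit - $count

"Role-assignable groups: $count of $Limit ($remaining remaining)"

if ($count -ge $Limit) {
    Write-Warning "Limit reached: no further role-assignable groups can be created in this tenant."
} elseif ($count -ge [math]::Floor($Limit * $WarnFraction)) {
    Write-Warning "Approaching the limit: review whether every role-assignable group still needs that flag."
}

# List them oldest first so stale groups that no longer carry a role
# assignment are easy to spot and reclaim.
$roleAssignable |
    Sort-Object CreatedDateTime |
    Select-Object DisplayName, Id, CreatedDateTime |
    Format-Table -AutoSize
```

Because the flag cannot be removed from an existing group, the practical lever is to reserve it for groups that actually receive directory role assignments and to use ordinary security groups (or access packages backed by them) for application and resource access; running this count periodically makes it visible when the reserve is being consumed.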