
When trying to view Key Vault Secrets or Keys, the Azure portal UI makes the following calls:

Retrieve the list of access policies:

POST https://management.azure.com/batch?api-version=2020-06-01

Pass the list of access policies to Graph API checkMemberGroups:

POST https://graph.windows.net/myorganization/users/..../checkMemberGroups?api-version=1.6

Which returns the error message: "Number of groups to be checked cannot be more than 20."

I do have more than 20, and the graph API call checkMemberGroups has a documented limitation.

You can check up to a maximum of 20 groups per request. This function supports all groups provisioned in Azure AD. Because Microsoft 365 groups cannot contain other groups, membership in a Microsoft 365 group is always direct.

Reference: https://learn.microsoft.com/en-us/graph/api/directoryobject-checkmembergroups?view=graph-rest-1.0&tabs=http

This seems to be an unusual restriction that you cannot be a member of 20 groups to view Key Vault Secrets or Keys with an access policy permission model set to ‘Vault Access Policy’.

I suspect this is probably a bug with the Azure Portal rather than a feature. Has anybody else come across this limitation?

It seems to me the Azure Portal should be iterating through the list of 20 groups at a time rather than sending a bulk list in one go.
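The batching the question asks for, as an added example that is not part of the original post or of the Azure Portal: group object IDs collected from the access policies are split into requests of at most 20 before being checked. The Graph endpoint is a constructed in-memory stand-in that enforces the documented limit, so the code runs offline; `make_stub_transport`, `chunked` and `check_member_groups_batched` are names chosen here, not Graph SDK APIs.

```python
# Added example (not from the original question): batch checkMemberGroups so
# that no single request carries more than 20 group object IDs. The transport
# below is a constructed in-memory stand-in for the Graph endpoint that
# enforces the documented limit; swap it for a real HTTP call in practice.
from typing import Callable, Iterable, List

MAX_GROUPS_PER_REQUEST = 20  # documented checkMemberGroups limit
ERROR_TEXT = "Number of groups to be checked cannot be more than 20."

Transport = Callable[[List[str]], List[str]]


class GraphRequestError(Exception):
    """Raised when the (stubbed) Graph endpoint rejects a request."""


def make_stub_transport(member_of: Iterable[str]) -> Transport:
    """Build a fake checkMemberGroups endpoint for offline use.
    `member_of` is the constructed set of group IDs the user belongs to. Like
    the real API, the stub rejects more than 20 IDs per request and returns
    only the requested IDs the user is a member of.
    """
    membership = set(member_of)

    def send(group_ids: List[str]) -> List[str]:
        if len(group_ids) > MAX_GROUPS_PER_REQUEST:
            raise GraphRequestError(ERROR_TEXT)
        return [g for g in group_ids if g in membership]

    return send


def chunked(items: List[str], size: int) -> Iterable[List[str]]:
    """Yield consecutive slices of at most `size` items."""
    for start in range(0, len(items), size):
        yield items[start:start + size]


def check_member_groups_batched(transport: Transport, group_ids: List[str]) -> List[str]:
    """Check membership in any number of groups, 20 per request at a time.
    Duplicate IDs are dropped first so a policy that lists the same group twice
    does not spend a second slot; results keep first-seen order.
    """
    unique_ids = list(dict.fromkeys(group_ids))
    matched: List[str] = []
    for batch in chunked(unique_ids, MAX_GROUPS_PER_REQUEST):
        matched.extend(transport(batch))
    return matched
```

Sending the full list in one call raises the same "cannot be more than 20" error the portal shows, while the batched call returns the matching groups across all requests.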


Answers


  1. Chosen as BEST ANSWER

    It seems this is a bug with Azure Key Vault. I can access Key Vault ok this morning.

    The bad request error "Number of groups to be checked cannot be more than 20." is still being thrown by the Azure Portal when accessing Key Vault but no longer blocks access to the resource.

    I'll close this question as I suspect something has been modified server side. Thanks everyone for the comments.


  2. I guess there is some understanding gap at your end. The document says you can send only 20 groups per request to check if the user belongs to how many of those groups.
    The document doesn't say that the user cannot be a member of more than 20 groups.

    The request body parameters link clearly states that you need to pass groupIds in the request body, and the groupIds parameter expects a collection that contains the object IDs of the groups in which to check membership. Up to 20 groups may be specified.
