Auth Tip: Azure AD SAML group limit

A small note for anyone using Azure AD for SAML-based auth to #knowledge-articles:kb-zpa (or #knowledge-articles:kb-zia for that matter).

Azure AD has a set of limits as outlined in this Microsoft Article, but the one that will impact any SAML SP, which Zscaler happens to be, is that:

  • If your user is a member of over 150 groups
  • Azure AD will stop talking SAML and ask to talk Graph API

If you are hitting this issue, our recommendations are:

  • reduce groups that the user is part of (or what is being shared as a claim)
  • use a different SAML attribute for policy, e.g. departments
  • consider alternative IDPs that support your 150 groups in SAML

Is the 150 Groups limitation based on actual Groups of the user in Azure AD or is it based on the amount of groups that are synchronized with Zscaler via SAML token?
My customer has users with more than 200 Groups in Azure AD and SAML works fine for them.
However we currently do not sync those groups with Zscaler.

So it is more towards the second note, more than 150 groups that are sent via SAML attribute from Azure AD, under the Groups definition. So if the customer is sharing only a smaller number via their claim, then this shouldn't be a problem. Please see the linked article for the details that state:

"Notes :
If the number of groups the user is in goes over a limit (150 for SAML, 200 for JWT) then an overage claim will be added the claim sources pointing at the Graph endpoint containing the list of groups for the user."
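The failure mode described in the original post and in the reply above is silent from the SP's point of view: once the user exceeds the limit, Azure AD leaves the groups attribute out of the SAML response and adds an overage pointer instead, so group-based policy simply stops matching. The following script, added here as an example and not code from the thread, Zscaler or Microsoft, parses a SAML assertion and reports which of the two cases the SP actually received. It assumes the claim names Azure AD uses in SAML tokens for the groups claim (http://schemas.microsoft.com/ws/2008/06/identity/claims/groups) and for the overage pointer (http://schemas.microsoft.com/claims/groups.link); the assertion it builds is a constructed stand-in for testing, and the Graph URL in it is a placeholder, not a real endpoint.

```python
"""Detect Azure AD's group-claim overage in a SAML assertion.

Added example, not Zscaler or Microsoft code. Assumed claim names are the ones
Azure AD documents for SAML tokens; the 150 figure is the SAML limit quoted
from Microsoft's documentation in the thread.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
OVERAGE_CLAIM = "http://schemas.microsoft.com/claims/groups.link"
SAML_GROUP_LIMIT = 150  # SAML limit quoted in the thread (JWT is 200)


def build_assertion(groups, overage_url=None):
    """Build a minimal, constructed <saml:Assertion> for testing.

    This is scaffolding, not a real Azure AD response: it emits either one
    AttributeValue per group (normal case) or, when overage_url is given, the
    groups.link pointer in place of the group list, which is what Azure AD
    does once the user is over the limit.
    """
    if overage_url is not None:
        attrs = (f'<saml:Attribute Name="{OVERAGE_CLAIM}">'
                 f'<saml:AttributeValue>{escape(overage_url)}</saml:AttributeValue>'
                 f'</saml:Attribute>')
    else:
        values = "".join(f"<saml:AttributeValue>{escape(g)}</saml:AttributeValue>"
                         for g in groups)
        attrs = f'<saml:Attribute Name="{GROUPS_CLAIM}">{values}</saml:Attribute>'
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}">'
            f'<saml:AttributeStatement>{attrs}</saml:AttributeStatement>'
            f'</saml:Assertion>')


def inspect_group_claims(assertion_xml):
    """Report what an SP that only speaks SAML actually sees for groups.

    status is one of:
      "ok"         groups claim present and within the SAML limit
      "overage"    Azure AD replaced the groups with a groups.link pointer;
                   no group list reached the SP, so group policy cannot match
      "over_limit" more values than the limit were delivered (another IdP,
                   or the preview behaviour mentioned later in the thread)
      "none"       neither claim present
    """
    root = ET.fromstring(assertion_xml)
    groups = [v.text for v in root.findall(
        f".//saml:Attribute[@Name='{GROUPS_CLAIM}']/saml:AttributeValue", NS)]
    overage = [v.text for v in root.findall(
        f".//saml:Attribute[@Name='{OVERAGE_CLAIM}']/saml:AttributeValue", NS)]
    if overage:
        status = "overage"
    elif len(groups) > SAML_GROUP_LIMIT:
        status = "over_limit"
    elif groups:
        status = "ok"
    else:
        status = "none"
    return {
        "status": status,
        "group_count": len(groups),
        "groups": groups,
        "overage_url": overage[0] if overage else None,
    }


if __name__ == "__main__":
    # Constructed sample inputs: a normal response and an overage response.
    normal = build_assertion(["group-id-1", "group-id-2", "group-id-3"])
    overage = build_assertion([], overage_url="https://graph.example.invalid/placeholder")
    for label, xml_doc in (("normal", normal), ("overage", overage)):
        print(label, inspect_group_claims(xml_doc))
```

Running this against the real assertion captured from a failing login (for instance, from a SAML tracer in the browser) tells you immediately whether the IdP sent a group list at all; a status of "overage" means the fixes listed in the original post apply, and no amount of policy tuning on the SP will help until the number of groups emitted in the claim drops under the limit.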

On a related note, MS has an Azure AD enhancement in preview that addresses the limitation of 150 SAML groups. With the enhancement, it should be possible to receive 150+ groups in SAML response. Customers who are interested in testing the preview functionality, should reach out to ZPA PM team for assistance.

thank you, this is good to know.

