Cognite Data Fusion (CDF) appears to enforce a limit of approximately 200 Azure AD group memberships when resolving permissions for Service Principals. The figure matches the group-claim limit Microsoft Entra ID applies to JWT access tokens: once a principal is a member of more than 200 groups, the token no longer carries the full list of groups but a group overage indicator (the _claim_names / _claim_sources claims) that tells the relying party to fetch the memberships from Microsoft Graph instead. Microsoft Graph itself has no such limit; it returns every direct or transitive group membership of a user or Service Principal, paginated.
As organizations scale their authorization models using Azure AD groups, this restriction can prevent access inheritance from functioning as expected and forces manual workarounds that increase operational overhead and governance complexity.
Business Context
Many enterprise deployments use Azure AD groups to manage access to assets, plants, data products, and other resources within CDF.
A common architecture relies on:
- Azure AD groups representing access domains.
- Group Object IDs mapped to the corresponding Source IDs of CDF groups.
- Service Principals inheriting permissions through group membership.
However, when the number of group memberships exceeds the supported threshold, the memberships beyond it are silently not considered during authorization, resulting in incomplete permission resolution: the Service Principal is simply denied access to the CDF groups whose Source IDs fall outside the resolved set, with no error that points at the membership count.
Current Workaround
The current workaround consists of adding Service Principals directly to individual access groups instead of relying on inherited permissions through the existing group structure.
While functional, this approach presents several challenges:
- It does not scale as the number of groups and data products grows.
- It increases administrative effort and maintenance activities.
- It complicates access governance and auditing processes.
- It introduces a higher risk of configuration errors and permission inconsistencies.
Problem Statement
The current behavior creates a gap between Microsoft Entra ID (Azure AD) authorization capabilities and CDF authorization behavior.
Since Microsoft Graph supports retrieval of all group memberships, and Entra ID signals the overage case in the token precisely so that relying parties can do that retrieval, the limitation appears to stem from the current implementation within CDF rather than from the underlying identity provider.
This can impact any organization that relies on group-based authorization models to manage access at scale.
Business Impact
Operational Impact
- Increased administrative effort for access management.
- Additional maintenance when new groups, assets, plants, or data products are introduced.
- Reduced efficiency of centralized identity management practices.
Governance Impact
- Increased complexity in maintaining access-control policies.
- Reduced effectiveness of group-based authorization strategies.
- Greater effort required for auditing and access reviews.
Security and Compliance Impact
- Increased reliance on manual permission assignments.
- Higher risk of access inconsistencies.
- Potential compliance concerns resulting from non-standard authorization processes.
Scalability Impact
- Reduced scalability of Azure AD group-based authorization models.
- Growing operational burden as enterprise environments expand.
- Limitations on adoption of best-practice identity and access management patterns.
Requested Enhancement
Enhance CDF authorization to support all Azure AD group memberships associated with a Service Principal, or significantly increase the current limit, ensuring alignment with Microsoft Graph capabilities.
Possible implementation options include:
- Removing the current membership limit.
- Resolving the token's group overage claim by retrieving group memberships from Microsoft Graph, following pagination (@odata.nextLink) until the full list is read.
- Supporting complete transitive group membership resolution.
- Providing configurable limits for enterprise deployments where required.
Expected Benefits
- Improved scalability of enterprise authorization models.
- Elimination of manual access-management workarounds.
- Better alignment with Microsoft Entra ID / Azure AD capabilities.
- Reduced operational, governance, and compliance risks.
- Simplified lifecycle management for users, groups, and Service Principals.