When an Azure Active Directory (AD) based Security Assertion Markup Language (SAML) user logs in to ArcGIS Online or ArcGIS Enterprise and is a member of more than 150 groups, the user's group claim is missing from the SAML assertion. As a result, that user is not added to any SAML-based enterprise groups in ArcGIS Online and/or ArcGIS Enterprise.
Azure AD limits the number of groups that can be sent in a SAML assertion response to 150. For more information, please see the Microsoft article titled "Configure group claims for applications with Azure Active Directory".
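To confirm that a user is hitting this condition, the quickest check is to inspect the SAML assertion Azure AD actually returned and see whether the group claim is there at all. The following diagnostic is an added example, not Esri's or Microsoft's code; it assumes the default Azure AD group claim name (override it if the enterprise app customised the claim) and uses a constructed, unsigned sample assertion in place of a real token.

```python
"""Added diagnostic: does the SAML assertion from Azure AD carry a group claim?
Not Esri's or Microsoft's code; all sample data here is constructed."""
import base64
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Default claim name Azure AD uses for group membership in SAML tokens;
# pass a different claim_name below if the enterprise app renamed it.
AZURE_GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
AZURE_SAML_GROUP_LIMIT = 150  # default limit stated in the article


def extract_attributes(saml_xml: str) -> dict:
    """Return {claim name: [values]} for every Attribute in the assertion."""
    attrs = {}
    for attr in ET.fromstring(saml_xml).iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text or "" for v in attr.iter(f"{{{SAML_NS}}}AttributeValue")]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs


def diagnose_group_claim(saml_xml: str, claim_name: str = AZURE_GROUPS_CLAIM) -> dict:
    """Explain why ArcGIS may have received no SAML groups for this user.
    A 'missing' claim has two causes the assertion alone cannot separate: the
    app never emits group claims, or the user is in more than
    AZURE_SAML_GROUP_LIMIT groups and Azure AD dropped the claim entirely."""
    attrs = extract_attributes(saml_xml)
    groups = attrs.get(claim_name)
    status = "missing" if groups is None else "present"
    return {"status": status, "group_count": len(groups or []), "claims": sorted(attrs)}


def diagnose_saml_response(b64_response: str) -> dict:
    """Same check, starting from the base64 SAMLResponse field captured in the browser."""
    return diagnose_group_claim(base64.b64decode(b64_response).decode("utf-8"))


def build_sample_assertion(groups) -> str:
    """Constructed, unsigned sample assertion; groups=None omits the claim."""
    group_attr = ""
    if groups is not None:
        values = "".join(f"<AttributeValue>{g}</AttributeValue>" for g in groups)
        group_attr = f'<Attribute Name="{AZURE_GROUPS_CLAIM}">{values}</Attribute>'
    return (f'<Assertion xmlns="{SAML_NS}"><AttributeStatement>'
            '<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">'
            "<AttributeValue>user@example.com</AttributeValue></Attribute>"
            f"{group_attr}</AttributeStatement></Assertion>")


# Constructed: a user in two groups, and a user whose group claim was dropped.
SAMPLE_RESPONSE_B64 = base64.b64encode(build_sample_assertion(["g-1", "g-2"]).encode()).decode()
SAMPLE_NO_GROUPS_B64 = base64.b64encode(build_sample_assertion(None).encode()).decode()
```

A "missing" result for a user who should have groups, while a user in fewer groups on the same app shows "present", is the signature of the 150-group limit rather than a claim misconfiguration.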
Note: Due to an update to Azure AD in late 2020, the workflow below is no longer viable. The limit of 150 groups is now a hard maximum, which has led to renewed requests for ArcGIS Enterprise to support the Microsoft Graph API for organizations with large group structures. ENH-000142837: "Add support for retrieving SAML groups, when Azure AD is the SAML IDP and a user’s group membership exceeds 150." If you are affected by this limitation, please log a case with Esri Support Services and request to be added to this record.
Note: For performance and reliability, it is not recommended to send a large number of groups in the SAML assertion. A better alternative to using SAML-based enterprise groups is to use groups managed by ArcGIS Online or ArcGIS Enterprise.
With an Azure AD premium subscription, it is possible to increase the number of groups sent in a SAML assertion response from 150 to 500 by following these steps: