VM Deployment

Question

VM Deployment

Jeffrey Cummings 0

Unable to create any VM resources

All deployment attempts fail with:

HTTP Error 400

Bad Request - Request Too Long

The size of the request headers is too long.

Occurs in:

Azure Portal
Azure Cloud Shell (CLI)

Tested with:

Ubuntu 24.04

Standard_D2s_v3

Region: East US 2

Also attempted in Central US.

Deployment fails before resource provisioning begins.

Suspected ARM request header / token size issue or tenant authentication problem.

Please investigate why ARM requests from this tenant are returning "Request Too Long".

Jilakara Hemalatha 11,865 Reputation points Microsoft External Staff Moderator

2026-03-12T23:16:35.7+00:00
Hello

Thank you for reaching out. To better understand the issue, could you please provide the following details:

How many Azure AD / Entra ID groups is your account currently a member of? You can check this by going to Entra ID → Users → Your Name → Groups and counting the total.

Are you using a personal user account, a service principal, or a managed identity to perform these deployments? Has this deployment worked successfully before, or is this your first attempt?

Is this issue affecting only your account, or are other users in the same tenant also unable to deploy VM resources?

Have there been any recent changes to your account, such as being added to new AD groups, new RBAC role assignments, or any tenant-level policy changes around the time this issue started?

Can you run the following command in Cloud Shell and share the character count or full output of your current token so we can confirm if token size is the root cause? az account get-access-token --query accessToken -o tsv | wc -c

Have there been any recent changes to your tenant’s security settings, group memberships, or role assignments?
Jilakara Hemalatha 11,865 Reputation points Microsoft External Staff Moderator

2026-03-13T21:27:56.35+00:00

Hi Jeffrey,

Could you please review the information shared above and let us know if it helps address the issue?

2 answers

Your answer

Jilakara Hemalatha 11,865 Reputation points Microsoft External Staff Moderator

2026-03-12T23:16:35.7+00:00

Hello

Thank you for reaching out. To better understand the issue, could you please provide the following details:

How many Azure AD / Entra ID groups is your account currently a member of? You can check this by going to Entra ID → Users → Your Name → Groups and counting the total.

Are you using a personal user account, a service principal, or a managed identity to perform these deployments? Has this deployment worked successfully before, or is this your first attempt?

Is this issue affecting only your account, or are other users in the same tenant also unable to deploy VM resources?

Have there been any recent changes to your account, such as being added to new AD groups, new RBAC role assignments, or any tenant-level policy changes around the time this issue started?

Can you run the following command in Cloud Shell and share the character count or full output of your current token so we can confirm if token size is the root cause? az account get-access-token --query accessToken -o tsv | wc -c

Have there been any recent changes to your tenant’s security settings, group memberships, or role assignments?
Jilakara Hemalatha 11,865 Reputation points Microsoft External Staff Moderator

2026-03-13T21:27:56.35+00:00

Hi Jeffrey,

Could you please review the information shared above and let us know if it helps address the issue?

Answer 1

Hello @Jeffrey Cummings ,

Has the issue been resolved? In addition to the comments above, I would like to share a few insights that may help:

The HTTP 400 “Request Too Long” error typically occurs due to oversized request headers generated by the browser session (such as cookies, cached tokens, or browser extensions).

In many cases, this is caused by an excessively large bearer token, which can result from the user account being assigned to a large number of roles, security groups, or additional claims.

To validate this, you can create a new Microsoft Entra ID account with minimal assignments specifically, the Global Administrator role in Entra ID and the Owner role on the Azure subscription. After creating the account, sign in using these credentials and attempt to create the VNet again to see if the issue persists.

Answer 2

Based on the error message “Bad Request: Request Too Long”, this behavior typically occurs when the authentication request is rejected before the deployment reaches the Azure Resource Manager (ARM) provisioning stage.

When a deployment request is sent to Azure Resource Manager, the request includes an authentication token in the HTTP header. In certain scenarios, this token can become excessively large due to factors such as:

Membership in a large number of Microsoft Entra ID groups

A high number of RBAC role assignments

Accumulated authentication cookies or additional claims

If the Authorization header exceeds the allowed size limit, Azure Resource Manager rejects the request and returns the HTTP 400 – Request Too Long error before any resource provisioning begins. This explains why the deployment fails immediately even though the VM configuration itself is valid.

To further validate and mitigate this behavior, we recommend the following steps:

1.Test deployment with a new user account

Create a new Microsoft Entra ID user with minimal group memberships and assign Owner or Contributor permissions to the subscription. If the deployment succeeds with this account, it would confirm that the issue is related to authentication token size.

Review and reduce group memberships

If the affected user belongs to a large number of Entra ID groups, removing unnecessary or redundant group memberships can help reduce the authentication token size.

Restrict group claims in the token

Work with your Entra ID administrator to configure the groups claim to emit only “Groups assigned to the application” instead of all groups. This limits the number of group claims included in the authentication token.

Consider using application roles instead of groups

Where possible, replace group-based access control with application roles, which produce smaller and more efficient claims in the authentication token.

Use a dedicated service principal for deployments

If deployments are being performed by a user account with extensive group memberships, consider creating a dedicated service principal with only the required RBAC permissions and minimal group associations.

Also, could you please try the deployment from InPrivate window.

These approaches can help reduce the authentication token size and prevent the “Request Too Long” error when sending requests to Azure Resource Manager.

Reference:

Azure Portal: Bad Request - Request Too Long

Hope this helps! Please let me know if you have any queries.

Share via

VM Deployment

2 answers

Your answer