Service limits and restrictions
Applies to: Workforce tenants External tenants (learn more)
This article outlines the service limits and usage constraints of Microsoft Entra External ID for external tenants, which is Microsoft’s latest customer identity and access management (CIAM) solution. If you’re looking for the full set of Microsoft Entra ID service limits, see Microsoft Entra service limits and restrictions.
The number of users able to authenticate through an external tenant is gated through request limits. The following table illustrates the request limits for your tenant.
Category | Limit |
---|---|
Maximum requests per IP per external tenant | 20 per second |
Maximum requests per external tenant | 200 per second |
Maximum requests per external trial tenant | 20 per second |
Microsoft Entra External ID is compliant with OAuth 2.0, OpenID Connect (OIDC) protocols. The following table lists the endpoints and the number of requests consumed by each endpoint.
Endpoint | Endpoint type | Requests consumed |
---|---|---|
/oauth2/v2.0/authorize | Dynamic | Varies |
/oauth2/v2.0/token | Static | 1 |
/.well-known/openid-config | Static | 1 |
/discovery/v2.0/keys | Static | 1 |
/oauth2/v2.0/logout | Static | 1 |
Each type of user flow provides a unique user experience and consumes a different number of requests. The token issuance rate of a user flow is dependent on the number of requests consumed by both the static and dynamic endpoints. The following table shows the number of requests consumed at a dynamic endpoint for each user flow.
User flow | Requests consumed |
---|---|
Sign up | 6 |
Sign in | 4 |
Password reset | 4 |
When you add more features to a user flow, such as multifactor authentication, more requests are consumed. The following table shows how many additional requests are consumed when a user interacts with one of these features.
Feature | Additional requests consumed |
---|---|
Email one-time password | 2 |
To obtain the token issuance rate per second for your user flow:
- Use the previous tables to add the total number of requests consumed at the dynamic endpoint.
- Add the number of requests expected at the static endpoints based on your application type.
- Use the following formula to calculate the token issuance rate per second.
Tokens/sec = 200/requests-consumed
The following table lists the administrative configuration limits in the Microsoft Entra External ID service.
Category | Limit |
---|---|
Number of scopes per application | 1000 |
Number of custom attributes per user | 100 |
Number of redirect URLs per application | 100 |
Number of sign-out URLs per application | 1 |
String limit per attribute | 250 Chars |
Number of external tenants per subscription | 20 |
Total number of objects (user accounts and applications) per trial tenant (can't be extended) | 10000 |
Total number of objects (user accounts and applications) per tenant. If you want to increase this limit, contact Microsoft Support. | 300,000 |
Number of custom authentication extensions | 100 |
Number of event listener policies | 249 |
The following table lists the service limits we implement to prevent outages and slowdowns. Learn more
Limit | Texts every 15 minutes | Texts every 60 minutes | Texts every 24 hours | Texts every 7 days |
---|---|---|---|---|
Limits based on IP address | 20 texts | 60 texts | 100 texts without a proxy 200 texts with a proxy |
No limit |
Limits based on phone number | 15 texts | 20 texts | 30 texts | 50 texts |
Limits based on tenant | 100 texts | 300 texts | 1,000 texts | No limit |