Cuir in eagar

Comhroinn trí


Microsoft Entra service limits and restrictions

This article contains the usage constraints and other service limits for the Microsoft Entra ID, part of Microsoft Entra, service. If you’re looking for the full set of Microsoft Azure service limits, see Azure Subscription and Service Limits, Quotas, and Constraints.

Here are the usage constraints and other service limits for the Microsoft Entra service.

Category Limit
Tenants
  • A single user can belong to a maximum of 500 Microsoft Entra tenants as a member or a guest.
  • Create a maximum of 200 tenants.
  • Limit of 300 license-based subscriptions (such as Microsoft 365 subscriptions) per tenant
  • Domains
  • You can add no more than 5,000 managed domain names.
  • If you set up all of your domains for federation with on-premises Active Directory, you can add no more than 2,500 domain names in each tenant.
  • Resources
    • By default, a maximum of 50,000 Microsoft Entra resources can be created in a single tenant by users of the Microsoft Entra ID Free edition. If you have at least one verified domain, the default Microsoft Entra service quota for your organization is extended to 300,000 Microsoft Entra resources.
      The Microsoft Entra service quota for organizations created by self-service sign-up remains 50,000 Microsoft Entra resources, even after you perform an internal admin takeover and the organization is converted to a managed tenant with at least one verified domain. This service limit is unrelated to the pricing tier limit of 500,000 resources on the Microsoft Entra pricing page.
      To go beyond the default quota, you must contact Microsoft Support.
    • A non-admin user can create no more than 250 Microsoft Entra resources. Both active resources and deleted resources that are available to restore count toward this quota. Only deleted Microsoft Entra resources that were deleted fewer than 30 days ago are available to restore. Deleted Microsoft Entra resources that are no longer available to restore count toward this quota at a value of one-quarter for 30 days.
      If you have developers who are likely to repeatedly exceed this quota in the course of their regular duties, you can create and assign a custom role with permission to create a limitless number of app registrations.
    • Resource limitations apply to all directory objects in a given Microsoft Entra tenant, including users, groups, applications, and service principals.
    Schema extensions
    • String-type extensions can have a maximum of 256 characters.
    • Binary-type extensions are limited to 256 bytes.
    • Only 100 extension values, across all types and all applications, can be written to any single Microsoft Entra resource.
    • Only User, Group, TenantDetail, Device, Application, and ServicePrincipal entities can be extended with string-type or binary-type single-valued attributes.
    Applications
    • A maximum of 100 users and service principals can be owners of a single application.
    • A user, group, or service principal can have a maximum of 1,500 app role assignments. The limitation is on the assigned service principal, user, or group across all app roles and not on the number of assignments of a single app role. This limit includes app role assignments where the resource service principal has been soft-deleted.
    • A user can have credentials configured for a maximum of 48 apps using password-based single sign-on. This limit only applies for credentials configured when the user is directly assigned the app, not when the user is a member of a group that is assigned.
    • A group can have credentials configured for a maximum of 48 apps using password-based single sign-on.
    • See additional limits in Validation differences by supported account types.
    Application manifest A maximum of 1,200 entries can be added to the application manifest.
    See additional limits in Validation differences by supported account types.
    Groups
    • A non-admin user can create a maximum of 250 groups in a Microsoft Entra organization. Any Microsoft Entra admin who can manage groups in the organization can also create an unlimited number of groups (up to the Microsoft Entra object limit). If you assign a role to a user to remove the limit for that user, assign a less privileged, built-in role such as User Administrator or Groups Administrator.
    • A Microsoft Entra organization can have a maximum of 15,000 dynamic groups and dynamic administrative units combined.
    • A maximum of 500 role-assignable groups can be created in a single Microsoft Entra organization (tenant).
    • A maximum of 100 users can be owners of a single group.
    • Any number of Microsoft Entra resources can be members of a single group.
    • A user can be a member of any number of groups. When security groups are being used in combination with SharePoint Online, a user can be a part of 2,049 security groups in total. This includes both direct and indirect group memberships. When this limit is exceeded, authentication and search results become unpredictable.
    • Starting with Microsoft Entra Connect v2.0, the V2 endpoint is the default API. The number of members in a group that you can synchronize from your on-premises Active Directory to Microsoft Entra ID by using Microsoft Entra Connect is limited to 250,000 members. For more information, see Microsoft Entra Connect Sync V2.
    • When you select a list of groups, you can assign a group expiration policy to a maximum of 500 Microsoft 365 groups. There's no limit when the policy is applied to all Microsoft 365 groups.

    At this time, the following scenarios are supported with nested groups:
    • One group can be added as a member of another group, and you can achieve group nesting.
    • Group membership claims. When an app is configured to receive group membership claims in the token, nested groups in which the signed-in user is a member are included.
    • Conditional Access (when a Conditional Access policy has a group scope).
    • Restricting access to self-serve password reset.
    • Restricting which users can do Microsoft Entra join and device registration.

    The following scenarios are not supported with nested groups:
    • App role assignment, for both access and provisioning. Assigning groups to an app is supported, but any groups nested within the directly assigned group won't have access.
    • Group-based licensing (assigning a license automatically to all members of a group).
    • Microsoft 365 Groups.
    Application Proxy
    • A maximum of 500 transactions* per second per Application Proxy application.
    • A maximum of 750 transactions per second for the Microsoft Entra organization.

      *A transaction is defined as a single HTTP request and response for a unique resource. When clients are throttled, they receive a 429 response (too many requests). Transaction metrics are collected on each connector and can be monitored using performance counters under the object name Microsoft Entra private network connector.
    Access Panel There's no limit to the number of applications per user that can be displayed in the Access Panel, regardless of the number of assigned licenses.
    Reports A maximum of 1,000 rows can be viewed or downloaded in any report. Any additional data is truncated.
    Administrative units
    • A Microsoft Entra resource can be a member of no more than 30 administrative units.
    • A maximum of 100 restricted management administrative units in a tenant.
    • A Microsoft Entra organization can have a maximum of 15,000 dynamic membership groups and dynamic administrative units combined.
    Microsoft Entra roles and permissions
    • A maximum of 100 Microsoft Entra custom roles can be created in a Microsoft Entra organization.
    • A maximum of 150 Microsoft Entra custom role assignments for a single principal at any scope.
    • A maximum of 100 Microsoft Entra built-in role assignments for a single principal at non-tenant scope (such as an administrative unit or Microsoft Entra object). There's no limit to Microsoft Entra built-in role assignments at tenant scope. For more information, see Assign Microsoft Entra roles at different scopes.
    • A group can't be added as a group owner.
    • A user's ability to read other users' tenant information can be restricted only by the Microsoft Entra organization-wide switch to disable all non-admin users' access to all tenant information (not recommended). For more information, see To restrict the default permissions for member users.
    • It might take up to 15 minutes or you might have to sign out and sign back in before admin role membership additions and revocations take effect.
    Conditional Access Policies A maximum of 195 policies can be created in a single Microsoft Entra organization (tenant).
    Terms of use You can add no more than 40 terms to a single Microsoft Entra organization (tenant).
    Multitenant organizations
    • A maximum of 100 active tenants, including the owner tenant. The owner tenant can add more than 100 pending tenants, but they won't be able to join the multitenant organization if the limit is exceeded. This limit is applied at the time a pending tenant joins a multitenant organization.
    • This limit is specific to the number of tenants in a multitenant organization. It doesn't apply to cross-tenant synchronization by itself.