Azure Active Directory B2C service limits and restrictions
Azure Active Directory B2C offers two methods to define how users interact with your applications: through predefined user flows or through fully configurable custom policies. The steps required in this article are different for each method.
This article outlines the usage constraints and other service limits for the Azure Active Directory B2C (Azure AD B2C) service. These limits are in place to protect the service by managing threats effectively and ensuring a high level of service quality.
Note
To increase any of the service limits mentioned in this article, contact Support.
User/consumption related limits
The number of users able to authenticate through an Azure AD B2C tenant is gated through request limits. The following table illustrates the request limits for your Azure AD B2C tenant.
Category | Limit |
---|---|
Maximum requests per IP per Azure AD B2C tenant | 6,000/5min |
Maximum requests per Azure AD B2C tenant | 200/sec |
Endpoint request usage
Azure AD B2C is compliant with OAuth 2.0, OpenID Connect (OIDC), and SAML protocols. It provides user authentication and single sign-on (SSO) functionality, with the endpoints listed in the following table.
The frequency of requests made to Azure AD B2C endpoints determines the overall token issuance capability. Each Azure AD B2C endpoint consumes a different number of requests. Review the Authentication Protocols article for more information on which endpoints your application uses.
Endpoint | Endpoint type | Requests consumed |
---|---|---|
/oauth2/v2.0/authorize | Dynamic | Varies ¹ |
/oauth2/v2.0/token | Static | 1 |
/openid/v2.0/userinfo | Static | 1 |
/.well-known/openid-config | Static | 1 |
/discovery/v2.0/keys | Static | 1 |
/oauth2/v2.0/logout | Static | 1 |
/samlp/sso/login | Dynamic | Varies ¹ |
/samlp/sso/logout | Static | 1 |
¹ The type of User Flow, or the configuration of your Custom Policy, determines the total number of requests consumed when using these endpoints.
Token issuance rate
Each type of User Flow provides a unique user experience and will consume a different number of requests. The token issuance rate of a User Flow is dependent on the number of requests consumed by both the static and dynamic endpoints. The below table shows the number of requests consumed at a dynamic endpoint for each User Flow.
User Flow | Requests consumed |
---|---|
Sign up | 6 |
Sign in | 4 |
Password reset | 4 |
Profile edit | 4 |
Phone Sign Up and Sign In | 6 |
When you add more features to a User Flow, such as multifactor authentication, more requests are consumed. The below table shows how many additional requests are consumed when a user interacts with one of these features.
Feature | Additional requests consumed |
---|---|
Microsoft Entra multifactor authentication | 2 |
Email one-time password | 2 |
Age gating | 2 |
Federated identity provider | 2 |
To obtain the token issuance rate per second for your User Flow:
- Use the tables above to add the total number of requests consumed at the dynamic endpoint.
- Add the number of requests expected at the static endpoints based on your application type.
- Use the formula below to calculate the token issuance rate per second.
Tokens/sec = 200/requests-consumed
The token issuance rate of a Custom Policy is dependent on the number of requests consumed by the static and dynamic endpoints. The below table shows the number of requests consumed at a dynamic endpoint for the Azure AD B2C starter packs.
Starter Pack | Scenario | User journey ID | Requests consumed |
---|---|---|---|
LocalAccounts | Sign-in | SignUpOrSignIn | 2 |
LocalAccounts, SocialAndLocalAccounts | Sign-up | SignUpOrSignIn | 6 |
LocalAccounts | Profile edit | ProfileEdit | 2 |
LocalAccounts, SocialAndLocalAccounts, SocialAndLocalAccountsWithMfa | Password reset | PasswordReset | 6 |
SocialAndLocalAccounts | Federated account sign-in | SignUpOrSignIn | 4 |
SocialAndLocalAccounts | Federated account sign-up | SignUpOrSignIn | 6 |
SocialAndLocalAccountsWithMfa | Local account sign-in with MFA | SignUpOrSignIn | 6 |
SocialAndLocalAccountsWithMfa | Local account sign-up with MFA | SignUpOrSignIn | 10 |
SocialAndLocalAccountsWithMfa | Federated account sign-in with MFA | SignUpOrSignIn | 8 |
SocialAndLocalAccountsWithMfa | Federated account sign-up with MFA | SignUpOrSignIn | 10 |
To obtain the token issuance rate per second for a particular user journey:
- Use the table above to find the number of requests consumed for your user journey.
- Add the number of requests expected at the static endpoints based on your application type.
- Use the formula below to calculate the token issuance rate per second.
Tokens/sec = 200/requests-consumed
Calculate the token issuance rate of your Custom Policy
You can create your own Custom Policy to provide a unique authentication experience for your application. The number of requests consumed at the dynamic endpoint depends on which features a user traverses through your Custom Policy. The below table shows how many requests are consumed for each feature in a Custom Policy.
Feature | Requests consumed |
---|---|
Self-asserted technical profile | 2 |
Phone factor technical profile | 4 |
Email verification (Verified.Email) | 2 |
Display Control | 2 |
Federated identity provider | 2 |
To obtain the token issuance rate per second for your Custom Policy:
- Use the table above to calculate the total number of requests consumed at the dynamic endpoint.
- Add the number of requests expected at the static endpoints based on your application type.
- Use the formula below to calculate the token issuance rate per second.
Tokens/sec = 200/requests-consumed
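The three procedures above (user flows, starter-pack user journeys, and custom policies) all end in the same formula, so one calculator serves all of them. The following Python script is a worked example added here; it is not Microsoft's code. It encodes the request costs and the tenant and per-IP limits from the tables on this page, and computes the token issuance rate for a constructed scenario. The set of static endpoints an application calls per sign-in and the expected sign-in rate are inputs you supply; the function names and the `fits_tenant_budget` capacity check are assumptions of this example.

```python
"""Token issuance rate calculator for Azure AD B2C.

Added worked example, not Microsoft's code. Request costs and limits are
copied from the tables on this page; the static endpoints your app calls
per sign-in and your expected sign-in rate are inputs you supply.
"""

TENANT_REQUESTS_PER_SEC = 200      # Maximum requests per Azure AD B2C tenant
IP_REQUESTS_PER_5MIN = 6_000       # Maximum requests per IP per tenant

# Requests consumed at the dynamic endpoint by each user flow.
USER_FLOW_REQUESTS = {
    "sign_up": 6,
    "sign_in": 4,
    "password_reset": 4,
    "profile_edit": 4,
    "phone_sign_up_sign_in": 6,
}

# Additional requests consumed when a user-flow feature is exercised.
USER_FLOW_FEATURE_REQUESTS = {
    "entra_mfa": 2,
    "email_otp": 2,
    "age_gating": 2,
    "federated_idp": 2,
}

# Requests consumed per feature a user traverses in a custom policy.
CUSTOM_POLICY_FEATURE_REQUESTS = {
    "self_asserted": 2,
    "phone_factor": 4,
    "email_verification": 2,
    "display_control": 2,
    "federated_idp": 2,
}

# Static endpoints consume one request per call.
STATIC_ENDPOINTS = {
    "/oauth2/v2.0/token",
    "/openid/v2.0/userinfo",
    "/.well-known/openid-config",
    "/discovery/v2.0/keys",
    "/oauth2/v2.0/logout",
    "/samlp/sso/logout",
}


def user_flow_requests(flow: str, features=()) -> int:
    """Dynamic-endpoint requests for a user flow plus any enabled features."""
    total = USER_FLOW_REQUESTS[flow]          # KeyError on an unknown flow name
    for feature in features:
        total += USER_FLOW_FEATURE_REQUESTS[feature]
    return total


def custom_policy_requests(steps) -> int:
    """Dynamic-endpoint requests for a custom policy journey.

    `steps` lists the features the user actually traverses; a feature that
    appears twice (for example two self-asserted pages) is charged twice.
    """
    return sum(CUSTOM_POLICY_FEATURE_REQUESTS[step] for step in steps)


def static_requests(endpoints) -> int:
    """Requests for the static endpoints an application calls per sign-in."""
    endpoints = list(endpoints)
    unknown = set(endpoints) - STATIC_ENDPOINTS
    if unknown:
        raise ValueError(f"not a static endpoint: {sorted(unknown)}")
    return len(endpoints)                     # one request per call


def tokens_per_second(requests_consumed: int) -> float:
    """Tokens/sec = 200 / requests-consumed (the formula on this page)."""
    if requests_consumed <= 0:
        raise ValueError("requests_consumed must be positive")
    return TENANT_REQUESTS_PER_SEC / requests_consumed


def fits_tenant_budget(expected_sign_ins_per_sec: float, requests_consumed: int) -> bool:
    """True when the expected sign-in rate stays inside the tenant's 200 req/sec limit."""
    return expected_sign_ins_per_sec * requests_consumed <= TENANT_REQUESTS_PER_SEC


def ip_requests_per_sec() -> float:
    """Sustained per-IP budget implied by 6,000 requests per 5 minutes (derived: 20/sec)."""
    return IP_REQUESTS_PER_5MIN / 300


if __name__ == "__main__":
    # Constructed scenario: a web app using the sign-up user flow with Entra MFA
    # and a federated identity provider, calling three static endpoints per sign-up.
    dynamic = user_flow_requests("sign_up", ["entra_mfa", "federated_idp"])   # 10
    static = static_requests(
        ["/oauth2/v2.0/token", "/.well-known/openid-config", "/discovery/v2.0/keys"]
    )                                                                         # 3
    total = dynamic + static                                                  # 13
    print(f"requests per sign-up: {total}, tokens/sec: {tokens_per_second(total):.2f}")
    print("fits 10 sign-ups/sec:", fits_tenant_budget(10, total))
    print(f"per-IP sustained budget: {ip_requests_per_sec():.0f} req/sec")
```

Two points the numbers make visible: the static-endpoint count is often where the budget goes, so caching the metadata and keys documents (as the best practices below recommend) raises the rate without touching the user flow; and the per-IP limit of 6,000 requests per 5 minutes works out to a sustained 20 requests per second, a budget shared by every user behind the same egress address, such as a corporate proxy.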
Best practices
You can optimize the token issuance rate by considering the following configuration options:
- Increasing access and refresh token lifetimes.
- Increasing the Azure AD B2C web session lifetime.
- Enabling Keep Me Signed In.
- Caching the OpenId Connect metadata documents at your APIs.
- Enforcing conditional MFA using Conditional Access.
Azure AD B2C configuration limits
The following table lists the administrative configuration limits in the Azure AD B2C service.
Category | Limit |
---|---|
Number of scopes per application | 1000 |
Number of custom attributes per user ¹ | 100 |
Number of redirect URLs per application | 100 |
Number of sign-out URLs per application | 1 |
String Limit per Attribute | 250 Chars |
Number of B2C tenants per subscription | 20 |
Total number of objects (user accounts and applications) per tenant (default limit) | 1.25 million |
Total number of objects (user accounts and applications) per tenant (using a verified custom domain). If you want to increase this limit, please contact Microsoft Support. | 5.25 million |
Levels of inheritance in custom policies | 10 |
Number of policies per Azure AD B2C tenant (user flows + custom policies) | 200 |
Maximum policy file size | 1024 KB |
Number of API connectors per tenant | 20 |
¹ See also Microsoft Entra service limits and restrictions.
Next steps
- Learn about Microsoft Graph's throttling guidance
- Learn about the validation differences for Azure AD B2C applications
- Learn about Resilience through developer best practices