Azure Active Directory B2C service limits and restrictions

Before you begin, use the Choose a policy type selector at the top of this page to choose the type of policy you’re setting up. Azure Active Directory B2C offers two methods to define how users interact with your applications: through predefined user flows or through fully configurable custom policies. The steps required in this article are different for each method.

This article outlines the usage constraints and other service limits for the Azure Active Directory B2C (Azure AD B2C) service. These limits are in place to protect by effectively managing threats and ensuring a high level of service quality.

Note

To increase any of the service limits mentioned in this article, contact Support.

The number of users able to authenticate through an Azure AD B2C tenant is gated through request limits. The following table illustrates the request limits for your Azure AD B2C tenant.

Category Limit
Maximum requests per IP per Azure AD B2C tenant 6,000/5min
Maximum requests per Azure AD B2C tenant 200/sec

Endpoint request usage

Azure AD B2C is compliant with OAuth 2.0, OpenID Connect (OIDC), and SAML protocols. It provides user authentication and single sign-on (SSO) functionality, with the endpoints listed in the following table.

The frequency of requests made to Azure AD B2C endpoints determines the overall token issuance capability. Azure AD B2C exposes endpoints, which consume a different number of requests. Review the Authentication Protocols article for more information on which endpoints are consumed by your application.

Endpoint Endpoint type Requests consumed
/oauth2/v2.0/authorize Dynamic Varies 1
/oauth2/v2.0/token Static 1
/openid/v2.0/userinfo Static 1
/.well-known/openid-config Static 1
/discovery/v2.0/keys Static 1
/oauth2/v2.0/logout Static 1
/samlp/sso/login Dynamic Varies 1
/samlp/sso/logout Static 1

1 The type of User Flow determines the total number of requests consumed when using these endpoints.

1 The configuration of your Custom Policy determines the total number of requests consumed when using these endpoints.

Token issuance rate

Each type of User Flow provides a unique user experience and will consume a different number of requests. The token issuance rate of a User Flow is dependent on the number of requests consumed by both the static and dynamic endpoints. The below table shows the number of requests consumed at a dynamic endpoint for each User Flow.

User Flow Requests consumed
Sign up 6
Sign in 4
Password reset 4
Profile edit 4
Phone Sign Up and Sign In 6

When you add more features to a User Flow, such as multifactor authentication, more requests are consumed. The below table shows how many additional requests are consumed when a user interacts with one of these features.

Feature Additional requests consumed
Microsoft Entra multifactor authentication 2
Email one-time password 2
Age gating 2
Federated identity provider 2

To obtain the token issuance rate per second for your User Flow:

  1. Use the tables above to add the total number of requests consumed at the dynamic endpoint.
  2. Add the number of requests expected at the static endpoints based on your application type.
  3. Use the formula below to calculate the token issuance rate per second.
Tokens/sec = 200/requests-consumed

The token issuance rate of a Custom Policy is dependent on the number of requests consumed by the static and dynamic endpoints. The below table shows the number of requests consumed at a dynamic endpoint for the Azure AD B2C starter packs.

Starter Pack Scenario User journey ID Requests consumed
LocalAccounts Sign-in SignUpOrSignIn 2
LocalAccounts SocialAndLocalAccounts Sign-up SignUpOrSignIn 6
LocalAccounts Profile edit ProfileEdit 2
LocalAccounts SocialAndLocalAccounts SocialAndLocalAccountsWithMfa Password reset PasswordReset 6
SocialAndLocalAccounts Federated account sign-in SignUpOrSignIn 4
SocialAndLocalAccounts Federated account sign-up SignUpOrSignIn 6
SocialAndLocalAccountsWithMfa Local account sign-in with MFA SignUpOrSignIn 6
SocialAndLocalAccountsWithMfa Local account sign-up with MFA SignUpOrSignIn 10
SocialAndLocalAccountsWithMfa Federated account sign-in with MFA SignUpOrSignIn 8
SocialAndLocalAccountsWithMfa Federated account sign-up with MFA SignUpOrSignIn 10

To obtain the token issuance rate per second for a particular user journey:

  1. Use the table above to find the number of requests consumed for your user journey.
  2. Add the number of requests expected at the static endpoints based on your application type.
  3. Use the formula below to calculate the token issuance rate per second.
Tokens/sec = 200/requests-consumed

Calculate the token issuance rate of your Custom Policy

You can create your own Custom Policy to provide a unique authentication experience for your application. The number of requests consumed at the dynamic endpoint depends on which features a user traverses through your Custom Policy. The below table shows how many requests are consumed for each feature in a Custom Policy.

Feature Requests consumed
Self-asserted technical profile 2
Phone factor technical profile 4
Email verification (Verified.Email) 2
Display Control 2
Federated identity provider 2

To obtain the token issuance rate per second for your Custom Policy:

  1. Use the table above to calculate the total number of requests consumed at the dynamic endpoint.
  2. Add the number of requests expected at the static endpoints based on your application type.
  3. Use the formula below to calculate the token issuance rate per second.
Tokens/sec = 200/requests-consumed

Best practices

You can optimize the token issuance rate by considering the following configuration options:

Azure AD B2C configuration limits

The following table lists the administrative configuration limits in the Azure AD B2C service.

Category Limit
Number of scopes per application  1000
Number of custom attributes per user 1 100
Number of redirect URLs per application 100
Number of sign-out URLs per application  1
String Limit per Attribute 250 Chars
Number of B2C tenants per subscription 20
Total number of objects (user accounts and applications) per tenant (default limit) 1.25 million
Total number of objects (user accounts and applications) per tenant (using a verified custom domain). If you want to increase this limit, please contact Microsoft Support. 5.25 million
Levels of inheritance in custom policies 10
Number of policies per Azure AD B2C tenant (user flows + custom policies) 200
Maximum policy file size 1024 KB
Number of API connectors per tenant 20

1 See also Microsoft Entra service limits and restrictions.

Next steps