Azure AD service limits and restrictions

This article contains the usage constraints and other service limits for the Azure Active Directory (Azure AD) service. If you’re looking for the full set of Microsoft Azure service limits, see Azure Subscription and Service Limits, Quotas, and Constraints.

Here are the usage constraints and other service limits for the Azure Active Directory (Azure AD) service.

Category Limits
Directories A single user can belong to a maximum of 500 Azure AD directories as a member or a guest.
A single user can create a maximum of 20 directories.
Domains You can add no more than 900 managed domain names. If you set up all of your domains for federation with on-premises Active Directory, you can add no more than 450 domain names in each directory.
Resources
  • A maximum of 50,000 Azure AD resources can be created in a single directory by users of the Free edition of Azure Active Directory by default. If you have at least one verified domain, the default directory service quota in Azure AD is extended to 300,000 Azure AD resources.
  • A non-admin user can create no more than 250 Azure AD resources. Both active resources and deleted resources that are available to restore count toward this quota. Only deleted Azure AD resources that were deleted fewer than 30 days ago are available to restore. Deleted Azure AD resources that are no longer available to restore count toward this quota at a value of one-quarter for 30 days. If you have developers who are likely to repeatedly exceed this quota in the course of their regular duties, you can create and assign a custom role with permission to create a limitless number of app registrations.
Schema extensions
  • String-type extensions can have a maximum of 256 characters.
  • Binary-type extensions are limited to 256 bytes.
  • Only 100 extension values, across all types and all applications, can be written to any single Azure AD resource.
  • Only User, Group, TenantDetail, Device, Application, and ServicePrincipal entities can be extended with string-type or binary-type single-valued attributes.
  • Schema extensions are available only in the Graph API version 1.21 preview. The application must be granted write access to register an extension.
Applications A maximum of 100 users can be owners of a single application.
Application Manifest A maximum of 1200 entries can be added in the Application Manifest.
Groups
  • A maximum of 100 users can be owners of a single group.
  • Any number of Azure AD resources can be members of a single group.
  • A user can be a member of any number of groups.
  • The number of members in a group that you can synchronize from your on-premises Active Directory to Azure Active Directory by using Azure AD Connect is limited to 50,000 members.
Application Proxy
  • A maximum of 500 transactions per second per App Proxy application
  • A maximum of 750 transactions per second for the tenant

A transaction is defined as a single http request and response for a unique resource. When throttled, clients will receive a 429 response (too many requests).
Access Panel
  • There's no limit to the number of applications that can be seen in the Access Panel per user. This applies to users assigned licenses for Azure AD Premium or the Enterprise Mobility Suite.
  • A maximum of 10 app tiles can be seen in the Access Panel for each user. This limit applies to users who are assigned licenses for Azure AD Free license plan. Examples of app tiles include Box, Salesforce, or Dropbox. This limit doesn't apply to administrator accounts.
Reports A maximum of 1,000 rows can be viewed or downloaded in any report. Any additional data is truncated.
Administrative units An Azure AD resource can be a member of no more than 30 administrative units.
Admin roles and permissions
  • A group cannot be added as an owner.
  • A group cannot be assigned to a role.
  • Users’ ability to read other users’ directory information cannot be restricted outside of the tenant-wide switch to disable all non-admin users’ access to all directory information (not recommended). More information on default permissions here.
  • It may take up to 15 minutes or signing out/signing in before admin role membership additions and revocations take effect.

Next steps