| Schema extensions |<ul><li>String-type extensions can have a maximum of 256 characters. </li><li>Binary-type extensions are limited to 256 bytes.</li><li>Only 100 extension values, across *all* types and *all* applications, can be written to any single Microsoft Entra resource.</li><li>Only User, Group, TenantDetail, Device, Application, and ServicePrincipal entities can be extended with string-type or binary-type single-valued attributes.</li><li> Only the "equals" operator is supported for DateTime-type extensions. Range operators like "greater than" or "less than" are not supported.</li></ul> |
| Applications | <ul><li>A maximum of 100 users and service principals can be owners of a single application.</li><li>A user, group, or service principal can have a maximum of 1,500 app role assignments. The limitation is on the assigned service principal, user, or group across all app roles and not on the number of assignments of a single app role. This limit includes app role assignments where the resource service principal has been soft-deleted.</li><li>A user can have credentials configured for a maximum of 48 apps using password-based single sign-on. This limit only applies for credentials configured when the user is directly assigned the app, not when the user is a member of a group that is assigned.</li><li>A group can have credentials configured for a maximum of 48 apps using password-based single sign-on.</li><li>See additional limits in [Validation differences by supported account types](~/identity-platform/supported-accounts-validation.md).</li></ul> |
|Application manifest |A maximum of 1,200 entries can be added to the application manifest.<br/>See additional limits in [Validation differences by supported account types](~/identity-platform/supported-accounts-validation.md). |
| Groups |<ul><li>A non-admin user can create a maximum of 250 groups in a Microsoft Entra organization. Any Microsoft Entra admin who can manage groups in the organization can also create an unlimited number of groups (up to the Microsoft Entra object limit). If you assign a role to a user to remove the limit for that user, assign a less privileged, built-in role such as User Administrator or Groups Administrator.</li><li>A Microsoft Entra organization can have a maximum of 15,000 dynamic groups (including those originating from Microsoft Entra entitlement management automatic assignment policies) and dynamic administrative units combined.</li><li>A maximum of 500 [role-assignable groups](~/identity/role-based-access-control/groups-concept.md) can be created in a single Microsoft Entra organization (tenant).</li><li>A maximum of 100 users can be owners of a single group.</li><li>There is a limit of 1010 groups per token allowed for [Entra Kerberos](/troubleshoot/windows-server/windows-security/logging-on-user-account-fails).</li><li>Any number of Microsoft Entra resources can be members of a single group.</li><li>If a user (or group) is a member of more than 2,048 groups (direct and nested), their access might be blocked. This limit applies to both direct and nested group memberships. See [Users, groups, and workload identities assignments in Conditional Access](~/identity/conditional-access/concept-conditional-access-users-groups.md).</li><li>A user can be a member of any number of groups. The following service-specific limits apply when group memberships are used in authentication or authorization (including direct and indirect memberships):<ul><li><b>SharePoint Online:</b> When security groups are used with SharePoint Online, a user can be a part of up to 2,047 security groups in total, including direct and indirect membership. When this limit is exceeded, authentication and search results can become unpredictable. See [SharePoint limits](/office365/servicedescriptions/sharepoint-online-service-description/sharepoint-online-limits).</li><li><b>SAML tokens:</b> If optional groups claims are enabled, up to 150 group memberships (including nested groups) are included in SAML assertions. If a user is in more than 150 groups, the groups claim is omitted and an overage claim is sent instead. Microsoft Entra ID supports group filtering only if a user belongs to 1,000 or fewer groups (including direct and transitive memberships). If this limit is exceeded, filtering won’t apply and an overage claim is sent instead. See [Configure optional claims](~/identity-platform/optional-claims.md) and the [SAML token claims reference](~/identity-platform/reference-saml-tokens.md#claims-in-saml-tokens) for implementation guidance.</li><li><b>JWT/OIDC tokens:</b> If optional groups claims are enabled, up to 200 group memberships (including nested groups) are included in JWT tokens. If a user is in more than 200 groups, the groups claim is omitted and an overage claim is sent instead. See [Configure optional claims](~/identity-platform/optional-claims.md) and the [Access token claims reference](~/identity-platform/access-token-claims-reference.md#payload-claims) for implementation guidance.</li><li><b>Conditional Access policies:</b> Policy evaluation supports up to 4,096 group memberships per user (direct and indirect). When this limit is exceeded, policy enforcement might fail. See [Users, groups, and workload identities assignments in Conditional Access](~/identity/conditional-access/concept-conditional-access-users-groups.md).</li></ul></li><li>Starting with Microsoft Entra Connect v2.0, the V2 endpoint is the default API. The number of members in a group that you can synchronize from your on-premises Active Directory to Microsoft Entra ID by using Microsoft Entra Connect is limited to 250,000 members. For more information, see [Microsoft Entra Connect Sync V2](../identity/hybrid/connect/how-to-connect-sync-endpoint-api-v2.md).</li><li>When you select a list of groups, you can assign a group expiration policy to a maximum of 500 Microsoft 365 groups. There's no limit when the policy is applied to all Microsoft 365 groups.</li></ul><br/>At this time, the following scenarios are supported with nested groups:<ul><li>One group can be added as a member of another group, and you can achieve group nesting.</li><li>Group membership claims. When an app is configured to receive group membership claims in the token, nested groups in which the signed-in user is a member are included.</li><li>Conditional Access (when a Conditional Access policy has a group scope).</li><li>Restricting access to self-serve password reset.</li><li>Restricting which users can do Microsoft Entra join and device registration.</li></ul><br/>The following scenarios are <i>not</i> supported with nested groups:<ul><li>App role assignment, for both access and provisioning. Assigning groups to an app is supported, but any groups nested within the directly assigned group won't have access.</li><li>Group-based licensing (assigning a license automatically to all members of a group).</li><li>Microsoft 365 Groups.</li></ul> |
| Application Proxy | <ul><li>A maximum of 500 transactions* per second per Application Proxy application.</li><li>A maximum of 750 transactions per second for the Microsoft Entra organization.</li></ul><br/>*A transaction is defined as a single HTTP request and response for a unique resource. When clients are throttled, they receive a 429 response (too many requests). Transaction metrics are collected on each connector and can be monitored using performance counters under the object name `Microsoft Entra private network connector`. |
| Access Panel |There's no limit to the number of applications per user that can be displayed in the Access Panel, regardless of the number of assigned licenses. |
| Reports | A maximum of 1,000 rows can be viewed or downloaded in any report. Any additional data is truncated. |
|Conditional Access Policies|A maximum of 240 policies can be created in a single Microsoft Entra organization (tenant).|
|Terms of use|You can add no more than 40 terms to a single Microsoft Entra organization (tenant).|
| Multitenant organizations | <ul><li>A maximum of 100 active tenants, including the owner tenant. The owner tenant can add more than 100 pending tenants, but they won't be able to join the multitenant organization if the limit is exceeded. This limit is applied at the time a pending tenant joins a multitenant organization.</li>This limit is specific to the number of tenants in a multitenant organization. It doesn't apply to cross-tenant synchronization by itself.</ul> |
|Agent Identity Blueprints |<ul><li>Non-admin users are restricted to creating a maximum of 250 Agent Identity Blueprints. Both active and deleted Blueprints contribute to this quota.</li><li>Blueprints can take up no more than 95% of the tenant's overall resource quota (see "Resources" above).</li></ul> |
|Agent Identities |<ul><li>Non-Microsoft management platforms using app-only permissions are limited to 250 Agent Identities per Blueprint. Delegated calls and Microsoft-owned platforms (Foundry, Copilot Studio) aren't subject to this cap.</li><li>Non-admin users are subject to the preexisting 250-owned-objects limit, which applies across all Microsoft Entra resource types.</li><li>Agent Identities can take up no more than 95% of the tenant's overall resource quota (see "Resources" above).</li></ul> |
| B2B Invitations | <ul><li><b>Workforce tenants with paid licenses</b><ul><li>Tenants less than or equal to 30 days old: 200 invitations per day</li><li>Tenants more than 30 days old: Capped by the Microsoft Entra service quotas</li></ul></li><li><b>Workforce tenants without paid licenses</b><ul><li>Tenants less than or equal to 30 days old: 10 invitations per day</li><li>Tenants more than 30 days old: 100 invitations per day</li></ul></li></ul> |
| Cross-tenant access policies | <ul><li>The [crossTenantAccessPolicyConfigurationPartner](/graph/api/resources/crosstenantaccesspolicyconfigurationpartner) object that corresponds to each cross-tenant access policy partner tenant relationship is limited to 4 KB.<br>Each [crossTenantAccessPolicyConfigurationPartner](/graph/api/resources/crosstenantaccesspolicyconfigurationpartner) object, including both overhead and the content of the JSON blob data, must not exceed this limit. To optimize your partner policies, consider using groups instead of explicit user IDs for scoping.</li></ul> |
| Schema extensions |<ul><li>String-type extensions can have a maximum of 256 characters. </li><li>Binary-type extensions are limited to 256 bytes.</li><li>Only 100 extension values, across *all* types and *all* applications, can be written to any single Microsoft Entra resource.</li><li>Only User, Group, TenantDetail, Device, Application, and ServicePrincipal entities can be extended with string-type or binary-type single-valued attributes.</li><li> Only the "equals" operator is supported for DateTime-type extensions. Range operators like "greater than" or "less than" are not supported.</li></ul> |
| Applications | <ul><li>A maximum of 100 users and service principals can be owners of a single application.</li><li>A user, group, or service principal can have a maximum of 1,500 app role assignments. The limitation is on the assigned service principal, user, or group across all app roles and not on the number of assignments of a single app role. This limit includes app role assignments where the resource service principal has been soft-deleted.</li><li>A user can have credentials configured for a maximum of 48 apps using password-based single sign-on. This limit only applies for credentials configured when the user is directly assigned the app, not when the user is a member of a group that is assigned.</li><li>A group can have credentials configured for a maximum of 48 apps using password-based single sign-on.</li><li>See additional limits in [Validation differences by supported account types](~/identity-platform/supported-accounts-validation.md).</li></ul> |
|Application manifest |A maximum of 1,200 entries can be added to the application manifest.<br/>See additional limits in [Validation differences by supported account types](~/identity-platform/supported-accounts-validation.md). |
| Groups |<ul><li>A non-admin user can create a maximum of 250 groups in a Microsoft Entra organization. This quota is shared with other Entra resources. Any Microsoft Entra admin who can manage groups in the organization can also create an unlimited number of groups (up to the Microsoft Entra object limit). If you assign a role to a user to remove the limit for that user, assign a less privileged, built-in role such as User Administrator or Groups Administrator.</li><li>A Microsoft Entra organization can have a maximum of 15,000 dynamic groups (including those originating from Microsoft Entra entitlement management automatic assignment policies) and dynamic administrative units combined.</li><li>A maximum of 500 [role-assignable groups](~/identity/role-based-access-control/groups-concept.md) can be created in a single Microsoft Entra organization (tenant).</li><li>A maximum of 100 users can be owners of a single group.</li><li>There is a limit of 1010 groups per token allowed for [Entra Kerberos](/troubleshoot/windows-server/windows-security/logging-on-user-account-fails).</li><li>Any number of Microsoft Entra resources can be members of a single group.</li><li>If a user (or group) is a member of more than 2,048 groups (direct and nested), their access might be blocked. This limit applies to both direct and nested group memberships. See [Users, groups, and workload identities assignments in Conditional Access](~/identity/conditional-access/concept-conditional-access-users-groups.md).</li><li>A user can be a member of any number of groups. The following service-specific limits apply when group memberships are used in authentication or authorization (including direct and indirect memberships):<ul><li><b>SharePoint Online:</b> When security groups are used with SharePoint Online, a user can be a part of up to 2,047 security groups in total, including direct and indirect membership. When this limit is exceeded, authentication and search results can become unpredictable. See [SharePoint limits](/office365/servicedescriptions/sharepoint-online-service-description/sharepoint-online-limits).</li><li><b>SAML tokens:</b> If optional groups claims are enabled, up to 150 group memberships (including nested groups) are included in SAML assertions. If a user is in more than 150 groups, the groups claim is omitted and an overage claim is sent instead. Microsoft Entra ID supports group filtering only if a user belongs to 1,000 or fewer groups (including direct and transitive memberships). If this limit is exceeded, filtering won’t apply and an overage claim is sent instead. See [Configure optional claims](~/identity-platform/optional-claims.md) and the [SAML token claims reference](~/identity-platform/reference-saml-tokens.md#claims-in-saml-tokens) for implementation guidance.</li><li><b>JWT/OIDC tokens:</b> If optional groups claims are enabled, up to 200 group memberships (including nested groups) are included in JWT tokens. If a user is in more than 200 groups, the groups claim is omitted and an overage claim is sent instead. See [Configure optional claims](~/identity-platform/optional-claims.md) and the [Access token claims reference](~/identity-platform/access-token-claims-reference.md#payload-claims) for implementation guidance.</li><li><b>Conditional Access policies:</b> Policy evaluation supports up to 4,096 group memberships per user (direct and indirect). When this limit is exceeded, policy enforcement might fail. See [Users, groups, and workload identities assignments in Conditional Access](~/identity/conditional-access/concept-conditional-access-users-groups.md).</li></ul></li><li>Starting with Microsoft Entra Connect v2.0, the V2 endpoint is the default API. The number of members in a group that you can synchronize from your on-premises Active Directory to Microsoft Entra ID by using Microsoft Entra Connect is limited to 250,000 members. For more information, see [Microsoft Entra Connect Sync V2](../identity/hybrid/connect/how-to-connect-sync-endpoint-api-v2.md).</li><li>When you select a list of groups, you can assign a group expiration policy to a maximum of 500 Microsoft 365 groups. There's no limit when the policy is applied to all Microsoft 365 groups.</li></ul><br/>At this time, the following scenarios are supported with nested groups:<ul><li>One group can be added as a member of another group, and you can achieve group nesting.</li><li>Group membership claims. When an app is configured to receive group membership claims in the token, nested groups in which the signed-in user is a member are included.</li><li>Conditional Access (when a Conditional Access policy has a group scope).</li><li>Restricting access to self-serve password reset.</li><li>Restricting which users can do Microsoft Entra join and device registration.</li></ul><br/>The following scenarios are <i>not</i> supported with nested groups:<ul><li>App role assignment, for both access and provisioning. Assigning groups to an app is supported, but any groups nested within the directly assigned group won't have access.</li><li>Group-based licensing (assigning a license automatically to all members of a group).</li><li>Microsoft 365 Groups.</li></ul> |
| Application Proxy | <ul><li>A maximum of 500 transactions* per second per Application Proxy application.</li><li>A maximum of 750 transactions per second for the Microsoft Entra organization.</li></ul><br/>*A transaction is defined as a single HTTP request and response for a unique resource. When clients are throttled, they receive a 429 response (too many requests). Transaction metrics are collected on each connector and can be monitored using performance counters under the object name `Microsoft Entra private network connector`. |
| Access Panel |There's no limit to the number of applications per user that can be displayed in the Access Panel, regardless of the number of assigned licenses. |
| Reports | A maximum of 1,000 rows can be viewed or downloaded in any report. Any additional data is truncated. |
|Conditional Access Policies|A maximum of 240 policies can be created in a single Microsoft Entra organization (tenant).|
|Terms of use|You can add no more than 40 terms to a single Microsoft Entra organization (tenant).|
| Multitenant organizations | <ul><li>A maximum of 100 active tenants, including the owner tenant. The owner tenant can add more than 100 pending tenants, but they won't be able to join the multitenant organization if the limit is exceeded. This limit is applied at the time a pending tenant joins a multitenant organization.</li>This limit is specific to the number of tenants in a multitenant organization. It doesn't apply to cross-tenant synchronization by itself.</ul> |
|Agent Identity Blueprints |<ul><li>Non-admin users are restricted to creating a maximum of 250 Agent Identity Blueprints. Both active and soft-deleted Blueprints contribute to this quota. This quota is shared with other Microsoft Entra resources.</li><li>Blueprints can take up no more than 95% of the tenant's overall resource quota (see "Resources" above).</li></ul> |
|Agent Identities |<ul><li>In a tenant, each Agent Blueprint managed by a platform not owned by Microsoft is limited to a maximum of 250 Agent Identities per Blueprint. This restriction does not apply to Blueprints managed by Microsoft-owned platforms, such as Foundry and Copilot Studio.</li><li>For non-admin users, the creation of Agent Identities is also capped at 250 per Agent Blueprint. Both active and deleted Agent Identities are counted toward this limit. This quota is shared with other Entra resources.</li><li>Agent Identities can take up no more than 95% of the tenant's overall resource quota (see **Resources**).</li></ul> |
| B2B Invitations | <ul><li><b>Workforce tenants with paid licenses</b><ul><li>Tenants less than or equal to 30 days old: 200 invitations per day</li><li>Tenants more than 30 days old: Capped by the Microsoft Entra service quotas</li></ul></li><li><b>Workforce tenants without paid licenses</b><ul><li>Tenants less than or equal to 30 days old: 10 invitations per day</li><li>Tenants more than 30 days old: 100 invitations per day</li></ul></li></ul> |
| Cross-tenant access policies | <ul><li>The [crossTenantAccessPolicyConfigurationPartner](/graph/api/resources/crosstenantaccesspolicyconfigurationpartner) object that corresponds to each cross-tenant access policy partner tenant relationship is limited to 4 KB.<br>Each [crossTenantAccessPolicyConfigurationPartner](/graph/api/resources/crosstenantaccesspolicyconfigurationpartner) object, including both overhead and the content of the JSON blob data, must not exceed this limit. To optimize your partner policies, consider using groups instead of explicit user IDs for scoping.</li></ul> |