
Поділитися через

Azure Active Directory B2C service limits and restrictions

Before you begin, use the Choose a policy type selector at the top of this page to choose the type of policy you’re setting up. Azure Active Directory B2C offers two methods to define how users interact with your applications: through predefined user flows or through fully configurable custom policies. The steps required in this article are different for each method.

This article outlines the usage constraints and other service limits for the Azure Active Directory B2C (Azure AD B2C) service. These limits are in place to protect by effectively managing threats and ensuring a high level of service quality.


To increase any of the service limits mentioned in this article, contact Support.

The number of users able to authenticate through an Azure AD B2C tenant is gated through request limits. The following table illustrates the request limits for your Azure AD B2C tenant.

Category Limit
Maximum requests per IP per Azure AD B2C tenant 6,000/5min
Maximum requests per Azure AD B2C tenant 200/sec

Endpoint request usage

Azure AD B2C is compliant with OAuth 2.0, OpenID Connect (OIDC), and SAML protocols. It provides user authentication and single sign-on (SSO) functionality, with the endpoints listed in the following table.

The frequency of requests made to Azure AD B2C endpoints determines the overall token issuance capability. Azure AD B2C exposes endpoints, which consume a different number of requests. Review the Authentication Protocols article for more information on which endpoints are consumed by your application.

Endpoint Endpoint type Requests consumed
/oauth2/v2.0/authorize Dynamic Varies 1
/oauth2/v2.0/token Static 1
/openid/v2.0/userinfo Static 1
/.well-known/openid-config Static 1
/discovery/v2.0/keys Static 1
/oauth2/v2.0/logout Static 1
/samlp/sso/login Dynamic Varies 1
/samlp/sso/logout Static 1

1 The type of User Flow determines the total number of requests consumed when using these endpoints.

1 The configuration of your Custom Policy determines the total number of requests consumed when using these endpoints.

Token issuance rate

Each type of User Flow provides a unique user experience and will consume a different number of requests. The token issuance rate of a User Flow is dependent on the number of requests consumed by both the static and dynamic endpoints. The below table shows the number of requests consumed at a dynamic endpoint for each User Flow.

User Flow Requests consumed
Sign up 6
Sign in 4
Password reset 4
Profile edit 4
Phone Sign Up and Sign In 6

When you add more features to a User Flow, such as multifactor authentication, more requests are consumed. The below table shows how many additional requests are consumed when a user interacts with one of these features.

Feature Additional requests consumed
Microsoft Entra multifactor authentication 2
Email one-time password 2
Age gating 2
Federated identity provider 2

To obtain the token issuance rate per second for your User Flow:

  1. Use the tables above to add the total number of requests consumed at the dynamic endpoint.
  2. Add the number of requests expected at the static endpoints based on your application type.
  3. Use the formula below to calculate the token issuance rate per second.
Tokens/sec = 200/requests-consumed

The token issuance rate of a Custom Policy is dependent on the number of requests consumed by the static and dynamic endpoints. The below table shows the number of requests consumed at a dynamic endpoint for the Azure AD B2C starter packs.

Starter Pack Scenario User journey ID Requests consumed
LocalAccounts Sign-in SignUpOrSignIn 2
LocalAccounts SocialAndLocalAccounts Sign-up SignUpOrSignIn 6
LocalAccounts Profile edit ProfileEdit 2
LocalAccounts SocialAndLocalAccounts SocialAndLocalAccountsWithMfa Password reset PasswordReset 6
SocialAndLocalAccounts Federated account sign-in SignUpOrSignIn 4
SocialAndLocalAccounts Federated account sign-up SignUpOrSignIn 6
SocialAndLocalAccountsWithMfa Local account sign-in with MFA SignUpOrSignIn 6
SocialAndLocalAccountsWithMfa Local account sign-up with MFA SignUpOrSignIn 10
SocialAndLocalAccountsWithMfa Federated account sign-in with MFA SignUpOrSignIn 8
SocialAndLocalAccountsWithMfa Federated account sign-up with MFA SignUpOrSignIn 10

To obtain the token issuance rate per second for a particular user journey:

  1. Use the table above to find the number of requests consumed for your user journey.
  2. Add the number of requests expected at the static endpoints based on your application type.
  3. Use the formula below to calculate the token issuance rate per second.
Tokens/sec = 200/requests-consumed

Calculate the token issuance rate of your Custom Policy

You can create your own Custom Policy to provide a unique authentication experience for your application. The number of requests consumed at the dynamic endpoint depends on which features a user traverses through your Custom Policy. The below table shows how many requests are consumed for each feature in a Custom Policy.

Feature Requests consumed
Self-asserted technical profile 2
Phone factor technical profile 4
Email verification (Verified.Email) 2
Display Control 2
Federated identity provider 2

To obtain the token issuance rate per second for your Custom Policy:

  1. Use the table above to calculate the total number of requests consumed at the dynamic endpoint.
  2. Add the number of requests expected at the static endpoints based on your application type.
  3. Use the formula below to calculate the token issuance rate per second.
Tokens/sec = 200/requests-consumed

Best practices

You can optimize the token issuance rate by considering the following configuration options:

Azure AD B2C configuration limits

The following table lists the administrative configuration limits in the Azure AD B2C service.

Category Limit
Number of scopes per application  1000
Number of custom attributes per user 1 100
Number of redirect URLs per application 100
Number of sign-out URLs per application  1
String Limit per Attribute 250 Chars
Number of B2C tenants per subscription 20
Total number of objects (user accounts and applications) per tenant (default limit) 1.25 million
Total number of objects (user accounts and applications) per tenant (using a verified custom domain). If you want to increase this limit, please contact Microsoft Support. 5.25 million
Levels of inheritance in custom policies 10
Number of policies per Azure AD B2C tenant (user flows + custom policies) 200
Maximum policy file size 1024 KB
Number of API connectors per tenant 20

1 See also Microsoft Entra service limits and restrictions.

Region specific service limits

As a protection for our customers, Microsoft places some restrictions on telephony verification for certain region codes. The following table lists the region codes and their corresponding limits.

Region Code Region Name Limit per tenant per 60 minutes Limit per tenant per 24 hours
228 Togo 10 30
257 Uzbek 10 30
970 State of Plaestine 10 30
249 Sudan 10 30
226 Burina Faso 10 30
252 Somalia 10 30
501 Belize 10 30
855 Cambodia 50 200
84 Vietnam 150 500
94 Sri Lanka 100 500
63 Philippines 50 200
62 Indonesia 50 200
7 Russia 100 1000
258 Mozambique 50 200
92 Pakistan 100 1000
994 Azerbaijan 50 200
880 Bangladesh 50 200
20 Egypt 50 200
260 Zambia 50 200
502 Guatemala 10 50
255 Tanzania 10 50
261 Madagascar 10 30
998 Uzbekistan 10 30
223 Mali 20 100
52 Mexico 100 500
60 Malaysia 50 200
221 Senegal 10 30
216 Tunisia 20 100
503 El Salvador 10 30
234 Nigeria 20 100
386 Slovenia 10 50
591 Bolivia 10 30
263 Zimbabwe 10 30
261 Madagascar 10 30
995 Georgia 10 30
993 Turkmenistan 10 30
256 Uganda 20 100
212 Moroccoa 20 100
856 Laos 50 200
224 Guinea 20 100
992 Tajikistan 10 30
238 Cape Verde 10 30

Next steps