Azure AD service limits and restrictions

This article contains the usage constraints and other service limits for the Azure Active Directory (Azure AD) service. If you're looking for the full set of Azure service limits, see Azure Subscription and Service Limits, Quotas, and Constraints.

Here are the usage constraints and other service limits for the Azure Active Directory (Azure AD) service, grouped by category.

Tenants
  • A single user can belong to a maximum of 500 Azure AD tenants as a member or a guest.
  • A single user can create a maximum of 200 directories.
Domains
  • You can add no more than 900 managed domain names. If you set up all of your domains for federation with on-premises Active Directory, you can add no more than 450 domain names in each tenant.
Resources
  • By default, a maximum of 50,000 Azure AD resources can be created in a single tenant by users of the Free edition of Azure Active Directory. If you have at least one verified domain, the default Azure AD service quota for your organization is extended to 300,000 Azure AD resources. The Azure AD service quota for organizations created by self-service sign-up remains 50,000 Azure AD resources even after you perform an internal admin takeover and the organization is converted to a managed tenant with at least one verified domain. This service limit is unrelated to the pricing tier limit of 500,000 resources on the Azure AD pricing page. To go beyond the default quota, you must contact Microsoft Support.
  • A non-admin user can create no more than 250 Azure AD resources. Both active resources and deleted resources that are available to restore count toward this quota. Only Azure AD resources that were deleted fewer than 30 days ago are available to restore. Deleted Azure AD resources that are no longer available to restore count toward this quota at a value of one-quarter for 30 days. If you have developers who are likely to repeatedly exceed this quota in the course of their regular duties, you can create and assign a custom role with permission to create an unlimited number of app registrations.
Schema extensions
  • String-type extensions can have a maximum of 256 characters.
  • Binary-type extensions are limited to 256 bytes.
  • Only 100 extension values, across all types and all applications, can be written to any single Azure AD resource.
  • Only User, Group, TenantDetail, Device, Application, and ServicePrincipal entities can be extended with string-type or binary-type single-valued attributes.
  • Schema extensions are available only in the Graph API version 1.21 preview. The application must be granted write access to register an extension.
Applications
  • A maximum of 100 users can be owners of a single application.
Application Manifest
  • A maximum of 1200 entries can be added in the Application Manifest.
Groups
  • A non-admin user can create a maximum of 250 groups in an Azure AD organization. Any Azure AD admin who can manage groups in the organization can create an unlimited number of groups (up to the Azure AD object limit). If you assign a role to remove the limit for a user, assign them a less privileged built-in role such as User Administrator or Groups Administrator.
  • A maximum of 100 users can be owners of a single group.
  • Any number of Azure AD resources can be members of a single group.
  • A user can be a member of any number of groups.
  • By default, the number of members in a group that you can synchronize from your on-premises Active Directory to Azure Active Directory by using Azure AD Connect is limited to 50,000 members. If you need to sync a group membership that's over this limit, you must onboard to the Azure AD Connect Sync V2 endpoint API.
  • Nested groups in Azure AD are not supported in all scenarios.

At this time, the following scenarios are supported with nested groups:
  • One group can be added as a member of another group to achieve group nesting.
  • Group membership claims (when an app is configured to receive group membership claims in the token, nested groups in which the signed-in user is a member are included).
  • Conditional Access (when a Conditional Access policy has a group scope).
  • Restricting access to self-service password reset.
  • Restricting which users can perform Azure AD Join and device registration.

The following scenarios do not support nested groups:
  • App role assignment (assigning groups to an app is supported, but groups nested within the directly assigned group will not have access), both for access and for provisioning.
  • Group-based licensing (assigning a license automatically to all members of a group).
  • Microsoft 365 Groups.
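The two lists above describe the same nested group differently depending on the consumer: group membership claims and Conditional Access resolve membership transitively, while app role assignment and group-based licensing see only direct members. The following added example (not part of the Azure AD documentation; all group and user names are constructed) models both resolution modes over a small, deliberately cyclic group graph and reports the users an administrator might wrongly assume are covered by an app role or license assignment.

```python
# Added example: models Azure AD group nesting behaviour for the scenarios in
# the limits table. Transitive resolution (group claims, Conditional Access)
# versus direct-only resolution (app role assignment, group-based licensing).
from collections import deque

# Constructed sample directory (hypothetical names): group -> direct members.
# Members that are themselves keys of MEMBERS are groups; everything else is a user.
# Security-Team contains All-Engineering, which creates a nesting cycle.
MEMBERS = {
    "All-Engineering": {"Platform-Team", "Security-Team", "cto"},
    "Platform-Team": {"alice", "bob", "SRE-Oncall"},
    "SRE-Oncall": {"carol"},
    "Security-Team": {"dave", "All-Engineering"},
}


def direct_user_members(group):
    """Users that are direct members of `group`. This is how app role
    assignment and group-based licensing resolve membership."""
    return {m for m in MEMBERS.get(group, set()) if m not in MEMBERS}


def transitive_user_members(group):
    """Users reachable through any depth of nesting. This is how group
    membership claims and Conditional Access resolve membership.
    Breadth-first with a visited set, so cyclic nesting terminates."""
    seen, users, queue = {group}, set(), deque([group])
    while queue:
        current = queue.popleft()
        for member in MEMBERS.get(current, set()):
            if member in MEMBERS:          # nested group: expand once
                if member not in seen:
                    seen.add(member)
                    queue.append(member)
            else:                          # user principal
                users.add(member)
    return users


def users_missing_access(assigned_group):
    """Users who are nested under `assigned_group` and would therefore be
    covered by a group claim or Conditional Access scope, but who receive no
    access or license when `assigned_group` is assigned to an app role or a
    license, because those features only see direct members."""
    return transitive_user_members(assigned_group) - direct_user_members(assigned_group)


if __name__ == "__main__":
    for group in MEMBERS:
        print(group, "direct:", sorted(direct_user_members(group)),
              "missing under app role/licensing:", sorted(users_missing_access(group)))
```

Running the report before assigning a parent group to an app role or license shows exactly which users need a flattened group or a direct assignment instead.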
Access Panel
  • There's no limit to the number of applications that can be seen in the Access Panel per user, regardless of assigned licenses.
Reports
  • A maximum of 1,000 rows can be viewed or downloaded in any report. Any additional data is truncated.
Administrative units
  • An Azure AD resource can be a member of no more than 30 administrative units.
Azure AD roles and permissions
  • A maximum of 30 Azure AD custom roles can be created in an Azure AD organization.
  • A group can't be added as a group owner.
  • A user's ability to read other users' tenant information can be restricted only by the Azure AD organization-wide switch that disables all non-admin users' access to all tenant information (not recommended). For more information, see To restrict the default permissions for member users.
  • It may take up to 15 minutes, or signing out and signing back in, before admin role membership additions and revocations take effect.

Next steps