Azure AD service limits and restrictions

This article contains the usage constraints and other service limits for the Azure Active Directory (Azure AD) service. If you're looking for the full set of Azure service limits, see Azure Subscription and Service Limits, Quotas, and Constraints.

Here are the usage constraints and other service limits for the Azure Active Directory (Azure AD) service, grouped by category.

Directories
  • A single user can belong to a maximum of 500 Azure AD directories as a member or a guest.
  • A single user can create a maximum of 200 directories.

Domains
  • You can add no more than 900 managed domain names. If you set up all of your domains for federation with on-premises Active Directory, you can add no more than 450 domain names in each directory.

Resources
  • A maximum of 50,000 Azure AD resources can be created in a single directory by users of the Free edition of Azure Active Directory by default. If you have at least one verified domain, the default Azure AD service quota for your organization is extended to 300,000 Azure AD resources. This service limit is unrelated to the pricing tier limit of 500,000 resources on the Azure AD pricing page. To go beyond the default quota, you must contact Microsoft Support.
  • A non-admin user can create no more than 250 Azure AD resources. Both active resources and deleted resources that are available to restore count toward this quota. Only Azure AD resources that were deleted fewer than 30 days ago are available to restore. Deleted Azure AD resources that are no longer available to restore count toward this quota at a value of one-quarter for 30 days. If you have developers who are likely to repeatedly exceed this quota in the course of their regular duties, you can create and assign a custom role with permission to create a limitless number of app registrations.
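To make the counting rule for the 250-resource quota concrete, here is an added example (not code from the original article) that weights a non-admin user's resources the way the text describes: active and still-restorable resources count 1, resources past the 30-day restore window count one-quarter for the following 30 days, and anything older counts 0. Reading "for 30 days" as days 30 to 60 after deletion, and the sample data, are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional

NON_ADMIN_QUOTA = 250        # per-user limit stated in the article
RESTORE_WINDOW_DAYS = 30     # deleted resources stay restorable for 30 days
REDUCED_WEIGHT_DAYS = 30     # then count at one-quarter for 30 more days (assumed reading)
REDUCED_WEIGHT = 0.25


@dataclass
class Resource:
    """One Azure AD resource created by the user (constructed sample type)."""
    name: str
    deleted_on: Optional[date] = None   # None means the resource is still active


def quota_weight(res: Resource, today: date) -> float:
    """Weight this resource contributes to the user's quota as of `today`."""
    if res.deleted_on is None:
        return 1.0                                   # active: counts in full
    age = (today - res.deleted_on).days
    if age < RESTORE_WINDOW_DAYS:
        return 1.0                                   # still restorable: counts in full
    if age < RESTORE_WINDOW_DAYS + REDUCED_WEIGHT_DAYS:
        return REDUCED_WEIGHT                        # no longer restorable: one-quarter
    return 0.0                                       # older than 60 days: no longer counted


def quota_usage(resources: Iterable[Resource], today: date) -> float:
    return sum(quota_weight(r, today) for r in resources)


def remaining_quota(resources: Iterable[Resource], today: date) -> float:
    return NON_ADMIN_QUOTA - quota_usage(resources, today)


# Constructed sample, evaluated as of 2024-06-01.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Resource("app-a"),
    Resource("app-b"),
    Resource("sp-c"),
    Resource("app-d", deleted_on=date(2024, 5, 22)),  # 10 days ago: restorable, weight 1
    Resource("app-e", deleted_on=date(2024, 4, 17)),  # 45 days ago: weight 0.25
    Resource("app-f", deleted_on=date(2024, 3, 3)),   # 90 days ago: weight 0
]

if __name__ == "__main__":
    print(f"usage={quota_usage(SAMPLE, TODAY)} remaining={remaining_quota(SAMPLE, TODAY)}")
```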
Schema extensions
  • String-type extensions can have a maximum of 256 characters.
  • Binary-type extensions are limited to 256 bytes.
  • Only 100 extension values, across all types and all applications, can be written to any single Azure AD resource.
  • Only User, Group, TenantDetail, Device, Application, and ServicePrincipal entities can be extended with string-type or binary-type single-valued attributes.
  • Schema extensions are available only in the Graph API version 1.21 preview. The application must be granted write access to register an extension.
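The limits above are easy to trip over in bulk provisioning code, so here is an added example (not from the article or the Graph API) of a local pre-write check that enforces them: the 256-character string limit (characters, not UTF-8 bytes), the 256-byte binary limit, the allowed entity types, and the 100-values-per-resource cap across all applications. The extension names and the `existing` dictionary shape are constructed for the example.

```python
from typing import Dict, List, Union

ALLOWED_ENTITIES = {"User", "Group", "TenantDetail", "Device", "Application", "ServicePrincipal"}
MAX_STRING_CHARS = 256
MAX_BINARY_BYTES = 256
MAX_EXTENSIONS_PER_RESOURCE = 100

ExtensionValue = Union[str, bytes]


def validate_extension_write(entity_type: str,
                             existing: Dict[str, ExtensionValue],
                             name: str,
                             value: ExtensionValue) -> List[str]:
    """Return the limit violations for writing `name=value` to one resource.

    `existing` holds the extension values already stored on that resource,
    across all applications. An empty list means the write is within limits.
    """
    errors: List[str] = []
    if entity_type not in ALLOWED_ENTITIES:
        errors.append(f"entity type {entity_type!r} cannot carry schema extensions")
    if isinstance(value, str):
        # The limit is 256 characters; non-ASCII text may be longer in UTF-8 and still pass.
        if len(value) > MAX_STRING_CHARS:
            errors.append(f"string value has {len(value)} characters, max {MAX_STRING_CHARS}")
    elif isinstance(value, (bytes, bytearray)):
        if len(value) > MAX_BINARY_BYTES:
            errors.append(f"binary value has {len(value)} bytes, max {MAX_BINARY_BYTES}")
    else:
        errors.append("only single-valued string or binary extensions are supported")
    # Overwriting an extension that is already present does not consume a new slot.
    slots_after_write = len(existing) + (0 if name in existing else 1)
    if slots_after_write > MAX_EXTENSIONS_PER_RESOURCE:
        errors.append(f"resource would hold {slots_after_write} extension values, "
                      f"max {MAX_EXTENSIONS_PER_RESOURCE}")
    return errors


# Constructed sample: a User that already carries the full 100 extension values.
FULL_USER: Dict[str, ExtensionValue] = {f"ext{i}": "x" for i in range(MAX_EXTENSIONS_PER_RESOURCE)}

if __name__ == "__main__":
    print(validate_extension_write("User", FULL_USER, "ext100", "one too many"))
```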
Applications
  • A maximum of 100 users can be owners of a single application.

Application Manifest
  • A maximum of 1200 entries can be added in the Application Manifest.

Groups
  • A user can create a maximum of 250 groups in an Azure AD organization.
  • A maximum of 100 users can be owners of a single group.
  • Any number of Azure AD resources can be members of a single group.
  • A user can be a member of any number of groups.
  • By default, the number of members in a group that you can synchronize from your on-premises Active Directory to Azure Active Directory by using Azure AD Connect is limited to 50,000 members. If you need to sync a group membership that's over this limit, you must onboard the Azure AD Connect Sync V2 endpoint API.
  • Nested groups in Azure AD are not supported in all scenarios.

At this time, the following scenarios are supported with nested groups:
  • One group can be added as a member of another group, and you can achieve group nesting.
  • Group membership claims (when an app is configured to receive group membership claims in the token, nested groups the signed-in user is a member of are included)
  • Conditional Access (when scoping a Conditional Access policy to a group)
  • Restricting access to self-service password reset

The following scenarios do not support nested groups:
  • App role assignment (assigning groups to an app is supported, but groups nested within the directly assigned group will not have access), both for access and for provisioning
  • Group-based licensing (assigning a license automatically to all members of a group)
  • Office 365 Groups
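Because app role assignment ignores nesting, a user reached only through a nested group gets no access (and no provisioning or license) even though membership reports suggest otherwise. The added example below, which is not from the article, walks a constructed membership graph and reports the users an app role assignment to a group would silently exclude, so they can be assigned directly or the group flattened. The `MEMBERS` structure and the `u:`/`g:` naming are constructed.

```python
from typing import Dict, List, Set

# Constructed directory: group -> its direct members. Users are "u:*", groups "g:*".
MEMBERS: Dict[str, Set[str]] = {
    "g:app-users":       {"u:alice", "g:eng"},
    "g:eng":             {"u:bob", "g:eng-contractors"},
    "g:eng-contractors": {"u:carol"},
    "g:sales":           {"u:dave"},
}


def direct_users(members: Dict[str, Set[str]], group: str) -> Set[str]:
    """Users an app role assignment to `group` actually grants access to (no nesting)."""
    return {m for m in members.get(group, set()) if m.startswith("u:")}


def transitive_users(members: Dict[str, Set[str]], group: str) -> Set[str]:
    """Users reachable through any depth of nesting (what admins usually expect)."""
    seen: Set[str] = set()
    users: Set[str] = set()
    stack: List[str] = [group]
    while stack:
        g = stack.pop()
        if g in seen:
            continue                      # guards against membership cycles
        seen.add(g)
        for m in members.get(g, set()):
            if m.startswith("u:"):
                users.add(m)
            else:
                stack.append(m)           # nested group: descend into it
    return users


def silently_excluded(members: Dict[str, Set[str]], group: str) -> Set[str]:
    """Users who appear entitled via nesting but get nothing from an app role assignment to `group`."""
    return transitive_users(members, group) - direct_users(members, group)


if __name__ == "__main__":
    print(sorted(silently_excluded(MEMBERS, "g:app-users")))
```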
Access Panel
  • There's no limit to the number of applications that can be seen in the Access Panel per user, regardless of assigned licenses.

Reports
  • A maximum of 1,000 rows can be viewed or downloaded in any report. Any additional data is truncated.

Administrative units
  • An Azure AD resource can be a member of no more than 30 administrative units.

Admin roles and permissions
  • A group cannot be added as an owner.
  • Users' ability to read other users' directory information cannot be restricted, other than through the Azure AD organization-wide switch that disables all non-admin users' access to all directory information (not recommended). For more information, see the documentation on default user permissions.
  • It may take up to 15 minutes, or signing out and signing in again, before admin role membership additions and revocations take effect.

Next steps