Azure Active Directory is Microsoft’s Identity as a Service platform. It is a global service, used by millions of organizations worldwide. To make the service useable for all of these organizations, Microsoft works with limits. In Azure Active Directory, one such limit it the object limit.
A maximum of 50,000 Azure AD resources can be created in a single directory by users of the Free edition of Azure Active Directory by default. If you have at least one verified domain, the default Azure AD service quota for your organization is extended to 300,000 Azure AD resources. This service limit is unrelated to the pricing tier limit of 500,000 resources on the Azure AD pricing page. To go beyond the default quota, you must contact Microsoft Support.
When troubleshooting Azure AD Connect synchronization problems, Azure AD scalability challenges and other vague cloud behavior, it might be beneficial to know your Azure AD tenant’s object limit. This can also be useful when you have a support request to extend the object limit.
How to determine the object limit and count
You can query your organization’s Azure AD object limit through the Microsoft Graph API. You can query the Graph API through PowerShell, but let’s use the Graph Explorer method, instead. Perform these steps:
- Open a browser.
- Navigate to the Graph Explorer at aka.ms/ge.
- In the left navigation pane, click the blue Sign in to Graph Explorer button or click the blue user button at the top of the Graph Explorer interface, depending on your devices resolution and browser window size.
- Sign in with an account in the Azure AD tenant.
If this is the first time you use the Graph Explorer with this Azure AD tenant, sign in with a user that has privileges to consent to applications. By default, the Global Administrator role, Application Administrator role and Cloud Application Administrator role have these permissions, but when an admin for the organization has allowed people in the organization to consent to User.Read permissions, any user account in the Azure AD tenant can be used.
- Perform multi-factor authentication, when prompted.
- On the Permissions requested page, click Accept.
The button in the Graph Explorer website should now be replaced with your account information.
- At the top of the main pane, next to GET, change the Graph API version from v1.0 to beta. Then, change the end of the url from me/ to organization/.
- Click the Run query button.
- In the main pane, you should now see the JSON-formatted response. Scroll down, until you come to directorySizeQuota. Underneath, you will find the used and total values, representing the number of objects in the Azure AD tenant, and the maximum allowed number of objects in the Azure AD tenant.
- Click the little cog to the right of the account and select Sign out from the context menu.
- Close the browser.
The number of accounts in the Azure AD tenant and the object limit might be useful one day. It’s a good thing Microsoft added it to the Microsoft Graph Beta in March 2020.
The above 'used' number is comparable to the use of Distinguished Name Tags (DNTs) and relative Identifiers (rIDs) in Active Directory. To expose these numbers, follow the steps in my blogposts New features in AD DS in Windows Server 2012, Part 14: RID improvements and New features in AD DS in Windows Server 2012, Part 18: DNTs Exposed. Similarly, you might want to know those numbers to see if your organization is reaching any limit and you might want to up the artificial RID ceiling.