HOWTO: Determine your Azure AD tenant’s object limit and count


Azure Active Directory

Azure Active Directory is Microsoft's Identity as a Service platform. It is a global service, used by millions of organizations worldwide. To keep the service usable for all of these organizations, Microsoft works with limits. In Azure Active Directory, one such limit is the object limit.

All of Azure AD's limits are described on the Azure AD service limits and restrictions page on Microsoft Docs. For Azure AD's object limit, the following is shared:

A maximum of 50,000 Azure AD resources can be created in a single directory by users of the Free edition of Azure Active Directory by default. If you have at least one verified domain, the default Azure AD service quota for your organization is extended to 300,000 Azure AD resources. This service limit is unrelated to the pricing tier limit of 500,000 resources on the Azure AD pricing page. To go beyond the default quota, you must contact Microsoft Support.


When troubleshooting Azure AD Connect synchronization problems, Azure AD scalability issues and other hard-to-explain cloud behavior, it helps to know your Azure AD tenant's object limit and how much of it is already used. The same two numbers are needed when you file a support request to extend the object limit.


How to determine the object limit and count

You can query your organization's Azure AD object limit through the Microsoft Graph API. You can call the Graph API from PowerShell, but let's use the Graph Explorer instead. Perform these steps:

  • Open a browser.
  • Navigate to the Graph Explorer at aka.ms/ge.
  • In the left navigation pane, click the blue Sign in to Graph Explorer button, or click the blue user button at the top of the Graph Explorer interface, depending on your device's resolution and browser window size.
  • Sign in with an account in the Azure AD tenant.

If this is the first time you use the Graph Explorer with this Azure AD tenant, sign in with a user that has privileges to consent to applications. By default, the Global Administrator, Application Administrator and Cloud Application Administrator roles have this permission, but when an admin for the organization has allowed people in the organization to consent to applications that request the User.Read permission, any user account in the Azure AD tenant can be used.

  • Perform multi-factor authentication, when prompted.
  • On the Permissions requested page, click Accept.
    The button in the Graph Explorer website should now be replaced with your account information.
  • At the top of the main pane, next to GET, change the Graph API version from v1.0 to beta. Then change the end of the URL from me/ to organization/, so that the request reads GET https://graph.microsoft.com/beta/organization. The directorySizeQuota property is only returned by the beta endpoint, not by v1.0.
  • Click the Run query button.

Graph Explorer - Organization - DirectorySizeQuota

  • In the main pane, you should now see the JSON-formatted response. Scroll down until you reach directorySizeQuota. Underneath it you will find the used and total values: the number of objects currently in the Azure AD tenant and the maximum number of objects the tenant may hold. Compare total with the defaults quoted above (50,000 without a verified domain, 300,000 with one); any other value means the quota was changed through Microsoft Support.
  • Click the little cog to the right of the account and select Sign out from the context menu.
  • Close the browser.


Concluding

The number of objects in the Azure AD tenant and the object limit might be useful one day. It's a good thing Microsoft added them to the Microsoft Graph beta endpoint in March 2020.

The 'used' number above is comparable to the consumption of Distinguished Name Tags (DNTs) and relative identifiers (RIDs) in Active Directory Domain Services. To expose those numbers, follow the steps in my blog posts New features in AD DS in Windows Server 2012, Part 14: RID improvements and New features in AD DS in Windows Server 2012, Part 18: DNTs Exposed. There, too, you want to know the numbers to see whether your organization is approaching a limit, and whether you need to raise the artificial RID ceiling.

5 Responses to HOWTO: Determine your Azure AD tenant’s object limit and count

  1.  

    You guys are rocking… 🙂

  2.  

    thanks for sharing, very helpful indeed.

    We do have User.Read granted, but it still won't log me in, so I think the permissions you wanted are required also. I tried on Chrome/Edge/Internet Explorer to rule out any browser issues; it takes my credentials, then returns to the same page, which still shows I'm not logged in.

  3.  

    Beautiful!! Thank You!

  4.  

    Is there any way we can automate this? It would be great if an email were triggered to the admin when the quota reached 90%.

    Thanks,
    Sandeep

    • Hi Sandeep,

      Yes. I feel there are even two ways to do this.
      Adam Bertram has a good write-up on how to query the Graph API using PowerShell. Using his information and the information above, you should be able to get both values.
      Alternatively, you can use Power Automate to query the Graph API. There's a HOWTO on the Microsoft Docs Wiki.
      Then, all you have to do is divide the two values to see if you reached 90% yet and do some alerting.
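As an added example that is not part of the original post or of the comment replies, here is a PowerShell version of the Graph Explorer procedure above that also answers Sandeep's automation question: it requests GET /beta/organization with the Microsoft Graph PowerShell SDK, computes used/total from directorySizeQuota, and flags usage at or above a threshold so that any alerting mechanism can be hooked on. It assumes the Microsoft.Graph module is installed, that the signed-in account can consent to the User.Read delegated scope (the same permission the Graph Explorer steps rely on), and that the property stays on the beta endpoint in the shape shown in the post. The function name, the 90% threshold and the sample tenant values are my own.

```powershell
# Added example, not code from the original post: query a tenant's
# directorySizeQuota and flag usage above a threshold.
# Assumptions: the Microsoft.Graph PowerShell module is installed and the
# signed-in user can consent to the User.Read delegated scope (as in the
# Graph Explorer steps); the directorySizeQuota property is beta-only.

function Get-DirectoryQuotaStatus {
    <#
    .SYNOPSIS
    Turns one 'organization' object from GET /beta/organization into
    used/total/percent figures plus a threshold flag. Works on the
    hashtable Invoke-MgGraphRequest returns and on a hand-built sample.
    #>
    param(
        [Parameter(Mandatory)] $Organization,   # object with .directorySizeQuota
        [int] $ThresholdPercent = 90            # alert level chosen for this example
    )

    $quota = $Organization.directorySizeQuota
    if ($null -eq $quota -or -not $quota.total) {
        # v1.0 does not return directorySizeQuota at all; fail loudly rather
        # than report 0% used.
        throw 'directorySizeQuota is missing or empty; query the beta endpoint.'
    }

    $percent = [math]::Round(($quota.used / $quota.total) * 100, 2)

    [pscustomobject]@{
        TenantId      = $Organization.id
        DisplayName   = $Organization.displayName
        Used          = [int]$quota.used
        Total         = [int]$quota.total
        PercentUsed   = $percent
        OverThreshold = ($percent -ge $ThresholdPercent)
    }
}

# 1) Offline check against a constructed response shaped like the real one.
#    The values are invented for illustration, not measured from any tenant.
$sample = @{
    id                 = '00000000-0000-0000-0000-000000000000'
    displayName        = 'Contoso'
    directorySizeQuota = @{ used = 271450; total = 300000 }
}
Get-DirectoryQuotaStatus -Organization $sample -ThresholdPercent 90
# For this sample: PercentUsed 90.48, OverThreshold True.

# 2) Live query. Invoke-MgGraphRequest returns a hashtable; the single
#    tenant object sits in the 'value' array, exactly as in the Graph
#    Explorer response.
Connect-MgGraph -Scopes 'User.Read'
$response = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/organization'
$status   = Get-DirectoryQuotaStatus -Organization $response.value[0] -ThresholdPercent 90

$status | Format-List
if ($status.OverThreshold) {
    # Replace with Send-MailMessage, a Teams webhook or your monitoring hook.
    Write-Warning ('Tenant {0} has used {1}% of its {2} object quota.' -f `
        $status.DisplayName, $status.PercentUsed, $status.Total)
}
Disconnect-MgGraph | Out-Null
```

Run it on a schedule (Azure Automation, a scheduled task, or the Power Automate route mentioned in the reply above) to get the 90% alert. Because the property lives on the beta endpoint, pin the check to that URL deliberately and keep the throw in place: a silent fallback to v1.0 would report the tenant as empty.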

