Commit b575aeb

Merge pull request #83005 from jirihofman/patch-3
Update active-directory-service-limits-include.md
2 parents 6e3bdef + 2da9a92 commit b575aeb

1 file changed

+1
-1
lines changed

includes/active-directory-service-limits-include.md

Lines changed: 1 addition & 1 deletion
@@ -19,7 +19,7 @@ Here are the usage constraints and other service limits for the Azure Active Dir
1919
| Schema extensions |<ul><li>String-type extensions can have a maximum of 256 characters. </li><li>Binary-type extensions are limited to 256 bytes.</li><li>Only 100 extension values, across *all* types and *all* applications, can be written to any single Azure AD resource.</li><li>Only User, Group, TenantDetail, Device, Application, and ServicePrincipal entities can be extended with string-type or binary-type single-valued attributes.</li></ul> |
2020
| Applications | <ul><li>A maximum of 100 users can be owners of a single application.</li><li>A user, group, or service principal can have a maximum of 1,500 app role assignments. The limitation is on the service principal, user, or group across all app roles and not on a limit on the number of assignments on a single app role.</li><li>Password-based single sign-on (SSO) app has a limit of 48 users, which means that there is a limit of 48 keys for username/password pairs per app. If you want to add additional users, see the troubleshooting instructions in [Troubleshoot password-based single sign-on in Azure AD](../articles/active-directory/manage-apps/troubleshoot-password-based-sso.md#i-cant-add-another-user-to-my-password-based-sso-app).</li><li>A user can only have a maximum of 48 apps where they have username and password credentials configured.</li></ul> |
2121
|Application Manifest |A maximum of 1200 entries can be added in the Application Manifest. |
22-
| Groups |<ul><li>A non-admin user can create a maximum of 250 groups in an Azure AD organization. Any Azure AD admin who can manage groups in the organization can also create unlimited number of groups (up to the Azure AD object limit). If you assign a role to remove the limit for a user, assign them to a less privileged built-in role such as User Administrator or Groups Administrator.</li><li>An Azure AD organization can have a maximum of 5000 dynamic groups.</li><li>A maximum of 400 role-assignable groups can be created in a single Azure AD organization (tenant).</li><li>A maximum of 100 users can be owners of a single group.</li><li>Any number of Azure AD resources can be members of a single group.</li><li>A user can be a member of any number of groups. Note: when using security groups in combination with SharePoint Online, a user can be a part of 2049 security groups in total (which is transitive, e.g. not only direct group memberships but also indirect group membership). When going over this limit, authentication and search results become unpredictable.</li><li>By default, the number of members in a group that you can synchronize from your on-premises Active Directory to Azure Active Directory by using Azure AD Connect is limited to 50,000 members. If you need to synch a group membership that's over this limit, you must onboard the [Azure AD Connect Sync V2 endpoint API](../articles/active-directory/hybrid/how-to-connect-sync-endpoint-api-v2.md).</li><li>Nested Groups in Azure AD are not supported within all scenarios</li><li>Group expiration policy can be assigned to a maximum of 500 Microsoft 365 groups, when selecting a list of groups. 
There is no limit when the policy is applied to all Microsoft 365 groups.</li></ul><br/> At this time the following are the supported scenarios with nested groups.<ul><li> One group can be added as a member of another group and you can achieve group nesting.</li><li> Group membership claims (when an app is configured to receive group membership claims in the token, nested groups in which the signed-in user is a member are included)</li><li>Conditional access (when a conditional access policy has a group scope)</li><li>Restricting access to self-serve password reset</li><li>Restricting which users can do Azure AD Join and device registration</li></ul><br/>The following scenarios DO NOT supported nested groups:<ul><li> App role assignment (assigning groups to an app is supported, but groups nested within the directly assigned group will not have access), both for access and for provisioning</li><li>Group-based licensing (assigning a license automatically to all members of a group)</li><li>Microsoft 365 Groups.</li></ul> |
22+
| Groups |<ul><li>A non-admin user can create a maximum of 250 groups in an Azure AD organization. Any Azure AD admin who can manage groups in the organization can also create unlimited number of groups (up to the Azure AD object limit). If you assign a role to remove the limit for a user, assign them to a less privileged built-in role such as User Administrator or Groups Administrator.</li><li>An Azure AD organization can have a maximum of 5000 dynamic groups.</li><li>A maximum of 400 role-assignable groups can be created in a single Azure AD organization (tenant).</li><li>A maximum of 100 users can be owners of a single group.</li><li>Any number of Azure AD resources can be members of a single group.</li><li>A user can be a member of any number of groups. Note: when using security groups in combination with SharePoint Online, a user can be a part of 2049 security groups in total (which is transitive, e.g. not only direct group memberships but also indirect group membership). When going over this limit, authentication and search results become unpredictable.</li><li>By default, the number of members in a group that you can synchronize from your on-premises Active Directory to Azure Active Directory by using Azure AD Connect is limited to 50,000 members. If you need to synch a group membership that's over this limit, you must onboard the [Azure AD Connect Sync V2 endpoint API](../articles/active-directory/hybrid/how-to-connect-sync-endpoint-api-v2.md).</li><li>Nested Groups in Azure AD are not supported within all scenarios</li><li>Group expiration policy can be assigned to a maximum of 500 Microsoft 365 groups, when selecting a list of groups. 
There is no limit when the policy is applied to all Microsoft 365 groups.</li></ul><br/> At this time the following are the supported scenarios with nested groups.<ul><li> One group can be added as a member of another group and you can achieve group nesting.</li><li> Group membership claims (when an app is configured to receive group membership claims in the token, nested groups in which the signed-in user is a member are included)</li><li>Conditional access (when a conditional access policy has a group scope)</li><li>Restricting access to self-serve password reset</li><li>Restricting which users can do Azure AD Join and device registration</li></ul><br/>The following scenarios DO NOT support nested groups:<ul><li> App role assignment (assigning groups to an app is supported, but groups nested within the directly assigned group will not have access), both for access and for provisioning</li><li>Group-based licensing (assigning a license automatically to all members of a group)</li><li>Microsoft 365 Groups.</li></ul> |
2323
| Application Proxy | <ul><li>A maximum of 500 transactions per second per App Proxy application</li><li>A maximum of 750 transactions per second for the Azure AD organization</li></ul><br/>A transaction is defined as a single http request and response for a unique resource. When throttled, clients will receive a 429 response (too many requests). |
2424
| Access Panel |There's no limit to the number of applications that can be seen in the Access Panel per user regardless of assigned licenses. |
2525
| Reports | A maximum of 1,000 rows can be viewed or downloaded in any report. Any additional data is truncated. |
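
Review bot: The added Groups row still carries wording defects in the same line, so they are worth fixing in this change rather than in a follow-up. In the SharePoint Online note, "which is transitive, e.g. not only direct group memberships" is a restatement, not an example, so it should read "i.e."; "If you need to synch a group membership" should use "sync" to match "Azure AD Connect Sync" later in the sentence; "can also create unlimited number of groups" is missing "an"; and the list item "Nested Groups in Azure AD are not supported within all scenarios" has no closing period, unlike the items around it. Separately, "assign them to a less privileged built-in role such as User Administrator or Groups Administrator" does not say less privileged than what, so consider naming the role it is being compared against to make the least-privilege guidance actionable.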
