The Conditional Access policy feature in Microsoft Entra ID is one of the most essential ones to set up when it comes to securing your Microsoft tenant. While every organization is different, there are certain CA policies that every tenant must set. But what if you have many CA policies? How far can you go, and what is the actual limit? In this article, you will learn about the Conditional Access Policy maximum limit in Microsoft Entra ID.
Conditional Access Policy limits in Microsoft Entra ID
An organization has around 200 CA policies in its Microsoft tenant and wants to add more. While 200 CA policies are a bit too much, it’s possible. However, we must be precise to know how many CA policies can be added, so a good advice and plan can be made.
This is what Microsoft tells us about the maximum Access Policy limit:
Creating a policy for each app isn’t efficient and makes managing policies difficult. Conditional Access has a limit of 240 policies per tenant. This 240-policy limit includes Conditional Access policies in any state, including report-only mode, on, or off.
After creating the CA policies in a Microsoft tenant, it appears that the maximum number of policies is 244 rather than 240.
Note: In April 2026, Microsoft increased the maximum number of CA policies from 195 to 244. This is a welcome improvement for organizations that require a large number of Conditional Access policies.
Why Conditional Access Policy limits exist
It comes down to the scale of processing. Every login request in Microsoft Entra ID must be processed through Conditional Access, which means that every policy—enabled or report-only—must be evaluated with all its conditions, scoping, and targeting. If you add too many policies, the login request can take longer than a user is willing to wait. There are also some other system limitations.
Microsoft conducted an additional evaluation and identified that they still had some room to spare. That being said, they recommend using broad policies wherever possible, with more granular ones reserved for specific use cases, such as high-privileged apps requiring security keys for admin users.
The advice is to keep the CA policies as low as possible if you can.
Read more: How to Export Conditional Access policies »
Conclusion
You learned what the Conditional Access policy maximum limit is set to in Microsoft Entra ID. The answer is 244 policies can be created. This is in any state, including report-only mode, on, or off.
This doesn’t mean that now you know about this limit, you can start to create a separate policy for each setting. Instead, you must keep the policies as low as possible by analyzing your apps and grouping them by the same resource requirements for the same users.
Did you enjoy this article? You may also like Conditional Access MFA breaks Azure AD Connect synchronization. Don’t forget to follow us and share this article.