External ID & MAU limits
VinTekh offers customer self-service signup via Microsoft Entra External ID (the consumer-facing identity product, formerly Azure AD B2C). The free tier covers 50,000 monthly active users (MAU). To stay within that limit and avoid surprise billing, the application enforces a configurable MAU cap.
What is a Monthly Active User?
An MAU is a unique user who authenticates at least once during a calendar month. Important nuances:
- Authentication, not registration. A user signed up six months ago who has not signed in this month is not an MAU.
- Per calendar month, not rolling 30-day. The counter resets on the 1st (UTC).
- One user = one MAU per month regardless of sign-in count. A customer signing in 100 times in a month still counts as 1.
Why we cap below 50,000
We default the effective cap to 45,000 — a 10% safety margin under Microsoft's free 50,000. Reasons:
- Race conditions: two simultaneous signups in the same minute can both slip past a counter check.
- Drift between our count and Microsoft's billing: federated and social sign-ins may count for billing slightly differently.
- Admin reaction time: if the threshold trips, we want ~3 days to react before month-end billing fires.
Admins can change the effective cap on MAU config. If multiple VinTekh deployments share the same Microsoft billing subscription, lower the cap proportionally.
What happens when the cap is reached
- New signups (via Entra External ID) are blocked. The customer sees a friendly "we're at capacity" page — preview here.
- Existing customers can still sign in. They're already on the MAU billing count for the month; no change.
- Workforce sign-ins are never blocked. Staff authenticate via the workforce Entra tenant (separate from External ID) and don't consume MAU billing.
- The block lifts automatically on the 1st of the next calendar month.
What admins can do
- Raise the cap — if you've confirmed extra budget, edit the effective cap on MAU config.
- Add a one-month override — lift the cap temporarily for the current month only. Audited; auto-expires at month-end.
- Pause enforcement — disable the guardrail entirely. Use only during incidents or planned migrations. Re-enable as soon as possible. While paused, MAU is informational only and signups are allowed regardless.
Where the numbers come from
The MAU count shown in the admin dashboard is app-local — we count every authenticated sign-in in our own database. This is accurate enough for guardrail purposes and updates in real time.
Microsoft billing is the authoritative source. We expect the two to agree within ~5%; the 10% safety margin absorbs any drift. When the nightly Entra reconciliation job is enabled (roadmap), the admin dashboard will surface the Microsoft-billing number alongside the app-local one.
Differences between metrics
| Metric | Definition |
|---|---|
| Registered users | Total user rows in our database, all time. |
| MAU this month | Distinct users with ≥1 sign-in in current calendar month. |
| New signups this month | Successful first-time signups in current month. |
| Microsoft billing | What Microsoft invoices — measured on their side; our count approximates it. |
Workforce vs External ID
VinTekh signs in two distinct populations through two distinct identity products:
- Workforce Entra ID — your internal staff/admins. Same tenant as your other corporate apps. No MAU billing impact for the VinTekh free tier.
- Entra External ID — your customers. Separate tenant (CIAM-style). MAU billing applies; this page's guardrail covers it.
Both flow through one NextAuth setup; only External-ID signups run through the MAU guardrail.
- Help home
- Getting started
- How VinTekh works
- Read-only model
- Connect a source
- Azure Reader SP
- AWS cross-account role
- GCP Workload Identity
- External ID & MAU
- SCIM 2.0 provisioning
- Investigate a finding
- Recommendations
- Service coverage
- Platform capabilities
- Troubleshooting
- Glossary
- REST API
- Admin guide
- Release notes
- Support