Azure Key Vault · Rate Limits
Microsoft Azure Key Vault Rate Limits
Azure Key Vault enforces per-vault and per-subscription/region request-rate limits separately for HSM and non-HSM operations. Limits are intentionally low compared to general data services because Key Vault is a control-plane-style service. Managed HSM has its own higher per-pool transaction limits.
7 Limits
Throttle: 429
Rate LimitingSecurityKey ManagementMicrosoft Azure
Limits
HSM keys - other transactions per vault per 10s vault
1000
HSM keys - cryptographic operations per vault per 10s vault
see Azure Key Vault service limits (varies by key type)
Software keys - cryptographic operations per vault per 10s vault
2000
Software keys - other operations per vault per 10s vault
4000
Secrets, managed storage, vault transactions per vault per 10s vault
4000
Subscription/region aggregate subscription/region
see Azure Key Vault service limits (per subscription per region)
Managed HSM transactions managed_hsm
see Managed HSM throughput targets
Policies
Honor Retry-After
Wait the duration specified in Retry-After before retrying. Throttling on Key Vault is by design tighter than data-plane services.
Cache and reuse access tokens
Acquire AAD access tokens once and reuse for the token lifetime; do not call AAD on every Key Vault operation.
Cache key material locally
For high-throughput crypto, use a Managed HSM with envelope encryption and cache the data encryption key (DEK) locally rather than calling Key Vault per operation.
Backoff with jitter
Apply exponential backoff with jitter on 429 responses to avoid retry storms across callers.