Microsoft Azure Active Directory · Rate Limits
Microsoft Azure Active Directory Rate Limits
Microsoft Entra ID is consumed primarily through Microsoft Graph. Throttling is applied per app, per tenant, and per service using a token-bucket algorithm. Limits are not plan-scoped; they are global to the Graph service. From September 30, 2025 the per-app/per-tenant cap is half of the total per-tenant limit so a single app cannot consume the full tenant quota.
6 Limits
Throttle: 429
Rate LimitingIdentityMicrosoft Entra
Limits
Global per-app limit app
130000
Universal cap of 130,000 requests per 10 seconds per app across all tenants.
Per-tenant general operations tenant
2000
2,000 requests per 20 seconds tenant-wide; ~50 RPS sustained.
Per-app per-tenant general operations app/tenant
1000
1,000 requests per 20 seconds for a single app per tenant.
Intune device management per-tenant tenant
4000
Intune device management per-app per-tenant app/tenant
2000
Service-specific limits app/tenant/service
see Microsoft Graph service-specific throttling limits
Policies
Token-bucket algorithm
Throttling sums weighted request costs against per-tenant and per-app buckets; only requests above the limit are throttled (HTTP 429).
Honor Retry-After
When a 429 or 503 is returned, wait the duration in the Retry-After header before retrying.
Backoff with jitter
Use exponential backoff with jitter on transient errors to avoid synchronized retry storms across distributed callers.
Use batching and delta queries
Reduce request count using $batch, delta queries, change notifications, and selecting only required properties.
Bulk extracts via Data Connect
Microsoft Graph Data Connect supports bulk extraction of Microsoft 365 data without Graph throttling limits.