Microsoft Defender Rate Limits
Microsoft Defender rate limits depend on the API surface. The Microsoft Defender for Endpoint REST API (api.securitycenter.microsoft.com / api.security.microsoft.com) caps most endpoints at 100 calls per minute and 1,500 calls per hour per tenant per app, with some endpoints (advanced hunting, indicators) at lower limits. Defender for Cloud configuration goes through Azure Resource Manager (ARM) and uses the standard ARM token-bucket throttling. Microsoft Graph Security API calls are governed by Microsoft Graph throttling. All surfaces use HTTP 429 with Retry-After.
Limits
Defender for Endpoint API — general (scope: tenant/app)
Limit: 100 calls per minute
100 calls per minute and 1,500 calls per hour per tenant per app for most endpoints.
Defender for Endpoint API — hourly cap (scope: tenant/app)
Limit: 1,500 calls per hour
1,500 calls per hour per tenant per app.
Advanced Hunting API (scope: tenant)
Limit: 45 queries per minute
45 advanced-hunting queries per minute per tenant; 1,500 per hour. Each query has a 10-second runtime cap and 10,000-row result cap.
Indicators API (scope: tenant)
Limit: 15,000 indicators
Maximum 15,000 file/IP/URL indicators per tenant.
Microsoft Graph Security (scope: app/tenant)
Limit: see vendor docs
Standard Microsoft Graph throttling; many endpoints share the per-app per-tenant 130k/10s envelope.
Defender for Cloud configuration (ARM) (scope: subscription/region)
Limit: 25
Standard ARM read bucket; writes share ARM write bucket of 10/sec.
Policies
Honor Retry-After
429 responses include Retry-After. Implement exponential backoff with jitter.
Use $batch for Microsoft Graph
Batch up to 20 Graph requests into a single HTTP call to reduce per-app throttling pressure.
Page advanced hunting
Advanced Hunting caps result rows at 10,000 — paginate via timestamps for large time ranges.
App registration scope
Each app registration has its own per-tenant quota; spread automation across multiple apps if you need more headroom.
No support raise
Per-app quotas are typically not raised by support. Use the Microsoft Graph Security streaming API (Event Hubs / Log Analytics) for high-volume telemetry.