Microsoft Entra · Rate Limits

Microsoft Entra Rate Limits

Microsoft Entra (Azure AD) administration is performed primarily through Microsoft Graph. Throttling for the directory/identity service uses a ResourceUnit token-bucket model scoped per (application, tenant) pair, with separate write quotas. Limits scale with tenant size (Small <50 users, Medium 50-500, Large >500). Returns 429 Too Many Requests with a Retry-After header.

9 Limits Throttle: 429
Rate LimitingIdentityAccess ManagementMicrosoft GraphMicrosoft

Limits

Read ResourceUnits — small tenant (<50 users) per app app/tenant
resource_units_per_10_seconds · second
3500
10-second sliding window
Read ResourceUnits — medium tenant (50–500 users) per app app/tenant
resource_units_per_10_seconds · second
5000
10-second sliding window
Read ResourceUnits — large tenant (>500 users) per app app/tenant
resource_units_per_10_seconds · second
8000
10-second sliding window
Write requests per app/tenant app/tenant
requests_per_2m30s · second
3000
2-minute 30-second window
Read ResourceUnits per application across all tenants application
resource_units_per_20_seconds · second
150000
Write requests per application across all tenants application
requests_per_5_minutes · minute
35000
Write requests per tenant across all apps tenant
requests_per_5_minutes · minute
18000
Identity & Access Reports — any request app/tenant
requests_per_10_seconds · second
5
signInActivity GET app/tenant
requests_per_minute · minute
10

Policies

ResourceUnit cost model
Each Graph request to Entra is charged a base ResourceUnit cost (most are 1 RU; some paths cost 2–5 RU, e.g. group transitiveMembers = 5 RU). Plan capacity in ResourceUnits, not raw requests.
Backoff Strategy
Honour the Retry-After header on 429; otherwise apply exponential backoff with jitter.
Tenant-size scaling
Read budget grows with tenant user count (3500 / 5000 / 8000 RU per 10s for Small / Medium / Large).
Use change-tracking
Prefer delta queries and change notifications over polling for directory objects.

Sources