| title | description | ms.localizationpriority | ms.custom | ms.subservice | ms.date |
|---|---|---|---|---|---|
Microsoft Graph service-specific throttling limits |
Identify the throttling limits for each Microsoft Graph service to apply best practices to manage throttling in your application. |
high |
graphiamtop20 |
non-product-specific |
06/19/2024 |
Microsoft Graph allows you to access data in multiple services, such as Outlook or Microsoft Entra ID. These services impose their own throttling limits that affect applications that use Microsoft Graph to access them.
Any request can be evaluated against multiple limits, depending on the scope of the limit (per app across all tenants, per tenant for all apps, per app per tenant, and so on), the request type (GET, POST, PATCH, and so on), and other factors. The first limit to be reached triggers throttling behavior. In addition to the service specific-limits described in the section, the following global limits apply:
| Request type | Per app across all tenants |
|---|---|
| Any | 130,000 requests per 10 seconds |
Note
The specific limits described here are subject to change.
In this section, the term tenant refers to the Microsoft 365 organization where the application is installed. This tenant can be the same as the one where the application was created in the case of a single-tenant application, or it can be different in the case of a multi-tenant application.
The following limits apply to requests on the assignment service API:
| Request type | Limit per app per tenant | Limit per tenant for all apps |
|---|---|---|
| Any | 500 requests per 10 seconds | 1,000 requests per 10 seconds |
| Any | 15,000 requests per 3,600 seconds | 30,000 requests per 3,600 seconds |
| GET me/Assignment | 50 requests per 10 seconds | 150 requests per 10 seconds |
The preceding limits apply to the following resources:
The Bookings service applies limits to each app ID and mailbox combination, specifically when a particular app accesses a particular booking mailbox. Exceeding the limit for one mailbox doesn't affect the ability of the application to access another mailbox.
| Limit | Applies to |
|---|---|
| Four concurrent requests | v1.0 and beta endpoints |
The preceding limits apply to the following resources:
| Resource | Limits per app |
|---|---|
| Calls | 50,000 requests in a 15-second period, per application per tenant |
| Meeting information | 2,000 meetings/user each month |
| Presence | 1,500 requests in a 30-second period, per application per tenant |
| Virtual event | 10,000 requests/app each month |
The limits listed in the following table apply to the following resources:
| Limit type | Limit |
|---|---|
| Per application for all tenants | 15,000 requests per 20 seconds |
| Per tenant for all applications | 10,000 requests per 20 seconds |
| Per application per tenant | 1,500 requests per 20 seconds |
| Per call record | 10 requests per 20 seconds (first page) 50 requests per 5 minutes (subsequent pages) |
| List call records | 15 requests per 20 seconds (first page) 55 requests per 5 minutes (subsequent pages) |
The limits listed in the following table apply to the following resources:
| Limit type | Limit |
|---|---|
| Per tenant | 1,000 requests per 60 seconds |
| Per application per tenant | 200 requests per 60 seconds |
| Per collection | 50 requests per 60 seconds |
For explanations and best practices related to Excel service throttling, see Reduce throttling errors. In addition, following are some throttling limits.
[!INCLUDE Excel throttling documentation]
[!INCLUDE Education rostering APIS throttling documentation]
For service limits for OneDrive, OneDrive for Business, and SharePoint Online, see Avoid getting throttled or blocked in SharePoint Online.
The preceding information applies to the following resources:
[!INCLUDE Files and lists throttling documentation]
| Request type | Limit per app per tenant |
|---|---|
| Any | Five requests per 10 seconds |
The preceding limits apply to the following resources:
[!INCLUDE Azure AD identity and access reports throttling documentation]
Microsoft Entra reporting APIs are throttled when Microsoft Entra ID receives too many calls during a given timeframe from a tenant or app. Calls might also be throttled if the service takes too long to respond. If your requests still fail with a 429 Too Many Requests error code despite applying the best practices to handle throttling, try reducing the amount of data returned. Try these approaches first:
- Use filters to target your query to just the data you need. If you only need a certain type of event or a subset of users, for example, filter out other events using the
$filterand$selectquery parameters to reduce the size of your response object and the risk of throttling. - If you need a broad set of Microsoft Entra ID reporting data, use
$filteron the createdDateTime to limit the number of sign-in events you query in a single call. Then, iterate through the next timespan until you have all the records you need. For example, if you're being throttled, you can begin with a call that requests three days of data and iterate with shorter timespans until your requests are no longer throttled.
Throttling is based on a token bucket algorithm, which works by adding individual costs of requests. The sum of request costs is then compared against predetermined limits. Only the requests exceeding the limits are throttled. If any of the limits are exceeded, the response is 429 Too Many Requests. It's possible to receive 429 Too Many Requests responses even when the following limits aren't reached, in situations when the services are under an important load or based on data volume for a specific tenant. The following table lists existing limits.
| Limit type | Resource unit quota | Write quota |
|---|---|---|
| application+tenant pair | S: 3,500 ResourceUnits per 10 seconds M: 5,000 ResourceUnits per 10 seconds L: 8,000 ResourceUnits per 10 seconds |
3,000 requests per 2 minutes and 30 seconds |
| application | 150,000 ResourceUnits per 20 seconds | 35,000 requests per 5 minutes |
| tenant | Not Applicable | 18,000 requests per 5 minutes |
Note
The application + tenant pair limit varies based on the number of users in the tenant requests are run against. The tenant sizes are defined as follows: S - under 50 users, M - between 50 and 500 users, and L - above 500 users.
[!INCLUDE Identity and access throttling documentation]
The following table lists base request costs. Any requests not listed have a base cost of 1.
| Operation | Request Path | Base Resource Unit Cost | Write Cost |
|---|---|---|---|
| GET | applications |
2 | 0 |
| GET | applications/{id}/extensionProperties |
2 | 0 |
| GET | contracts |
3 | 0 |
| POST | directoryObjects/getByIds |
5 | 0 |
| GET | domains/{id}/domainNameReferences |
4 | 0 |
| POST | getObjectsById |
5 | 0 |
| GET | groups/{id}/members |
3 | 0 |
| GET | groups/{id}/transitiveMembers |
5 | 0 |
| POST | isMemberOf |
4 | 0 |
| POST | me/checkMemberGroups |
4 | 0 |
| POST | me/checkMemberObjects |
4 | 0 |
| POST | me/getMemberGroups |
2 | 0 |
| POST | me/getMemberObjects |
2 | 0 |
| GET | me/licenseDetails |
2 | 0 |
| GET | me/memberOf |
2 | 0 |
| GET | me/ownedObjects |
2 | 0 |
| GET | me/transitiveMemberOf |
2 | 0 |
| GET | oauth2PermissionGrants |
2 | 0 |
| GET | oauth2PermissionGrants/{id} |
2 | 0 |
| GET | servicePrincipals/{id}/appRoleAssignments |
2 | 0 |
| GET | subscribedSkus |
3 | 0 |
| GET | users |
2 | 0 |
| GET | Any identity path not listed in the table | 1 | 0 |
| POST | Any identity path not listed in the table | 1 | 1 |
| PATCH | Any identity path not listed in the table | 1 | 1 |
| PUT | Any identity path not listed in the table | 1 | 1 |
| DELETE | Any identity path not listed in the table | 1 | 1 |
Important
The cost of POST, PATCH, and DELETE operations on the applications request path depends on the signInAudience type. For apps where the signInAudience is AzureADMyOrg or AzureADMultipleOrgs, the cost is 70,000 requests per 5 minutes; while for apps where the signInAudience is AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount, the cost is 60 requests per minute.
Other factors that affect a request cost:
- Using
$selectdecreases cost by 1 - Using
$expandincreases cost by 1 - Using
$topwith a value of less than 20 decreases cost by 1 - Creating a user in a Microsoft Entra ID B2C tenant increases cost by 4
Note
- A request cost can never be lower than 1. Any request cost that applies to a request path starting with
me/also applies to equivalent requests starting withusers/{id | userPrincipalName}/. - Using
$selectfordirectoryObjects/getByIdsandgetObjectsByIdwill result in 2 ResourceUnits.
- x-ms-throttle-priority - If the header doesn't exist or is set to any other value, it indicates a normal request. We recommend setting priority to
highonly for the requests initiated by the user. This header can have one of the following values:- Low - Indicates the request is low priority. Throttling this request doesn't cause user-visible failures.
- Normal - Default if no value is provided. Indicates that the request is default priority.
- High - Indicates that the request is high priority. Throttling this request causes user-visible failures.
Note
Should requests be throttled, low priority requests will be throttled first, normal priority requests second, and high priority requests last. Using the priority request header does not change the limits.
- x-ms-resource-unit - Indicates the resource unit used for this request. Values are positive integers.
- x-ms-throttle-limit-percentage - Returned only when the application consumed more than 0.8 of its limit. The value ranges from 0.8 to 1.8 and is a percentage of the use of the limit. Callers can use this value to set up an alert and take action.
- x-ms-throttle-scope - for example,
Tenant_Application/ReadWrite/9a3d526c-b3c1-4479-ba74-197b5c5751ae/0785ef7c-2d7a-4542-b048-95bcab406e0b. Indicates the scope of throttling with the following format<Scope>/<Limit>/<ApplicationId>/<TenantId|UserId|ResourceId>:- Scope: (string, required)
- Tenant_Application - All requests for a particular tenant for the current application.
- Tenant - All requests for the current tenant, regardless of the application.
- Application - All requests for the current application.
- Limit: (string, required)
- Read: Read requests for the scope (GET)
- Write: Write requests for the scope (POST, PATCH, PUT, DELETE...)
- ReadWrite: All Requests for the scope (any)
- ApplicationId (Guid, required)
- TenantId|UserId|ResourceId: (Guid, required)
- Scope: (string, required)
- x-ms-throttle-information - Indicates the reason for throttling and can have any value (string). The value is provided for diagnostics and troubleshooting purposes, some examples include:
- CPULimitExceeded - Throttling is because the limit for cpu allocation is exceeded.
- WriteLimitExceeded - Throttling is because the write limit is exceeded.
- ResourceUnitLimitExceeded - Throttling is because the limit for the allocated resource unit is exceeded.
| Request type | Limit per tenant |
|---|---|
POST on exportPersonalData |
1,000 requests per day for any subject and 100 per subject per day |
| Any other request | 10,000 requests per hour |
The preceding limits apply to the following resources:
Note
The resources listed earlier do not return a Retry-After header on 429 Too Many Requests responses.
| Request type | Limit per tenant for all apps |
|---|---|
| Any | One request per second |
[!INCLUDE Information protection throttling documentation]
Note
The resources listed earlier do not return a Retry-After header on 429 Too Many Requests responses.
[!INCLUDE CPIM throttling documentation]
The following limits apply to any request on /informationProtection.
For email, the resource is a unique network message ID/recipient pair. For example, submitting an email with the same message ID sent to the same person multiple times in a 15-minute period triggers the limit per resource limits listed in the following table. However, you can submit up to 150 unique emails every 15 minutes (tenant limit).
| Operation | Limit per tenant | Limit per resource (email, URL, file) |
|---|---|---|
| POST | 150 requests per 15 minutes and 10,000 requests per 24 hours | One request per 15 minutes and 3 requests per 24 hours |
[!INCLUDE Information protection throttling documentation]
The following limits apply to any request on me/insights or users/{id}/insights.
| Limit | Applies to |
|---|---|
| 10,000 API requests in a 10-minute period | v1.0 and beta endpoints |
| Four concurrent requests | v1.0 and beta endpoints |
The preceding limits apply to the following resources:
[!INCLUDE Intune tunnel throttling documentation] [!INCLUDE Intune android for work throttling documentation] [!INCLUDE Intune applications throttling documentation] [!INCLUDE Intune auditing throttling documentation] [!INCLUDE Intune books throttling documentation] [!INCLUDE Intune bundles throttling documentation] [!INCLUDE Intune chromebook sync throttling documentation] [!INCLUDE Intune company terms throttling documentation] [!INCLUDE Intune device config v2 throttling documentation] [!INCLUDE Intune device configuration throttling documentation] [!INCLUDE Intune device enrollment throttling documentation] [!INCLUDE Intune device intent throttling documentation] [!INCLUDE Intune devices throttling documentation] [!INCLUDE Intune endpoint protection throttling documentation] [!INCLUDE Intune enrollment throttling documentation] [!INCLUDE Intune GPAnalytics throttling documentation] [!INCLUDE Intune managed applications throttling documentation] [!INCLUDE Intune notifications throttling documentation] [!INCLUDE Intune ODJ throttling documentation] [!INCLUDE Intune partner integration throttling documentation] [!INCLUDE Intune rbac throttling documentation] [!INCLUDE Intune remote assistance throttling documentation] [!INCLUDE Intune telephony throttling documentation] [!INCLUDE Intune TEM throttling documentation] [!INCLUDE Intune troubleshooting throttling documentation] [!INCLUDE Intune unlock throttling documentation] [!INCLUDE Intune updates throttling documentation] [!INCLUDE Intune wip throttling documentation]
The following limits apply to any request on /invitations.
| Operation | Limit per tenant for all apps |
|---|---|
| Any operation | 150 requests per 5 seconds |
The following limits apply to any request on /reports.
| Operation | Limit per app per tenant | Limit per tenant for all apps |
|---|---|---|
| Any request (CSV) | 14 requests per 10 minutes | 40 requests per 10 minutes |
| Any request (JSON, beta) | 100 requests per 10 minutes | n/a |
The preceding limits apply individually to each report API. For example, a request to the Microsoft Teams user activity report API and a request to the Outlook user activity report API within 10 minutes count as one request out of 14 for each API, not two requests out of 14 for both.
The preceding limits apply to all usage reports resources.
Limits are expressed as requests per second (rps).
| Teams request type | Limit per app per tenant | Limit per app across all tenants | Limit per app per tenant per resource(chat/channel)|
|------------------------------------------------------|---------------------------------|------------|
| GET team | 30 rps | 600 rps |
| GET channel | 30 rps | 600 rps | 1rps |
| GET tab for channel, chat| 30 rps | 600 rps | 1rps |
| GET installedApps for user, team | 30 rps | 600 rps |
| GET installedApps for chat | 30 rps | 600 rps | 1rps |
| GET appCatalogs | 30 rps | 600 rps |
| POST channel | 30 rps | 300 rps | 1rps |
| POST tab for channel or chat| 30 rps | 300 rps | 1rps |
| POST installedApps for chat, user, team | 30 rps | 300 rps |
| POST appCatalogs | 30 rps | 300 rps |
| PATCH team, tab| 30 rps | 300 rps |
| PATCH channel| 30 rps | 300 rps | 1rps |
| DELETE channel | 15 rps | 150 rps | 1rps |
| DELETE tab for chat, channel | 15 rps | 150 rps | 1rps |
| DELETE installedApps for chat, user, team | 15 rps | 150 rps |
| DELETE appCatalogs | 15 rps | 150 rps |
| GET /teams/{team-id}, joinedTeams | 30 rps | 300 rps |
| POST /teams | 10 rps | 100 rps |
| PUT /groups/{team-id}/team| Six rps | 150 rps |
| POST /{team-id}/ clone | Six rps | 150 rps |
| GET channel message | 20 rps | 200 rps | 1rps |
| GET 1:1/group chat message | 20 rps | 200 rps | 1rps |
| POST channel message | 50 rps | 500 rps | 1rps |
| POST chat member | 30 rps | 300 rps | 4rpm |
| Delete chat member | 30 rps | 300 rps | 4rpm |
| POST 1:1/group chat message | 20 rps | 200 rps | 1rps |
| GET /teams/{team-id}/schedule and all APIs under this path | 30 rps | 600 rps |
| POST /teams/{team-id}/schedule and all APIs under this path | 30 rps | 300 rps |
|PUT /teams/{team-id}/schedule and all APIs under this path | 30 rps | 300 rps |
| POST /teams/{team-id}/sendActivityNotification | Five rps | 50 rps |
| POST /chats/{chat-id}/sendActivityNotification | Five rps | 50 rps | 1rps |
| POST /users/{user-id}/teamwork/sendActivityNotification | Five rps | 50 rps |
| POST /teamwork/sendActivityNotificationToRecipients | Two rps | 20 rps |
| GET /teams/{team-id}/members | 60 rps | 1200 rps |
| POST /teams/{team-id}/members | 30 rps | 300 rps | 4rpm|
| GET /teams/{team-id}/channels | 60 rps | 1200 rps | 1rps |
| GET /teams/{team-id}/channels/{channel-id}/members | 60 rps | 1200 rps | 1rps |
| Get all channel messages for a team
GET teams/{team-id}/channels/getAllMessages
GET teams/{team-id}/channels/allMessages | 200rps | 1000rps |
| Get all chat messages for a user
GET users/{user-id}/chats/getAllMessages
GET users/{user-id}/chats/allMessages | 200rps | 1000rps |
| Other GET API calls for Microsoft Teams | 30 rps | 1500 rps | 1rps |
| Other API calls for Microsoft Teams | 30 rps | 300 rps | 1rps |
A maximum of four requests per second per app can be issued on a given team.
A maximum of one request per second per app per tenant can be issued on a given channel or chat.
A maximum of one request per second per user can be issued when doing POST message in a given chat or channel (This throttling limit doesn't apply to migration).
A maximum of five requests per second per user can be issued when doing List chats or Get chat or chat:removeAllAccessForUser
See also Microsoft Teams limits and polling requirements.
[!INCLUDE Teams throttling documentation]
[!INCLUDE Multi tenant platform throttling documentation]
| Limit type | Limit per app per user (delegated context) | Limit per app (app-only context) |
|---|---|---|
| Requests rate | 120 requests per 1 minute and 400 per 1 hour | 240 requests per 1 minute and 800 per 1 hour |
| Concurrent requests | Five concurrent requests | 20 concurrent requests |
The preceding limits apply to the following resources:
[!INCLUDE Onenote throttling documentation]
You can find additional information about best practices in OneNote API throttling and how to avoid it.
Note
The resources listed earlier do not return a Retry-After header on 429 Too Many Requests responses.
| Request type | Limit per app per tenant |
|---|---|
| Any | 455 requests per 10 seconds |
The preceding limits apply to the following resources: [!INCLUDE Open and schema extensions throttling documentation]
Outlook service limits apply to the public cloud and national cloud deployments.
The Outlook service applies limits to each mailbox individually, regardless of the application used - that is, any app accessing a specific user or group mailbox. Exceeding the limit for one mailbox does not impact the application's ability to access another mailbox.
| Limit | Applies to |
|---|---|
| 10,000 API requests in a 10 minute period | v1.0 and beta endpoints |
| Four concurrent requests | v1.0 and beta endpoints |
| 150 megabytes (MB) upload (PATCH, POST, PUT) in a 5-minute period | v1.0 and beta endpoints |
| API | Resources |
|---|---|
| Search API (preview) | |
| Profile API | |
| Calendar API | |
| Mail API | |
| Personal contacts API | |
| Social and workplace intelligence | |
| To-do tasks API (preview) |
When an app makes a JSON batch request that consists of multiple, unordered individual requests to the Outlook service, by default, Microsoft Graph sends the Outlook service up to four individual requests from the batch at a time, regardless of the target mailboxes of those requests. The Outlook service can execute these requests in parallel at any point, also irrespective of the target mailbox. Since Microsoft Graph sends only up to four requests to run in parallel, the execution of that batch stays within Outlook's concurrency limits for the same mailbox.
Alternatively, an app can use the dependsOn property to order requests within a batch. Microsoft Graph sends the Outlook service one request from the batch at a time following the specified order, and Outlook executes each individual request in the batch sequentially.
In other words, when targeting the same mailbox, apps that allow multiple batch requests to run in parallel can use either of the following approaches:
- If the individual requests don't have to be ordered, have individual requests from a single batch run concurrently.
- Use the
dependsOnproperty to order requests in a batch, and have up to four such batch requests run concurrently.
| Request type | Limit per user for all apps |
|---|---|
| GET | 400 requests per 5 minutes and 12,000 requests per one day |
| POST, PUT, PATCH, DELETE | 100 requests per 5 minutes and 8,000 requests per one day |
The preceding limits apply to the following resources:
The following limits apply to any request on /security.
| Operation | Limit per app per tenant |
|---|---|
Any operation on alert, securityActions, secureScore |
150 requests per minute |
Any operation on tiIndicator |
1,000 requests per minute |
Any operation on secureScore or secureScorecontrolProfile |
10,000 API requests in a 10-minute period |
Any operation on secureScore or secureScorecontrolProfile |
Four concurrent requests |
The following limits apply to any request on /security/eDiscoveryCases.
| Operation | Limit per app per tenant |
|---|---|
| Any | Five requests per minute |
The following limits apply to any type of requests for service communications under /admin/serviceAnnouncement/.
| Request type | Limit per app per tenant |
|---|---|
| Any | 240 requests per 60 seconds |
| Any | 800 requests per hour |
[!INCLUDE Subscription services throttling documentation]
Service limits for Planner aren't available.
The preceding information applies to the following resources: [!INCLUDE Tasks and plans throttling documentation]
Viva Engage API calls are subject to rate limiting, allowing 10 requests per user, per app, within a 30-second time period. When you exceed the rate limit, all subsequent requests return a 429 Too Many Requests response code.