diff --git a/package.json b/package.json
index 37d13541..0da837f2 100644
--- a/package.json
+++ b/package.json
@@ -114,6 +114,7 @@
     "@azure/identity": "^1.0.0-preview.3",
     "@azure/keyvault-secrets": "^4.0.0-preview.5",
     "dotenv": "^8.1.0",
+    "p-limit": "^2.2.1",
     "sync-rpc": "^1.3.6"
   }
 }
diff --git a/src/dotenv-azure.ts b/src/dotenv-azure.ts
index d9f6cb1d..22d522d8 100644
--- a/src/dotenv-azure.ts
+++ b/src/dotenv-azure.ts
@@ -1,4 +1,5 @@
 import * as fs from 'fs'
+import pLimit from 'p-limit'
 import dotenv, { DotenvParseOptions } from 'dotenv'
 import { ManagedIdentityCredential, ClientSecretCredential } from '@azure/identity'
 import { SecretsClient } from '@azure/keyvault-secrets'
@@ -107,7 +108,7 @@ export default class DotenvAzure {
           {} as VariablesObject
         )
     }
-
+    console.log('appconfig', vars)
     return vars
   }
 
@@ -116,22 +117,25 @@ export default class DotenvAzure {
     vars: VariablesObject
   ): Promise<VariablesObject> {
     const secrets: VariablesObject = {}
+    // limit requests to avoid Azure AD rate limiting
+    const limit = pLimit(2)
+
+    const getSecret = async (key: string, value: string): Promise<void> => {
+      const keyVaultUrl = testIfValueIsVaultSecret(value)
+      if (!keyVaultUrl) return
+
+      const [, , secretName, secretVersion] = keyVaultUrl.pathname.split('/')
+      if (!secretName || !secretVersion) {
+        throw new InvalidKeyVaultUrlError(key.replace('kv:', ''))
+      }
+
+      const keyVaultClient = this.getKeyVaultClient(credentials, keyVaultUrl.origin)
+      const response = await keyVaultClient.getSecret(secretName, { version: secretVersion })
+      secrets[key] = response.value || ''
+      console.log('kv', secretName, response.value)
+    }
 
-    await Promise.all(
-      Object.entries(vars).map(async ([key, value]) => {
-        const keyVaultUrl = testIfValueIsVaultSecret(value)
-        if (!keyVaultUrl) return
-
-        const [, , secretName, secretVersion] = keyVaultUrl.pathname.split('/')
-        if (!secretName || !secretVersion) {
-          throw new InvalidKeyVaultUrlError(key.replace('kv:', ''))
-        }
-
-        const keyVaultClient = this.getKeyVaultClient(credentials, keyVaultUrl.origin)
-        const response = await keyVaultClient.getSecret(secretName, { version: secretVersion })
-        secrets[key] = response.value || ''
-      })
-    )
+    await Promise.all(Object.entries(vars).map(([key, val]) => limit(() => getSecret(key, val))))
 
     return secrets
   }
diff --git a/yarn.lock b/yarn.lock
index 2e0cdfe9..dbad0dd0 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -6089,7 +6089,7 @@ p-limit@^1.1.0:
   dependencies:
     p-try "^1.0.0"
 
-p-limit@^2.0.0, p-limit@^2.2.0:
+p-limit@^2.0.0, p-limit@^2.2.0, p-limit@^2.2.1:
   version "2.2.1"
   resolved "https://registry.yarnpkg.com/p-limit/-/p-limit-2.2.1.tgz#aa07a788cc3151c939b5131f63570f0dd2009537"
   integrity sha512-85Tk+90UCVWvbDavCLKPOLC9vvY8OwEX/RtKF+/1OADJMVlFfEHOiMTPVyxg7mk/dKa+ipdHm0OUkTvCpMTuwg==