Is there a specific number of requests/minute (specific to a tenant) that an application can make to Microsoft Graph APIs before requests start getting throttled?
Asked
Active
Viewed 7,284 times
1 Answers
6
No, not specific to a tenant (at least not for the Outlook-related parts of the Graph). Throttling is done per user per app. The threshold is 10000 requests every 10 minutes.
For non-Outlook stuff, I'm not sure what the limits are. All Graph has to say about it is here:
https://developer.microsoft.com/en-us/graph/docs/concepts/throttling
The takeaway here is you should not depend on a specific threshold since we can always change it if we need to in order to protect the integrity of the service. Ensure that your app can gracefully handle being throttled by handling the 429 error response properly.
Jason Johnston
- 17,194
- 2
- 20
- 34
-
1Just adding a bit to Jason's answer, the "per use, per app" means each authenticated user can make 10k requests to Outlook APIs from a given App ID. So _10_ users can _each_ make 10k requests within a 10 minute window. **However**, if you're using `Client Credentials` you don't have a `user` which means you get _flat_ 10k requests within a 10m window. Thinking this topic would benefit from a flowchart that illustrates what is going on. :) – Marc LaFleur Dec 05 '17 at 15:40
-
Does the throttling threshold vary by any chance based on the number of times a user has been throttled. For example, if I get throttled once, when I make a second request after the stipulated time, will my threshold increase/decrease? – Vipin Chacko Dec 08 '17 at 07:06
-
@MarcLaFleur, I have noticed that I can make 10k requests per minute per user while using Client Credentials. – Vipin Chacko Dec 08 '17 at 15:47
-
1@VipinChacko - no, the threshold is not based on your past throttling history. I'm double-checking on Marc's note about client credentials. – Jason Johnston Dec 08 '17 at 21:43
-
@JasonJohnston - were you able to get any info on throttling limit for client credentials – Vipin Chacko Dec 11 '17 at 09:30
-
Seems good information, @MarcLaFleur. What do you mean by the 'Client Credentials' ? I use the App token and I assume you mention the same case. Actually I'd like to know exact logic to throttle the request. And what are the factors for that logic, like UserAgent, SourceIP, etc? – Locke May 21 '18 at 20:46
-
2Client Credentials is one of the OAuth Grant Flows supported by AAD. It doesn't require a User and leverages Application scopes. Its counterpart would be Authorization Code which does require a User and leverages Delegated scopes. As for throttling, it depends on the endpoint. Each underlying service defines its own throttling mechanism. – Marc LaFleur May 22 '18 at 14:31