Azure AD SCIM Provisioning | Rate Limiting for multitenant SaaS application

Ruchi 386 Reputation points

We are exploring the option to enable automatic Azure AD user provisioning using SCIM for our multi tenant SAAS application. Want to understand how the rate limiting works for multitenant SCIM user provisioning. Is the rate limiting applied per service provider scim application across all tenants or is it applied per application per tenant. And we understand the guideline for SCIM application is to support 25 requests/second. Would we expect to receive 25 req/sec per tenant or across all tenants using the same SCIM url. Also , if there are a lot of tenants using the same SCIM url, would the delta sync for all the customers still finish in 40 mins or can it go beyond that. If it would still finish in 40 mins, would the SCIm endpoint be receiving much more requests than 25 per sec? if yes, how much could that be.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,898 questions
{count} votes

Accepted answer
  1. Danny Zollner 9,531 Reputation points Microsoft Employee

    The rate limiting is tracked per provisioning job. One configured instance of provisioning on an AAD Enterprise App/custom non-gallery app equals one provisioning job. If you have ten customers each with one provisioning job configured, then that would be 10 provisioning jobs. Rate limiting only exists at this time for apps in the gallery that have been developed and onboarded by Microsoft. Custom non-gallery apps do not have any rate limiting available. Each provisioning job operates independently with no vision to others - the interval between cycles will be every 40 minutes, although for extremely large sets of users/groups it is possible for the cycle to take much longer. Assuming that the number of changes take less than 40 minutes to process, however, the expectation will be that each configured and enabled provisioning job runs every 40 minutes. To add all of that up - 25 requests per second per configured provisioning job, which usually is a 1:1 link to a customer. If you have 100 customers and a gallery app set to 25/second as the upper limit for # of requests, you can expect up to 2500 requests per second as the peak, although in reality that may not ever happen.

    1 person found this answer helpful.
    0 comments No comments

0 additional answers

Sort by: Most helpful