Microsoft Graph service-specific throttling limits

Microsoft Graph allows you to access data in multiple services, such as Outlook or Microsoft Entra ID. These services impose their own throttling limits that affect applications that use Microsoft Graph to access them.

Any request can be evaluated against multiple limits, depending on the scope of the limit (per app across all tenants, per tenant for all apps, per app per tenant, and so on), the request type (GET, POST, PATCH, and so on), and other factors. The first limit to be reached triggers throttling behavior. In addition to the service specific-limits described in the section, the following global limits apply:

Request type	Per app across all tenants
Any	130,000 requests per 10 seconds

Note

The specific limits described here are subject to change.

In this section, the term tenant refers to the Microsoft 365 organization where the application is installed. This tenant can be the same as the one where the application was created in the case of a single-tenant application, or it can be different in the case of a multi-tenant application.

Assignment service limits

The following limits apply to requests on the assignment service API:

Request type	Limit per app per tenant	Limit per tenant for all apps
Any	500 requests per 10 seconds	1,000 requests per 10 seconds
Any	15,000 requests per 3,600 seconds	30,000 requests per 3,600 seconds
GET me/Assignment	50 requests per 10 seconds	150 requests per 10 seconds

The preceding limits apply to the following resources:

• educationAssignment
• educationSubmission
• trending
• educationResource

Bookings service limits

The Bookings service applies limits to each app ID and mailbox combination, specifically when a particular app accesses a particular booking mailbox. Exceeding the limit for one mailbox doesn't affect the ability of the application to access another mailbox.

Limit	Applies to
Four concurrent requests	v1.0 and beta endpoints

The preceding limits apply to the following resources:

• business
• appointment
• customQuestion
• customer
• service
• staffMember

Cloud communication service limits

Resource	Limits per app
Calls	50,000 requests in a 15-second period, per application per tenant
Meeting information	2,000 meetings/user each month
Presence	1,500 requests in a 30-second period, per application per tenant
Virtual event	10,000 requests/app each month

Call records limits

The limits listed in the following table apply to the following resource:

• callRecord

Limit type	Limit
Per application for all tenants	15,000 requests per 20 seconds
Per tenant for all applications	10,000 requests per 20 seconds
Per application per tenant	1,500 requests per 20 seconds
Per call record	10 requests per 20 seconds (first page) 50 requests per 5 minutes (subsequent pages)

Excel service limits

For explanations and best practices related to Excel service throttling, see Reduce throttling errors. In addition, following are some throttling limits.

Request type	Limit per app for all tenants	Limit per app per tenant
Any	5000 requests per 10 seconds	1500 requests per 10 seconds

The preceding limits apply to the following resources:

workbook workbookApplication workbookChart workbookChartAreaFormat workbookChartAxes workbookChartAxis workbookChartAxisFormat workbookChartAxisTitle workbookChartAxisTitleFormat workbookChartDataLabelFormat workbookChartDataLabels workbookChartFill workbookChartFont workbookChartGridlines workbookChartGridlinesFormat workbookChartLegend workbookChartLegendFormat workbookChartLineFormat workbookChartPoint workbookChartPointFormat workbookChartSeries workbookChartSeriesFormat workbookChartTitle

workbookChartTitleFormat workbookComment workbookCommentReply workbookFilter workbookFormatProtection workbookNamedItem workbookOperation workbookPivotTable workbookRange workbookRangeBorder workbookRangeFill workbookRangeFont workbookRangeFormat workbookRangeSort workbookRangeView workbookTable workbookTableColumn workbookTableRow workbookTableSort workbookWorksheet workbookWorksheetProtection

Education service limits

Request type	Limit per app for all tenants	Limit per app per tenant
Any	400000 requests per 20 seconds	35000 requests per 10 seconds

The preceding limits apply to the following resources:

educationClass educationCourse educationOnPremisesInfo educationOrganization educationRelatedContact educationRoot	educationSchool educationStudent educationTeacher educationTerm educationUser

Files and lists service limits

For service limits for OneDrive, OneDrive for Business, and SharePoint Online, see Avoid getting throttled or blocked in SharePoint Online.

The preceding information applies to the following resources:

baseItem baseItemVersion columnDefinition columnLink contentType drive driveItem driveItemVersion fieldValueSet itemActivity	itemActivityStat itemAnalytics list listItem listItemVersion permission sharedDriveItem site thumbnailSet

Identity and access reports service limits

Request type	Limit per app per tenant
Any	Five requests per 10 seconds

The preceding limits apply to the following resources:

applicationSignInDetailedSummary applicationSignInSummary auditLogRoot authenticationMethod azureADUserFeatureUsage credentialUsageSummary credentialUserRegistrationCount	credentialUserRegistrationDetails directoryAudit provisioningObjectSummary relyingPartyDetailedSummary signIn userCredentialUsageDetails

Identity and access reports best practices

Microsoft Entra reporting APIs are throttled when Microsoft Entra ID receives too many calls during a given timeframe from a tenant or app. Calls might also be throttled if the service takes too long to respond. If your requests still fail with a 429 Too Many Requests error code despite applying the best practices to handle throttling, try reducing the amount of data returned. Try these approaches first:

• Use filters to target your query to just the data you need. If you only need a certain type of event or a subset of users, for example, filter out other events using the $filter and $select query parameters to reduce the size of your response object and the risk of throttling.
• If you need a broad set of Microsoft Entra ID reporting data, use $filter on the createdDateTime to limit the number of sign-in events you query in a single call. Then, iterate through the next timespan until you have all the records you need. For example, if you're being throttled, you can begin with a call that requests three days of data and iterate with shorter timespans until your requests are no longer throttled.

Identity and access service limits

Pattern

Throttling is based on a token bucket algorithm, which works by adding individual costs of requests. The sum of request costs is then compared against predetermined limits. Only the requests exceeding the limits are throttled. If any of the limits are exceeded, the response is 429 Too Many Requests. It's possible to receive 429 Too Many Requests responses even when the following limits aren't reached, in situations when the services are under an important load or based on data volume for a specific tenant. The following table lists existing limits.

Limit type	Resource unit quota	Write quota
application+tenant pair	S: 3,500 ResourceUnits per 10 seconds M: 5,000 ResourceUnits per 10 seconds L: 8,000 ResourceUnits per 10 seconds	3,000 requests per 2 minutes and 30 seconds
application	150,000 ResourceUnits per 20 seconds	35,000 requests per 5 minutes
tenant	Not Applicable	18,000 requests per 5 minutes

Note

The application + tenant pair limit varies based on the number of users in the tenant requests are run against. The tenant sizes are defined as follows: S - under 50 users, M - between 50 and 500 users, and L - above 500 users.

The preceding limits apply to the following resources:

application contract device directoryObjectPartnerReference directoryObject directoryRoleTemplate directoryRole domainDnsCnameRecord domainDnsMxRecord domainDnsRecord domainDnsSrvRecord domainDnsTxtRecord domainDnsUnavailableRecord domain endpoint extensionProperty	groupSettingTemplate groupSetting group homeRealmDiscoveryPolicy licenseDetails oauth2PermissionGrant organization orgContact policyBase servicePrincipal stsPolicy subscribedSku tokenIssuancePolicy tokenLifetimePolicy user

The following table lists base request costs. Any requests not listed have a base cost of 1.

Operation	Request Path	Base Resource Unit Cost	Write Cost
GET	applications	2	0
GET	applications/{id}/extensionProperties	2	0
GET	contracts	3	0
POST	directoryObjects/getByIds	3	0
GET	domains/{id}/domainNameReferences	4	0
POST	getObjectsById	3	0
GET	groups/{id}/members	3	0
GET	groups/{id}/transitiveMembers	5	0
POST	isMemberOf	4	0
POST	me/checkMemberGroups	4	0
POST	me/checkMemberObjects	4	0
POST	me/getMemberGroups	2	0
POST	me/getMemberObjects	2	0
GET	me/licenseDetails	2	0
GET	me/memberOf	2	0
GET	me/ownedObjects	2	0
GET	me/transitiveMemberOf	2	0
GET	oauth2PermissionGrants	2	0
GET	oauth2PermissionGrants/{id}	2	0
GET	servicePrincipals/{id}/appRoleAssignments	2	0
GET	subscribedSkus	3	0
GET	users	2	0
GET	Any identity path not listed in the table	1	0
POST	Any identity path not listed in the table	1	1
PATCH	Any identity path not listed in the table	1	1
PUT	Any identity path not listed in the table	1	1
DELETE	Any identity path not listed in the table	1	1

Important

The cost of POST, PATCH, and DELETE operations on the applications request path depends on the signInAudience type. For apps where the signInAudience is AzureADMyOrg or AzureADMultipleOrgs, the cost is 70,000 requests per 5 minutes; while for apps where the signInAudience is AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount, the cost is 60 requests per minute.

Other factors that affect a request cost:

• Using $select decreases cost by 1
• Using $expand increases cost by 1
• Using $top with a value of less than 20 decreases cost by 1
• Creating a user in a Microsoft Entra ID B2C tenant increases cost by 4

Note

A request cost can never be lower than 1. Any request cost that applies to a request path starting with me/ also applies to equivalent requests starting with users/{id | userPrincipalName}/.

Additional headers

Request headers

• x-ms-throttle-priority - If the header doesn't exist or is set to any other value, it indicates a normal request. We recommend setting priority to high only for the requests initiated by the user. This header can have one of the following values:
  • Low - Indicates the request is low priority. Throttling this request doesn't cause user-visible failures.
  • Normal - Default if no value is provided. Indicates that the request is default priority.
  • High - Indicates that the request is high priority. Throttling this request causes user-visible failures.

Note

Should requests be throttled, low priority requests will be throttled first, normal priority requests second, and high priority requests last. Using the priority request header does not change the limits.

Regular responses requests

• x-ms-resource-unit - Indicates the resource unit used for this request. Values are positive integers.
• x-ms-throttle-limit-percentage - Returned only when the application consumed more than 0.8 of its limit. The value ranges from 0.8 to 1.8 and is a percentage of the use of the limit. Callers can use this value to set up an alert and take action.

Throttled responses requests

• x-ms-throttle-scope - for example, Tenant_Application/ReadWrite/9a3d526c-b3c1-4479-ba74-197b5c5751ae/0785ef7c-2d7a-4542-b048-95bcab406e0b. Indicates the scope of throttling with the following format <Scope>/<Limit>/<ApplicationId>/<TenantId|UserId|ResourceId>:
  • Scope: (string, required)
    • Tenant_Application - All requests for a particular tenant for the current application.
    • Tenant - All requests for the current tenant, regardless of the application.
    • Application - All requests for the current application.
  • Limit: (string, required)
    • Read: Read requests for the scope (GET)
    • Write: Write requests for the scope (POST, PATCH, PUT, DELETE...)
    • ReadWrite: All Requests for the scope (any)
  • ApplicationId (Guid, required)
  • TenantId|UserId|ResourceId: (Guid, required)
• x-ms-throttle-information - Indicates the reason for throttling and can have any value (string). The value is provided for diagnostics and troubleshooting purposes, some examples include:
  • CPULimitExceeded - Throttling is because the limit for cpu allocation is exceeded.
  • WriteLimitExceeded - Throttling is because the write limit is exceeded.
  • ResourceUnitLimitExceeded - Throttling is because the limit for the allocated resource unit is exceeded.

Identity and access data policy operation service limits

Request type	Limit per tenant
POST on exportPersonalData	1,000 requests per day for any subject and 100 per subject per day
Any other request	10,000 requests per hour

The preceding limits apply to the following resources:

• dataPolicyOperation

Note

The resources listed earlier do not return a Retry-After header on 429 Too Many Requests responses.

Identity protection and conditional access service limits

Request type	Limit per tenant for all apps
Any	One request per second

riskDetection riskyUser riskyUserHistoryItem namedLocation countryNamedLocation ipNamedLocation conditionalAccessPolicy

Note

The resources listed earlier do not return a Retry-After header on 429 Too Many Requests responses.

Identity providers service limits

Request type	Limit per tenant for all apps	Limit per app per tenant
Any	300 requests per 1 minute	200 requests per 1 minute

The preceding limits apply to the following resources:

assignmentOrder authenticationEventListener authenticationFlowsPolicy b2cAuthenticationMethodsPolicy b2cIdentityUserFlow b2xIdentityUserFlow builtInIdentityProvider customAuthenticationExtension identityApiConnector identityBuiltInUserFlowAttribute identityCustomUserFlowAttribute identityProvider identityUserFlow	identityUserFlowAttribute identityUserFlowAttributeAssignment openIdConnectIdentityProvider openIdConnectProvider socialIdentityProvider trustFrameworkKeySet trustFrameworkPolicy userFlowLanguageConfiguration userFlowLanguagePage

Information protection service limits

The following limits apply to any request on /informationProtection.

For email, the resource is a unique network message ID/recipient pair. For example, submitting an email with the same message ID sent to the same person multiple times in a 15-minute period triggers the limit per resource limits listed in the following table. However, you can submit up to 150 unique emails every 15 minutes (tenant limit).

Operation	Limit per tenant	Limit per resource (email, URL, file)
POST	150 requests per 15 minutes and 10,000 requests per 24 hours	One request per 15 minutes and 3 requests per 24 hours

threatAssessmentRequest threatAssessmentResult mailAssessmentRequest emailFileAssessmentRequest fileAssessmentRequest urlAssessmentRequest

Insights service limits

The following limits apply to any request on me/insights or users/{id}/insights.

Limit	Applies to
10,000 API requests in a 10-minute period	v1.0 and beta endpoints
Four concurrent requests	v1.0 and beta endpoints

The preceding limits apply to the following resources:

• people
• sharedInsight
• trending
• usedInsight

Intune service limits

Request type	Limit per tenant for all apps	Limit per app per tenant
POST, PUT, DELETE, PATCH	200 requests per 20 seconds	100 requests per 20 seconds
Any	2000 requests per 20 seconds	1000 requests per 20 seconds

The preceding limits apply to the following resources:

microsoftTunnelConfiguration microsoftTunnelHealthThreshold microsoftTunnelServer microsoftTunnelServerLogCollectionResponse microsoftTunnelSite

Intune android for work service limits

Request type	Limit per tenant for all apps	Limit per app per tenant
POST, PUT, DELETE, PATCH	200 requests per 20 seconds	100 requests per 20 seconds
Any	2000 requests per 20 seconds	1000 requests per 20 seconds

The preceding limits apply to the following resources:

androidDeviceOwnerEnrollmentProfile androidForWorkAppConfigurationSchema androidForWorkEnrollmentProfile androidForWorkSettings androidManagedStoreAccountEnterpriseSettings androidManagedStoreAppConfigurationSchema

Intune applications service limits

Request type	Limit per tenant for all apps	Limit per app per tenant
POST, PUT, DELETE, PATCH	200 requests per 20 seconds	100 requests per 20 seconds
Any	2000 requests per 20 seconds	1000 requests per 20 seconds

The preceding limits apply to the following resources:

androidForWorkApp androidForWorkMobileAppConfiguration androidLobApp androidManagedStoreApp androidManagedStoreAppConfiguration androidManagedStoreWebApp androidStoreApp enterpriseCodeSigningCertificate iosLobApp iosLobAppProvisioningConfiguration iosLobAppProvisioningConfigurationAssignment iosMobileAppConfiguration iosStoreApp iosVppApp iosVppAppAssignedDeviceLicense iosVppAppAssignedLicense iosVppAppAssignedUserLicense macOSLobApp macOSMdatpApp macOSMicrosoftEdgeApp macOSOfficeSuiteApp macOsVppApp macOsVppAppAssignedLicense managedAndroidLobApp managedAndroidStoreApp managedApp managedDeviceMobileAppConfiguration managedDeviceMobileAppConfigurationAssignment managedDeviceMobileAppConfigurationDeviceStatus managedDeviceMobileAppConfigurationDeviceSummary managedDeviceMobileAppConfigurationUserStatus managedDeviceMobileAppConfigurationUserSummary managedIOSLobApp

managedIOSStoreApp managedMobileLobApp microsoftStoreForBusinessApp microsoftStoreForBusinessContainedApp mobileApp mobileAppAssignment mobileAppCategory mobileAppContent mobileAppContentFile mobileAppDependency mobileAppInstallStatus mobileAppInstallSummary mobileAppProvisioningConfigGroupAssignment mobileAppRelationship mobileAppSupersedence mobileContainedApp mobileLobApp officeSuiteApp symantecCodeSigningCertificate userAppInstallStatus webApp win32LobApp windowsAppX windowsMicrosoftEdgeApp windowsMobileMSI windowsPhone81AppX windowsPhone81AppXBundle windowsPhone81StoreApp windowsPhoneXAP windowsStoreApp windowsUniversalAppX windowsUniversalAppXContainedApp

Intune auditing service limits

Request type	Limit per tenant for all apps	Limit per app per tenant
POST, PUT, DELETE, PATCH	200 requests per 20 seconds	100 requests per 20 seconds
Any	2000 requests per 20 seconds	1000 requests per 20 seconds

The preceding limits apply to the following resources:

auditEvent

Intune books service limits

Request type	Limit per tenant for all apps	Limit per app per tenant
POST, PUT, DELETE, PATCH	200 requests per 20 seconds	100 requests per 20 seconds
Any	2000 requests per 20 seconds	1000 requests per 20 seconds

The preceding limits apply to the following resources:

deviceInstallState eBookInstallSummary iosVppEBook iosVppEBookAssignment managedEBook managedEBookAssignment managedEBookCategory userInstallStateSummary

Intune bundles service limits

Request type	Limit per tenant for all apps	Limit per app per tenant
POST, PUT, DELETE, PATCH	200 requests per 20 seconds	100 requests per 20 seconds
Any	2000 requests per 20 seconds	1000 requests per 20 seconds

The preceding limits apply to the following resources:

assignmentFilterEvaluationStatusDetails deviceAndAppManagementAssignmentFilter deviceCompliancePolicyPolicySetItem deviceConfigurationPolicySetItem deviceManagementConfigurationPolicyPolicySetItem deviceManagementScriptPolicySetItem enrollmentRestrictionsConfigurationPolicySetItem iosLobAppProvisioningConfigurationPolicySetItem, managedAppProtectionPolicySetItem	managedDeviceMobileAppConfigurationPolicySetItem mdmWindowsInformationProtectionPolicyPolicySetItem mobileAppPolicySetItem policySet policySetAssignment policySetItem targetedManagedAppConfigurationPolicySetItem windows10EnrollmentCompletionPageConfigurationPolicySetItem windowsAutopilotDeploymentProfilePolicySetItem

Intune chromebook sync service limits

Request type	Limit per tenant for all apps	Limit per app per tenant
POST, PUT, DELETE, PATCH	200 requests per 20 seconds	100 requests per 20 seconds
Any	2000 requests per 20 seconds	1000 requests per 20 seconds

The preceding limits apply to the following resources:

chromeOSOnboardingSettings

Intune company terms service limits

Request type	Limit per tenant for all apps	Limit per app per tenant
POST, PUT, DELETE, PATCH	200 requests per 20 seconds	100 requests per 20 seconds
Any	2000 requests per 20 seconds	1000 requests per 20 seconds

The preceding limits apply to the following resources:

termsAndConditions termsAndConditionsAcceptanceStatus termsAndConditionsAssignment termsAndConditionsGroupAssignment

Intune device config v2 service limits

Request type	Limit per tenant for all apps	Limit per app per tenant
POST, PUT, DELETE, PATCH	200 requests per 20 seconds	100 requests per 20 seconds
Any	2000 requests per 20 seconds	1000 requests per 20 seconds

The preceding limits apply to the following resources:

deviceManagementConfigurationCategory deviceManagementConfigurationChoiceSettingCollectionDefinition deviceManagementConfigurationChoiceSettingDefinition deviceManagementConfigurationPolicy deviceManagementConfigurationPolicyAssignment deviceManagementConfigurationPolicyTemplate deviceManagementConfigurationSetting	deviceManagementConfigurationSettingDefinition deviceManagementConfigurationSettingGroupCollectionDefinition deviceManagementConfigurationSettingGroupDefinition deviceManagementConfigurationSettingTemplate deviceManagementConfigurationSimpleSettingCollectionDefinition deviceManagementConfigurationSimpleSettingDefinition deviceManagementReusablePolicySetting

Intune device configuration service limits

Request type	Limit per tenant for all apps	Limit per app per tenant
POST, PUT, DELETE, PATCH	200 requests per 20 seconds	100 requests per 20 seconds
Any	2000 requests per 20 seconds	1000 requests per 20 seconds

The preceding limits apply to the following resources:

advancedThreatProtectionOnboardingDeviceSettingState advancedThreatProtectionOnboardingStateSummary androidCertificateProfileBase androidCompliancePolicy androidCustomConfiguration androidDeviceComplianceLocalActionBase androidDeviceComplianceLocalActionLockDevice androidDeviceComplianceLocalActionLockDeviceWithPasscode androidDeviceOwnerCertificateProfileBase androidDeviceOwnerCompliancePolicy androidDeviceOwnerDerivedCredentialAuthenticationConfiguration androidDeviceOwnerEnterpriseWiFiConfiguration androidDeviceOwnerGeneralDeviceConfiguration androidDeviceOwnerImportedPFXCertificateProfile androidDeviceOwnerPkcsCertificateProfile androidDeviceOwnerScepCertificateProfile androidDeviceOwnerTrustedRootCertificate androidDeviceOwnerVpnConfiguration androidDeviceOwnerWiFiConfiguration androidEasEmailProfileConfiguration androidEnterpriseWiFiConfiguration androidForWorkCertificateProfileBase androidForWorkCompliancePolicy androidForWorkCustomConfiguration androidForWorkEasEmailProfileBase androidForWorkEnterpriseWiFiConfiguration androidForWorkGeneralDeviceConfiguration androidForWorkGmailEasConfiguration androidForWorkImportedPFXCertificateProfile androidForWorkNineWorkEasConfiguration androidForWorkPkcsCertificateProfile androidForWorkScepCertificateProfile androidForWorkTrustedRootCertificate androidForWorkVpnConfiguration androidForWorkWiFiConfiguration androidGeneralDeviceConfiguration androidImportedPFXCertificateProfile androidOmaCpConfiguration androidPkcsCertificateProfile androidScepCertificateProfile androidTrustedRootCertificate androidVpnConfiguration androidWiFiConfiguration androidWorkProfileCertificateProfileBase androidWorkProfileCompliancePolicy androidWorkProfileCustomConfiguration androidWorkProfileEasEmailProfileBase androidWorkProfileEnterpriseWiFiConfiguration androidWorkProfileGeneralDeviceConfiguration androidWorkProfileGmailEasConfiguration androidWorkProfileNineWorkEasConfiguration androidWorkProfilePkcsCertificateProfile androidWorkProfileScepCertificateProfile androidWorkProfileTrustedRootCertificate androidWorkProfileVpnConfiguration androidWorkProfileWiFiConfiguration aospDeviceOwnerCompliancePolicy aospDeviceOwnerDeviceConfiguration appleDeviceFeaturesConfigurationBase appleExpeditedCheckinConfigurationBase appleVpnConfiguration cartToClassAssociation defaultDeviceCompliancePolicy deviceComplianceActionItem deviceComplianceDeviceOverview deviceComplianceDeviceStatus deviceCompliancePolicy deviceCompliancePolicyAssignment deviceCompliancePolicyDeviceStateSummary deviceCompliancePolicyGroupAssignment deviceCompliancePolicySettingStateSummary deviceCompliancePolicyState deviceComplianceScheduledActionForRule deviceComplianceSettingState deviceComplianceUserOverview deviceComplianceUserStatus deviceConfiguration deviceConfigurationAssignment deviceConfigurationConflictSummary deviceConfigurationDeviceOverview deviceConfigurationDeviceStateSummary deviceConfigurationDeviceStatus deviceConfigurationGroupAssignment deviceConfigurationState deviceConfigurationUserOverview deviceConfigurationUserStateSummary deviceConfigurationUserStatus deviceManagement deviceSetupConfiguration easEmailProfileConfigurationBase editionUpgradeConfiguration iosCertificateProfile iosCertificateProfileBase iosCompliancePolicy iosCustomConfiguration

iosDerivedCredentialAuthenticationConfiguration iosDeviceFeaturesConfiguration iosEasEmailProfileConfiguration iosEducationDeviceConfiguration iosEduDeviceConfiguration iosEnterpriseWiFiConfiguration iosExpeditedCheckinConfiguration iosGeneralDeviceConfiguration iosikEv2VpnConfiguration iosImportedPFXCertificateProfile iosPkcsCertificateProfile iosScepCertificateProfile iosTrustedRootCertificate iosUpdateConfiguration iosUpdateDeviceStatus iosVpnConfiguration iosWiFiConfiguration macOSCertificateProfileBase macOSCompliancePolicy macOSCustomAppConfiguration macOSCustomConfiguration macOSDeviceFeaturesConfiguration macOSEndpointProtectionConfiguration macOSEnterpriseWiFiConfiguration macOSExtensionsConfiguration macOSGeneralDeviceConfiguration macOSImportedPFXCertificateProfile macOSPkcsCertificateProfile macOSScepCertificateProfile macOSSoftwareUpdateAccountSummary macOSSoftwareUpdateCategorySummary macOSSoftwareUpdateConfiguration macOSSoftwareUpdateStateSummary macOSTrustedRootCertificate macOSVpnConfiguration macOSWiFiConfiguration macOSWiredNetworkConfiguration managedAllDeviceCertificateState managedDeviceCertificateState managedDeviceEncryptionState managedDeviceMobileAppConfigurationState ndesConnector restrictedAppsViolation settingStateDeviceSummary sharedPCConfiguration softwareUpdateStatusSummary unsupportedDeviceConfiguration vpnConfiguration windows10CertificateProfileBase windows10CompliancePolicy windows10CustomConfiguration windows10DeviceFirmwareConfigurationInterface windows10EasEmailProfileConfiguration windows10EndpointProtectionConfiguration windows10EnterpriseModernAppManagementConfiguration windows10GeneralConfiguration windows10ImportedPFXCertificateProfile windows10MobileCompliancePolicy windows10NetworkBoundaryConfiguration windows10PFXImportCertificateProfile windows10PkcsCertificateProfile windows10SecureAssessmentConfiguration windows10TeamGeneralConfiguration windows10VpnConfiguration windows81CertificateProfileBase windows81CompliancePolicy windows81GeneralConfiguration windows81SCEPCertificateProfile windows81TrustedRootCertificate windows81VpnConfiguration windows81WifiImportConfiguration windowsAssignedAccessProfile windowsCertificateProfileBase windowsDefenderAdvancedThreatProtectionConfiguration windowsDeliveryOptimizationConfiguration windowsDomainJoinConfiguration windowsHealthMonitoringConfiguration windowsIdentityProtectionConfiguration windowsKioskConfiguration windowsPhone81CertificateProfileBase windowsPhone81CompliancePolicy windowsPhone81CustomConfiguration windowsPhone81GeneralConfiguration windowsPhone81ImportedPFXCertificateProfile windowsPhone81SCEPCertificateProfile windowsPhone81TrustedRootCertificate windowsPhone81VpnConfiguration windowsPhoneEASEmailProfileConfiguration windowsPrivacyDataAccessControlItem windowsUpdateForBusinessConfiguration windowsUpdateState windowsVpnConfiguration windowsWifiConfiguration windowsWifiEnterpriseEAPConfiguration

Intune device enrollment service limits

Request type	Limit per tenant for all apps	Limit per app per tenant
POST, PUT, DELETE, PATCH	200 requests per 20 seconds	100 requests per 20 seconds
Any	2000 requests per 20 seconds	1000 requests per 20 seconds

The preceding limits apply to the following resources:

complianceManagementPartner deviceAppManagement deviceCategory deviceComanagementAuthorityConfiguration deviceEnrollmentConfiguration deviceEnrollmentLimitConfiguration deviceEnrollmentPlatformRestrictionsConfiguration deviceEnrollmentWindowsHelloForBusinessConfiguration deviceManagementExchangeConnector	deviceManagementExchangeOnPremisesPolicy deviceManagementPartner enrollmentConfigurationAssignment mobileThreatDefenseConnector onPremisesConditionalAccessSettings sideLoadingKey vppToken windows10EnrollmentCompletionPageConfiguration

Intune device intent service limits

Request type	Limit per tenant for all apps	Limit per app per tenant
POST, PUT, DELETE, PATCH	200 requests per 20 seconds	100 requests per 20 seconds
Any	2000 requests per 20 seconds	1000 requests per 20 seconds

The preceding limits apply to the following resources:

deviceManagementAbstractComplexSettingDefinition deviceManagementAbstractComplexSettingInstance deviceManagementBooleanSettingInstance deviceManagementCollectionSettingDefinition deviceManagementCollectionSettingInstance deviceManagementComplexSettingDefinition deviceManagementComplexSettingInstance deviceManagementIntegerSettingInstance deviceManagementIntent deviceManagementIntentAssignment deviceManagementIntentDeviceSettingStateSummary deviceManagementIntentDeviceState deviceManagementIntentDeviceStateSummary deviceManagementIntentSettingCategory

deviceManagementIntentUserState deviceManagementIntentUserStateSummary deviceManagementSettingCategory deviceManagementSettingDefinition deviceManagementSettingInstance deviceManagementStringSettingInstance deviceManagementTemplate deviceManagementTemplateSettingCategory securityBaselineCategoryStateSummary securityBaselineDeviceState securityBaselineSettingState securityBaselineState securityBaselineStateSummary securityBaselineTemplate

Intune devices service limits

Request type	Limit per tenant for all apps	Limit per app per tenant
POST, PUT, DELETE, PATCH	400 requests per 20 seconds	200 requests per 20 seconds
Any	4000 requests per 20 seconds	2000 requests per 20 seconds

The preceding limits apply to the following resources:

applePushNotificationCertificate appLogCollectionRequest cloudPCConnectivityIssue comanagementEligibleDevice dataSharingConsent detectedApp deviceComplianceScript deviceComplianceScriptDeviceState deviceComplianceScriptRunSummary deviceCustomAttributeShellScript deviceHealthScript deviceHealthScriptAssignment deviceHealthScriptDeviceState deviceHealthScriptRunSummary deviceLogCollectionResponse deviceManagementScript deviceManagementScriptAssignment deviceManagementScriptDeviceState deviceManagementScriptGroupAssignment deviceManagementScriptRunSummary deviceManagementScriptUserState deviceShellScript malwareStateForWindowsDevice managedDevice managedDeviceOverview remoteActionAudit userExperienceAnalyticsAppHealthApplicationPerformance userExperienceAnalyticsAppHealthAppPerformanceByAppVersion userExperienceAnalyticsAppHealthAppPerformanceByOSVersion userExperienceAnalyticsAppHealthDeviceModelPerformance

userExperienceAnalyticsAppHealthDevicePerformance userExperienceAnalyticsAppHealthDevicePerformanceDetails userExperienceAnalyticsAppHealthOSVersionPerformance userExperienceAnalyticsBaseline userExperienceAnalyticsCategory userExperienceAnalyticsDevicePerformance userExperienceAnalyticsDeviceScores userExperienceAnalyticsDeviceStartupHistory userExperienceAnalyticsDeviceStartupProcess userExperienceAnalyticsDeviceStartupProcessPerformance userExperienceAnalyticsDeviceWithoutCloudIdentity userExperienceAnalyticsImpactingProcess userExperienceAnalyticsMetric userExperienceAnalyticsMetricHistory userExperienceAnalyticsNotAutopilotReadyDevice userExperienceAnalyticsOverview userExperienceAnalyticsRegressionSummary userExperienceAnalyticsRemoteConnection userExperienceAnalyticsResourcePerformance userExperienceAnalyticsScoreHistory userExperienceAnalyticsWorkFromAnywhereDevice userExperienceAnalyticsWorkFromAnywhereMetric windowsDeviceMalwareState windowsMalwareInformation windowsManagedDevice windowsManagementApp windowsManagementAppHealthState windowsManagementAppHealthSummary windowsProtectionState

Intune endpoint protection service limits

Request type	Limit per tenant for all apps	Limit per app per tenant
POST, PUT, DELETE, PATCH	200 requests per 20 seconds	100 requests per 20 seconds
Any	2000 requests per 20 seconds	1000 requests per 20 seconds

The preceding limits apply to the following resources:

deviceManagementDerivedCredentialSettings deviceManagementResourceAccessProfileAssignment deviceManagementResourceAccessProfileBase windows10XCertificateProfile windows10XSCEPCertificateProfile windows10XTrustedRootCertificate windows10XVpnConfiguration windows10XWifiConfiguration

Intune enrollment service limits

Request type	Limit per tenant for all apps	Limit per app per tenant
POST, PUT, DELETE, PATCH	200 requests per 20 seconds	100 requests per 20 seconds
Any	2000 requests per 20 seconds	1000 requests per 20 seconds

The preceding limits apply to the following resources:

complianceManagementPartner deviceAppManagement deviceCategory deviceComanagementAuthorityConfiguration deviceEnrollmentConfiguration deviceEnrollmentLimitConfiguration deviceEnrollmentPlatformRestrictionsConfiguration deviceEnrollmentWindowsHelloForBusinessConfiguration deviceManagementExchangeConnector	deviceManagementExchangeOnPremisesPolicy deviceManagementPartner enrollmentConfigurationAssignment mobileThreatDefenseConnector onPremisesConditionalAccessSettings sideLoadingKey vppToken windows10EnrollmentCompletionPageConfiguration

Intune GPAnalytics service limits

Request type	Limit per tenant for all apps	Limit per app per tenant
POST, PUT, DELETE, PATCH	200 requests per 20 seconds	100 requests per 20 seconds
Any	2000 requests per 20 seconds	1000 requests per 20 seconds

The preceding limits apply to the following resources:

groupPolicyMigrationReport groupPolicyObjectFile groupPolicySettingMapping unsupportedGroupPolicyExtension

Intune managed applications service limits

Request type	Limit per tenant for all apps	Limit per app per tenant
POST, PUT, DELETE, PATCH	200 requests per 20 seconds	100 requests per 20 seconds
Any	2000 requests per 20 seconds	1000 requests per 20 seconds

The preceding limits apply to the following resources:

androidManagedAppProtection androidManagedAppRegistration defaultManagedAppProtection iosManagedAppProtection iosManagedAppRegistration managedAppConfiguration managedAppOperation managedAppPolicy managedAppPolicyDeploymentSummary managedAppProtection managedAppRegistration managedAppStatus	managedAppStatusRaw managedMobileApp mdmWindowsInformationProtectionPolicy targetedManagedAppConfiguration targetedManagedAppPolicyAssignment targetedManagedAppProtection windowsInformationProtection windowsInformationProtectionAppLockerFile windowsInformationProtectionDeviceRegistration windowsInformationProtectionPolicy windowsInformationProtectionWipeAction

Intune notifications service limits

Request type	Limit per tenant for all apps	Limit per app per tenant
POST, PUT, DELETE, PATCH	200 requests per 20 seconds	100 requests per 20 seconds
Any	2000 requests per 20 seconds	1000 requests per 20 seconds

The preceding limits apply to the following resources:

localizedNotificationMessage notificationMessageTemplate

Intune ODJ service limits

Request type	Limit per tenant for all apps	Limit per app per tenant
POST, PUT, DELETE, PATCH	200 requests per 20 seconds	100 requests per 20 seconds
Any	2000 requests per 20 seconds	1000 requests per 20 seconds

The preceding limits apply to the following resources:

deviceManagementDomainJoinConnector

Intune partner integration service limits

Request type	Limit per tenant for all apps	Limit per app per tenant
POST, PUT, DELETE, PATCH	200 requests per 20 seconds	100 requests per 20 seconds
Any	2000 requests per 20 seconds	1000 requests per 20 seconds

The preceding limits apply to the following resources:

appVulnerabilityManagedDevice appVulnerabilityMobileApp appVulnerabilityTask configManagerCollection deviceAppManagementTask securityConfigurationTask unmanagedDeviceDiscoveryTask vulnerableManagedDevice

Intune rbac service limits

Request type	Limit per tenant for all apps	Limit per app per tenant
POST, PUT, DELETE, PATCH	200 requests per 20 seconds	100 requests per 20 seconds
Any	2000 requests per 20 seconds	1000 requests per 20 seconds

The preceding limits apply to the following resources:

deviceAndAppManagementRoleAssignment deviceAndAppManagementRoleDefinition resourceOperation roleAssignment roleDefinition roleScopeTag roleScopeTagAutoAssignment

Intune remote assistance service limits

Request type	Limit per tenant for all apps	Limit per app per tenant
POST, PUT, DELETE, PATCH	200 requests per 20 seconds	100 requests per 20 seconds
Any	2000 requests per 20 seconds	1000 requests per 20 seconds

The preceding limits apply to the following resources:

remoteAssistancePartner remoteAssistanceSettings

Intune telephony service limits

Request type	Limit per tenant for all apps	Limit per app per tenant
POST, PUT, DELETE, PATCH	200 requests per 20 seconds	100 requests per 20 seconds
Any	2000 requests per 20 seconds	1000 requests per 20 seconds

The preceding limits apply to the following resources:

embeddedSIMActivationCodePool embeddedSIMActivationCodePoolAssignment embeddedSIMDeviceState

Intune TEM service limits

Request type	Limit per tenant for all apps	Limit per app per tenant
POST, PUT, DELETE, PATCH	200 requests per 20 seconds	100 requests per 20 seconds
Any	2000 requests per 20 seconds	1000 requests per 20 seconds

The preceding limits apply to the following resources:

telecomExpenseManagementPartner

Intune troubleshooting service limits

Request type	Limit per tenant for all apps	Limit per app per tenant
POST, PUT, DELETE, PATCH	200 requests per 20 seconds	100 requests per 20 seconds
Any	2000 requests per 20 seconds	1000 requests per 20 seconds

The preceding limits apply to the following resources:

appleVppTokenTroubleshootingEvent deviceManagementAutopilotEvent deviceManagementAutopilotPolicyStatusDetail deviceManagementTroubleshootingEvent enrollmentTroubleshootingEvent mobileAppIntentAndState mobileAppTroubleshootingEvent

Intune unlock service limits

Request type	Limit per tenant for all apps	Limit per app per tenant
POST, PUT, DELETE, PATCH	200 requests per 20 seconds	100 requests per 20 seconds
Any	2000 requests per 20 seconds	1000 requests per 20 seconds

The preceding limits apply to the following resources:

windowsDefenderApplicationControlSupplementalPolicy windowsDefenderApplicationControlSupplementalPolicyAssignment windowsDefenderApplicationControlSupplementalPolicyDeploymentStatus windowsDefenderApplicationControlSupplementalPolicyDeploymentSummary

Intune updates service limits

Request type	Limit per tenant for all apps	Limit per app per tenant
POST, PUT, DELETE, PATCH	200 requests per 20 seconds	100 requests per 20 seconds
Any	2000 requests per 20 seconds	1000 requests per 20 seconds

The preceding limits apply to the following resources:

windowsFeatureUpdateCatalogItem windowsFeatureUpdateProfile windowsFeatureUpdateProfileAssignment windowsQualityUpdateCatalogItem windowsQualityUpdateProfile windowsQualityUpdateProfileAssignment windowsUpdateCatalogItem

Intune wip service limits

Request type	Limit per tenant for all apps	Limit per app per tenant
POST, PUT, DELETE, PATCH	200 requests per 20 seconds	100 requests per 20 seconds
Any	2000 requests per 20 seconds	1000 requests per 20 seconds

The preceding limits apply to the following resources:

intuneBrandingProfile intuneBrandingProfileAssignment windowsInformationProtectionAppLearningSummary windowsInformationProtectionNetworkLearningSummary

Invitation manager service limits

The following limits apply to any request on /invitations.

Operation	Limit per tenant for all apps
Any operation	150 requests per 5 seconds

Microsoft 365 reports service limits

The following limits apply to any request on /reports.

Operation	Limit per app per tenant	Limit per tenant for all apps
Any request (CSV)	14 requests per 10 minutes	40 requests per 10 minutes
Any request (JSON, beta)	100 requests per 10 minutes	n/a

The preceding limits apply individually to each report API. For example, a request to the Microsoft Teams user activity report API and a request to the Outlook user activity report API within 10 minutes count as one request out of 14 for each API, not two requests out of 14 for both.

The preceding limits apply to all usage reports resources.

Microsoft Teams service limits

Limits are expressed as requests per second (rps).

Teams request type	Limit per app per tenant	Limit per app across all tenants
GET team	30 rps	600 rps
GET channel	30 rps	600 rps
GET tab for channel, chat	30 rps	600 rps
GET installedApps for chat, user, team	30 rps	600 rps
GET appCatalogs	30 rps	600 rps
POST channel	30 rps	300 rps
POST tab for channel or chat	30 rps	300 rps
POST installedApps for chat, user, team	30 rps	300 rps
POST appCatalogs	30 rps	300 rps
PATCH team, channel, tab	30 rps	300 rps
DELETE channel	15 rps	150 rps
DELETE tab for chat, channel	15 rps	150 rps
DELETE installedApps for chat, user, team	15 rps	150 rps
DELETE appCatalogs	15 rps	150 rps
GET /teams/{team-id}, joinedTeams	30 rps	300 rps
POST /teams	10 rps	100 rps
PUT /groups/{team-id}/team	Six rps	150 rps
POST /{team-id}/ clone	Six rps	150 rps
GET channel message	20 rps	200 rps
GET 1:1/group chat message	20 rps	200 rps
POST channel message	50 rps	500 rps
POST 1:1/group chat message	20 rps	200 rps
GET /teams/{team-id}/schedule and all APIs under this path	30 rps	600 rps
POST /teams/{team-id}/schedule and all APIs under this path	30 rps	300 rps
PUT /teams/{team-id}/schedule and all APIs under this path	30 rps	300 rps
POST /teams/{team-id}/sendActivityNotification	Five rps	50 rps
POST /chats/{chat-id}/sendActivityNotification	Five rps	50 rps
POST /users/{user-id}/teamwork/sendActivityNotification	Five rps	50 rps
POST /teamwork/sendActivityNotificationToRecipients	Two rps	20 rps
GET /teams/{team-id}/members	60 rps	1200 rps
GET /teams/{team-id}/channels	60 rps	1200 rps
GET /teams/{team-id}/channels/{channel-id}/members	60 rps	1200 rps
Get all channel messages for a team GET teams/{team-id}/channels/getAllMessages GET teams/{team-id}/channels/allMessages	200rps	1000rps
Get all chat messages for a user GET users/{user-id}/chats/getAllMessages GET users/{user-id}/chats/allMessages	200rps	1000rps
Other GET API calls for Microsoft Teams	30 rps	1500 rps
Other API calls for Microsoft Teams	30 rps	300 rps

A maximum of four requests per second per app can be issued on a given team or channel.

A maximum of one request per second per user can be issued when doing POST message in a given chat or channel (This throttling limit doesn't apply to migration).

See also Microsoft Teams limits and polling requirements.

The preceding limits apply to the following resources:

aadUserConversationMember changeTrackedEntity channel chatMessage chatMessageHostedContent conversationMember offerShiftRequest openShift openShiftChangeRequest schedule schedulingGroup shift shiftPreferences	swapShiftsChangeRequest team teamsApp teamsAppDefinition teamsAppInstallation teamsAsyncOperation teamsTab teamsTemplate teamwork timeOff timeOffReason timeOffRequest userSettings workforceIntegration

Multitenant management service limits

Request type	Limit per tenant for all apps	Limit per app per tenant
POST, PUT, DELETE, PATCH	200 requests per 20 seconds	100 requests per 20 seconds
Any	2000 requests per 20 seconds	1000 requests per 20 seconds

The preceding limits apply to the following resources:

aggregatedPolicyCompliance cloudPcConnection cloudPcDevice cloudPcOverview conditionalAccessPolicyCoverage credentialUserRegistrationsSummary deviceCompliancePolicySettingStateSummary managedDeviceCompliance managedDeviceComplianceTrend managedTenant managementAction managementActionTenantDeploymentStatus	managementIntent managementTemplate riskyUser tenant tenantCustomizedInformation tenantDetailedInformation tenantGroup tenantRelationship tenantTag windowsDeviceMalwareState windowsProtectionState

OneNote service limits

Limit type	Limit per app per user (delegated context)	Limit per app (app-only context)
Requests rate	120 requests per 1 minute and 400 per 1 hour	240 requests per 1 minute and 800 per 1 hour
Concurrent requests	Five concurrent requests	20 concurrent requests

The preceding limits apply to the following resources:

notebook onenote onenoteOperation onenotePage onenoteResource onenoteSection sectionGroup

You can find additional information about best practices in OneNote API throttling and how to avoid it.

Note

The resources listed earlier do not return a Retry-After header on 429 Too Many Requests responses.

Open and schema extensions service limits

Request type	Limit per app per tenant
Any	455 requests per 10 seconds

The preceding limits apply to the following resources:

administrativeUnit contact device event group message	openTypeExtension organization post schemaExtension user

Outlook service limits

Outlook service limits apply to the public cloud and national cloud deployments.

Limits per app ID and mailbox combination

The Outlook service applies limits to each app ID and mailbox combination - that is, a specific app accessing a specific user or group mailbox. Exceeding the limit for one mailbox doesn't affect the ability of the application to access another mailbox.

Limit	Applies to
10,000 API requests in a 10 minute period	v1.0 and beta endpoints
Four concurrent requests	v1.0 and beta endpoints
150 megabytes (MB) upload (PATCH, POST, PUT) in a 5-minute period	v1.0 and beta endpoints

Outlook service resources

API	Resources
Search API (preview)	External item (Microsoft Search)
Profile API	Photo
Calendar API	event eventMessage calendar calendarGroup outlookCategory attachment place (preview)
Mail API	message mailFolder mailSearchFolder messageRule outlookCategory attachment
Personal contacts API	contact contactFolder outlookCategory
Social and workplace intelligence	person
To-do tasks API (preview)	outlookTask outlookTaskFolder outlookTaskGroup outlookCategory attachment

Outlook service limits for JSON batching

When an app makes a JSON batch request that consists of multiple, unordered individual requests to the Outlook service, by default, Microsoft Graph sends the Outlook service up to four individual requests from the batch at a time, regardless of the target mailboxes of those requests. The Outlook service can execute these requests in parallel at any point, also irrespective of the target mailbox. Since Microsoft Graph sends only up to four requests to run in parallel, the execution of that batch stays within Outlook's concurrency limits for the same mailbox.

Alternatively, an app can use the dependsOn property to order requests within a batch. Microsoft Graph sends the Outlook service one request from the batch at a time following the specified order, and Outlook executes each individual request in the batch sequentially.

In other words, when targeting the same mailbox, apps that allow multiple batch requests to run in parallel can use either of the following approaches:

• If the individual requests don't have to be ordered, have individual requests from a single batch run concurrently.
• Use the dependsOn property to order requests in a batch, and have up to four such batch requests run concurrently.

Project Rome service limits

Request type	Limit per user for all apps
GET	400 requests per 5 minutes and 12,000 requests per one day
POST, PUT, PATCH, DELETE	100 requests per 5 minutes and 8,000 requests per one day

The preceding limits apply to the following resources:

• activityHistoryItem
• userActivity

Security detections and incidents service limits

The following limits apply to any request on /security.

Operation	Limit per app per tenant
Any operation on alert, securityActions, secureScore	150 requests per minute
Any operation on tiIndicator	1,000 requests per minute
Any operation on secureScore or secureScorecontrolProfile	10,000 API requests in a 10-minute period
Any operation on secureScore or secureScorecontrolProfile	Four concurrent requests

Security eDiscovery service limits

The following limits apply to any request on /security/eDiscoveryCases.

Operation	Limit per app per tenant
Any	Five requests per minute

Service Communications service limits

The following limits apply to any type of requests for service communications under /admin/serviceAnnouncement/.

Request type	Limit per app per tenant
Any	240 requests per 60 seconds
Any	800 requests per hour

Subscription service limits

Request type	Limit per app for all tenants	Limit per app per tenant
POST, PUT, DELETE, PATCH	2000 requests per 20 seconds	500 requests per 20 seconds
POST /reauthorize subscription by ID	4000 requests per 20 seconds	1000 requests per 20 seconds
GET Subscription by Id	2000 requests per 20 seconds	500 requests per 20 seconds
GET Subscription List	40 requests per 20 seconds	25 requests per 20 seconds

The preceding limits apply to the subscription resource.

Tasks and plans service limits

Service limits for Planner aren't available.

The preceding information applies to the following resources:

planner plannerAssignedToTaskBoardTaskFormat plannerBucket plannerBucketTaskBoardTaskFormat plannerGroup plannerPlan	plannerPlanDetails plannerProgressTaskBoardTaskFormat plannerTask plannerTaskDetails plannerUser

Viva Engage service limits

Viva Engage API calls are subject to rate limiting, allowing 10 requests per user, per app, within a 30-second time period. When you exceed the rate limit, all subsequent requests return a 429 Too Many Requests response code.

Related content

• Best practices for working with Microsoft Graph