Microsoft 365 Defender APIs license and terms of use

Applies to:

  • Microsoft 365 Defender


Some information relates to a prereleased product that may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Official terms

Microsoft 365 Defender APIs are governed by the Microsoft APIs license and terms of use.

Microsoft and any contributors grant you a license to the Microsoft documentation and other content in this repository, under the Creative Commons Attribution 4.0 International Public License. For more information, see the LICENSE file.

Microsoft, Windows, Microsoft Azure and/or other Microsoft products and services referenced in the documentation may be either trademarks or registered trademarks of Microsoft in the United States and/or other countries.

The licenses for this project don't grant you rights to use any Microsoft names, logos, or trademarks. Microsoft's general trademark guidelines can be found at Microsoft Trademarks.

Privacy information can be found at Privacy at Microsoft.

Microsoft and any contributors reserve all other rights, whether under their respective copyrights, patents, or trademarks, whether by implication, estoppel or otherwise.

Other restrictions

The advanced hunting API limits both the number of results returned and the data that can be queried:

  1. You can only query data from the past 30 days.
  2. The results will include a maximum of 100,000 rows.

Quotas and resource allocation

The Microsoft 365 Defender APIs have throttling thresholds.

  • Incidents API: Up to 50 calls per minute or 1500 calls per hour.
  • Advanced Hunting API: Up to 45 calls per minute, 10 minutes of running time per hour, and 4 hours of running time per day.

The HTTP response status code indicating throttling is 429.

If your request has been throttled, the response body will indicate the time when you can start making requests again.
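
For automation that polls incidents, the two Incidents API thresholds above can be enforced on the client before a request is sent. The following is an added example, not Microsoft's code: `CallBudget` and `schedule` are hypothetical names, time is passed in as plain seconds so the logic can be checked offline, and the running-time limits of the Advanced Hunting API are not modeled.

```python
from collections import deque

# Limits stated on this page for the Incidents API: (max calls, window in seconds).
INCIDENTS_LIMITS = [(50, 60.0), (1500, 3600.0)]


class CallBudget:
    """Client-side sliding-window budget over several (max_calls, window) limits."""

    def __init__(self, limits):
        self.limits = sorted(limits, key=lambda limit: limit[1])
        self.longest = self.limits[-1][1]
        self.calls = deque()  # timestamps of recorded calls, oldest first

    def _prune(self, now):
        # Calls older than the longest window no longer count against any limit.
        while self.calls and now - self.calls[0] >= self.longest:
            self.calls.popleft()

    def wait_time(self, now):
        """Seconds to wait at time `now` before one more call fits every limit."""
        self._prune(now)
        wait = 0.0
        for max_calls, window in self.limits:
            in_window = [t for t in self.calls if now - t < window]
            if len(in_window) >= max_calls:
                # This call must age out of the window before another one fits.
                blocker = in_window[-max_calls]
                wait = max(wait, blocker + window - now)
        return wait

    def record(self, now):
        """Register a call sent at time `now`."""
        self.calls.append(now)


def schedule(budget, request_times):
    """Return the send time of each request, delayed where the budget requires."""
    sent = []
    clock = 0.0
    for arrival in request_times:
        clock = max(clock, arrival)
        clock += budget.wait_time(clock)
        budget.record(clock)
        sent.append(clock)
    return sent


if __name__ == "__main__":
    # Constructed input: 60 requests that all become ready at t=0.
    print(schedule(CallBudget(INCIDENTS_LIMITS), [0.0] * 60))
```

A client-side budget does not replace handling a 429 response; when one arrives, wait until the time given in the response body.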