Azure Key Vault · Rate Limits

Microsoft Azure Key Vault Rate Limits

Azure Key Vault enforces per-vault and per-subscription/region request-rate limits separately for HSM and non-HSM operations. Limits are intentionally low compared to general data services because Key Vault is a control-plane-style service. Managed HSM has its own higher per-pool transaction limits.

Microsoft Azure Key Vault Rate Limits is the machine-readable rate-limit profile for Azure Key Vault on the APIs.io network, conforming to the API Commons Rate Limits specification.

It captures 7 rate-limit definitions, measuring requests_per_10_seconds and requests_per_second.

The profile also includes 4 backoff/retry policies defined and response codes documented for throttled.

Tagged areas include Rate Limiting, Security, Key Management, and Microsoft Azure.

7 Limits Throttle: 429
Rate LimitingSecurityKey ManagementMicrosoft Azure

Limits

HSM keys - other transactions per vault per 10s vault
requests_per_10_seconds · second
1000
HSM keys - cryptographic operations per vault per 10s vault
requests_per_10_seconds
see Azure Key Vault service limits (varies by key type)
Software keys - cryptographic operations per vault per 10s vault
requests_per_10_seconds · second
2000
Software keys - other operations per vault per 10s vault
requests_per_10_seconds · second
4000
Secrets, managed storage, vault transactions per vault per 10s vault
requests_per_10_seconds · second
4000
Subscription/region aggregate subscription/region
requests_per_10_seconds
see Azure Key Vault service limits (per subscription per region)
Managed HSM transactions managed_hsm
requests_per_second
see Managed HSM throughput targets

Policies

Honor Retry-After
Wait the duration specified in Retry-After before retrying. Throttling on Key Vault is by design tighter than data-plane services.
Cache and reuse access tokens
Acquire AAD access tokens once and reuse for the token lifetime; do not call AAD on every Key Vault operation.
Cache key material locally
For high-throughput crypto, use a Managed HSM with envelope encryption and cache the data encryption key (DEK) locally rather than calling Key Vault per operation.
Backoff with jitter
Apply exponential backoff with jitter on 429 responses to avoid retry storms across callers.

Sources