Microsoft Defender · Rate Limits

Microsoft Defender Rate Limits

Microsoft Defender rate limits depend on the API surface. The Microsoft Defender for Endpoint REST API (api.securitycenter.microsoft.com / api.security.microsoft.com) caps most endpoints at 100 calls per minute and 1,500 calls per hour per tenant per app, with some endpoints (advanced hunting, indicators) at lower limits. Defender for Cloud configuration goes through Azure Resource Manager (ARM) and uses the standard ARM token-bucket throttling. Microsoft Graph Security API calls are governed by Microsoft Graph throttling. All surfaces use HTTP 429 with Retry-After.

Microsoft Defender Rate Limits is the machine-readable rate-limit profile for Microsoft Defender on the APIs.io network, conforming to the API Commons Rate Limits specification.

It captures 6 rate-limit definitions, measuring requests_per_minute, requests_per_hour, queries_per_minute, indicators_per_tenant, and requests_per_10s.

The profile also includes 5 backoff/retry policies defined and response codes documented for throttled, serviceUnavailable, and forbidden.

Tagged areas include Security, Endpoint, XDR, Cloud Security, and Microsoft.

6 Limits Throttle: 429
SecurityEndpointXDRCloud SecurityMicrosoftRate Limiting

Limits

Defender for Endpoint API — general tenant/app
requests_per_minute · minute
100
100 calls per minute and 1,500 calls per hour per tenant per app for most endpoints.
Defender for Endpoint API — hourly cap tenant/app
requests_per_hour · hour
1500
1,500 calls per hour per tenant per app.
Advanced Hunting API tenant
queries_per_minute · minute
45
45 advanced-hunting queries per minute per tenant; 1,500 per hour. Each query has a 10-second runtime cap and 10,000-row result cap.
Indicators API tenant
indicators_per_tenant
15000
Maximum 15,000 file/IP/URL indicators per tenant.
Microsoft Graph Security app/tenant
requests_per_10s
see vendor docs
Standard Microsoft Graph throttling; many endpoints share the per-app per-tenant 130k/10s envelope.
Defender for Cloud configuration (ARM) subscription/region
requests_per_second · second
25
Standard ARM read bucket; writes share ARM write bucket of 10/sec.

Policies

Honor Retry-After
429 responses include Retry-After. Implement exponential backoff with jitter.
Use $batch for Microsoft Graph
Batch up to 20 Graph requests with a single HTTP call to reduce the per-app throttling pressure.
Page advanced hunting
Advanced Hunting caps result rows at 10,000 — paginate via timestamps for large time ranges.
App registration scope
Each app registration has its own per-tenant quota; spread automation across multiple apps if you need more headroom.
No support raise
Per-app quotas are typically not raised by support. Use Microsoft Graph Security streaming API (event hubs / log analytics) for high-volume telemetry.

Sources