Skip to main content This browser is no longer supported. Show
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
In this articleFind out about throttling in SharePoint Online and learn how to avoid being throttled or blocked.
Does this sound familiar? You're running an application - for example, to scan files in SharePoint Online - but you get throttled. Or even worse, you get blocked. What's going on and what can you do to make it stop? What is throttling?SharePoint Online uses throttling to maintain optimal performance and reliability of the SharePoint Online service. Throttling limits the number of API calls or operations within a time window to prevent overuse of resources. What happens when you get throttled in SharePoint Online?When usage limits are exceeded, SharePoint Online throttles any further requests from that client for a short period. For requests that a user performs directly in the browser, SharePoint Online redirects you to the throttling information page, and the requests fail. For requests that an application makes, including Microsoft Graph, CSOM or REST calls, SharePoint Online returns HTTP status code 429 ("Too many requests") or 503 ("Server Too Busy") and the requests will fail.
In both cases, a Retry-After header is included in the response indicating how long the calling application should wait before retrying or making a new request. Throttled requests count towards usage limits, so failure to honor Retry-After may result in more throttling. If the offending application continues to exceed usage limits, SharePoint Online may completely block the application or specific request patterns from the application; in this case, the application will keep getting HTTP status code 503, and Microsoft will notify the tenant of the block in the Office 365 Message Center. User ThrottlingThrottling limits the number of calls and operations collectively made by applications on behalf of a user to prevent overuse of resources. That said, it's rare for a user to get throttled in SharePoint Online. The service is robust, and it's designed to handle high volume. If you do get throttled, 99% of the time it is because of custom code, such as custom web parts, complex list view and queries, or custom apps users run. That doesn’t mean that there aren’t other ways to get throttled, just that they’re less common. For example, one user syncing a large amount of data across 10 machines at the same time could trigger throttling. Application ThrottlingIn addition to throttling by user account, limits are also applied to applications in a tenant. Every application has its own limits in a tenant, which are based on the number of licenses purchased per organization (see the plans listed on SharePoint Limits for licenses included). Every request that an application makes across all API endpoints, including Microsoft Graph, CSOM and REST, counts towards the application’s usage. SharePoint provides various APIs. Different APIs have different costs depending on the complexity of the API. The cost of APIs is normalized by SharePoint and expressed by resource units. Application’s limits are also defined using resource units. The table below defines the resource unit limits for an application in a tenant:
Note We reserve the right to change the resource unit limits. In terms of API costs, Microsoft Graph APIs have a predetermined resource unit cost per request:
Note We reserve the right to change the API resource unit cost. Delta with a token is the most efficient way to scan content in SharePoint, and we talk more in details at the best practices for scanning applications. To help applications that follow the guidance, we lower the resource unit cost of delta requests with a token to 1 resource unit, although it's a multi-item query. The delta request without a token is considered a multi-item query and costs 2 resource units per request. In batching, requests in a batch are evaluated individually by resource units. CSOM and REST don't have a predetermined resource unit cost and they usually consume more resource units than Microsoft Graph APIs to achieve the same functionality. And in addition to resource unit limits, CSOM and REST are also subject to other internal resource limits, so if applications call CSOM and REST, they may experience more throttling than the limits described in this document. We highly recommend you choose Microsoft Graph APIs over CSOM and REST APIs when possible. Since application limits are in resource units, the actual request rate, such as requests per minute, depends on application’s API choice and the corresponding API resource unit cost. In general, you can estimate the request rate using an average of 2 resource units per request and divide resource unit limits by 2 to get the estimated request rate. Although each application has its own limits within a tenant and we allow tenants to run more than one application, multiple applications running against the same tenant share the same resource bucket, and in rare occurrences can cause rate limiting when too many applications send requests at the time. How to handle throttling?Below is a quick summary of the best practices to handle throttling:
As stated earlier, Microsoft Graph is cloud born APIs that have the latest improvements and optimizations. In general, Microsoft Graph consumes less resource than CSOM and REST to achieve the same functionality. Hence, adopting Microsoft Graph can improve application's performance and reduce throttling. If you do run into throttling, we require using the Retry-After HTTP header to ensure minimum delay until the throttle is removed. The RateLimit HTTP headers send you early signals when you're close to limits and you can proactively reduce requests to avoid hitting the throttle. Retry-after headerWhen applications experience throttling, SharePoint Online returns a Retry-After HTTP header in the request indicating how long in seconds the calling application should wait before retrying or making a new request. Honoring the Retry-After HTTP header is the fastest way to handle being throttled because SharePoint Online dynamically determines the right time to try again. Throttled requests count towards usage limits, so failure to honor Retry-After may result in more throttling. In other words, aggressive retries work against calling applications because even though the calls fail, they still count towards usage limits. Honoring the Retry-After HTTP header will ensure the shortest delay and reduce wasting quotas in throttled requests. RateLimit headers - previewIn addition to the Retry-After header in the response of throttled requests, SharePoint Online also returns the IETF RateLimit headers for selected limits in certain conditions to help applications manage rate limiting. We recommend applications to take advantage of these headers to avoid hitting throttle.
Note These headers are currently in beta and subject to change. At the time when the headers were adopted, the IETF specification was in draft. The current implementation is based on the draft-03 of the IETF specification. There is the potential for changes when the specification is final, and we will adapt to those changes in the future. The RateLimit headers are returned on a best-efforts basis, so applications may not receive the headers under all conditions. Additionally, there are other limits that aren't presented in the RateLimit headers, so applications can get throttled even before reaching the limit described in the RateLimit headers. Below is the list of limits that we support the RateLimit headers for. The policies and values are subject to change:
Below are some examples to help you understand the RateLimit headers:
How to decorate your http traffic?Well-decorated traffic will be prioritized over traffic that isn't properly decorated. What is the definition of undecorated traffic?
What are the recommendations?
Note Format of the user agent string is expected to follow RFC2616, so please follow up on the above guidance on the right separators. It is also fine to append existing user agent string with the requested information. The most common causes of per-user throttling in SharePoint Online are client-side object model (CSOM) or Representational State Transfer (REST) code that performs too many actions too frequently.
Scenario specific limitsWhen using app-only authentication with Sites.Read.All permissionWhen you're using SharePoint Online search APIs with app-only authentication and the app having Sites.Read.All permission (or stronger), the app will be registered with full permissions, and is allowed to query all your SharePoint Online content (including user’s private ODB content). To ensure the service remains fast and reliable, queries using such permission are throttled at 25 requests per second. The search query will return with an http 429 response. When waiting for throttling recovery, you should ensure to pause all search query requests you may be making to the service using similar app-only permission. Making more calls while receiving throttle responses will extend the time it takes for your app to become unthrottled. When searching for people search resultsWhen searching using a result source that requests people results, we may throttle any requests exceeding a limit of 25 requests per second. This limit applies jointly to all requests using the out-of-the-box "Local People Results" result source and all requests using custom people search result sources. If you have applications or components, which are causing your people search requests to get throttled, we recommend that you:
Blocking is the most extreme form of throttling. We rarely ever block a tenant, unless we detect long-term, excessive traffic that may threaten the overall health of the SharePoint Online service. We apply blocks to prevent excessive traffic from degrading the performance and reliability of SharePoint Online. A block - which is placed at the app or user level - prevents the offending process from running until you fix the problem. If we block your subscription, you must take action to modify the offending processes before the block can be removed. If we block your subscription, we'll notify you of the block in the Office 365 Message Center. The message describes what caused the block, provides guidance on how to resolve the offending issue, and tells you who to contact to get the block removed. See also
FeedbackSubmit and view feedback for Which of the following access control methods is based on permissions defined by a role such as manager authorized user or guest )?control. An access control method based on an object's owner and permissions granted by the owner is referred to as: discretionary access control (DAC).
What is it called if a hacker takes down multiple services very quickly with the help of botnets?What is it called if a hacker takes down multiple services very quickly with the help of botnets? Distributed denial-of-service (DDoS)
Which explains how US tariffs affect the prices of Chinese and US goods quizlet?Which explains how US tariffs affect the prices of Chinese and US goods? They make Chinese goods more expensive and US goods comparatively cheaper.
Which type of cyberattack sends extremely high volumes of network traffic such as packets data or transactions that render the victim's network unavailable or unusable?___ botnet attacks are a type of cyberattack in which extremely high volumes of network traffic such as packets, data or transactions are sent to the target victim's network to make their network and systems (ie e-commerce website or web app) unavailable or unusable.
|