o365 throttling and its impact on Symantec CloudSOC
search cancel

o365 throttling and its impact on Symantec CloudSOC


Article ID: 236764


Updated On:


CASB Securlet SAAS


Office 365 Securet is throttled.

Possible 503 errors reported in CloudSOC investigate.

Does the o365 securlet rescan affect MSFT throttling?


Microsoft limits the API calls to its platform to prevent the overuse of resources and to maintain its performance and reliability.

Here’s Microsoft’s documentation on API throttling - https://learn.microsoft.com/en-us/graph/throttling . The exact quota of API is not specified. According to Microsoft, throttling limits vary based on the scenario.

It is possible that the consumers of the API, like CloudSOC could make a high number of API calls, especially when mass changes are made to SharePoint/ OneDrive/ Email data including: data migration, rights or data modification. Consequently, those API calls could be throttled by Microsoft.

When throttling occurs, CloudSOC will resend and process the API requests following Microsoft best practices. The Broadcom CASB team continues to work directly with Microsoft to ensure best practices are followed in order to be efficient.

Potential Actions:
  • No action required unless symptoms are unmanageable: (Major delays in inspection, SharePoint interface issues)
  • Broadcom support can verify the API calls are related to specific activity.
  • Microsoft support can verify the number of API calls are related to the o365 Securet App.

Impact of the O365 Securlet Re-scan Feature:

Symantec currently offers a re-scan of all exposed content. A customized re-scan of all content, including the unexposed content and limiting by user, site or time-frame can be performed by contacting support. Symantec is currently working on a feature that would support such customized re-scans.

The securlet re-scan will issue additional API calls which could cause additional throttling from Microsoft and could delay the receipt of events from Microsoft.

The re-scan message warns that the process could take from hours to days.

Without running a re-scan your documents are still protected as the document will be re-scanned the next time the document is touched.


Additional Information

Microsoft's throttling guide

Possible symptoms of throttling include:

  • A 503 messages may appear in CloudSOC investigate for activity.
  • O365 securlet activity may be delayed in CloudSOC investigate for SharePoint events. (Gatelet activity is not affected).
  • Microsoft SharePoint online customers could receive a Microsoft notification that their subscription is throttled because of excessive resource consumption from the app 'Office 365 Securlet'. The notification warns that the apps processes might fail.
  • 429 error, "Please wait" could be reported by CloudSOC or SharePoint back-end logs.