
Client Throttling

Bogdan Gavril edited this page May 5, 2020 · 19 revisions

How does it work

MSAL detects certain conditions (see below) under which the application should not make repeated calls to AAD. If such a call is made, MSAL throws an MsalThrottledServiceException or an MsalThrottledUiRequiredException. These are subtypes of MsalServiceException, so this behaviour does not introduce a breaking change. If MSAL did not apply client-side throttling, the application would still be unable to acquire tokens, because AAD would return the error.

Conditions to get throttled

AAD is telling the application to back off

  • If the server is having problems or if an application is requesting tokens too often, AAD will respond with HTTP code 429 and a Retry-After header of X seconds. The application will see an MsalServiceException with the header details. The throttling state is maintained for those X seconds. Affects all flows. Introduced in 4.13.0.

AAD is having problems

  • If AAD is having problems, it may respond with an HTTP 5xx error code and no Retry-After header. The throttling state is maintained for 1 minute. Affects only public client flows. Introduced in 4.13.0.

Application is ignoring MsalUiRequiredException

  • MSAL throws MsalUiRequiredException when authentication cannot be resolved silently and the end-user needs to use a browser. This is a common occurrence when a tenant admin has introduced 2FA or when a user's password expires. Retrying the silent authentication cannot succeed. Affects only AcquireTokenSilent. Introduced in 4.14.0.
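One way for a public client application to react to the three conditions above instead of retrying in a loop. This is an added example, not code from the MSAL project; the class TokenHelper, its method names and the choice to retry exactly once are assumptions.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class TokenHelper // hypothetical helper, not part of MSAL
{
    // Used when no Retry-After header is present; mirrors the 1-minute
    // throttling window this page gives for HTTP 5xx responses.
    private static readonly TimeSpan DefaultBackoff = TimeSpan.FromMinutes(1);

    public static async Task<AuthenticationResult> GetTokenAsync(
        IPublicClientApplication app, string[] scopes, IAccount account)
    {
        try
        {
            return await app.AcquireTokenSilent(scopes, account).ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            // Must precede the MsalServiceException handler (it is a subtype).
            // Also catches MsalThrottledUiRequiredException. A second silent
            // call cannot succeed, so hand over to the user exactly once.
            return await app.AcquireTokenInteractive(scopes).ExecuteAsync();
        }
        catch (MsalServiceException ex) when (ex.StatusCode == 429 || ex.StatusCode >= 500)
        {
            // Wait out the throttling window, then make one more attempt.
            // If that attempt fails too, the exception reaches the caller.
            await Task.Delay(GetRetryDelay(ex));
            return await app.AcquireTokenSilent(scopes, account).ExecuteAsync();
        }
    }

    // Reads Retry-After from the exception's headers; the header can carry
    // either a number of seconds or an absolute date.
    public static TimeSpan GetRetryDelay(MsalServiceException ex)
    {
        var retryAfter = ex.Headers?.RetryAfter;
        if (retryAfter?.Delta != null)
            return retryAfter.Delta.Value;
        if (retryAfter?.Date != null)
        {
            TimeSpan untilDate = retryAfter.Date.Value - DateTimeOffset.UtcNow;
            return untilDate > TimeSpan.Zero ? untilDate : TimeSpan.Zero;
        }
        return DefaultBackoff;
    }
}
```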
