diff --git a/api_app/services/aad_authentication.py b/api_app/services/aad_authentication.py
index e475b9661..83d5c5e3b 100644
--- a/api_app/services/aad_authentication.py
+++ b/api_app/services/aad_authentication.py
@@ -26,6 +26,7 @@
 MICROSOFT_GRAPH_URL = config.MICROSOFT_GRAPH_URL.strip("/")
+GRAPH_REQUEST_TIMEOUT = 10
 class PrincipalType(Enum):
@@ -325,7 +326,8 @@ def get_assignable_users(self, filter: str = "", maxResultCount: int = 5) -> Lis
 users_endpoint = f"{MICROSOFT_GRAPH_URL}/v1.0/users?$filter=startswith(displayName,'{filter}')&$top={maxResultCount}"
 graph_data = requests.get(users_endpoint,
- headers=self._get_auth_header(msgraph_token)).json()
+ headers=self._get_auth_header(msgraph_token),
+ timeout=GRAPH_REQUEST_TIMEOUT).json()
 result = []
 for user_data in graph_data["value"]:
@@ -443,7 +445,7 @@ def _assign_workspace_user_to_application(self, user_id: str, workspace: Workspa
 "appRoleId": role_id,
 }
- response = requests.post(url, json=body, headers=self._get_auth_header(msgraph_token))
+ response = requests.post(url, json=body, headers=self._get_auth_header(msgraph_token), timeout=GRAPH_REQUEST_TIMEOUT)
 return response
 def _get_role_assignment_for_user(self, user_id: str, role_id: str) -> dict:
@@ -468,7 +470,7 @@ def _remove_workspace_user_from_application(self, user_id: str, role_id: str) ->
 msgraph_token = self._get_msgraph_token()
 url = f"{MICROSOFT_GRAPH_URL}/v1.0/users/{user_id}/appRoleAssignments/{role_assignment['id']}"
- response = requests.delete(url, headers=self._get_auth_header(msgraph_token))
+ response = requests.delete(url, headers=self._get_auth_header(msgraph_token), timeout=GRAPH_REQUEST_TIMEOUT)
 return response
 def _get_batch_users_by_role_assignments_body(self, roles_graph_data):
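Review bot: `GRAPH_REQUEST_TIMEOUT = 10` carries no comment giving its unit or scope. In requests a single number is applied to the connect phase and to each socket read separately, so it is not a total deadline for a call. A comment above the constant such as `# seconds; requests applies this to connect and to each read, not as a total deadline` would stop later readers from treating it as a hard upper bound.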
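Review bot: In get_assignable_users the `filter` argument is interpolated into the `$filter` expression and the query string of `users_endpoint` without escaping, so a value containing `'` or `&` alters the Graph query instead of only the search text; the added timeout does not address this. Where `filter` originates is not visible in the hunk, but it looks like caller-supplied search input. Doubling single quotes and letting requests encode the query keeps the value inside the string literal: `safe = filter.replace("'", "''")` followed by `requests.get(f"{MICROSOFT_GRAPH_URL}/v1.0/users", params={"$filter": f"startswith(displayName,'{safe}')", "$top": maxResultCount}, headers=self._get_auth_header(msgraph_token), timeout=GRAPH_REQUEST_TIMEOUT)`. The function body starts and ends outside the hunk.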
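Review bot: With `timeout=GRAPH_REQUEST_TIMEOUT` the `requests.post` in _assign_workspace_user_to_application can now raise `requests.exceptions.Timeout`, and nothing in the hunk catches it before `return response`; the same holds for the `requests.delete` in _remove_workspace_user_from_application, the `requests.get` in get_assignable_users and both `requests.request` calls in _ms_graph_query. Callers are not visible here, but if they only inspect the returned status code, a slow Graph endpoint now surfaces as an unhandled exception, and after a read timeout the role assignment or removal may or may not have been applied on the Graph side. Consider catching `requests.exceptions.RequestException` at these call sites or at the API boundary, logging it, and returning a defined error so the caller can re-check the assignment state rather than assume failure.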
@@ -519,9 +521,9 @@ def _ms_graph_query(self, url: str, http_method: str, json=None) -> dict:
 break
 logger.debug(f"Making request to: {url}")
 if json:
- response = requests.request(method=http_method, url=url, json=json, headers=auth_headers)
+ response = requests.request(method=http_method, url=url, json=json, headers=auth_headers, timeout=GRAPH_REQUEST_TIMEOUT)
 else:
- response = requests.request(method=http_method, url=url, headers=auth_headers)
+ response = requests.request(method=http_method, url=url, headers=auth_headers, timeout=GRAPH_REQUEST_TIMEOUT)
 url = ""
 if response.status_code == 200:
 json_response = response.json()
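Review bot: The two branches under `if json:` in _ms_graph_query differ only in the `json=` argument, so the new `timeout` had to be added twice and a later option could easily be added to one branch only. A single call keeps them in step and preserves the current behaviour for empty or missing bodies: `response = requests.request(method=http_method, url=url, json=json or None, headers=auth_headers, timeout=GRAPH_REQUEST_TIMEOUT)`. The function body starts and ends outside the hunk.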