Authorize developer accounts by using Azure Active Directory in Azure API Management

In this article, you'll learn how to:

  • Enable access to the developer portal for users from Azure Active Directory (Azure AD).
  • Manage groups of Azure AD users by adding external groups that contain the users.

Prerequisites

Availability

Important

This feature is available in the Premium, Standard and Developer tiers of API Management.

Authorize developer accounts by using Azure AD

  1. Sign in to the Azure portal.

  2. Select the Arrow icon (the portal menu).

  3. Search for and select API Management services.

  4. Select your API Management service instance.

  5. Under Developer portal, select Identities.

  6. Select +Add from the top to open the Add identity provider pane to the right.

  7. Under Type, select Azure Active Directory from the drop-down menu.

    • Once selected, you'll be able to enter other necessary information.
    • Information includes Client ID and Client secret.
    • See more information about these controls later in the article.
  8. Save the Redirect URL for later.

    Add identity provider in Azure portal

    Note

    There are two redirect URLs:

    • Redirect URL points to the latest developer portal of the API Management.
    • Redirect URL (deprecated portal) points to the deprecated developer portal of API Management.

    We recommend that you use the latest developer portal Redirect URL.

  9. In your browser, open the Azure portal in a new tab.

  10. Navigate to App registrations to register an app in Active Directory.

  11. Select New registration. On the Register an application page, set the values as follows:

    • Set Name to a meaningful name, e.g., developer-portal.
    • Set Supported account types to Accounts in this organizational directory only.
    • Set Redirect URI to the Redirect URL you saved in step 8.
    • Select Register.
  12. After you've registered the application, copy the Application (client) ID from the Overview page.

  13. Switch to the browser tab with your API Management instance.

  14. In the Add identity provider window, paste the Application (client) ID value into the Client ID box.

  15. Switch to the browser tab with the App Registration.

  16. Select the appropriate app registration.

  17. Under the Manage section of the side menu, select Certificates & secrets.

  18. From the Certificates & secrets page, select the New client secret button under Client secrets.

    • Enter a Description.
    • Select any option for Expires.
    • Choose Add.
  19. Copy the client secret value before leaving the page. You will need it later, and it cannot be displayed again once you navigate away.

  20. Under Manage in the side menu, select Authentication.

  21. Under the Implicit grant and hybrid flows sections, select the ID tokens checkbox.

  22. Switch to the browser tab with your API Management instance.

  23. Paste the secret into the Client secret field in the Add identity provider pane.

    Important

    Update the Client secret before the key expires.

  24. In the Add identity provider pane's Allowed Tenants field, specify the Azure AD instances' domains to which you want to grant access to the API Management service instance APIs.

    • You can separate multiple domains with newlines, spaces, or commas.

    Note

    You can specify multiple domains in the Allowed Tenants section. A global administrator must grant the application access to directory data before users can sign in from a domain other than the original app registration domain. To grant permission, the global administrator should:

    1. Go to https://<URL of your developer portal>/aadadminconsent (for example, https://contoso.portal.azure-api.net/aadadminconsent).
    2. Enter the domain name of the Azure AD tenant to which they want to grant access.
    3. Select Submit.
  25. After you specify the desired configuration, select Add.

Once changes are saved, users in the specified Azure AD instance can sign into the developer portal by using an Azure AD account.

Add an external Azure AD group

Now that you've enabled access for users in an Azure AD tenant, you can:

  • Add Azure AD groups into API Management.
  • Control product visibility using Azure AD groups.

Follow these steps to grant:

  • Directory.Read.All application permission for Microsoft Graph API.
  • User.Read delegated permission for Microsoft Graph API.
  1. Update the first 3 lines of the following Azure CLI script (written with PowerShell variable syntax) to match your environment and run it.

    $subId = "Your Azure subscription ID" #e.g. "1fb8fadf-03a3-4253-8993-65391f432d3a"
    $tenantId = "Your Azure AD Tenant or Organization ID" #e.g. "0e054eb4-e5d0-43b8-ba1e-d7b5156f6da8"
    $appObjectID = "Application Object ID that has been registered in AAD" #e.g. "2215b54a-df84-453f-b4db-ae079c0d2619"
    #Log in and set the subscription
    az login
    az account set --subscription $subId
    #Assign the following permissions on the app registration: Microsoft Graph delegated permission User.Read (type Scope) and Microsoft Graph application permission Directory.Read.All (type Role)
    #The resourceAppId 00000003-0000-0000-c000-000000000000 is Microsoft Graph
    az rest --method PATCH --uri "https://graph.microsoft.com/v1.0/$($tenantId)/applications/$($appObjectID)" --body "{'requiredResourceAccess':[{'resourceAccess': [{'id': 'e1fe6dd8-ba31-4d61-89e7-88639da4683d','type': 'Scope'},{'id': '7ab1d382-f21e-4acd-a863-ba3e13f7da61','type': 'Role'}],'resourceAppId': '00000003-0000-0000-c000-000000000000'}]}"

  2. Log out and log back in to the Azure portal.

  3. Navigate to the App Registration page for the application you registered in the previous section.

  4. Click API Permissions. You should see the permissions granted by the Azure CLI script in step 1.

  5. Select Grant admin consent for {tenantname} so that you grant access for all users in this directory.
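Because the PATCH above replaces the whole requiredResourceAccess list, it is worth confirming afterwards that the registration ends up with exactly the two Microsoft Graph permissions this article needs and nothing more (application permissions such as Directory.Read.All apply tenant-wide once consented). The following Python audit is an added example, not part of the article or of Azure CLI; it reads the requiredResourceAccess section of an app manifest as returned by `az ad app show --id <appId>`. The sample manifests are constructed, and the "extra" permission ID in the second sample is a placeholder, not a real Graph permission.

```python
import json

# Microsoft Graph resourceAppId and the two permission IDs used by the
# article's az rest script (lookup table written for this example).
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
EXPECTED_PERMISSIONS = {
    ("e1fe6dd8-ba31-4d61-89e7-88639da4683d", "Scope"): "User.Read (delegated)",
    ("7ab1d382-f21e-4acd-a863-ba3e13f7da61", "Role"): "Directory.Read.All (application)",
}


def audit_required_resource_access(manifest_json: str) -> dict:
    """Compare an app registration's requiredResourceAccess (shape as in
    `az ad app show` output) with the permissions the article grants.
    Returns whether the set matches exactly, plus the missing and extra
    (resourceAppId, permissionId, type) triples."""
    app = json.loads(manifest_json)
    granted = set()
    for resource in app.get("requiredResourceAccess", []):
        for access in resource.get("resourceAccess", []):
            granted.add((resource["resourceAppId"], access["id"], access["type"]))
    expected = {(MS_GRAPH_APP_ID, pid, ptype) for (pid, ptype) in EXPECTED_PERMISSIONS}
    missing = sorted(expected - granted)
    extra = sorted(granted - expected)
    return {"ok": not missing and not extra, "missing": missing, "extra": extra}


# Constructed sample 1: exactly what the article's script sets.
SAMPLE_OK = json.dumps({"requiredResourceAccess": [{
    "resourceAppId": MS_GRAPH_APP_ID,
    "resourceAccess": [
        {"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "type": "Scope"},
        {"id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61", "type": "Role"},
    ]}]})

# Constructed sample 2: someone later added an unrelated application
# permission (placeholder ID) and dropped User.Read; both should be flagged.
PLACEHOLDER_EXTRA_ID = "00000000-0000-0000-0000-00000000000e"  # placeholder, not a real permission
SAMPLE_DRIFTED = json.dumps({"requiredResourceAccess": [{
    "resourceAppId": MS_GRAPH_APP_ID,
    "resourceAccess": [
        {"id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61", "type": "Role"},
        {"id": PLACEHOLDER_EXTRA_ID, "type": "Role"},
    ]}]})

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("drifted", SAMPLE_DRIFTED)):
        print(name, audit_required_resource_access(sample))
```

In practice you would feed the function the output of `az ad app show --id <appId> -o json`, and treat any entry in `extra` as a finding to review before granting admin consent.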

Now you can add external Azure AD groups from the Groups tab of your API Management instance.

  1. Under Developer portal in the side menu, select Groups.

  2. Select the Add Azure AD group button.

    "Add Azure AD group" button

  3. Select the Tenant from the drop-down.

  4. Search for and select the group that you want to add.

  5. Press the Select button.

Once you add an external Azure AD group, you can review and configure its properties:

  1. Select the name of the group from the Groups tab.
  2. Edit Name and Description information for the group.

Users from the configured Azure AD instance can now:

  • Sign into the developer portal.
  • View and subscribe to any groups for which they have visibility.

Note

Learn more about the difference between Delegated and Application permissions types in Permissions and consent in the Microsoft identity platform article.

Developer portal: Add Azure AD account authentication

In the developer portal, you can sign in with Azure AD using the Sign-in button: OAuth widget included on the sign-in page of the default developer portal content.

Although a new account will automatically be created when a new user signs in with Azure AD, consider adding the same widget to the sign-up page. The Sign-up form: OAuth widget represents a form used for signing up with OAuth.

Important

You need to republish the portal for the Azure AD changes to take effect.

Legacy developer portal: How to sign in with Azure AD

Note

This documentation content is about the deprecated developer portal. You can continue to use it, as per usual, until its retirement in October 2023, when it will be removed from all API Management services. The deprecated portal will only receive critical security updates. Refer to the following articles for more details:

To sign into the developer portal by using an Azure AD account that you configured in the previous sections:

  1. Open a new browser window using the sign-in URL from the Active Directory application configuration.

  2. Select Azure Active Directory.

    Sign-in page

  3. Enter the credentials of one of the users in Azure AD.

  4. Select Sign in.

    Signing in with username and password

  5. If prompted with a registration form, complete with any additional information required.

  6. Select Sign up.

    "Sign up" button on registration form

Your user is now signed in to the developer portal for your API Management service instance.

Developer portal after registration is complete

Next Steps