Authorize developer accounts by using Azure Active Directory in Azure API Management

This article shows you how to enable access to the developer portal for users from Azure Active Directory (Azure AD). This guide also shows you how to manage groups of Azure AD users by adding external groups that contain the users.

Note

Azure AD integration is available in the Developer, Standard, and Premium tiers only.

Prerequisites

Authorize developer accounts by using Azure AD

  1. Sign in to the Azure portal.
  2. Select arrow.
  3. Type api in the search box.
  4. Select API Management services.
  5. Select your API Management service instance.
  6. Under SECURITY, select Identities.

  7. Select +Add from the top.

    The Add identity provider pane appears on the right.

  8. Under Provider type, select Azure Active Directory.

    Controls that enable you to enter other necessary information appear in the pane. The controls include Client ID and Client secret. (You get information about these controls later in the article.)

  9. Make a note of the contents of Redirect URL.

    Steps for adding an identity provider in the Azure portal

  10. In your browser, open a different tab.
  11. Go to the Azure portal.
  12. Select arrow.
  13. Type active. The Azure Active Directory pane appears.
  14. Select Azure Active Directory.
  15. Under MANAGE, select App registrations.
  16. Select New application registration.

    Selections for creating a new app registration

    The Create pane appears on the right. That's where you enter the Azure AD app-relevant information.

  17. Enter a name for the application.
  18. For the application type, select Web app/API.
  19. For the sign-in URL, enter the sign-in URL of your developer portal. In this example, the sign-in URL is https://apimwithaad.portal.azure-api.net/signin.
  20. Select Create to create the application.
  21. To find your app, select App registrations and search by name.

    Box where you search for an app

  22. After the application is registered, go to Reply URL and make sure Redirect URL is set to the value that you got from step 9.
  23. If you want to configure your application (for example, change App ID URL), select Properties.

    Opening the "Properties" pane

    If multiple Azure AD instances will be used for this application, select Yes for Multi-tenanted. The default is No.

  24. Set application permissions by selecting Required permissions.
  25. Select your application, and then select the Read directory data and Sign in and read user profile check boxes.

    Check boxes for permissions

  26. Select Grant permissions to consent application permissions.

    For more information about application permissions and delegated permissions, see Accessing the Graph API.

  27. In the left pane, copy the Application ID value.

    "Application ID" value

  28. Switch back to your API Management application.

    In the Add identity provider window, paste the Application ID value in the Client ID box.

  29. Switch back to the Azure AD configuration, and select Keys.
  30. Create a new key by specifying a name and duration.
  31. Select Save. The key is generated.

    Copy the key to the clipboard.

    Selections for creating a key

    Note

    Make a note of this key. After you close the Azure AD configuration pane, the key cannot be displayed again.

  32. Switch back to your API Management application.

    In the Add identity provider window, paste the key in the Client secret text box.

    Important

    Please make sure to update the Client secret before the key expires.

  33. The Add identity provider window also contains the Allowed Tenants text box. There, specify the domains of the Azure AD instances to which you want to grant access to the APIs of the API Management service instance. You can separate multiple domains with newlines, spaces, or commas.

    You can specify multiple domains in the Allowed Tenants section. Before any user can sign in from a different domain than the original domain where the application was registered, a global administrator of the different domain must grant permission for the application to access directory data. To grant permission, the global administrator should:

    a. Go to https://<URL of your developer portal>/aadadminconsent (for example, https://contoso.portal.azure-api.net/aadadminconsent).

    b. Type in the domain name of the Azure AD tenant that they want to give access to.

    c. Select Submit.

    In the following example, a global administrator from miaoaad.onmicrosoft.com is trying to give permission to this particular developer portal.

  34. After you specify the desired configuration, select Add.

    "Add" button in "Add identity provider" pane

After the changes are saved, users in the specified Azure AD instance can sign in to the developer portal by following the steps in Sign in to the developer portal by using an Azure AD account.

Entering the name of an Azure AD tenant

On the next screen, the global administrator is prompted to confirm giving the permission.

Confirmation of assigning permissions

If a non-global administrator tries to sign in before a global administrator grants permissions, the sign-in attempt fails and an error screen is displayed.

Add an external Azure AD group

After you enable access for users in an Azure AD instance, you can add Azure AD groups in API Management. Then, you can more easily manage the association of the developers in the group with the desired products.

To configure an external Azure AD group, you must first configure the Azure AD instance on the Identities tab by following the procedure in the previous section.

You add external Azure AD groups from the Groups tab of your API Management instance.

  1. Select the Groups tab.
  2. Select the Add AAD group button. "Add AAD group" button
  3. Select the group that you want to add.
  4. Press the Select button.

After you add an external Azure AD group, you can review and configure its properties. Select the name of the group from the Groups tab. From here, you can edit Name and Description information for the group.

Users from the configured Azure AD instance can now sign in to the developer portal. They can view and subscribe to any groups for which they have visibility.

Sign in to the developer portal by using an Azure AD account

To sign in to the developer portal by using an Azure AD account that you configured in the previous sections:

  1. Open a new browser window by using the sign-in URL from the Active Directory application configuration, and select Azure Active Directory.

    Sign-in page

  2. Enter the credentials of one of the users in Azure AD, and select Sign in.

    Signing in with username and password

  3. You might be prompted with a registration form if any additional information is required. Complete the registration form, and select Sign up.

    "Sign up" button on registration form

Your user is now signed in to the developer portal for your API Management service instance.

Developer portal after registration is complete