Authorize developer accounts by using Azure Active Directory in Azure API Management
This article shows you how to enable access to the developer portal for users from Azure Active Directory (Azure AD). This guide also shows you how to manage groups of Azure AD users by adding external groups that contain the users.
Azure AD integration is available in the Developer, Standard, and Premium tiers only.
Prerequisites
- Complete the following quickstart: Create an Azure API Management instance.
- Import and publish an Azure API Management instance. For more information, see Import and publish.
Authorize developer accounts by using Azure AD
1. Sign in to the Azure portal.
2. Select .
3. Type api in the search box.
4. Select API Management services.
5. Select your API Management service instance.
6. Under SECURITY, select Identities.
7. Select +Add from the top.
   The Add identity provider pane appears on the right.
8. Under Provider type, select Azure Active Directory.
   Controls that enable you to enter other necessary information appear in the pane. The controls include Client ID and Client secret. (You get information about these controls later in the article.)
9. Make a note of the contents of Redirect URL.
10. In your browser, open a different tab.
11. Go to the Azure portal.
12. Select .
13. Type active. The Azure Active Directory pane appears.
14. Select Azure Active Directory.
15. Under MANAGE, select App registrations.
16. Select New application registration.
    The Create pane appears on the right. That's where you enter the Azure AD app-relevant information.
17. Enter a name for the application.
18. For the application type, select Web app/API.
19. For the sign-in URL, enter the sign-in URL of your developer portal. In this example, the sign-in URL is
20. Select Create to create the application.
    To find your app, select App registrations and search by name.
21. After the application is registered, go to Reply URL and make sure Redirect URL is set to the value that you got from step 9.
    If you want to configure your application (for example, change App ID URL), select Properties.
    If multiple Azure AD instances will be used for this application, select Yes for Multi-tenanted. The default is No.
22. Set application permissions by selecting Required permissions.
23. Select your application, and then select the Read directory data and Sign in and read user profile check boxes.
    For more information about application permissions and delegated permissions, see Accessing the Graph API.
24. In the left pane, copy the Application ID value.
25. Switch back to your API Management application.
26. In the Add identity provider window, paste the Application ID value in the Client ID box.
27. Switch back to the Azure AD configuration, and select Keys.
28. Create a new key by specifying a name and duration.
29. Select Save. The key is generated.
30. Copy the key to the clipboard.
    Make a note of this key. After you close the Azure AD configuration pane, the key cannot be displayed again.
31. Switch back to your API Management application.
32. In the Add identity provider window, paste the key in the Client secret text box.
    Please make sure to update the Client secret before the key expires.
33. The Add identity provider window also contains the Allowed Tenants text box. There, specify the domains of the Azure AD instances to which you want to grant access to the APIs of the API Management service instance. You can separate multiple domains with newlines, spaces, or commas.
    You can specify multiple domains in the Allowed Tenants section. Before any user can sign in from a different domain than the original domain where the application was registered, a global administrator of the different domain must grant permission for the application to access directory data. To grant permission, the global administrator should:
    a. Go to https://<URL of your developer portal>/aadadminconsent (for example, https://contoso.portal.azure-api.net/aadadminconsent).
    b. Type in the domain name of the Azure AD tenant that they want to give access to.
    c. Select Submit.
    In the following example, a global administrator from miaoaad.onmicrosoft.com is trying to give permission to this particular developer portal.
    On the next screen, the global administrator is prompted to confirm giving the permission.
    If a non-global administrator tries to sign in before a global administrator grants permissions, the sign-in attempt fails and an error screen is displayed.
34. After you specify the desired configuration, select Add.
After the changes are saved, users in the specified Azure AD instance can sign in to the developer portal by following the steps in Sign in to the developer portal by using an Azure AD account.
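The settings this procedure leaves behind (client secret lifetime, Allowed Tenants, the Multi-tenanted switch, pending admin consent) can be reviewed offline before users hit a failed sign-in. The following is an added example, not part of the original article or of any Microsoft tooling; the record layout and field names are assumptions of this example, and the sample values are constructed.

```python
import re
from datetime import date

def parse_allowed_tenants(raw):
    """Split Allowed Tenants text (newlines, spaces or commas) into unique lowercase domains."""
    tenants = []
    for item in re.split(r"[\s,]+", raw.strip()):
        domain = item.lower()
        if domain and domain not in tenants:
            tenants.append(domain)
    return tenants

def review_identity_provider(cfg, today, warn_days=30):
    """Return (findings, pending_consent) for one Azure AD identity provider record."""
    findings = []
    # The client secret must be replaced before the key expires.
    days_left = (cfg["secret_expires"] - today).days
    if days_left < 0:
        findings.append("client secret expired %d days ago" % -days_left)
    elif days_left <= warn_days:
        findings.append("client secret expires in %d days" % days_left)

    # Domains other than the one where the app was registered need Multi-tenanted = Yes.
    tenants = parse_allowed_tenants(cfg["allowed_tenants"])
    external = [t for t in tenants if t != cfg["home_tenant"].lower()]
    if external and not cfg["multi_tenanted"]:
        findings.append("external tenants allowed but app is not Multi-tenanted")

    # Each external domain also needs a global administrator to grant consent.
    consent_url = cfg["portal_url"].rstrip("/") + "/aadadminconsent"
    pending = [t for t in external if t not in cfg["consented"]]
    for t in pending:
        findings.append("admin consent pending for %s at %s" % (t, consent_url))
    return findings, pending

# Constructed sample record; every field name here is hypothetical.
SAMPLE = {
    "portal_url": "https://contoso.portal.azure-api.net/",
    "home_tenant": "contoso.onmicrosoft.com",
    "allowed_tenants": "contoso.onmicrosoft.com, Fabrikam.onmicrosoft.com\nmiaoaad.onmicrosoft.com",
    "multi_tenanted": False,
    "secret_expires": date(2025, 3, 1),
    "consented": {"miaoaad.onmicrosoft.com"},
}

if __name__ == "__main__":
    for finding in review_identity_provider(SAMPLE, today=date(2025, 2, 10))[0]:
        print("FINDING:", finding)
```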
Add an external Azure AD group
After you enable access for users in an Azure AD instance, you can add Azure AD groups in API Management. Then, you can more easily manage the association of the developers in the group with the desired products.
To configure an external Azure AD group, you must first configure the Azure AD instance on the Identities tab by following the procedure in the previous section.
You add external Azure AD groups from the Groups tab of your API Management instance.
- Select the Groups tab.
- Select the Add AAD group button.
- Select the group that you want to add.
- Press the Select button.
After you add an external Azure AD group, you can review and configure its properties. Select the name of the group from the Groups tab. From here, you can edit Name and Description information for the group.
Users from the configured Azure AD instance can now sign in to the developer portal. They can view and subscribe to any groups for which they have visibility.
Sign in to the developer portal by using an Azure AD account
To sign in to the developer portal by using an Azure AD account that you configured in the previous sections:
1. Open a new browser window by using the sign-in URL from the Active Directory application configuration, and select Azure Active Directory.
2. Enter the credentials of one of the users in Azure AD, and select Sign in.
3. You might be prompted with a registration form if any additional information is required. Complete the registration form, and select Sign up.
Your user is now signed in to the developer portal for your API Management service instance.