Authorize developer accounts by using Azure Active Directory in Azure API Management
This article shows you how to enable access to the developer portal for users from Azure Active Directory (Azure AD). This guide also shows you how to manage groups of Azure AD users by adding external groups that contain the users.
- Complete the following quickstart: Create an Azure API Management instance.
- Import and publish an API in that instance. For more information, see Import and publish.
This feature is available in the Premium, Standard and Developer tiers of API Management.
Authorize developer accounts by using Azure AD
Sign in to the Azure portal.
Type api in the search box.
Select API Management services.
Select your API Management service instance.
Under Security, select Identities.
Select +Add from the top.
The Add identity provider pane appears on the right.
Under Provider type, select Azure Active Directory.
Controls that enable you to enter other necessary information appear in the pane. The controls include Client ID and Client secret. (The steps below explain where to get these values.)
Make a note of the content of Redirect URL. You will enter it when you register the application, and Azure AD only redirects a sign-in back to a URL that matches a registered Redirect URI exactly.
In your browser, open a different tab.
Navigate to the Azure portal - App registrations to register an app in Active Directory.
Under Manage, select App registrations.
Select New registration. On the Register an application page, set the values as follows:
- Set Name to a meaningful name. e.g., developer-portal
- Set Supported account types to Accounts in this organizational directory only.
- Set Redirect URI to the Redirect URL value you noted from the Add identity provider pane.
- Choose Register.
After the application is registered, copy the Application (client) ID from the Overview page.
Go back to your API Management instance. In the Add identity provider window, paste the Application (client) ID value into the Client ID box.
Switch back to the Azure AD app registration. Under Manage, select Certificates & secrets, and then select New client secret. Enter a value in Description, choose an Expires period, and select Add. Copy the client secret value before leaving the page: it is shown only once, and you need it in the next step.
Under Manage, select Authentication, and then select ID tokens under Implicit grant.
Go back to your API Management instance and paste the secret into the Client secret box.
Client secrets expire on the date you chose above. Record that date and update the Client secret in API Management before then; once the secret has expired, Azure AD sign-in to the developer portal fails until a new secret is configured.
The Add identity provider window also contains the Allowed Tenants text box. There, specify the domain names of the Azure AD tenants whose users are allowed to sign in to the developer portal of this API Management service instance; users from tenants that are not listed cannot sign in. You can separate multiple domains with newlines, spaces, or commas.
Before a user can sign in from a tenant other than the one in which the application was registered, a global administrator of that other tenant must grant permission for the application to access directory data. To grant permission, the global administrator should:
a. Go to https://<URL of your developer portal>/aadadminconsent (for example, https://contoso.portal.azure-api.net/aadadminconsent).
b. Type in the domain name of the Azure AD tenant that they want to give access to.
c. Select Submit.
After you specify the desired configuration, select Add.
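The same configuration can be applied without clicking through the portal. The script below is an added example, not part of the original article or of Azure API Management itself; it performs the steps above with the Azure CLI (app registration with ID tokens enabled, a client secret with a one-year lifetime, and the Azure AD identity provider written through the ARM REST API) and prints the admin consent URL for other tenants. The subscription ID, resource group, service name, tenant domain, the 2021-08-01 API version, and the default Redirect URL are assumptions; the authoritative Redirect URL is the value shown in the Add identity provider pane, so set REDIRECT_URL to that exact string. It assumes Azure CLI 2.37 or later, already signed in with rights to create app registrations and to manage the API Management instance.

```shell
#!/usr/bin/env bash
# Added example (not from the article or Azure docs): automate the Azure AD
# identity-provider setup for the API Management developer portal.
# Assumed values below; override them with environment variables.
set -euo pipefail

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # assumed
RESOURCE_GROUP="${RESOURCE_GROUP:-apim-rg}"                                 # assumed
APIM_NAME="${APIM_NAME:-contoso}"                                           # assumed
ALLOWED_TENANTS="${ALLOWED_TENANTS:-contoso.onmicrosoft.com}"               # assumed, comma-separated
API_VERSION="2021-08-01"                                                    # assumed ARM API version
# The pane in the portal shows the real Redirect URL; this default is only an assumption.
REDIRECT_URL="${REDIRECT_URL:-https://${APIM_NAME}.portal.azure-api.net/signin}"

# Build the ARM request body for the 'aad' identity provider. Kept free of
# Azure calls so it can be checked offline. Tenants: comma-separated domains.
aad_provider_body() {
  local client_id="$1" client_secret="$2" tenants="$3"
  local json_tenants="" t
  local -a arr=()
  [ -n "$tenants" ] || { echo "at least one allowed tenant is required" >&2; return 1; }
  IFS=',' read -r -a arr <<< "$tenants"
  for t in "${arr[@]}"; do
    t="${t// /}"                      # tolerate "a, b" as well as "a,b"
    [ -n "$t" ] || continue
    json_tenants="${json_tenants:+$json_tenants,}\"$t\""
  done
  # Note: az-generated secrets contain no quotes; a hand-made secret would need JSON escaping.
  printf '{"properties":{"clientId":"%s","clientSecret":"%s","allowedTenants":[%s]}}' \
    "$client_id" "$client_secret" "$json_tenants"
}

# URL a global administrator of each *other* allowed tenant must visit (see the steps above).
admin_consent_url() {
  printf 'https://%s.portal.azure-api.net/aadadminconsent' "$1"
}

main() {
  local app_id secret url body
  # 1. App registration: single tenant, ID tokens enabled (Implicit grant > ID tokens),
  #    Redirect URI copied from the Add identity provider pane.
  app_id=$(az ad app create --display-name developer-portal \
      --sign-in-audience AzureADMyOrg \
      --web-redirect-uris "$REDIRECT_URL" \
      --enable-id-token-issuance true \
      --query appId -o tsv)

  # 2. Client secret with a bounded lifetime. Diarise the expiry: sign-in stops
  #    working when it lapses. Never echo the secret.
  secret=$(az ad app credential reset --id "$app_id" --years 1 --query password -o tsv)

  # 3. Write the Azure AD identity provider (Client ID, Client secret, Allowed Tenants)
  #    onto the API Management instance through the ARM REST API.
  url="https://management.azure.com/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP}/providers/Microsoft.ApiManagement/service/${APIM_NAME}/identityProviders/aad?api-version=${API_VERSION}"
  body=$(aad_provider_body "$app_id" "$secret" "$ALLOWED_TENANTS")
  az rest --method put --url "$url" --body "$body" --output none

  echo "Azure AD sign-in enabled for app ${app_id}; allowed tenants: ${ALLOWED_TENANTS}"
  echo "Global admins of other allowed tenants must consent at: $(admin_consent_url "$APIM_NAME")"
}

# Only touch Azure when explicitly asked (APIM_APPLY=1 ./setup-aad.sh);
# otherwise the file just defines the functions.
if [ "${APIM_APPLY:-0}" = "1" ]; then main; fi
```

Run it as `APIM_APPLY=1 REDIRECT_URL='<value from the pane>' ./setup-aad.sh`. The body is built in a separate function so the allowed-tenant list can be reviewed before anything is written: that list is the only control deciding which directories' users get a developer portal account, so it deserves the same review as any other allowlist.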
After the changes are saved, users in the specified Azure AD instance can sign in to the developer portal by following the steps in Sign in to the developer portal by using an Azure AD account.
Add an external Azure AD group
After you enable access for users in an Azure AD instance, you can add Azure AD groups in API Management. Then, you can more easily manage the association of the developers in the group with the desired products.
To add an external Azure AD group, you must first configure the Azure AD instance on the Identities tab by following the procedure in the previous section. Additionally, the application must be granted access to Azure AD Graph API with
You add external Azure AD groups from the Groups tab of your API Management instance.
- Select the Groups tab.
- Select the Add AAD group button.
- Select the group that you want to add.
- Press the Select button.
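The group picker in the portal resolves the Azure AD group to its object ID and creates an API Management group of type external whose external ID refers to that object. The script below is an added example, not part of the original article or of Azure API Management, that does the same through the Azure CLI and the ARM REST API. The subscription ID, resource group, service name, tenant domain, group display name, and the 2021-08-01 API version are assumptions; it assumes Azure CLI 2.37 or later, already signed in, and that the tenant is already listed under Allowed Tenants as described above.

```shell
#!/usr/bin/env bash
# Added example (not from the article or Azure docs): add an Azure AD group as an
# external group of an API Management instance. Assumed values below; override
# them with environment variables.
set -euo pipefail

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # assumed
RESOURCE_GROUP="${RESOURCE_GROUP:-apim-rg}"                                 # assumed
APIM_NAME="${APIM_NAME:-contoso}"                                           # assumed
TENANT_DOMAIN="${TENANT_DOMAIN:-contoso.onmicrosoft.com}"                   # assumed; must be an allowed tenant
GROUP_DISPLAY_NAME="${GROUP_DISPLAY_NAME:-API Developers}"                  # assumed Azure AD group name
API_VERSION="2021-08-01"                                                    # assumed ARM API version

# External ID that ties an API Management group to an Azure AD group:
# aad://<tenant domain>/groups/<Azure AD group object id>
external_group_id() {
  printf 'aad://%s/groups/%s' "$1" "$2"
}

# ARM request body for a group of type 'external'. No Azure calls, so it can be
# reviewed and checked offline before anything is written.
external_group_body() {
  local display_name="$1" tenant="$2" object_id="$3"
  printf '{"properties":{"displayName":"%s","type":"external","externalId":"%s"}}' \
    "$display_name" "$(external_group_id "$tenant" "$object_id")"
}

main() {
  local object_id url body
  # Resolve the Azure AD group's object id (what the portal's picker does for you).
  object_id=$(az ad group show --group "$GROUP_DISPLAY_NAME" --query id -o tsv)

  # The group's object id doubles as the API Management group id in the resource path.
  url="https://management.azure.com/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP}/providers/Microsoft.ApiManagement/service/${APIM_NAME}/groups/${object_id}?api-version=${API_VERSION}"
  body=$(external_group_body "$GROUP_DISPLAY_NAME" "$TENANT_DOMAIN" "$object_id")
  az rest --method put --url "$url" --body "$body" --output none

  echo "Added external group '${GROUP_DISPLAY_NAME}' ($(external_group_id "$TENANT_DOMAIN" "$object_id"))"
  echo "Products made visible to this group are now visible to its members after they sign in."
}

# Only touch Azure when explicitly asked (APIM_APPLY=1 ./add-aad-group.sh).
if [ "${APIM_APPLY:-0}" = "1" ]; then main; fi
```

Membership of an external group is evaluated from the user's Azure AD group claims at sign-in, so removing a developer from the Azure AD group is enough to withdraw the product visibility that the group grants; there is nothing to clean up in API Management.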
After you add an external Azure AD group, you can review and configure its properties. Select the name of the group from the Groups tab. From here, you can edit Name and Description information for the group.
Users from the configured Azure AD tenants can now sign in to the developer portal. They can view, and subscribe to, the products that are visible to the groups they belong to.
To sign in to the developer portal by using an Azure AD account that you configured in the previous sections:
Open a new browser window, go to the sign-in page of the developer portal, and select Azure Active Directory.
Enter the credentials of one of the users in Azure AD, and select Sign in.
You might be prompted with a registration form if any additional information is required. Complete the registration form, and select Sign up.
Your user is now signed in to the developer portal for your API Management service instance.