APIM with EntraID using App roles
API Authentication with API Management (APIM) using APIM Policies with Entra ID and App Roles
The main objective of this article is to demonstrate how Azure API Management (APIM) can centralize authentication and authorization of APIs with Entra ID, using the APIM validate-jwt policy together with Entra ID App Roles.
This is very useful when you have legacy APIs, APIs with no OAuth 2.0 / OIDC support, or when you need to centralize the management of authentication and authorization in one single pane of glass.
Architecture
For this, given a public API (Conference API) with 2 operations (GetSessions and GetSpeakers), we will add Authentication (AuthN) and Authorization (AuthZ), requiring the Admin role to access the GetSpeakers operation and the Member role to call the GetSessions operation of the API.
To do this, we will create 2 App Roles, APIMAuth.Admins and APIMAuth.Members, and assign users to these App Roles. In APIM, we will import the API and create validate-jwt policies for the 2 operations, GetSpeakers and GetSessions. For GetSpeakers we will require the APIMAuth.Admins App Role, and for GetSessions we will require APIMAuth.Members.
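As an added illustration of the policy this article builds towards (not code from the original article), here is what an inbound validate-jwt policy for the GetSpeakers operation looks like. It validates the bearer token against the Entra ID tenant's OpenID configuration, checks issuer and audience, and then requires the APIMAuth.Admins value in the token's roles claim; a token that fails any of these checks never reaches the backend. The tenant ID and the API's application ID URI are placeholders you must replace with your own values.

```xml
<policies>
    <inbound>
        <base />
        <!-- Reject requests without a valid Entra ID access token.
             failed-validation-httpcode returns 401 to the caller instead of
             forwarding the request to the backend. -->
        <validate-jwt header-name="Authorization"
                      require-scheme="Bearer"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
            <!-- Placeholder: your Entra ID tenant ID -->
            <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
            <audiences>
                <!-- Placeholder: the Application ID URI (or client ID) of the app registration that exposes the App Roles -->
                <audience>api://{app-id}</audience>
            </audiences>
            <issuers>
                <!-- Placeholder: the v2.0 issuer for your tenant -->
                <issuer>https://login.microsoftonline.com/{tenant-id}/v2.0</issuer>
            </issuers>
            <required-claims>
                <!-- Entra ID places assigned App Roles in the "roles" claim.
                     For GetSessions, use APIMAuth.Members here instead. -->
                <claim name="roles" match="any">
                    <value>APIMAuth.Admins</value>
                </claim>
            </required-claims>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Because the check is done per operation, a user holding only APIMAuth.Members receives a 401 from APIM on GetSpeakers even though the backend itself has no authorization logic; the signature, issuer and audience checks also ensure a token issued for a different API in the same tenant is rejected.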
Import an API in APIM
For this demo, we will use the Conference API (https://conferenceapi.azurewebsites.net), a demo backend API provided by Microsoft. See the guide Tutorial: Import and publish your first API for more details if you need to import an API into your API Management instance.
- In the Azure portal, search for and select API Management services.
- On the API Management services page, select your API Management instance.
- In the left navigation of your API Management instance, select APIs.
- Select the OpenAPI tile.
- In the Create from OpenAPI specification window, select Full.
- Enter the values from the following table.
- Click Save