Azure API management policy error - Usage of type 'System.Security.Cryptography.Aes' is not supported within expressions

Jaydeep Suryawanshi 26 Reputation points

Hi Team,

I have encrypted the text in Node.js using the 'aes-256-cbc' algorithm. This encrypted text will be shared in a request header to APIM, but when I tried to decrypt the text using 'System.Security.Cryptography.Aes' in an APIM policy, I get the error below.

"Error in element 'set-body' on line 262, column 10: Usage of type 'System.Security.Cryptography.Aes' is not supported within expressions".

However, the same C# code executes in .NET (6.0).

Node JS code to encrypt data:


    const crypto = require('crypto');
    // Key and IV strings are passed as-is, so Node.js uses their UTF-8 bytes (32 and 16 bytes)
    const secret_key = 'bf3c199c2470cb477d907b1e0917c17b';
    const secret_iv = '5183666c72eec9e4';
    const ecnryption_method = 'aes-256-cbc';
    var Name = 'Jaydeep Suryawanshi';
    const encrypt = (text) => {
      let cipher = crypto.createCipheriv(ecnryption_method, secret_key, secret_iv);
      let encrypted = cipher.update(text, 'utf8', 'base64');
      // final() emits the last padded block; without it the output is truncated
      encrypted += cipher.final('base64');
      return encrypted.toString();
    };

APIM policy Code :

    // This is the version APIM rejects: Aes is not a type allowed in policy expressions
    var aesManaged = Aes.Create();
    aesManaged.IV = System.Text.Encoding.UTF8.GetBytes("5183666c72eec9e4");
    aesManaged.Key = System.Text.Encoding.UTF8.GetBytes("bf3c199c2470cb477d907b1e0917c17b");
    aesManaged.Mode = CipherMode.CBC;

    // cipherText holds the encrypted bytes; it is not defined in the posted snippet
    var memoryStream = new MemoryStream(cipherText);
    var cryptoStream = new CryptoStream(memoryStream, aesManaged.CreateDecryptor(aesManaged.Key, aesManaged.IV), CryptoStreamMode.Read);
    var plaintext = new StreamReader(cryptoStream).ReadToEnd();
    return plaintext;
Azure API Management

2 answers

  1. Jaydeep Suryawanshi 26 Reputation points

    Hi MuthuKumaran, thank you for your response.

    I had tried this policy earlier, which is available on GitHub (Ref), but it was not working and was throwing the error below:

    "CS1061-'byte[]' does not contain a definition for 'Encrypt' and no accessible extension method 'Encrypt' accepting a first argument of type 'byte[]' could be found (are you missing a using directive or an assembly reference?)".

    I revalidated my policy, and after making some minor changes it started working. Please check the latest code below. Thanks for your clue.

        byte[] IV = System.Text.Encoding.UTF8.GetBytes("5183666c72eec9e4");
        byte[] Key = System.Text.Encoding.UTF8.GetBytes("bf3c199c2470cb477d907b1e0917c17b");
        byte[] textinBytes = Convert.FromBase64String("t/esIUJIgM5TU5+EsZQASCiAYWrcvMGyBvmvaHcdtdU=");
        var decryptedBytes = textinBytes.Decrypt("Aes", Key, IV);
        return decryptedBytes;
    1 person found this answer helpful.

  2. MuthuKumaranMurugaachari-MSFT 22,136 Reputation points

    Jaydeep Suryawanshi, thank you for posting your question in Microsoft Q&A. Yes, System.Security.Cryptography.Aes is not supported in policy expressions; the supported CLR types are listed in ".NET Framework types allowed in policy expressions".

    We do have a sample policy snippet, "Encrypt data using expressions.policy", to encrypt text using the AES algorithm, and you can modify it for the decrypt scenario like below (default mode is CBC):

                byte[] IV = System.Text.Encoding.UTF8.GetBytes("5183666c72eec9e4");
                byte[] Key = System.Text.Encoding.UTF8.GetBytes("bf3c199c2470cb477d907b1e0917c17b");
                // "cipherText" stands for the Base64 string produced by the Node.js sender
                byte[] textinBytes = Convert.FromBase64String("cipherText");
                byte[] decryptedBytes = textinBytes.Decrypt("Aes", Key, IV);
                // The decrypted bytes are the UTF-8 encoding of the original text
                string plaintext = System.Text.Encoding.UTF8.GetString(decryptedBytes);
                return plaintext;

    For any feedback on supported policy expressions, feel free to submit via and our product team can review and prioritize it. I hope this helps with your question and let me know if you have any other questions.

    If you found the answer to your question helpful, please take a moment to mark it as "Yes" for others to benefit from your experience. Or simply add a comment tagging me and I would be happy to answer your questions.

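The byte-level contract between the Node.js sender and the `Decrypt` policy expression, as an added example that is not part of the thread or of Microsoft's samples: the key and IV strings are used as UTF-8 text (so the 32 hex characters carry 128 bits of entropy, not 256), and the header value is Base64 that must be decoded before decryption. `encryptRandomIv`, `decryptRandomIv` and the `IV || ciphertext` framing are hypothetical, added to contrast with the fixed IV, under which equal inputs always produce equal header values.

```javascript
const crypto = require('crypto');

// Values from the question. Both strings are used as UTF-8 text, not hex-decoded:
// 32 chars -> 32-byte key, 16 chars -> 16-byte IV, matching UTF8.GetBytes in the policy.
const KEY = Buffer.from('bf3c199c2470cb477d907b1e0917c17b', 'utf8');
const FIXED_IV = Buffer.from('5183666c72eec9e4', 'utf8');

// Sender as in the question: fixed IV, Base64 output.
function encryptFixedIv(text) {
  const c = crypto.createCipheriv('aes-256-cbc', KEY, FIXED_IV);
  return Buffer.concat([c.update(text, 'utf8'), c.final()]).toString('base64');
}

// Receiver steps the policy expression has to mirror:
// Base64 -> bytes, AES-CBC decrypt (PKCS#7), bytes -> UTF-8 string.
// Returns null for malformed or undecryptable input instead of throwing.
function decrypt(b64, iv = FIXED_IV) {
  if (typeof b64 !== 'string' || !/^[A-Za-z0-9+\/]+={0,2}$/.test(b64)) return null;
  const ct = Buffer.from(b64, 'base64');
  if (ct.length === 0 || ct.length % 16 !== 0) return null;
  try {
    const d = crypto.createDecipheriv('aes-256-cbc', KEY, iv);
    return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
  } catch (e) {
    return null; // bad padding: wrong key/IV or altered ciphertext
  }
}

// Hypothetical variant (assumption, not from the thread):
// random IV per message, sent as Base64(IV || ciphertext).
function encryptRandomIv(text) {
  const iv = crypto.randomBytes(16);
  const c = crypto.createCipheriv('aes-256-cbc', KEY, iv);
  return Buffer.concat([iv, c.update(text, 'utf8'), c.final()]).toString('base64');
}

function decryptRandomIv(b64) {
  const raw = Buffer.from(String(b64), 'base64');
  if (raw.length < 32) return null; // needs 16-byte IV plus at least one block
  return decrypt(raw.subarray(16).toString('base64'), raw.subarray(0, 16));
}
```

CBC on its own gives no integrity protection, so a `null` from `decrypt` catches only some altered values; a receiver that must detect tampering needs a MAC or an AEAD mode in addition.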