Integrating Azure AD B2C Users with Azure API Management for Access Control

Question

Integrating Azure AD B2C Users with Azure API Management for Access Control

hampton123 1,175

I'm wondering if it's possible to integrate Azure AD B2C users with Azure API Management (APIM). I want to create an APIM instance that not only hosts a large number of APIs but also restricts and grants access for users across these APIs within the same APIM instance. While APIM excels in managing access to different APIs for individual users, I'm utilizing Azure AD B2C to handle external user management. My question is whether it's feasible to seamlessly incorporate B2C-managed users into the APIM environment, allowing for user-specific access control across multiple APIs within the APIM instance. Thanks in advance!

Also, if there's a better method of having an APIM instance that can manage user access to multiple API's using B2C, I would love to hear it :)

Tushar Kumar 3,371 Reputation points MVP

2023-09-01T23:11:18.5233333+00:00

https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-aad-b2c are you looking for something like this??
hampton123 1,175 Reputation points

2023-09-05T16:53:02.5833333+00:00

Hi Tushar Kumar, thank you for your response! This looks like something I could use. Does this allow for external user management for APIs? Like for example I can grant an account permissions for one API, while another account could have only have permissions to access another API?
JananiRamesh-MSFT 29,261 Reputation points

2023-09-08T17:15:08.1933333+00:00

Hi Hunter B Thanks for reaching out. They are different ways to restrict access in Azure APIM could you please confirm in which way you need to implement.

Do you need to control user access to APIs in developer portal? please refer:
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-aad-b2c

or

do you want restricting users in consuming the API's (Controlling API access from any client application / postman)? please refer: https://learn.microsoft.com/en-us/azure/api-management/validate-jwt-policy

or

Do you mean controlling access to APIs in azure portal for specific users? please refer: https://techcommunity.microsoft.com/t5/azure-paas-blog/usage-of-custom-rbac-roles-in-azure-api-management/ba-p/1560571

Let me know if you have any further questions.
hampton123 1,175 Reputation points

2023-09-09T11:47:45.84+00:00

Hi @JananiRamesh-MSFT thank you for your reply! I think the method that fits the closest to what I’m looking for is controlling user access to api’s in the developer portal.

When a user logs into the developer portal through B2C, I want to manage the APIs they have access to. So the APIs one B2C user accesses would be different than another B2C user. Hopefully that makes sense. Is that possible?
Thomas Meads 1,586 Reputation points

2023-09-09T20:13:23.27+00:00

This is a challenging question to answer without more information on what determines a users access?

B2C uses OAuth2 and is very good at authenticating a user however it tends to fall down when it comes to authorization mainly due to the fact it is very case by case. Do you need RBAC, Attribute access control, etc.
hampton123 1,175 Reputation points

2023-09-13T13:27:21.8666667+00:00

Hi Thomas Meads thank you for the response, maybe what I'm getting mixed up on is the terminology. I'll try to clear things up with this comment and try to paint a picture of my understanding just to see if I'm messing up the terminology or if I'm just conveying things incorrectly :)

I want to control user access to APIs in developer portal like JananiRamesh-MSFT was stating, but for B2C users. From my understanding of the user access control settings (in non-consumption based tiers) in API Management, there are user access management options for developer accounts. So developer accounts can be assigned access to different APIs. One developer account may have access to a certain API, while another developer account could have access to other APIs.

I want to have B2C users sign in to my API Management instance. However, I was not sure if I would be able to grant access for specific APIs within my API Management instance for individual B2C users, similar to how developer accounts work.

Regarding RBAC, I don't think I need RBAC because from my understanding (I could be wrong haha) RBAC is based more on controlling Azure resource's level of access, rather than the access of individual users of my system.

Essentially I just want the same amount of access control users can use with developer accounts in API Management, but with B2C users instead of developer accounts. Is this possible?

Hopefully I cleared things up a little bit, but please let me know if I need to be more clear.

Accepted answer

0 additional answers

Your answer

Tushar Kumar 3,371 Reputation points MVP

2023-09-01T23:11:18.5233333+00:00

https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-aad-b2c are you looking for something like this??
hampton123 1,175 Reputation points

2023-09-05T16:53:02.5833333+00:00

Hi Tushar Kumar, thank you for your response! This looks like something I could use. Does this allow for external user management for APIs? Like for example I can grant an account permissions for one API, while another account could have only have permissions to access another API?
JananiRamesh-MSFT 29,261 Reputation points

2023-09-08T17:15:08.1933333+00:00

Hi Hunter B Thanks for reaching out. They are different ways to restrict access in Azure APIM could you please confirm in which way you need to implement.

Do you need to control user access to APIs in developer portal? please refer:
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-aad-b2c

or

do you want restricting users in consuming the API's (Controlling API access from any client application / postman)? please refer: https://learn.microsoft.com/en-us/azure/api-management/validate-jwt-policy

or

Do you mean controlling access to APIs in azure portal for specific users? please refer: https://techcommunity.microsoft.com/t5/azure-paas-blog/usage-of-custom-rbac-roles-in-azure-api-management/ba-p/1560571

Let me know if you have any further questions.
hampton123 1,175 Reputation points

2023-09-09T11:47:45.84+00:00

Hi @JananiRamesh-MSFT thank you for your reply! I think the method that fits the closest to what I’m looking for is controlling user access to api’s in the developer portal.

When a user logs into the developer portal through B2C, I want to manage the APIs they have access to. So the APIs one B2C user accesses would be different than another B2C user. Hopefully that makes sense. Is that possible?
Thomas Meads 1,586 Reputation points

2023-09-09T20:13:23.27+00:00

This is a challenging question to answer without more information on what determines a users access?

B2C uses OAuth2 and is very good at authenticating a user however it tends to fall down when it comes to authorization mainly due to the fact it is very case by case. Do you need RBAC, Attribute access control, etc.
hampton123 1,175 Reputation points

2023-09-13T13:27:21.8666667+00:00

Hi Thomas Meads thank you for the response, maybe what I'm getting mixed up on is the terminology. I'll try to clear things up with this comment and try to paint a picture of my understanding just to see if I'm messing up the terminology or if I'm just conveying things incorrectly :)

I want to control user access to APIs in developer portal like JananiRamesh-MSFT was stating, but for B2C users. From my understanding of the user access control settings (in non-consumption based tiers) in API Management, there are user access management options for developer accounts. So developer accounts can be assigned access to different APIs. One developer account may have access to a certain API, while another developer account could have access to other APIs.

I want to have B2C users sign in to my API Management instance. However, I was not sure if I would be able to grant access for specific APIs within my API Management instance for individual B2C users, similar to how developer accounts work.

Regarding RBAC, I don't think I need RBAC because from my understanding (I could be wrong haha) RBAC is based more on controlling Azure resource's level of access, rather than the access of individual users of my system.

Essentially I just want the same amount of access control users can use with developer accounts in API Management, but with B2C users instead of developer accounts. Is this possible?

Hopefully I cleared things up a little bit, but please let me know if I need to be more clear.

Answer 1

Thomas Meads 1,586

Hi,

Having tested this with Azure AD just to make sure I had my head round it.

All developer portal users are treated the same regardless of where their identity comes from. So yes you can control user accounts from B2C using subscriptions on the account and connecting that to a product or an API.

Follow the guide provided by @JananiRamesh-MSFT to add Azure B2C auth. Then once the user signs up you will be able to assign them to the apis you wish for them to access.

Hope this helps.

hampton123 1,175 Reputation points

2023-09-18T13:16:51.0266667+00:00

Hi Thomas Meads, thank you for testing this in Azure AD!

It's good to hear that all portal users are treated the same, I'll definitely be integrating this into my API.

Just to be 100% clear, this is the specific tutorial you are referring to sent by JananiRamesh-MSFT, correct?
Thomas Meads 1,586 Reputation points

2023-09-18T13:20:02.4766667+00:00

Yes that is the tutorial I am referring to.
hampton123 1,175 Reputation points

2023-09-18T14:13:41.9166667+00:00

Thanks again Thomas, you've really been a great help to me the past 1-2 weeks on my multiple questions :)

Share via

Integrating Azure AD B2C Users with Azure API Management for Access Control

0 additional answers

Your answer