rahul b Thanks for posting your question in Microsoft Q&A. From the description above, you are looking to protect an API in APIM using Microsoft Entra ID (previously Azure AD). Here is the doc reference: Protect an API in Azure API Management using OAuth 2.0 authorization with Microsoft Entra ID, with a detailed step-by-step guide and implementation details.
Summarizing the doc with a few details that might help in answering your questions:
- You will register an application in Microsoft Entra ID which represents the APIM application (name in the doc: backend-app) and create the different scopes (scope names like api1scope, api2scope, etc.) that you would like to expose.
- You would need to configure the validate-jwt policy in API Management, and you can define this policy at whatever policy scope you like. For example, you can define this policy at the API level (instead of product or global) so that validation occurs only for that API.
From the scenario described above, you want to provide granular access to each API. In this case, you define a policy at API1 to validate the claim scope api1scope and another policy at API2 to validate the claim scope api2scope. This SO thread discussion will give an example of how to validate a scope in the validate-jwt policy. Note, this is just one example; with the validate-jwt policy, you can perform different validations including audience, issuers, different claims, etc. Refer to the doc for more info.
The app registration for the client is not mandatory, and you can use different flows such as authorization code flow, device code flow (or client credentials), etc. to acquire a token from Microsoft Entra ID. Make sure the token has permissions to access backend-app (the app registration that represents APIM) with the different scopes. As described in Authorization workflow, we simply validate the Microsoft Entra ID token in API Management via the validate-jwt policy.
Also, the process of obtaining the token in the client app (user or application) is not covered in the doc; refer to Code samples based on your scenario.
I hope this helps and let me know if you have any questions.
If you found the answer to your question helpful, please take a moment to mark it as Yes for others to benefit from your experience. Or simply add a comment tagging me and I would be happy to answer your questions.