How to give granular permission for the APIs (created in APIM) in the Apps Registered in Azure AD-OAuth implementation

rahul b 20 Reputation points

Hi Team,

I have created a API in Azure APIM and wanted to implement OAuth Security to protect this.

So in most of the articles where I searched for have recommended to register two apps in Azure AD. one is for backend app(to protect API resource) and another for Client app(where actual client will use this app).

My doubt is there a way to give granular access to each APIs in Azure APIM(like a particular APIs).

and is it a mandatory to register two apps? cant we use a single APP for using OAuth Security.

Azure API Management
Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
1,536 questions
{count} votes

1 answer

Sort by: Most helpful
  1. MuthuKumaranMurugaachari-MSFT 18,341 Reputation points

    rahul b Thanks for posting your question in Microsoft Q&A. From the description above, you are looking to protect API in APIM using Microsoft Entra ID (previously Azure AD). Here is the doc reference: Protect an API in Azure API Management using OAuth 2.0 authorization with Microsoft Entra ID with a detailed step by step guide and implementation details.

    Summarizing the doc with a few details that might help in answering your questions:

    1. You will register an application in Microsoft Entra ID which represents the APIM application (name in the doc: backend-app) and create different scopes (scope name like api1scope, api2scope etc.) that you like to expose.
    2. You would need to configure validate-jwt policy in API Management and you can define this policy at whatever policy scope you like. For example, you can define this policy at an API level (instead of product or global) and that validation occurs only for that API.

    From the scenario described above, you want to provide granular access to each API. In this case, you define a policy at API1 to validate claim scope api1scope and another policy at API2 to validate claim scope api2scope. SO thread discussion will give an example of how to validate a scope in the validate-jwt policy. Note, this is just one example and with validate-jwt policy, you can perform different validations including audience, issuers, different claims etc. and refer to the doc for more info.

    The app registration for the client is not mandatory and you can use different flows such as authorization flow, device code flow (or client credentials) etc. to acquire a token from Microsoft Entra ID. Make sure the token has permissions to access to backend-app (App registration that represents APIM) with different scopes. As described in Authorization workflow, we simply validate Microsoft Entra ID token in API Management via validate-jwt policy.

    Also, the process of obtaining the token in the client app (user or application) is not covered in the doc and refer to Code samples based on your scenario.

    I hope this helps and let me know if you have any questions.

    If you found the answer to your question helpful, please take a moment to mark it as Yes for others to benefit from your experience. Or simply add a comment tagging me and would be happy to answer your questions.

    0 comments No comments