This is a follow-on question to https://learn.microsoft.com/en-us/answers/questions/1381782/how-to-add-subscription-to-consumption-mode-azure. I see that when I use the portal to create an APIM & API I get an all-access-subscription (as described here: https://learn.microsoft.com/en-us/azure/api-management/api-management-subscriptions#all-access-subscription) and when I use
az apim create --name $serviceName --resource-group $rg --publisher-name $pub --publisher-email $email
- Since I'm already using <validate-jwt> in the APIM policies as per https://learn.microsoft.com/en-us/azure/api-management/howto-protect-backend-frontend-azure-ad-b2c, how could I add an APIM policy that would expand the claims and determine if the current REST call is coming from a paying customer? I could create and store a GUID in an AzureAD extension claim or use a standard claim (maybe the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier claim -- is this unique?) and have the APIM policy search a list of paid customers in a Cosmos DB for his/her unique claim and reject non-paying customers? Is there an example of how to do this somewhere? I think this would solve the problem and give me the benefit of the APIM's ability to shield my Azure Functions from DoS attacks (for example).
Thanks again for your help!
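
The check described in the question, sketched as an APIM inbound policy. This is an added example, not part of the original post and not Microsoft's sample. It assumes the token's `sub` claim is used as the customer key and that a hypothetical lookup endpoint (`paid-lookup.example.invalid`, for instance a small function in front of the Cosmos DB list) answers 200 for a paying customer and anything else otherwise; the tenant and audience values are placeholders.

```xml
<!-- Added example: the lookup URL and its "200 means paying" contract are assumptions. -->
<inbound>
    <base />
    <!-- Validate the token first and keep the parsed JWT for later expressions. -->
    <validate-jwt header-name="Authorization" failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized"
                  output-token-variable-name="jwt">
        <openid-config url="https://TENANT-PLACEHOLDER/.well-known/openid-configuration" />
        <audiences>
            <audience>API-CLIENT-ID-PLACEHOLDER</audience>
        </audiences>
    </validate-jwt>
    <!-- Customer key comes from the validated token only, never from a header or query string. -->
    <set-variable name="customerId"
                  value="@(((Jwt)context.Variables["jwt"]).Subject ?? "")" />
    <!-- Ask the hypothetical paid-customer lookup service about this subject.
         Authentication from APIM to that service is not shown here. -->
    <send-request mode="new" response-variable-name="paidLookup" timeout="5" ignore-error="true">
        <set-url>@("https://paid-lookup.example.invalid/api/customers/" + Uri.EscapeDataString((string)context.Variables["customerId"]))</set-url>
        <set-method>GET</set-method>
    </send-request>
    <!-- Fail closed: an empty subject, a lookup error or timeout (null response),
         or any status other than 200 is rejected before the backend is called. -->
    <choose>
        <when condition="@((string)context.Variables["customerId"] == "" || context.Variables.GetValueOrDefault<IResponse>("paidLookup") == null || context.Variables.GetValueOrDefault<IResponse>("paidLookup").StatusCode != 200)">
            <return-response>
                <set-status code="403" reason="Forbidden" />
            </return-response>
        </when>
    </choose>
</inbound>
```

Because `ignore-error="true"` leaves the response variable null on failure, the null check is what keeps a lookup outage from letting unpaid callers through.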