How to add Entra External ID as an Identity Provider for API Management Developer Portal

Question

How to add Entra External ID as an Identity Provider for API Management Developer Portal

EMS 20

Azure API Management does not have an option to add Entra External ID as an Identity Provider.

The next closest option in the dropdown is Azure AD B2C.

When I try to add the app (that represents the dev portal) and userflows I generated in my test Entra External Domain I get the following happens:

The form asks for sign-in policy and sign-up policy. I have the same policy called SignUpAndLoginTestFlow. When I fill that name I get the error: Azure Active Directory B2C policy name invalid.

Searching and asking AIs etc says just put B2C_1_ in the beginning of the policy name. Which results in the next error: Azure Active Directory B2C tenant 'xyz.onmicrosoft.com' or policy 'B2C_1_SignUpAndLoginTestFlow' does not exist.

Is there a way to use Entra External ID with API Management Developer Portal? If yes, how?

Loknathsatyasaivarma Mahali 2,665 Reputation points Microsoft External Staff Moderator

2025-05-20T15:29:40.89+00:00

Hello EMS,

Thank you for reaching out. Could you kindly follow the steps below and share an update? I have tried them on my end, and they were successful.

To integrate Microsoft Entra ID with the Azure API Management (APIM) Developer Portal, you first need to register an application in Microsoft Entra ID via the Azure portal. After registration, copy the Application (client) ID from the app’s overview and generate a Client Secret under Certificates & secrets, making sure to save it immediately. In the APIM Developer Portal, navigate to Identities, add a new identity provider, and select Microsoft Entra ID. Paste the client ID and secret into the respective fields. For the Sign-in tenant, use your verified tenant domain (e.g., yourcompany.onmicrosoft.com) as shown in the Entra ID overview. Avoid using unverified or incorrect names, which will result in errors. Once configured correctly, the integration will enable secure authentication for your developer portal users.

Check the below screenshot for your reference:
EMS 20 Reputation points

2025-05-20T20:07:32.3033333+00:00

Dear @Loknathsatyasaivarma Mahali , Entra ID works indeed but my question us about Entra External ID. I need any user to be able to register and use the APIM Developer Portal. So, gmail, xyz.com, anyone not just my Entra ID users or other Entra IDs. How can I do that?
Loknathsatyasaivarma Mahali 2,665 Reputation points Microsoft External Staff Moderator

2025-05-21T10:27:22.32+00:00
Hello EMS,

Sorry for the misunderstanding, please follow the below steps and please let us know the update on the issue.

Below is a step-by-step guide to integrate Entra External ID via Azure AD B2C, so that external users (e.g., guest users from other tenants) can sign in to your API Management Developer Portal, using Azure Portal.

Step 1: Create an Azure AD B2C Tenant

Go to the Azure Portal and search for Azure AD B2C then click create a B2C tenant.

Fill in:

Organization name (e.g., myb2ctenant)

Domain name (e.g., myb2ctenant.onmicrosoft.com)

Country/Region

Click Review + Create, then Create.

Step 2: Link the B2C Tenant to Your Azure Subscription

After creating, go to Azure AD B2C again and click “Link an existing tenant to your subscription” and select your new B2C tenant and link it.

Step 3: Register the Developer Portal App in B2C

Switch to your B2C tenant (top-right corner → “Switch directory”).

Go to Azure AD B2C > App registrations > New registration.

Enter:

Name: APIM Developer Portal

Redirect URI: Select Web and use the URI:

https://<your-apim-name>.developer.azure-api.net/signin-oauth

Click Register.

Go to Certificates & secrets > New client secret, and save the generated value.

Step 4: Create a User Flow (Sign-up/Sign-in)

Go to User Flows > New user flow and select Sign up and sign in.

Give it a name: e.g., SignUpSignIn and click Create, after creation, open it and note the name. It will appear as B2C_1_SignUpSignIn

Step 5: Add Entra External ID (OpenID Provider) to B2C

This allows your B2C user flow to accept Entra External ID users.

Go to Identity providers > OpenID Connect and click + Add.

Fill in:

Name: EntraExternalID

Client ID: (from the Entra External ID app registration)

Client secret: (from Entra External ID)

Discovery endpoint:

https://login.microsoftonline.com/<external-tenant-id>/v2.0/.well-known/openid-configuration

Response type: code

Save the provider.

Now edit your user flow (B2C_1_SignUpSignIn) → Identity providers → check EntraExternalID

Step 6: Configure APIM Developer Portal to Use Azure AD B2C

Go to API Management service in Azure, under Developer Portal > Identities, click + Add and choose Azure Active Directory B2C.

Fill in:

Client ID: (from B2C app)

Client Secret: (from B2C app)

Tenant: myb2ctenant.onmicrosoft.com

Signup Policy: B2C_1_SignUpSignIn

Signin Policy: B2C_1_SignUpSignIn

Profile Editing Policy: (optional)

Click Save.

After doing the above Your API Management Developer Portal now uses Azure AD B2C for identity, and through that, supports Entra External ID sign-ins via the OpenID Connect provider.

Please refer to the below screenshot which we have added successfully

Also in API Management we are able to successfully add refer the below image
EMS 20 Reputation points

2025-05-21T14:47:46.33+00:00

@Loknathsatyasaivarma Mahali , thanks a lot for this response. This is an interesting solution.

But the main reason I never followed an Azure AD B2C path is that I saw this announcement about Azure AD B2C: https://learn.microsoft.com/en-us/entra/external-id/customers/faq-customers#whats-happening-to-azure-ad-b2c-and-azure-ad-external-identities

Doesn't this mean we can't create new Azure AD B2C tenants?
Loknathsatyasaivarma Mahali 2,665 Reputation points Microsoft External Staff Moderator

2025-05-21T15:03:26.44+00:00
Hello EMS,

You can create the Azure AD B2C, apologies for not providing this initially please follow the below steps:

First navigate to the Microsoft Entra ID in the portal.

Then in the overview page you will find the Manage Tenant click on that as shown below:

After navigating to the Manage Tenant click on create button at the top and there you will find Azure B2C so from then continue your configuration as shown below:
EMS 20 Reputation points

2025-05-21T20:07:22.11+00:00

Thanks @Loknathsatyasaivarma Mahali , the last screenshot you pasted has a message: "As of May 1, 2025, Azure AD B2C is no longer available for new sales ..."

That was exactly my concern. This is a new project I’m working on, so it qualifies as a “new sale,” and we’re already past May 1. As far as I understand, for new projects, Entra External ID is now the recommended path.

From the solution you suggested, it’s clear that the APIM Developer Portal supports Azure AD B2C but not Entra External ID. Since I can’t create an Azure AD B2C tenant anymore, my question is essentially answered:

There is currently no fully managed, clean (non-hacky) solution for this specific scenario.

Would you agree with that?
Loknathsatyasaivarma Mahali 2,665 Reputation points Microsoft External Staff Moderator

2025-05-22T15:37:05.9066667+00:00

Hello EMS

You're correct in your understanding. As outlined in our documentation, Azure AD B2C is no longer available for new configurations or purchases as of May 1, 2025. Microsoft is transitioning to Entra External ID as the modern, recommended solution for new projects.

While you might still observe limited functionality in some areas of Azure AD B2C due to the gradual deprecation process, this is not guaranteed and may lead to unpredictable behavior or errors. Therefore, relying on B2C for new implementations is no longer advised.

Unfortunately, as of now, the APIM Developer Portal does not have native support for Entra External ID, which does indeed limit options for a fully managed, seamless integration in your scenario.

You can find more details in the official Microsoft FAQ here: Azure AD B2C end of sale
Loknathsatyasaivarma Mahali 2,665 Reputation points Microsoft External Staff Moderator

2025-05-26T16:04:36.51+00:00

Hello EMS,

Currently, the Azure API Management (APIM) Developer Portal does not support direct integration with Entra External ID. A previous workaround involved using Azure AD B2C as a bridge, but this is no longer viable since B2C has been deprecated for new configurations. As a result, there is no official method to connect Entra External ID with APIM at this time.
EMS 20 Reputation points

2025-05-27T09:22:30.5666667+00:00

Thanks a lot @Loknathsatyasaivarma Mahali for looking into this - clear - in that case I'll look into alternative solutions.

Accepted answer

0 additional answers

Your answer

Loknathsatyasaivarma Mahali 2,665 Reputation points Microsoft External Staff Moderator

2025-05-20T15:29:40.89+00:00

Hello EMS,

Thank you for reaching out. Could you kindly follow the steps below and share an update? I have tried them on my end, and they were successful.

To integrate Microsoft Entra ID with the Azure API Management (APIM) Developer Portal, you first need to register an application in Microsoft Entra ID via the Azure portal. After registration, copy the Application (client) ID from the app’s overview and generate a Client Secret under Certificates & secrets, making sure to save it immediately. In the APIM Developer Portal, navigate to Identities, add a new identity provider, and select Microsoft Entra ID. Paste the client ID and secret into the respective fields. For the Sign-in tenant, use your verified tenant domain (e.g., yourcompany.onmicrosoft.com) as shown in the Entra ID overview. Avoid using unverified or incorrect names, which will result in errors. Once configured correctly, the integration will enable secure authentication for your developer portal users.

Check the below screenshot for your reference:
EMS 20 Reputation points

2025-05-20T20:07:32.3033333+00:00

Dear @Loknathsatyasaivarma Mahali , Entra ID works indeed but my question us about Entra External ID. I need any user to be able to register and use the APIM Developer Portal. So, gmail, xyz.com, anyone not just my Entra ID users or other Entra IDs. How can I do that?
EMS 20 Reputation points

2025-05-21T14:47:46.33+00:00

@Loknathsatyasaivarma Mahali , thanks a lot for this response. This is an interesting solution.

But the main reason I never followed an Azure AD B2C path is that I saw this announcement about Azure AD B2C: https://learn.microsoft.com/en-us/entra/external-id/customers/faq-customers#whats-happening-to-azure-ad-b2c-and-azure-ad-external-identities

Doesn't this mean we can't create new Azure AD B2C tenants?
Loknathsatyasaivarma Mahali 2,665 Reputation points Microsoft External Staff Moderator

2025-05-21T15:03:26.44+00:00

Hello EMS,

You can create the Azure AD B2C, apologies for not providing this initially please follow the below steps:

First navigate to the Microsoft Entra ID in the portal.

Then in the overview page you will find the Manage Tenant click on that as shown below:

After navigating to the Manage Tenant click on create button at the top and there you will find Azure B2C so from then continue your configuration as shown below:
EMS 20 Reputation points

2025-05-21T20:07:22.11+00:00

Thanks @Loknathsatyasaivarma Mahali , the last screenshot you pasted has a message: "As of May 1, 2025, Azure AD B2C is no longer available for new sales ..."

That was exactly my concern. This is a new project I’m working on, so it qualifies as a “new sale,” and we’re already past May 1. As far as I understand, for new projects, Entra External ID is now the recommended path.

From the solution you suggested, it’s clear that the APIM Developer Portal supports Azure AD B2C but not Entra External ID. Since I can’t create an Azure AD B2C tenant anymore, my question is essentially answered:

There is currently no fully managed, clean (non-hacky) solution for this specific scenario.

Would you agree with that?
Loknathsatyasaivarma Mahali 2,665 Reputation points Microsoft External Staff Moderator

2025-05-22T15:37:05.9066667+00:00

Hello EMS

You're correct in your understanding. As outlined in our documentation, Azure AD B2C is no longer available for new configurations or purchases as of May 1, 2025. Microsoft is transitioning to Entra External ID as the modern, recommended solution for new projects.

While you might still observe limited functionality in some areas of Azure AD B2C due to the gradual deprecation process, this is not guaranteed and may lead to unpredictable behavior or errors. Therefore, relying on B2C for new implementations is no longer advised.

Unfortunately, as of now, the APIM Developer Portal does not have native support for Entra External ID, which does indeed limit options for a fully managed, seamless integration in your scenario.

You can find more details in the official Microsoft FAQ here: Azure AD B2C end of sale
Loknathsatyasaivarma Mahali 2,665 Reputation points Microsoft External Staff Moderator

2025-05-26T16:04:36.51+00:00

Hello EMS,

Currently, the Azure API Management (APIM) Developer Portal does not support direct integration with Entra External ID. A previous workaround involved using Azure AD B2C as a bridge, but this is no longer viable since B2C has been deprecated for new configurations. As a result, there is no official method to connect Entra External ID with APIM at this time.
EMS 20 Reputation points

2025-05-27T09:22:30.5666667+00:00

Thanks a lot @Loknathsatyasaivarma Mahali for looking into this - clear - in that case I'll look into alternative solutions.

Answer 1

Hello EMS,

Summary of Our Conversation:

This is a summarization of our conversation regarding integrating Entra External ID with the API Management (APIM) Developer Portal.

A detailed step-by-step guide was provided to integrate Entra External ID via Azure AD B2C. The approach involves creating a B2C tenant, registering the Developer Portal as an app, configuring user flows, adding Entra External ID as an OpenID provider, and linking everything in the APIM Developer Portal to enable external sign-ins.

However, it’s important to highlight that Azure AD B2C is no longer available for new configurations or purchases as of May 1, 2025, as Microsoft is transitioning to Entra External ID as the preferred identity solution. While some B2C features may still appear functional, relying on them for new implementations is not recommended due to potential instability and lack of future support.

Currently, the APIM Developer Portal does not offer native support for Entra External ID, which limits fully managed, seamless integration without using B2C as a bridge.

For more information, please refer to Microsoft’s official documentation on the Azure AD B2C end-of-sale.

Please accept as Yes if the answer is helpful so that it can help others in the community.

Share via

How to add Entra External ID as an Identity Provider for API Management Developer Portal

0 additional answers

Your answer