Multiple users to manage the Subscription Key in Azure API Management 'Developer Portal'

Question

Multiple users to manage the Subscription Key in Azure API Management 'Developer Portal'

Ripin 11

Hi Team,

Requirement: A company has multiple users including two Admins. Admins can login to 'Developer Portal' and can regenerate the Subscription Key. They can also login and see the 'Subscription Key' and can share it with other users (non-admin) to test the APIs hosted using APIM.

If a user is added as an 'Owner' of the Subscription, he can act like an Admin. In below screen I have added 'Admin XYZ' as the Owner of 'XYZ Company Subscription'. If 'Admin XYZ' logins to Developer Portal, he will be able to manage the Subscription Key assigned for the 'XYZ Company'.

User's image

Challenge: APIM only support one user to be added as part of Owner for a specific Subscription. Our requirement is to add two users who can act like admins. Is there any workaround or alternative possible.

Thanks in advance!!

Ranashekar Guda 2,820 Reputation points Microsoft External Staff Moderator

2025-06-23T17:47:30.3933333+00:00

Hello @Ripin,
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
Ripin 11 Reputation points

2025-06-24T12:31:19.92+00:00
Hi @Ranashekar Guda , thanks a lot for the quick prompt. Please correct me if my understanding is wrong. The shared logic will help assign RBAC rules to the users available in Azure Active Directory.

In our scenario, we have a company ABC Corporation with below users (Auth type: Basic) having access to Developer Portal:

Admin1 (admin user, can regenerate Key)

Admin2 (admin user, can regenerate Key)

Use1 (non-admin, can't generate Key, but can play around with APIs in Developer Portal)

For better manageability, these users are added to the Group named 'ABC Corporation Group'

The subscription is created with group access to 'ABC Corporation Group'.

The subscription is then added to the Product.

Requirement: We want to add two admins, Admin1 and Admin2 as part of the owners / admin for the company subscription. APIM allows one owner / admin using 'Subscription Owner'.
Ranashekar Guda 2,820 Reputation points Microsoft External Staff Moderator

2025-06-24T18:13:20.23+00:00

Hello @Ripin,
Thank you for the clarification. You're absolutely right the RBAC approach applies only when users are authenticated through Azure Active Directory (AAD). Since your users (Admin1, Admin2, and User1) are using Basic authentication to access the Developer Portal, RBAC roles won't apply in this scenario. Azure API Management currently allows only one user to be assigned as the subscription owner, which means only that user can regenerate or manage the subscription key directly through the Developer Portal. There's no built-in way to assign multiple owners to a single subscription.

As a workaround, you can assign one user (for example, Admin1) as the subscription owner, and they can manually share the regenerated subscription key with Admin2 when needed. If you're looking for a more scalable solution, one option is to switch Admin1 and Admin2 to use AAD authentication. This would allow them to manage subscriptions and keys via Azure Portal, CLI, or REST API using RBAC permissions, but note that the Developer Portal will still recognize only one official owner per subscription.
Ranashekar Guda 2,820 Reputation points Microsoft External Staff Moderator

2025-06-25T17:07:49.8533333+00:00

Hello @Ripin,
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
Ranashekar Guda 2,820 Reputation points Microsoft External Staff Moderator

2025-06-26T17:29:43.37+00:00

Hello @Ripin,
We haven't heard back from you yet, and I wanted to ensure everything is on track and see if there's anything more, we can assist you with.

1 answer

Your answer

Ranashekar Guda 2,820 Reputation points Microsoft External Staff Moderator

2025-06-23T17:47:30.3933333+00:00

Hello @Ripin,
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
Ripin 11 Reputation points

2025-06-24T12:31:19.92+00:00

Hi @Ranashekar Guda , thanks a lot for the quick prompt. Please correct me if my understanding is wrong. The shared logic will help assign RBAC rules to the users available in Azure Active Directory.

In our scenario, we have a company ABC Corporation with below users (Auth type: Basic) having access to Developer Portal:

Admin1 (admin user, can regenerate Key)

Admin2 (admin user, can regenerate Key)

Use1 (non-admin, can't generate Key, but can play around with APIs in Developer Portal)

For better manageability, these users are added to the Group named 'ABC Corporation Group'

The subscription is created with group access to 'ABC Corporation Group'.

The subscription is then added to the Product.

Requirement: We want to add two admins, Admin1 and Admin2 as part of the owners / admin for the company subscription. APIM allows one owner / admin using 'Subscription Owner'.
Ranashekar Guda 2,820 Reputation points Microsoft External Staff Moderator

2025-06-24T18:13:20.23+00:00

Hello @Ripin,
Thank you for the clarification. You're absolutely right the RBAC approach applies only when users are authenticated through Azure Active Directory (AAD). Since your users (Admin1, Admin2, and User1) are using Basic authentication to access the Developer Portal, RBAC roles won't apply in this scenario. Azure API Management currently allows only one user to be assigned as the subscription owner, which means only that user can regenerate or manage the subscription key directly through the Developer Portal. There's no built-in way to assign multiple owners to a single subscription.

As a workaround, you can assign one user (for example, Admin1) as the subscription owner, and they can manually share the regenerated subscription key with Admin2 when needed. If you're looking for a more scalable solution, one option is to switch Admin1 and Admin2 to use AAD authentication. This would allow them to manage subscriptions and keys via Azure Portal, CLI, or REST API using RBAC permissions, but note that the Developer Portal will still recognize only one official owner per subscription.
Ranashekar Guda 2,820 Reputation points Microsoft External Staff Moderator

2025-06-25T17:07:49.8533333+00:00

Hello @Ripin,
Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
Ranashekar Guda 2,820 Reputation points Microsoft External Staff Moderator

2025-06-26T17:29:43.37+00:00

Hello @Ripin,
We haven't heard back from you yet, and I wanted to ensure everything is on track and see if there's anything more, we can assist you with.

Answer 1

Hello @Ripin,
Thank you for reaching out. You're correct that Azure API Management (APIM) currently allows only one user to be assigned as the "Owner" of a subscription, which limits the ability for multiple admins to manage the subscription key directly through the Developer Portal. There's a practical workaround using Azure role-based access control (RBAC). You can create a custom role that includes specific permissions, such as the ability to regenerate and manage subscription keys and assign this role to multiple users. This allows them to perform admin-like actions without being the official owner of the subscription.

To do this, you can use a PowerShell script that defines a new role (e.g., "APIM New Portal Admin") with the necessary permission (Microsoft.ApiManagement/service/users/token/action) and set the appropriate subscription scope. Once this custom role is assigned, the additional users will be able to log in to the Developer Portal and manage the subscription keys just like the primary owner. This approach provides the flexibility you need while working within APIM’s existing limitations.

Hope this helps. Do let us know if you any further queries.

Share via

Multiple users to manage the Subscription Key in Azure API Management 'Developer Portal'

1 answer

Your answer