Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
1,750 questions
Protect an API with azure AD (without policy)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 74%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EL%3C/text%3E%3C/svg%3E)
lucileDFR
1
Reputation point
Hello eveyone,
I've created some API (azure function) in Azure API management, I would like to protect the access of these API with a JWT token.
I want to authorize identified clients applications to access to theses APIs.
My clients apllications are registered in my Azure AD with clients id and secrets. They all have access to my backend application, registered in the same AD with some scopes associated, that should represent my different APIs from my API managment. These steps are explained here :
https://learn.microsoft.com/fr-fr/azure/api-management/api-management-howto-protect-backend-with-aad
I don't want in this scenario to identify the user connected but just to know that the application calling my api is the application registered in my AD with client and secret, I don't want to get access to user informations so I don't need any consent of policy.
When I'm using my client application to get my token, I have a redirection to agree policy, there is a way to use my AD to protect my API without these consent ?
I think this is quite simple but I can't found an easy solution.
Thanks for your help.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 87%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMU%3C/text%3E%3C/svg%3E)
Mike Urnun 9,666 Reputation points Microsoft Employee2021-04-09T21:42:55.763+00:00 Hi @lucileDFR - Sorry for the long delay in our responses here. To confirm, during the JWT validation, you want to only check if the client ids match but you want to do it without the APIM policies?
Sign in to comment