Enabled OAuth2 in API Management but still can access the API without providing Authorization header

San Chea 1 Reputation point
2021-09-13T09:07:36.943+00:00

Hi everyone, I am working on protecting API in APIM by using OAuth2 with AAD following this official doc, https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad.

End result is that I can generate the token in both normal API & in Developer Portal fine. However, I can still access the API even without providing the Authorization Header.

I wonder if this is expected or I have not given the correct configuration.

Azure API Management
Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
1,872 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,170 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Pramod Valavala 20,606 Reputation points Microsoft Employee
    2021-09-16T07:24:37.383+00:00

    @San Chea The main section of the doc that you've shared which is required for APIM to validate tokens is the one about the validate-jwt policy. This likely what you are missing or you added it in the wrong scope.

    The rest of the doc covers steps to create the relevant Azure AD artifacts and support OAuth2.0 based logins when testing APIs on the Developer Portal.

    0 comments No comments