How to secure a Rest API with OAuth 2.0 using APIM

Naman Jain 40 Reputation points
2026-02-06T14:22:50.7566667+00:00

So according to the APIM documents we can secure an MCP server/REST API via APIM using Azure OAuth 2.0:
https://learn.microsoft.com/en-us/azure/api-management/secure-mcp-servers#:~:text=Token%2Dbased%20authentication%20(OAuth%202.1%20with%20Microsoft%20Entra%20ID)

Though when we try, things like VS Code etc. redirect to `<apim-url>/authorize?client_id=<client id that VS Code asks for>`; as these URLs are not configured (nor is configuring them covered in the documents), it results in a 404 and no MCP server working.

Can someone help guide how to protect it, as we want to achieve:

  1. Client-based authentication, i.e. the MCP client generates an AD token and sends it to APIM to validate
  2. User-based authentication, where an MCP client like VS Code or Copilot uses the user's credentials to validate and use the tools in the MCP server

Azure API Management

An Azure service that provides a hybrid, multi-cloud management platform for APIs.


Answer accepted by question author
Siddhesh Desai 3,935 Reputation points Microsoft External Staff Moderator
2026-02-06T14:55:57.5833333+00:00

    Hi @Naman Jain

    Thank you for reaching out to Microsoft Q&A.

    The issue you are facing occurs because Azure API Management (APIM) is not designed to act as an OAuth 2.0 authorization server. APIM does not host or expose OAuth endpoints such as /authorize or /token. Instead, APIM functions as a gateway or resource server that validates access tokens issued by a trusted identity provider like Microsoft Entra ID (Azure Active Directory). When MCP clients such as VS Code or Copilot attempt to redirect authentication requests to <apim-url>/authorize, the request fails with a 404 error because those endpoints are not present by design. OAuth authorization, including user sign-in and consent, must always be handled by Microsoft Entra ID, and APIM’s role begins only after a valid access token has already been obtained and is presented to it.

    Refer below points to resolve this issue or consider these as the recommended workaround:

    Use Microsoft Entra ID as the OAuth Authorization Server

    All OAuth 2.0 flows must be configured against Microsoft Entra ID. MCP clients should request access tokens from Entra ID’s OAuth endpoints and then call APIM by passing the token in the Authorization: Bearer <token> header. APIM should never be used as an authorization or redirect endpoint.

    Client-based authentication (application-to-application access)

    For scenarios where an MCP client or agent needs to access the MCP server without user interaction, use the client credentials flow (client ID and secret or managed identity) against Microsoft Entra ID. Configure APIM with the validate-azure-ad-token policy to ensure that only tokens issued to the trusted client application are accepted.

    User-based authentication (VS Code / Copilot scenarios)

    For interactive clients, user authentication is handled directly by Microsoft Entra ID. Tools like VS Code or Copilot prompt the user to sign in, obtain a user-based access token, and then forward that token to APIM. APIM validates the token using the same validate-azure-ad-token policy and authorizes access to the MCP server based on the token’s claims. No authentication UI, redirects, or OAuth endpoints are required or expected on APIM.

    By configuring OAuth flows exclusively in Microsoft Entra ID and using APIM strictly for token validation and access enforcement, both client-based and user-based authentication scenarios will function correctly without encountering 404 errors on APIM endpoints. If the resolution was helpful, kindly take a moment to click on "Yes" for "Was this answer helpful". And, if you have any further query do let us know.

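The following inbound policy is an added example of the arrangement the answer describes; it is not code from the question, the answer, or Microsoft's documentation. It assumes placeholder values for the tenant ID, the two client application IDs, the MCP server's application ID URI, and the names of the scope (`Mcp.Tools.Invoke`) and app role (`Mcp.Tools.Invoke.All`) granted in the Entra ID app registration. APIM only validates the bearer token that the client already obtained from Entra ID; there is no `/authorize` or `/token` endpoint on the gateway. The `validate-azure-ad-token` policy covers both scenarios from the question in one place: app-only tokens from the client credentials flow carry a `roles` claim, while delegated user tokens from VS Code or Copilot carry an `scp` claim, so the `choose` block accepts either.

```xml
<policies>
    <inbound>
        <base />
        <!-- Validate the Microsoft Entra ID token presented in "Authorization: Bearer <token>".
             All GUIDs and the audience below are placeholders (assumptions), not real values. -->
        <validate-azure-ad-token tenant-id="00000000-0000-0000-0000-000000000000"
                                 header-name="Authorization"
                                 failed-validation-httpcode="401"
                                 failed-validation-error-message="Unauthorized. Access token is missing or invalid."
                                 output-token-variable-name="jwt">
            <client-application-ids>
                <!-- Only tokens issued to these registered client apps are accepted. -->
                <!-- Headless agent registration used with the client credentials flow: -->
                <application-id>11111111-1111-1111-1111-111111111111</application-id>
                <!-- Interactive client registration used by VS Code / Copilot (delegated user sign-in): -->
                <application-id>22222222-2222-2222-2222-222222222222</application-id>
            </client-application-ids>
            <audiences>
                <!-- Application ID URI of the app registration that represents the MCP server. -->
                <audience>api://33333333-3333-3333-3333-333333333333</audience>
            </audiences>
        </validate-azure-ad-token>
        <!-- Authorize on claims after signature/issuer/audience/expiry checks have passed.
             Delegated user tokens carry a space-separated "scp" claim; app-only tokens carry "roles". -->
        <choose>
            <when condition="@{
                var jwt = (Jwt)context.Variables["jwt"];
                string[] scp;
                string[] roles;
                bool userOk = jwt.Claims.TryGetValue("scp", out scp)
                              && scp.Any(s => s.Split(' ').Contains("Mcp.Tools.Invoke"));
                bool appOk = jwt.Claims.TryGetValue("roles", out roles)
                             && roles.Contains("Mcp.Tools.Invoke.All");
                return !(userOk || appOk);
            }">
                <return-response>
                    <set-status code="403" reason="Forbidden" />
                    <set-header name="Content-Type" exists-action="override">
                        <value>text/plain</value>
                    </set-header>
                    <set-body>Token is valid but lacks the required scope or app role.</set-body>
                </return-response>
            </when>
        </choose>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Two points worth checking when adapting this: the `audiences` value must match the `aud` claim Entra ID actually puts in the token for the MCP server's registration (the Application ID URI or the bare client ID, depending on how the scope was requested), and the `client-application-ids` list is what stops a token minted for some unrelated app in the same tenant from reaching the MCP server. A missing or malformed token fails inside `validate-azure-ad-token` with a 401; a well-formed token from an allowed client that lacks the scope or role is turned away with a 403 by the `choose` block, which keeps the two failure modes distinguishable in the gateway logs.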
