Unable to send test requests to backend APIs using the Azure APIM interactive portal

Ershad Nozari 421 Reputation points

Using the Azure portal, I’m unable to send test requests to the Echo API (and all other backend APIs).

When sending a request, I’m getting the following error:

HTTP/1.1 401 Access Denied
cache-control: private, s-maxage=0
content-length: 152
content-type: application/json
date: Tue, 12 Apr 2022 05:13:28 GMT
request-context: appId=cid-v1:949e7a13-dcf9-44ae-978a-f48fb6333f1a
vary: Origin
www-authenticate: AzureApiManagementKey realm="https://AAAA.azure-api.net/echo",name="Ocp-Apim-Subscription-Key",type="header"
    "statusCode": 401,
    "message": "Access denied due to missing subscription key. Make sure to include subscription key when making requests to an API."

The request works fine when I tick the “Bypass CORS proxy” checkbox and through Postman.

I have the following global inbound CORS policy:

        <cors allow-credentials="true">
            <allowed-methods preflight-result-max-age="300">
        <forward-request />
    <outbound />
    <on-error />

and the inbound base policy set on the Echo API.

I haven't experienced this problem previously. Any ideas how I can bypass the CORS error while submitting a test request in the APIM portal?

1 answer

  1. MayankBargali-MSFT 69,931 Reputation points

    @Ershad Nozari Thanks for your offline discussion. The product team has investigated it further and, as per the initial investigation, "Microsoft Defender for Cloud Apps" creates a proxy that intercepts all requests going out of the Azure portal. It looks like the MCAS proxy is either removing or modifying headers from the outgoing request, thus causing this behavior.
    We can see the portal domain in the request as portal.azure.com.mcas.ms in your case. For your reference, I am sharing this document from the Defender for Cloud Apps end.

    Unfortunately, as of now we don't have any ETA for the fix as this is being investigated further. I will update this thread once I have any further update from my team.

    As a workaround, you can check the Bypass CORS proxy option or pass the subscription key as a query string from the Azure portal.


    @Ershad Nozari Thanks for reaching out. As per the error message, the issue is not related to CORS; rather, the subscription key is not correctly passed when you are calling your APIM APIs.
    For CORS troubleshooting you can always refer to this document.
    Access denied due to missing subscription key. Make sure to include subscription key when making requests to an API.

    If the issue were caused by CORS when you are testing from the developer portal (https://<<yourapiminstancename>>.developer.azure-api.net/), then the CORS error would be as below.

    Unable to complete the request
    Since the browser initiates the request, it requires Cross-Origin Resource Sharing (CORS) enabled on the server. Learn more

    **Error when CORS Policy is missing:**


    **Error when CORS Policy was added but the Subscription Key is missing from the header:** Same error that you have observed


    If your API has enabled the Required Subscription Key, then you need to pass Ocp-Apim-Subscription-Key as the header and the subscription key as the value to resolve the issue.


    If you still observe the issue, then I suggest you enable the OCP APIM trace to debug your API. If you need any help with reviewing the trace, please let me know and I will initiate a private comment so you can share the details.

    Feel free to get back to me if you need any assistance.
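
The triage described in this thread, as an added example that is not part of the original question or answer: it reads the `www-authenticate` challenge from a captured 401, compares the key name the gateway asks for against the headers the client actually sent, and flags a portal origin that ends in `.mcas.ms`. The function names, finding labels and sample response are constructed for illustration; the response is modelled on the one quoted in the question.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the 401 quoted in the question.
SAMPLE_RESPONSE = (
    "HTTP/1.1 401 Access Denied\r\n"
    "content-type: application/json\r\n"
    "vary: Origin\r\n"
    'www-authenticate: AzureApiManagementKey realm="https://AAAA.azure-api.net/echo",'
    'name="Ocp-Apim-Subscription-Key",type="header"\r\n'
    "\r\n"
    '{"statusCode": 401, "message": "Access denied due to missing subscription key."}'
)

def parse_headers(raw):
    """Return (status_code, {lower-cased header name: value}) from a raw response."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split()[1])
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def parse_apim_challenge(value):
    """Split 'AzureApiManagementKey k="v",...' into (scheme, params)."""
    scheme, _, rest = value.partition(" ")
    return scheme, dict(re.findall(r'(\w+)="([^"]*)"', rest))

def triage(raw, request_headers, page_origin):
    """Hypothetical helper: classify a failed test call from captured data."""
    status, headers = parse_headers(raw)
    scheme, params = parse_apim_challenge(headers.get("www-authenticate", ""))
    findings = []
    # A readable 401 with this challenge means the gateway answered, so the
    # failure is about key delivery rather than a blocked cross-origin call.
    if status == 401 and scheme == "AzureApiManagementKey":
        sent = {h.lower() for h in request_headers}
        wanted = params.get("name", "").lower()
        # Sent by the client but reported missing: something in between dropped it.
        findings.append("key-sent-but-not-received" if wanted in sent else "key-not-sent")
    host = urlsplit(page_origin).hostname or ""
    if host.endswith(".mcas.ms"):  # proxy suffix named in the answer
        findings.append("portal-behind-mcas-proxy")
    return findings

if __name__ == "__main__":
    sent = {"Ocp-Apim-Subscription-Key": "<redacted>"}
    print(triage(SAMPLE_RESPONSE, sent, "https://portal.azure.com.mcas.ms"))
```

Only header names are compared, so the key value can be redacted before a capture is shared.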