Product level authentication (AAD) for Azure API Management

Ratheesh Kumar 1 Reputation point

We are managing more than 400 APIs in Azure API Management. We also have an approval flow for approving API subscription requests, where a permission is assigned to the API client app registration for authentication.

Since we have lots of APIs, we have as many API client app registrations, plus app registrations for each user subscribing to the application. Also, these API app registrations exist in three environments (DEV, QA and PROD). It has become very difficult to manage the app registrations. Also, all these API client app registrations have distinct roles.

We would like to reduce the number of app registrations and are thinking of doing product-level app registrations. Also, instead of app registrations for each user, we want to have a single app registration for each product subscription from a team.

Here we are not sure how to manage roles for each API, as each API has different roles. And since an API-based app registration will have all roles, how do we assign these roles to each user?

e.g.: We have a product ProductA; it has 10 APIs under it. We create one app registration ApiAppA for this product, and this app registration can be used for AAD authentication. It has two App Roles, Api1.Read and Api2.Write, for two APIs, say Api1 and Api2. Now, as a subscriber, we will have another app registration, say ClientAppB. So when a user, say John, wants to subscribe to an API under ProductA, he only wants Api1.Read for ApiAppA. Also, another user, Tom, wants to subscribe to another API under ProductA, where he needs access to the Api2.Write role. How do we assign it? We are using the client credential flow.
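
An added example, not part of the question or of any answer on this page, of how the product-level design described above can still enforce a different role per API: the App Roles are defined once on ApiAppA, each subscriber's client app (e.g. ClientAppB) is granted only the App Roles it needs as application permissions on ApiAppA (with admin consent), so a client-credentials token for that client carries only those roles in its `roles` claim, and then each API in the product gets its own inbound policy that requires the matching role. The `{tenant-id}` and `{api-app-client-id}` values are placeholders for your tenant and the ApiAppA application (client) ID.

```xml
<!-- Inbound policy scoped to Api1 (API level, not product level) in API Management.
     Api2 would use the same policy with <value>Api2.Write</value> instead.
     Placeholders: {tenant-id}, {api-app-client-id} -->
<policies>
    <inbound>
        <base />
        <validate-jwt header-name="Authorization"
                      require-scheme="Bearer"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized: missing or invalid token">
            <!-- Signing keys and issuer metadata are fetched from the tenant's OpenID config -->
            <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
            <!-- Token must be issued for ApiAppA, the product-level API app registration -->
            <audiences>
                <audience>api://{api-app-client-id}</audience>
                <audience>{api-app-client-id}</audience>
            </audiences>
            <issuers>
                <issuer>https://login.microsoftonline.com/{tenant-id}/v2.0</issuer>
                <issuer>https://sts.windows.net/{tenant-id}/</issuer>
            </issuers>
            <!-- The roles claim is populated from the App Role assignments of the calling
                 client's service principal; a client assigned only Api2.Write is rejected here -->
            <required-claims>
                <claim name="roles" match="any">
                    <value>Api1.Read</value>
                </claim>
            </required-claims>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

With this split, the product subscription key controls which product a team can call, while the App Role assignment on the team's client app controls which APIs inside that product its tokens are accepted for.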

Microsoft Entra ID