Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,629 questions
Product level authentication (AAD) for Azure API Management
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 97%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERK%3C/text%3E%3C/svg%3E)
Ratheesh Kumar
1
Reputation point
We are managing more 400 APIs in Azure API Management. We are also having an approval flow for approving the API subscription request, where a permission would be assigned to the API client app registration for authentication.
Problem
Since we have lots of APIs we are having as many API client app registrations and app registrations for each users subscribing the application. Also these API app registrations are available in three environments (DEV, QA and PROD). It became very difficult to manage the App Registrations. Also all these API client app registration have distinguished roles.
We would like to reduce the number of app registrations and thinking to do a product level app registrations. Also instead of app registrations for each users, we want to have single app registration for each product subscription from a team .
Here we are not sure about how to manage roles for each APIs as each API has different Roles. And an API based app registration will have all roles, how do we assign these roles to each Users.
eg: We have a product ProductA , it has 10 APIs under it. We create one APP registration ApiAppA for this product and this app registration can be used for AAD authentication. It has two App Roles Api1.Read and Api2.Write for two APIs say Api1 and Api2. Now as a subscriber, we will have another app registration say ClientAppB. So when a User say John want to subscribe to an API under ProductA. He only wants Api1.Read for ApiAppA. Also another user Tom wants to subscribe to another API under Product A, where he need access to Api2.Write role. How do we assign it? We are using client credential flow.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 20%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Shweta Mathur 29,681 Reputation points Microsoft Employee2022-08-29T12:21:23.26+00:00 Hi @Ratheesh Kumar ,
Thanks for reaching out.
I understood you have registered multiple applications for each app roles and for each user calling different APIs based on user's requirements. Please let me know if my understanding is not correct.Based on my understanding, you can protect the API on behalf of users who have right roles and scopes as mentioned here. You don't require multiple registrations for each API based on user roles.
eg You can expose both the API1.Read and API2.Write roles in your single API which will allow user to call particular controller or action based on right scopes and roles. In ASP.net you can achieve this using [Authorize] attribute or reference with [RequiredScope] which will allow John to access API.read action and Tom to API. write operations.
Hope this is what you are looking for.
Thanks,
Shweta -
Shweta Mathur 29,681 Reputation points Microsoft Employee
2022-09-05T06:58:56.277+00:00 Hi @Ratheesh Kumar ,
Just wanted to check if above answer your question?
Sign in to comment