Configure credential manager - Microsoft Graph API

This article guides you through the steps required to create a managed connection to the Microsoft Graph API within Azure API Management. The authorization code grant type is used in this example.

You learn how to:

  • Create a Microsoft Entra application
  • Create and configure a credential provider in API Management
  • Configure a connection
  • Create a Microsoft Graph API in API Management and configure a policy
  • Test your Microsoft Graph API in API Management

Prerequisites

Step 1: Create a Microsoft Entra application

Create a Microsoft Entra application for the API and give it the appropriate permissions for the requests that you want to call.

  1. Sign in to the Azure portal with an account with sufficient permissions in the tenant.

  2. Under Azure Services, search for Microsoft Entra ID.

  3. On the left menu, select App registrations, and then select + New registration.

  4. On the Register an application page, enter your application registration settings:

    1. In Name, enter a meaningful name that will be displayed to users of the app, such as MicrosoftGraphAuth.

    2. In Supported account types, select an option that suits your scenario, for example, Accounts in this organizational directory only (Single tenant).

    3. Set the Redirect URI to Web, and enter https://authorization-manager.consent.azure-apim.net/redirect/apim/<YOUR-APIM-SERVICENAME>, substituting the name of the API Management service where you will configure the credential provider.

    4. Select Register.

      Screenshot of creating a Microsoft Entra app registration in the portal.

  5. On the left menu, select API permissions, and then select + Add a permission. Screenshot of adding an API permission in the portal.

    1. Select Microsoft Graph, and then select Delegated permissions.

      Note

      Make sure the permission User.Read with the type Delegated has already been added.

    2. Type Team, expand the Team options, and then select Team.ReadBasic.All. Select Add permissions.
    3. Next, select Grant admin consent for Default Directory. The status of the permissions changes to Granted for Default Directory.
  6. On the left menu, select Overview. On the Overview page, find the Application (client) ID value and record it for use in Step 2.

  7. On the left menu, select Certificates & secrets, and then select + New client secret.
    Screenshot of creating an app secret in the portal.

    1. Enter a Description.
    2. Select an option for Expires.
    3. Select Add.
    4. Copy the client secret's Value before leaving the page. You will need it in Step 2.

Step 2: Configure a credential provider in API Management

  1. Sign into the portal and go to your API Management instance.

  2. On the left menu, select Credential manager, and then select + Create.
    Screenshot of creating an API credential in the portal.

  3. On the Create credential provider page, enter the following settings, and select Create:

    Settings Value
    Credential provider name A name of your choice, such as MicrosoftEntraID-01
    Identity provider Select Azure Active Directory v1
    Grant type Select Authorization code
    Authorization URL Optional for Microsoft Entra identity provider. Default is https://login.microsoftonline.com.
    Client ID Paste the value you copied earlier from the app registration
    Client secret Paste the value you copied earlier from the app registration
    Resource URL https://graph.microsoft.com
    Tenant ID Optional for Microsoft Entra identity provider. Default is Common.
    Scopes Optional for Microsoft Entra identity provider. Automatically configured from Microsoft Entra app's API permissions.

Step 3: Configure a connection

On the Connection tab, complete the steps for your connection to the provider.

Note

When you configure a connection, API Management by default sets up an access policy that enables access by the instance's systems-assigned managed identity. This access is sufficient for this example. You can add additional access policies as needed.

  1. Enter a Connection name, then select Save.
  2. Under Step 2: Login to your connection (for authorization code grant type), select the link to login to the credential provider. Complete steps there to authorize access, and return to API Management.
  3. Under Step 3: Determine who will have access to this connection (Access policy), the managed identity member is listed. Adding other members is optional, depending on your scenario.
  4. Select Complete.

The new connection appears in the list of connections, and shows a status of Connected. If you want to create another connection for the credential provider, complete the preceding steps.

Tip

Use the portal to add, update, or delete connections to a credential provider at any time. For more information, see Configure multiple connections.

Note

If you update your Microsoft Graph permissions after this step, you will have to repeat Steps 2 and 3.

Step 4: Create a Microsoft Graph API in API Management and configure a policy

  1. Sign into the portal and go to your API Management instance.

  2. On the left menu, select APIs > + Add API.

  3. Select HTTP and enter the following settings. Then select Create.

    Setting Value
    Display name msgraph
    Web service URL https://graph.microsoft.com/v1.0
    API URL suffix msgraph
  4. Navigate to the newly created API and select Add Operation. Enter the following settings and select Save.

    Setting Value
    Display name getprofile
    URL for GET /me
  5. Follow the preceding steps to add another operation with the following settings.

    Setting Value
    Display name getJoinedTeams
    URL for GET /me/joinedTeams
  6. Select All operations. In the Inbound processing section, select the (</>) (code editor) icon.

  7. Make sure the provider-id and authorization-id values in the get-authorization-context policy correspond to the names of the credential provider and connection, respectively, that you configured in the preceding steps. Select Save.

    <policies>
        <inbound>
            <base />
            <get-authorization-context provider-id="MicrosoftEntraID-01" authorization-id="first-connection" context-variable-name="auth-context" identity-type="managed" ignore-error="false" />
           <set-header name="Authorization" exists-action="override">
               <value>@("Bearer " + ((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</value>
           </set-header>
        </inbound>
        <backend>
            <base />
        </backend>
        <outbound>
            <base />
        </outbound>
        <on-error>
            <base />
        </on-error>
    </policies>
    

The preceding policy definition consists of two parts:

  • The get-authorization-context policy fetches an authorization token by referencing the credential provider and connection that were created earlier.
  • The set-header policy creates an HTTP header with the fetched access token.

Step 5: Test the API

  1. On the Test tab, select one operation that you configured.

  2. Select Send.

    Screenshot of testing the Graph API in the portal.

    A successful response returns user data from the Microsoft Graph.