Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
2,303 questions
Authentication Flow for API Management with Azure Entra ID and API Key Integration
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 81%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
Alireza Mansoori
0
Reputation points
I need to understand how authentication for API Management works. I have an HRM Flex API, described in Swagger, which requires an API key for authentication. However, the client application and users must authenticate using Azure Entra ID.
The attached diagram illustrates the architecture.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 40%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKA%3C/text%3E%3C/svg%3E)
Khadeer Ali 3,670 Reputation points Microsoft Vendor2025-02-14T14:41:52.14+00:00 [Duplicate]
Sign in to comment
2 answers
Sort by: Most helpful
-
-
Khadeer Ali 3,670 Reputation points Microsoft Vendor
2025-02-14T14:37:29.4666667+00:00 Thanks for reaching out. Here is a generalized approach to integrate Azure Entra ID for authentication in your API Management setup while also requiring an API key for the HRM Flex API:
First, you'll need to register your application in Azure Entra ID. This application will be used to authenticate users and acquire tokens. Next, in Azure API Management, you'll set up policies to validate both the API key and the OAuth 2.0 token from Azure Entra ID. This involves using the validate-jwt policy to check the validity of the OAuth token presented in API requests and ensuring that the API key is also validated in the request.
The client application will authenticate users via Azure Entra ID, obtaining an access token that must be included in the API requests along with the API key. When the API request is received, API Management will validate both the API key and the OAuth token before allowing access to the backend API.
This approach ensures that both the API key and Azure Entra ID authentication mechanisms are enforced for secure access to your API. If you have any further questions or need additional assistance, feel free to ask!
Please check the below references:
- Protect an API in Azure API Management using OAuth 2.0 authorization with Microsoft Entra ID
- Authentication and authorization to APIs in Azure API Management
- Microsoft Entra identity configuration for Azure API for FHIR
Hope this helps. Do let us know if you have any further queries.
If this answers your query, do click Accept Answer and Yes for "Was this answer helpful." And if you have any further questions, let us know.
-
Alireza Mansoori 0 Reputation points
2025-02-17T08:32:04.81+00:00 We want to keep the API key secure and not expose it to applications or users. Instead, we will store the API key in a key vault. When an application calls the API, it will first be authenticated using Entra ID. Once authorized, the API key will be retrieved from the key vault, added to the request, and then forwarded to the backend.
Is there a solution that meets this specific requirement?
-
Khadeer Ali 3,670 Reputation points Microsoft Vendor
2025-02-17T14:42:00.3433333+00:00 Yes, there is a solution that meets your requirements for securely managing the API key while integrating with Azure Entra ID for authentication.
Instead of exposing the API key to applications or users, you can store it in Azure Key Vault and let Azure API Management (APIM) handle secure retrieval.
Here’s how the process works:
- Client Authentication: The application first authenticates with Azure Entra ID and obtains an access token. This token is included in the request to APIM.
- Token Validation in APIM: APIM uses the
validate-jwtpolicy to verify the token’s authenticity and ensure only authorized requests are processed. - Secure API Key Retrieval: APIM has a Managed Identity that allows it to securely access Azure Key Vault. Once the token is validated, APIM retrieves the API key from Key Vault and injects it into the request headers.
- Forwarding the Request to Backend: The modified request (now containing the API key) is forwarded to the HRM Flex API, ensuring the API key remains secure and never exposed to clients.
-
Alireza Mansoori 0 Reputation points
2025-02-17T15:14:30.21+00:00 Does it require an inbound policy to inject the API key into the request headers?
I'm asking because I haven't found any documentation that provides guidance on this.
-
Khadeer Ali 3,670 Reputation points Microsoft Vendor
2025-02-17T15:30:42.5433333+00:00 Yes, implementing an inbound policy in Azure API Management (APIM) is essential to securely inject the API key from Azure Key Vault into the request headers before forwarding it to your backend API. This approach ensures that the API key remains confidential and is not exposed to client applications.
While there isn't a single comprehensive document detailing this exact process, you can achieve this by combining guidance from multiple Azure documentation sources.
reference for your ask:
-
Khadeer Ali 3,670 Reputation points Microsoft Vendor
2025-02-19T14:21:20.26+00:00 I wanted to check in and see if my earlier response addressed your question. If you still need assistance or have additional questions, feel free to reach out.
Sign in to comment