How to protect an API in Azure APIM using Azure Active Directory.

This article summarizes a very common scenario: authenticating an API with OAuth 2.0 using Azure AD and Azure API Management. There is a simple and easy way to do this. Here are the steps.

We need to create two applications inside Azure Active Directory. In this case I am naming them EchoBackend (your backend API, which is a web application) and Testclientapp (the client API, which is a native app). The steps below assume you are familiar with creating applications in Azure AD and with the Publisher and Developer portals of Azure APIM.

  1. Create the EchoBackend application with the following settings: [Type: Web Application]
    1. Name: EchoBackend
    2. Sign-On URL: https://NormalAuth.onmicrosoft.com/echo
    3. Client ID: xxxxxxxx-50ad-4a34-a4ed-63f7ff4ae762 (assumed value)
    4. App ID URI: https://kalpitsinghtest.azure-api.net/
    5. Add permissions: (1) read directory data, (2) sign in and read user profile.

  2. Create the Testclientapp application with the following parameters: [Type: Native App]
    1. Name: Testclientapp
    2. Client ID: yyyyyyyy-5659-4cf6-87bd-ad8d176521d2 (assumed value)
    3. Redirect URI: https://kalpitsinghtest.portal.azure-api.net/docs/services/57d0xxxxxxxxx208bce4386c/console/oauth2/authorizationcode/callback (take it from the publisher portal for your API; for the time being it can be anything)
    4. Add permissions: (1) Access EchoBackend, (2) check (tick) the last permission.

  3. Change the security to OAuth 2.0 in the developer portal:
    1. Authorization endpoint URL: https://login.microsoftonline.com/374bxxxxxxx-4b92-a9c9-8bea4b16f35a/oauth2/authorize
    2. Add one additional body parameter named resource whose value is the web app's App ID URI: resource: https://kalpitsinghtest.azure-api.net/
    3. Client authentication method: basic
    4. Client ID: yyyyyyyy-5659-4cf6-87bd-ad8d176521d2
    5. Authorization endpoint URL and Token endpoint URL: as per your AD tenant.
    6. Use the redirect_uri registered for Testclientapp.

For more details, refer to the following article: https://azure.microsoft.com/en-in/documentation/articles/api-management-howto-protect-backend-with-aad/#configure-an-api-management-oauth-20-authorization-server
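Configuring the authorization server only lets the developer portal console obtain a token; the API itself is not protected until its inbound policy rejects requests that do not carry a valid token for the backend. The following validate-jwt policy is an added example (not from the original article) that does that check; it assumes the tenant ID placeholder and the EchoBackend App ID URI from the steps above, and that the v1 authorize endpoint shown in step 3 is the one issuing the tokens.

```xml
<policies>
  <inbound>
    <base />
    <!-- Reject any request whose bearer token was not signed by the tenant
         or was not issued for the EchoBackend App ID URI (the 'resource'
         value requested in step 3). The tenant ID is kept as the placeholder
         used in the article; substitute your own. -->
    <validate-jwt header-name="Authorization"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized. Access token is missing or invalid."
                  require-scheme="Bearer">
      <!-- Signing keys and issuer are pulled from the tenant's OpenID Connect metadata -->
      <openid-config url="https://login.microsoftonline.com/374bxxxxxxx-4b92-a9c9-8bea4b16f35a/.well-known/openid-configuration" />
      <audiences>
        <!-- Must match the App ID URI of the EchoBackend web application -->
        <audience>https://kalpitsinghtest.azure-api.net/</audience>
      </audiences>
      <issuers>
        <!-- Issuer format for tokens from the v1 /oauth2/authorize endpoint -->
        <issuer>https://sts.windows.net/374bxxxxxxx-4b92-a9c9-8bea4b16f35a/</issuer>
      </issuers>
    </validate-jwt>
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

Apply this at the API (or product) scope in the publisher portal; a request with no Authorization header, an expired token, or a token issued for a different resource is then refused with 401 before it reaches the backend.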


Hope this simplifies the understanding.

Happy Coding!