I am designing the architecture of a cloud service. I am reviewing Azure API Management and Azure AD B2C. I can't seem to find any good answer to whether it is possible to use Azure AD B2C with all its features (signup, sign in etc.) as a provider for Azure API Management security - is this possible?
Azure API Management supports out of the box integration with Azure AD B2C.
For instructions on how to integrate Azure AD B2C with the API Management developer portal, check out this document.
For instructions on how to validate JWT issued by Azure AD B2C in an API Management policy, check out this document.
Note that Azure API Management supports integration with Azure AD and Azure AD B2C in both their Developer and Premium tiers. Check out the pricing page for more details.
Azure AD B2C integration is supported if you are using the premium tier of API Management service
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-aad-b2c
Related
We have an Azure APIM provision in a VNet internal mode as described in this article: Connect to an internal virtual network using Azure API Management | Microsoft Docs. We can successfully consume APIs in APIM with Postman and via the Developer Portal, from within the corporate network. However, we don’t have any connectivity between Power Platform and APIM; error message while testing a Custom Connector from Power Apps:
Can someone please point me in the right direction on how to enable comms between Power Platform and Azure APIM in VNet Internal mode. Any links and reference material are highly appreciated.
We decided on provisioning an Application Gateway with WAF applied in front of APIM that only allows traffic in from Power Platform. Reference blog post here: https://techcommunity.microsoft.com/t5/azure-paas-blog/apim-with-application-gateway-v1/ba-p/1795180.
I'm doing some tests with Azure APIM and have already published an API on the developer portal. I have the docs, have it secured using OAuth2 with Azure AD with client_credentials flow. I can invoke this API from Postman and from the developer portal.
Unfortunately, the client_id and secret are set in the configuration and the developer cannot self-service them. Is there a way to do so instead of having to add them manually for each developer?
I was looking for something like this: https://tyk.io/docs/tyk-stack/tyk-developer-portal/portal-oauth-clients/
Azure APIM itself doesn't act as an identity provider like tyk but instead uses Azure AD (or rather any OAuth 2.0 provider).
The configuration in the docs is primarily to get the Developer Portal Console (the one used to test APIs) to work. For the actual API calls, there is no configuration required.
The validate-jwt policy is what takes care of preauthorization of requests.
Since you are looking for the client credentials flow alone, you could simply expose a portal that can create the required app registrations on your Azure AD using the Microsoft Graph API and expose the client id/secret to your users.
The current developer portal doesn't support this as of today but is something you could contribute to if you wish.
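As an added example (not code from the answer above or from Microsoft's documentation), this is the shape of an inbound `validate-jwt` policy that pre-authorizes client_credentials tokens issued by Azure AD, which is the check the answer refers to. The tenant ID, the API's app ID URI and the app role name are placeholders; the B2C variant differs only in its metadata endpoint and issuer.

```xml
<!-- Added example: inbound section of an API Management API policy.
     {tenant-id}, {api-client-id}, {b2c-tenant} and {policy-name} are placeholders. -->
<inbound>
    <base />
    <validate-jwt header-name="Authorization"
                  require-scheme="Bearer"
                  require-signed-tokens="true"
                  require-expiration-time="true"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized">
        <!-- Signing keys are fetched from the tenant's OpenID metadata.
             For Azure AD B2C the metadata URL is instead:
             https://{b2c-tenant}.b2clogin.com/{b2c-tenant}.onmicrosoft.com/{policy-name}/v2.0/.well-known/openid-configuration -->
        <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
        <!-- Reject tokens minted for any other API. Depending on the app registration
             the audience may be the bare client ID rather than the api:// URI. -->
        <audiences>
            <audience>api://{api-client-id}</audience>
        </audiences>
        <!-- Reject validly signed tokens that come from a different tenant. -->
        <issuers>
            <issuer>https://login.microsoftonline.com/{tenant-id}/v2.0</issuer>
        </issuers>
        <!-- A client_credentials token carries the app roles granted to the calling
             application; require at least one so that any registered app in the
             tenant cannot call the API merely by obtaining a token for it. -->
        <required-claims>
            <claim name="roles" match="any">
                <value>Api.Invoke</value>
            </claim>
        </required-claims>
    </validate-jwt>
</inbound>
```

Subscription keys and this policy are independent checks: a request with a missing, expired, wrongly-audienced or unsigned token is rejected here before it reaches the backend, regardless of the subscription key it presents.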
How to access APIM developer portal from internet when APIM is kept internal?
I checked some Microsoft document but did not get it how to do it.
You can Integrate API Management in an internal VNET with Application Gateway.
Combining API Management provisioned in an internal VNET with the Application Gateway frontend enables the following scenarios:
• Use the same API Management resource for consumption by both internal consumers and external consumers.
• Use a single API Management resource and have a subset of APIs defined in API Management available for external consumers.
• Provide a turn-key way to switch access to API Management from the public Internet on and off.
Follow this link for more information: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-integrate-internal-vnet-appgateway
I could find that Azure AD can be configured for Azure API Manager.
My question is, is there a way to configure an on-premise LDAP to it?
A side question: can I configure SSO for the developer portal?
Does anyone have any experience using the REST API reference for Windows Store for Business (https://msdn.microsoft.com/en-us/library/windows/hardware/mt608306(v=vs.85).aspx)?
I'm trying to use it but am having authorization issues. Does anyone know what needs to be passed over for authorization when using the API?
The Store for Business service relies on Azure Active Directory for authentication. The management tool must be registered as an Azure AD application within an organization tenant to authenticate against the Store for Business. For configuring your Azure AD application you could refer to this document.
To learn more about Azure AD and how to register your application within Azure AD, here are some topics to get you started:
• Adding an application to Azure Active Directory - Azure Active Directory integration with MDM
• Accessing other Web applications and configuring your application to access other APIs - Integrating Applications with Azure Active Directory
• Authenticating to the Store for Business services via Azure AD - Authentication Scenarios for Azure Active Directory