Azure Directory and API Management Service Communication

Introduction

In this article, we will focus on how to obtain an access token from Azure Active Directory for an application that has role-based permissions, and then have Azure API Management validate this token before it serves the API request.

Azure Active Directory (AAD): Active Directory (AD) is Microsoft's proprietary directory service. It runs on Windows Server and enables administrators to manage permissions and access to network resources. Active Directory stores data as objects. An object is a single element, such as a user, group, application, or device such as a printer. Objects are normally defined as either resources, such as printers or computers, or security principals, such as users or groups.

API Management Services (APIM): Deploy API gateways side-by-side with the APIs hosted in Azure, other clouds, and on-premises, optimizing API traffic flow. Meet security and compliance requirements while enjoying a unified management experience and full observability across all internal and external APIs.

Topics Covered

This article demonstrates how to build the following:

  1. Create and configure AAD.
  2. Create and configure APIM and Resource Group.
  3. Testing using Postman.
  4. Clean up resources.

Pre-requisites

  1. An active Azure account.
  2. A user with sufficient access to create an Azure resource group, an Azure AD tenant, and an APIM instance for this article.

Task 1. Create and configure an APIM instance and a resource group.

Consider the Azure API Management and resource group setup shown in the screenshot below.
  Screenshot: Azure API Management and Resource Group Setup

Task 2. Create and configure the Azure Active Directory tenant.

  1. Sign in to the Azure portal.
  2. From the Azure portal menu, select Azure Active Directory.
  3. On the overview page, select Manage Tenants.
  4. Select Create.
  5. On the Basics tab, select the type of tenant you want to create, either Azure Active Directory or Azure Active Directory (B2C).
  6. Select Next: Configuration to move on to the Configuration tab.
  7. On the Configuration tab, enter the following information:
    Screenshot: Create a Tenant
  8. Type your desired Organization name (for example Contoso Organization) into the Organization name box.
  9. Type your desired Initial domain name (for example Contosoorg) into the Initial domain name box.
  10. Select your desired Country/Region or leave the United States option in the Country or region box.
  11. Select Next: Review + Create. Review the information you entered and if the information is correct, select Create.

Task 3. Configure an API in APIM.

  Screenshot: API Management services

  1. On the API Management services page, select your API Management instance.
  2. Import and publish a backend API
    1. In the left navigation of your API Management instance, select APIs.
    2. Select the OpenAPI tile.
    3. In the Create from OpenAPI specification window, select Full.
    4. Enter the values from the following table (shown in the screenshot below).
    5. You can set API values during creation or later by going to the Settings tab.
      Screenshot: OpenAPI Specification

Task 4. Configure OAuth in APIM.

  1. Choose your APIM instance (APIMSample in the screenshot) and select the option that creates an OAuth 2.0 service.
    Screenshot: APIMSample
  2. Select Add OAuth2 Service.
    Screenshot: Add OAuth2 Service

Enter a name that follows your naming convention standard.

Client registration URL: the URL of your website, for example 'https://sample.com'.

Enter the two endpoints of your authorization server:

  • Authorization endpoint URL
  • Token endpoint URL

  Screenshot: Endpoints

  • Authorization request method: In the body
  • Access Token: Authorization header
  • Default scope: Authorization server default scope

You must generate a client ID and a client secret if you do not already have them; see the screenshot below.

  Screenshot: Client secrets

  1. Configure OAuth with the API.
    Screenshot: Configure OAuth with API

Choose your APIM > APIs > API name > Settings, and then select OAuth 2.0.

In the dropdown, choose the authorization server name that you created in the steps above.

Task 5. Configure a policy.

Policies validate the request and response against custom conditions. Azure provides different policies for this purpose, for example CORS and token validation (validate-jwt).

  Screenshot: APIs

Go to APIM > APIs > choose the API name > Design, which opens the screen shown above.

  Screenshot: Operations

Now consider the policy above, which validates the token's audience. Other policies are also available and can be included as your requirements dictate.

Task 6. Configure permissions.

  1. Configure API permissions and expose the API endpoint to the outside world.
    Screenshot: Configure permission
    Screenshot: Client App / My APIs / Expose API

Grant the respective permission: choose your app > API permissions. See the screenshots above.

Task 7. Configure Postman to get the token.

Use the parameters below.

  Screenshot: Parameters

  Screenshot: Authorization

  Screenshot: Access token

With the token above, you can call your API endpoint and retrieve the data.

Note. With the Postman configuration above, the token is first obtained from Azure Active Directory (AAD) and then sent with the request to the API endpoint. The API's OAuth configuration validates the token against AAD first. If the token fails validation according to the policy configuration, we get an error message; otherwise, we get the response produced by the API's own functionality.

Task 8. Clean up resources.

Delete all the resources to ensure you're not charged for any services you aren't using.