Authentication and Authorization using Entra ID

Azure API Management

Fiodar Sazanavets

Senior Software Engineer at Microsoft

Fundamental OAuth concepts

Entra ID - APIM integration

Car valet analogy

You can think of an IdP as a car valet
Your car has valuables in the glovebox (secure data)
You give the valet a special valet key
- only lets them park, not access valuables
Similarly, IdP manages app security but cannot access secure data inside apps
Example: Entra ID acts as the IdP, and API Manager acts as the client

Entra ID app registration

Entra ID client information

Client ID and Tenant ID
- Form the application's public address
- Used by code to tell Entra ID "who" the app is
Client Secret
- Acts as the application's password
- Code presents it to prove identity
- Must always be stored securely and never exposed in client-side code

Obtain IdP endpoint URLs before connecting client to IdP
- In Entra ID, click Endpoints on the app registration Overview page
- Capture OAuth 2.0 authorization and token endpoints
Authorization Endpoint
- Where code redirects users to sign in
Token Endpoint
- Backend exchanges authorization code for access token

Entra ID authentication flow

OAuth and OIDC connection in APIM

In APIM, open OAuth 2.0 + OpenID Connect under APIs
- Define a new authorization server
Configure the server with:
- Authorization and token endpoints
- Client ID and Client Secret
- Scopes exposed by your API

Azure API Management