
May 21, 2025

API Management now supports built-in OAuth 2.0 application-based access to product APIs using the client credentials flow. This feature allows API managers to register Microsoft Entra ID applications, streamlining secure API access for developers through OAuth 2.0 authorization.
API publishers and developers can now more effectively manage client identity, access, and authorization flows.
With this feature:
- API managers can identify which products require OAuth authorization by setting a product property to enable application-based access.
- API managers can create and manage client applications and assign them access to specific products.
- Developers can see their registered applications in the API Management developer portal and use OAuth tokens to securely call APIs and products.
- OAuth tokens presented in API requests are validated by the API Management gateway to authorize access to the product’s APIs.
This feature simplifies identity and access management in API programs, enabling a more secure and scalable approach to API consumption.
Enable OAuth authorization
API managers can now mark specific products as protected by Microsoft Entra ID by enabling “Application based access”. This ensures that only valid client applications that hold a secure OAuth token from Microsoft Entra ID can access the APIs associated with the product. An application corresponding to the product is created in Microsoft Entra, with an appropriate app role.
Register client applications and assign products
API managers can register client applications, identify specific developers as owners of these applications, and assign products to these applications. This creates a new application in Microsoft Entra and assigns API permissions to access the product.
Securely access the API using client applications
Developers can log in to the API Management developer portal and see the applications assigned to them. They can retrieve the application credentials, call Microsoft Entra to get an OAuth token, and use this token to call the APIM gateway and securely access the product/API.
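The developer-side flow described above, as an added example that is not code from the original post or from Microsoft: it builds the client credentials token request for the Microsoft Entra ID v2.0 token endpoint, builds the gateway call, and checks a token's claims locally to diagnose rejected calls. The tenant, client ID, product Application ID URI, role name, expected audience and the use of the standard `Authorization: Bearer` header are assumptions; take the real values from the developer portal.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def build_token_request(tenant, client_id, client_secret, product_app_uri):
    """Build (not send) the client credentials token request."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # load from a secret store, not source
        # Client credentials requests use the resource's /.default scope.
        "scope": product_app_uri.rstrip("/") + "/.default",
    }).encode()
    return urllib.request.Request(TOKEN_URL.format(tenant=tenant), data=form, method="POST")


def build_api_request(api_url, access_token):
    """Build the gateway call (assumes the standard Bearer header)."""
    return urllib.request.Request(api_url, headers={"Authorization": "Bearer " + access_token})


def token_problems(access_token, expected_aud, required_role, now=None):
    """List claim problems. No signature check: the gateway does validation."""
    try:
        payload_b64 = access_token.split(".")[1]
        payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
        claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    except (IndexError, ValueError):
        return ["not a JWT"]
    problems = []
    if claims.get("aud") != expected_aud:
        problems.append("aud mismatch")
    if required_role not in claims.get("roles", []):
        problems.append("missing role")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        problems.append("expired")
    return problems


def make_sample_token(claims):
    """Constructed, unsigned sample token for offline use only."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])
```

Send the two requests with `urllib.request.urlopen`; the token endpoint returns JSON whose `access_token` field is the value to pass to `build_api_request`.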
Preview limitations
The public preview of Applications is a limited-access feature. To participate in the preview and enable Applications in your APIM service instance, you must complete a request form. The Azure API Management team will review your request and respond via email within five business days.