In today’s digital landscape, securing your APIs (Application Programming Interfaces) is essential to protect data and maintain the integrity of your systems. This guide will walk you through the process of securing your APIs using Azure Active Directory (Azure AD) and Azure API Management. Follow these steps to ensure your APIs are robust and secure.
Step 1: Create an App Registration for the Caller System
To represent the caller system, you need to create an application in Azure AD. This application will use a secret or certificate to generate a token for authenticating requests to the API.
- Navigate to Microsoft Entra ID: Go to the Azure portal and open Microsoft Entra ID.
- Register a New App: Select App registrations and click on New registration.
- App Details:
  - Enter a name for the app (e.g., “App-SystemA-Dev”).
  - Click Register.
- Generate a Secret or Certificate:
  - Navigate to Certificates & secrets in the newly created app registration.
  - Choose to create either a client secret or upload a certificate. This will be used by the application to authenticate and generate tokens.
- Note IDs: After registration, take note of the Application (client) ID, Client Secret, and Directory (tenant) ID. These will be needed later.
Step 2: Create an App Registration for the API
- Register a New App: In Azure Active Directory, go to App registrations and create a new registration.
- App Details:
  - Enter a name (e.g., “API-Order-Dev”).
  - Click Register.
Step 3: Expose an API
- Open API Settings: In the API-Order-Dev registration, go to Expose an API.
- Set Application ID URI: Configure the Application ID URI (e.g., api://{client-id}/api/dev/order).
- Add Scope: Click on Add a scope.
  - Scope Details: Enter a Scope name (e.g., access_as_user), an Admin consent display name, and a Description. Set the scope to Enabled.
  - Add Scope: Click Add scope to finalize.
Step 4: Define Roles in the API App
- Create App Roles: In the API app registration (MyAPIApp, e.g., API-Order-Dev from Step 2), go to App roles.
- Define a Role: Click Create app role.
  - Role Details: Provide a Display name (e.g., API.Read), a Description, and set the Value (e.g., API.Read). Choose Allowed member types (“Users/Groups” and “Applications”).
  - Apply Role: Click Apply to save.
- Repeat: Define additional roles as needed.
Step 5: Give Permissions to the Caller System App
- API Permissions: In the CallerSystemApp registration (the caller app from Step 1, e.g., App-SystemA-Dev), go to API permissions.
- Add Permission: Click Add a permission, select APIs my organization uses, and find MyAPIApp (the API app from Step 2, e.g., API-Order-Dev).
- Select Scopes: Choose the scopes you defined (e.g., access_as_user) and add them.
- Grant Admin Consent: Click Grant admin consent for your organization to apply the permissions.
Step 6: Validate the JWT Token in API Management
- API Management: Navigate to your API Management service in the Azure portal.
- Select API: Go to APIs and select the API you want to secure.
- Inbound Processing: In the Design tab, select Inbound processing and add a policy.
- Add Validate JWT Policy: Configure the policy with the necessary details:
  - Issuer: The URL of your Azure AD tenant (e.g., https://login.microsoftonline.com/{tenant-id}/v2.0).
  - Audience: The Application ID URI of your API (e.g., api://{client-id}).
  - OpenID Configuration URL: https://login.microsoftonline.com/{tenant-id}/.well-known/openid-configuration
  - Required Claims: Add required claims like roles.
Example policy snippet:
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Token validation failed." require-expiration-time="true" require-scheme="Bearer" require-signed-tokens="true">
    <openid-config url="https://login.microsoftonline.com/{tenant-id}/.well-known/openid-configuration" />
    <required-claims>
        <claim name="aud" match="all">
            <value>api://{client-id}</value>
        </claim>
        <claim name="roles" match="any">
            <value>API.Read</value>
            <value>API.Write</value>
        </claim>
    </required-claims>
</validate-jwt>
Replace {tenant-id} and {client-id} with your actual values.
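To troubleshoot a 401 from the policy above, the following added example (not part of the original guide, and not API Management's own code) decodes a token's payload offline and reports which of the snippet's claim checks would fail. It does not verify the signature or issuer; the function names and the sample token are constructed for illustration.

```python
import base64
import json
import time

# Same values as the <required-claims> block in the policy snippet above.
REQUIRED_CLAIMS = {
    "aud": ("all", ["api://{client-id}"]),
    "roles": ("any", ["API.Read", "API.Write"]),
}

def decode_payload(jwt):
    """Base64url-decode the payload segment. Does NOT verify the signature."""
    try:
        segment = jwt.split(".")[1]
        padded = segment + "=" * (-len(segment) % 4)
        return json.loads(base64.urlsafe_b64decode(padded))
    except (IndexError, ValueError):
        raise ValueError("not a well-formed JWT") from None

def claim_failures(claims, now=None):
    """List the reasons the claim checks would reject the token (empty = pass)."""
    now = time.time() if now is None else now
    failures = []
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        failures.append("exp: missing, but require-expiration-time is true")
    elif exp <= now:
        failures.append("exp: token expired")
    for name, (match, wanted) in REQUIRED_CLAIMS.items():
        present = claims.get(name, [])
        if isinstance(present, str):  # e.g. aud is a single string
            present = [present]
        hits = [v for v in wanted if v in present]
        if not (len(hits) == len(wanted) if match == "all" else hits):
            failures.append(f"{name}: need {match} of {wanted}, got {present}")
    return failures

def make_sample_jwt(claims):
    """Constructed sample token with a dummy signature, for offline use only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = enc({"alg": "RS256", "typ": "JWT"})
    return f"{header}.{enc(claims)}.c2ln"

if __name__ == "__main__":
    now = time.time()
    # Constructed claims: a caller app that was never assigned an app role.
    token = make_sample_jwt({"aud": "api://{client-id}", "exp": now + 300})
    print(claim_failures(decode_payload(token), now))
```

The constructed sample models a caller app that has no app role assigned on the API: its token carries no roles claim, so the roles check is the one reported as failing.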
Conclusion
By following these steps, you can secure your APIs using Azure AD and Azure API Management. This approach ensures robust authentication, role-based access control, and token validation, protecting your data and services from unauthorized access. Implementing these best practices is crucial for maintaining the security and integrity of your APIs in today’s interconnected world.