credentials-how-to-azure-ad.md

File metadata and controls

171 lines (130 loc) · 9.69 KB
---
title: Create connection to Microsoft Graph API - Azure API Management | Microsoft Docs
description: Learn how to create and use a managed connection to a backend Microsoft Graph API using the Azure API Management credential manager.
services: api-management
author: dlepow
ms.service: azure-api-management
ms.topic: how-to
ms.date: 11/14/2023
ms.author: danlep
---

Configure credential manager - Microsoft Graph API

[!INCLUDE api-management-availability-all-tiers]

This article guides you through the steps required to create a managed connection to the Microsoft Graph API within Azure API Management. The authorization code grant type is used in this example.

You learn how to:

[!div class="checklist"]

  • Create a Microsoft Entra application
  • Create and configure a credential provider in API Management
  • Configure a connection
  • Create a Microsoft Graph API in API Management and configure a policy
  • Test your Microsoft Graph API in API Management

Prerequisites

Step 1: Create a Microsoft Entra application

Create a Microsoft Entra application for the API and give it the appropriate permissions for the requests that you want to call.

  1. Sign in to the Azure portal with an account with sufficient permissions in the tenant.

  2. Under Azure Services, search for Microsoft Entra ID.

  3. On the left menu, select App registrations, and then select + New registration.

  4. On the Register an application page, enter your application registration settings:

    1. In Name, enter a meaningful name that will be displayed to users of the app, such as MicrosoftGraphAuth.

    2. In Supported account types, select an option that suits your scenario, for example, Accounts in this organizational directory only (Single tenant).

    3. Set the Redirect URI to Web, and enter https://authorization-manager.consent.azure-apim.net/redirect/apim/<YOUR-APIM-SERVICENAME>, substituting the name of the API Management service where you will configure the credential provider.

    4. Select Register.

      :::image type="content" source="media/credentials-how-to-azure-ad/create-registration.png" alt-text="Screenshot of creating a Microsoft Entra app registration in the portal.":::

  5. On the left menu, select API permissions, and then select + Add a permission.

      :::image type="content" source="./media/credentials-how-to-azure-ad/add-permission.png" alt-text="Screenshot of adding an API permission in the portal.":::

    1. Select Microsoft Graph, and then select Delegated permissions.

      [!NOTE] Make sure the permission User.Read with the type Delegated has already been added.

    2. Type Team, expand the Team options, and then select Team.ReadBasic.All. Select Add permissions.
    3. Next, select Grant admin consent for Default Directory. The status of the permissions changes to Granted for Default Directory.
  6. On the left menu, select Overview. On the Overview page, find the Application (client) ID value and record it for use in Step 2.

  7. On the left menu, select Certificates & secrets, and then select + New client secret.
    :::image type="content" source="media/credentials-how-to-azure-ad/create-secret.png" alt-text="Screenshot of creating an app secret in the portal.":::

    1. Enter a Description.
    2. Select an option for Expires.
    3. Select Add.
    4. Copy the client secret's Value before leaving the page. You will need it in Step 2.

Step 2: Configure a credential provider in API Management

  1. Sign in to the portal and go to your API Management instance.

  2. On the left menu, select Credential manager, and then select + Create.
    :::image type="content" source="media/credentials-how-to-azure-ad/create-credential.png" alt-text="Screenshot of creating an API credential in the portal.":::

  3. On the Create credential provider page, enter the following settings, and select Create:

    | Setting | Value |
    |---|---|
    | Credential provider name | A name of your choice, such as MicrosoftEntraID-01 |
    | Identity provider | Select Azure Active Directory v1 |
    | Grant type | Select Authorization code |
    | Authorization URL | Optional for Microsoft Entra identity provider. Default is https://login.microsoftonline.com. |
    | Client ID | Paste the value you copied earlier from the app registration |
    | Client secret | Paste the value you copied earlier from the app registration |
    | Resource URL | https://graph.microsoft.com |
    | Tenant ID | Optional for Microsoft Entra identity provider. Default is Common. |
    | Scopes | Optional for Microsoft Entra identity provider. Automatically configured from the Microsoft Entra app's API permissions. |

Step 3: Configure a connection

On the Connection tab, complete the steps for your connection to the provider.

Note

When you configure a connection, API Management by default sets up an access policy that enables access by the instance's system-assigned managed identity. This access is sufficient for this example. You can add additional access policies as needed.

[!INCLUDE api-management-credential-create-connection]

Tip

Use the portal to add, update, or delete connections to a credential provider at any time. For more information, see Configure multiple connections.

Note

If you update your Microsoft Graph permissions after this step, you will have to repeat Steps 2 and 3.

Step 4: Create a Microsoft Graph API in API Management and configure a policy

  1. Sign in to the portal and go to your API Management instance.

  2. On the left menu, select APIs > + Add API.

  3. Select HTTP and enter the following settings. Then select Create.

    | Setting | Value |
    |---|---|
    | Display name | msgraph |
    | Web service URL | https://graph.microsoft.com/v1.0 |
    | API URL suffix | msgraph |

  4. Navigate to the newly created API and select Add Operation. Enter the following settings and select Save.

    | Setting | Value |
    |---|---|
    | Display name | getprofile |
    | URL | GET /me |

  5. Follow the preceding steps to add another operation with the following settings.

    | Setting | Value |
    |---|---|
    | Display name | getJoinedTeams |
    | URL | GET /me/joinedTeams |

  6. Select All operations. In the Inbound processing section, select the code editor (</>) icon.

  7. Copy and paste the following snippet. Update the get-authorization-context policy with the names of the credential provider and connection that you configured in the preceding steps, and select Save.

    • Substitute your credential provider name as the value of provider-id
    • Substitute your connection name as the value of authorization-id
    ```xml
    <policies>
        <inbound>
            <base />
            <get-authorization-context provider-id="MicrosoftEntraID-01" authorization-id="first-connection" context-variable-name="auth-context" identity-type="managed" ignore-error="false" />
            <set-header name="Authorization" exists-action="override">
                <value>@("Bearer " + ((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</value>
            </set-header>
        </inbound>
        <backend>
            <base />
        </backend>
        <outbound>
            <base />
        </outbound>
        <on-error>
            <base />
        </on-error>
    </policies>
    ```

The preceding policy definition consists of two parts:

  • The get-authorization-context policy fetches an authorization token by referencing the credential provider and connection that were created earlier.
  • The set-header policy creates an HTTP header with the fetched access token.
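With `ignore-error="false"`, a failure to obtain a token aborts the inbound pipeline and control passes to the `<on-error>` section. The variant below is an added example, not the article's own snippet: it sets `ignore-error="true"` and checks the context variable explicitly, so a missing token returns a 401 to the caller instead of forwarding a request to Microsoft Graph with an empty bearer header. The provider and connection names are the ones assumed in this article, and the JSON error body is constructed here.

```xml
<policies>
    <inbound>
        <base />
        <!-- Assumed names from this article; substitute your own provider and connection -->
        <get-authorization-context provider-id="MicrosoftEntraID-01" authorization-id="first-connection" context-variable-name="auth-context" identity-type="managed" ignore-error="true" />
        <choose>
            <!-- With ignore-error="true" the variable is left unset on failure, so fail closed here -->
            <when condition="@(context.Variables.GetValueOrDefault("auth-context") == null)">
                <return-response>
                    <set-status code="401" reason="Unauthorized" />
                    <set-header name="Content-Type" exists-action="override">
                        <value>application/json</value>
                    </set-header>
                    <!-- Constructed, deliberately generic error body: no provider or token details leak to the caller -->
                    <set-body>{"error":"backend_authorization_unavailable"}</set-body>
                </return-response>
            </when>
        </choose>
        <!-- Only reached when a token was obtained; override replaces any Authorization header the caller sent -->
        <set-header name="Authorization" exists-action="override">
            <value>@("Bearer " + ((Authorization)context.Variables.GetValueOrDefault("auth-context")).AccessToken)</value>
        </set-header>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```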

Step 5: Test the API

  1. On the Test tab, select one operation that you configured.

  2. Select Send.

    :::image type="content" source="media/credentials-how-to-azure-ad/graph-api-response.png" alt-text="Screenshot of testing the Graph API in the portal.":::

    A successful response returns user data from the Microsoft Graph.

Related content
