API Policies

This course deals with how to deploy, configure, and manage some key aspects of Azure API Management (APIM). In particular, we focus on the authentication mechanism and go into depth about how to set up OAuth 2.0, including creating the required Azure AD application registrations. To help with understanding and troubleshooting the OAuth flow, we use Postman to check and validate our configuration.

Next, we take a look at how we can alter API requests at various scopes using API policies. Finally, we look at how to view effective API policies that span multiple scopes and also how to trace API policies during runtime.

Learning Objectives

  • Deploy Azure API Management and import an existing API
  • Gain an understanding of how to configure authentication against APIM using OAuth 2.0
  • Implement API policies against the imported API to alter the API request
  • Use Postman to make API requests against APIM and request and use OAuth authorization tokens
  • Secure the imported API by requiring a valid Azure AD token

Intended Audience



A key strength of APIM is that it allows you to apply policies that change the behavior of an API. Policies can act on different attributes of a request, such as the subscription or the data types returned, and much more. They allow publishers to control or manipulate requests and response data at different stages of processing. This screenshot is from the Azure Portal and shows where we can add policies: at the Frontend, Inbound, Backend, or Outbound stage.

The policy definition is a simple XML document that describes the order in which the policy statements are executed. This policy can be edited directly in the Azure Portal. The portal offers a range of code snippets that you can add to each section to perform a range of functions on a request. Here we can see the XML document with its inbound, backend, outbound, and on-error sections.

Some examples of policies are: securing your API by requiring an OAuth token; converting XML to JSON or JSON to XML; rate limiting the number of requests for a specific subscription; or simply changing header values and callback URLs. Many of these policies can be applied through the portal UI by filling in a form and applying the policy in the right section. You can also write these policies by hand, which makes the solution very extensible.

Policies can be configured at different levels. You can set a policy globally, or at the scope of a product, a specific API, or an individual operation. Before creating a policy, decide at which level you want to apply it. Policy scopes are evaluated in the following order: global scope (all APIs), product scope (for example, the Starter product), API scope (for example, the Demo Conference API, covering all of its operations), and operation scope (an individual operation).

Within each scope, the statements are evaluated according to the placement of the base element, if it is present. A global policy has no parent, so using base there has no effect. We will take a look at the tools we can use to understand effective policies and to troubleshoot policies during execution.
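To make the policy document, the example policies listed above, and the scope ordering concrete, here is an added example (not part of the course material or of any Azure sample) showing a global-scope policy followed by an API-scope policy for the Demo Conference API. The tenant ID and the audience value are placeholders that you would replace with your own Azure AD tenant and the application ID URI of the API's app registration; the header names and the rate-limit numbers are assumptions chosen for illustration.

```xml
<!-- Global scope ("All APIs"): applies to every API in the APIM instance.
     The global policy has no parent, so it contains no <base /> element. -->
<policies>
    <inbound>
        <!-- Reject any request that does not carry a valid Azure AD bearer token.
             TENANT-ID-PLACEHOLDER and API-APP-ID-URI-PLACEHOLDER are placeholders. -->
        <validate-jwt header-name="Authorization" require-scheme="Bearer"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized. A valid Azure AD token is required.">
            <openid-config url="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0/.well-known/openid-configuration" />
            <required-claims>
                <claim name="aud">
                    <value>API-APP-ID-URI-PLACEHOLDER</value>
                </claim>
            </required-claims>
        </validate-jwt>
    </inbound>
    <backend>
        <forward-request />
    </backend>
    <outbound>
        <!-- Remove a header that would reveal backend technology to callers (assumed header name) -->
        <set-header name="X-Powered-By" exists-action="delete" />
    </outbound>
    <on-error>
        <!-- Record which policy raised the error; useful when tracing a failing request -->
        <set-header name="X-Error-Source" exists-action="override">
            <value>@(context.LastError.Source)</value>
        </set-header>
    </on-error>
</policies>

<!-- API scope (Demo Conference API): the position of <base /> decides when the
     inherited product and global statements run relative to this API's own statements. -->
<policies>
    <inbound>
        <!-- 1. Run inherited inbound statements (product, then global) first, so the
                global validate-jwt rejects unauthenticated requests before anything below runs -->
        <base />
        <!-- 2. Limit each subscription to 20 calls per 60 seconds (assumed values) -->
        <rate-limit calls="20" renewal-period="60" />
        <!-- 3. Tag the request before it is forwarded to the backend (assumed header name) -->
        <set-header name="X-Request-Source" exists-action="override">
            <value>apim-demo-conference</value>
        </set-header>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <!-- Convert an XML backend response to JSON, then run the inherited outbound statements -->
        <xml-to-json kind="direct" apply="content-type-xml" consider-accept-header="false" />
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

With this arrangement the effective inbound order for a call to the Demo Conference API is: global validate-jwt, then any product-scope statements, then the API's rate-limit and set-header. If `<base />` were moved below the API's own statements, the rate limit and header change would be applied to requests that have not yet been authenticated, and if `<base />` were omitted from a section, the inherited statements from the enclosing scopes would not run for that API at all. That is why viewing the effective policy across scopes, as covered later in this course, is worth doing whenever a security control such as validate-jwt lives at a broader scope than the API it is meant to protect.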

About the Author

Matthew Quickenden is a motivated Infrastructure Consultant with over 20 years of industry experience supporting Microsoft systems and other Microsoft products and solutions. He works as a technical delivery lead managing resources, understanding and translating customer requirements and expectations into architecture, and building technical solutions. In recent years, Matthew has been focused on helping businesses consume and utilize cloud technologies with a focus on leveraging automation to rapidly deploy and manage cloud resources at scale.