Configuring the Service

This course deals with how to deploy, configure, and manage some key aspects of Azure API Management (APIM). In particular, we focus on the authentication mechanism and go into depth about how to set up OAuth 2.0, including creating the required Azure AD application registrations. To help with understanding and troubleshooting the OAuth flow, we utilize Postman to check and validate our configuration.

Next, we take a look at how we can alter API requests at various scopes using API policies. Finally, we look at how to view effective API policies that span multiple scopes and also how to trace API policies during runtime.

Learning Objectives

  • Deploy Azure API Management and import an existing API
  • Gain an understanding of how to configure authentication against APIM using OAuth 2.0
  • Implement API policies against the imported API to alter the API request
  • Use Postman to make API requests against APIM and request and use OAuth authorization tokens
  • Secure the imported API by requiring a valid Azure AD token

Intended Audience



If we go to our clouddemo API management service and we see the overview, we can see we've got a virtual IP address, the developer tier for the SKU that we selected, and the region and the status is currently online. So, this is all the information we expected, which is great. If we go to the APIs, we can see the add API and the different types we looked at earlier. We need to find an API we can import. If you go to your favorite search engine and enter democonference api, you should be able to find the Import and publish your first API from Azure Management. We can see it's an OpenAPI Specification and it's conferenceapi on Azure websites in the format of JSON. So I'm gonna copy this URL. I'm also gonna record all these links in just a Notepad for my own reference. So, save that there. And if we actually open this in a browser, we can see the API definition here with the different operations. So this has the GetSessions, GetTopics.

If we return to the API Management service, if we go into the Add API and OpenAPI, we're gonna add here, and we paste in this URL, we can see that it recognizes the URL and calls it Demo Conference API. For the products, we add the Starter and the Unlimited products, which are already defined when the service is created. And click Create. And now that's imported. So we can see we've got the Demo Conference API now in this portal, and we can see a number of operations. I'm just gonna minimize this blade so that we can see more real estate and look at one of these operations itself.

So, can we actually get some sessions back from the Demo Conference API we've just imported? We're just gonna click Test and test it within the Azure portal, and click on the GetSessions. We can see here there's a number of parameters you can pass to it. We're not so interested in that at the moment. We just wanna see the Request URL gets us some data. So if we press Send, we can see we get the HTTP response back, 200 OK, which is good, it's green, green is good. And if we look down, we can see a collection of items. So there's a session here, 100, keynotes with Dan North. We can see another record, time slots. So, this looks correct. 

We wanna test this outside of the Azure portal 'cause we're likely gonna be building other applications or interacting with this another way. So I'm gonna grab this Request URL here for the sessions. I'm just gonna paste that into my Notepad over here. And we're gonna go to the Postman application. If you haven't used Postman before, it's a free app to download. There is a paid subscription which allows you to share your APIs with different team members. It's a very useful tool for orchestrating and creating API requests and troubleshooting problems with APIs.

I'd like to go through and make sure that we can access our Azure API services that we're creating using Postman as well. We've just copied in the URL for these sessions. I've done nothing more here than create a workspace and a collection called demo. Again, paste that URL in and we'll just save that, and that's gonna be called sessions. Select the collection and Save. So now, if we click the Send button, we get an Access denied due to missing subscription key. Make sure you include a subscription key when you make an API request. If we go back to the portal, when we clicked this, we went okay, so we need to understand the difference between what's happened here and what we need to do to access this externally. 

So, what we did do when we first added the API, we added the product Starter and Unlimited. That's where we're gonna get our subscription keys from. We're gonna open up the Developer portal, so you see the link here on the API Management service. That will open another web browser for us. We can see there, it's Cloud Company. That was the name that we had entered in originally when we created the system. And we can see we've got an Administrator log in here. So this is the portal which was created by the API service. You don't have to create anything. You can customize this. 

This is supposed to be the Developer portal on how developers would interact with your API. We wanna create a user. We don't wanna use the Administrator. So, we're just gonna sign out. This will allow us to go through the sign up experience. Sign up right away. And I'm just gonna pause the video and enter in some details. 

I've entered an email, a password, first name, last name, and the characters we see here. And we click Sign up. We'll save that for ease of use. And we're told we get a verification email we need to go check. Got that email in my inbox. It's over here. We can see we've got the link, welcome to Cloud Company API account, and we just need to activate this. So, it's asking me for the password again. And sign up. Just gonna copy this out of that Chrome browser and put it in our Firefox browser here. There's the user we're gonna sign back in with. And we can see we have the Cloud Company API Developer portal. We have no subscriptions. So, we need to go to Products and in this case, we wanna sign up for the Starter subscription. Along with the Starter subscription, we can see we get access to the Echo API and the Demo Conference API. Just gonna click Subscribe. And we get to give that a name. Starter is fine. Confirm. 

We can see now for Matt Quickenden, we have a subscription for Starter and we started on this date. We have a primary and secondary key. I'm gonna just click Show here and see that key. We're gonna use this key a couple times, so I'm gonna bring this over to my Notepad and we're gonna call this MQ Starter Subscription Key, and save. From here, let's go back to the clouddemo API and we wanna go to the Settings for the Demo Conference API. These settings are around the import for this app, so we can see, here's the URL we put in. Both the URL scheme are allowed or required. Here are those products we selected. We can see we have Subscription, Subscription required. The header name is this, and the query parameter subscription key. Now that we have the subscription ID and we know what the header is we need to provide, we will go back to the Postman app and add in this information. So, let's copy out this header name here. This is Subscription Header. Bring up Postman. And we can see we have Headers over here, so let's click header. Let's add in the key name, which is the subscription key. And then we're gonna wanna add in the key itself. So, we take this number we copied, put it in the value, and Send. 

We've now actually created the appropriate headers to access the information for sessions using that key. We can now do in the Postman portal what we've seen happen in the Azure portal. So during this process, we created a subscription. Let's go back to the API and have a look at what this actually means. Expand this blade, click on Subscriptions. We can see here that this Administrator has access to each of these products. The built-in service has a product. And there's a Starter product subscribed to Matt Quickenden. If we wanna look at the different products, we have the Products blade over here. By default, there's a Starter and an Unlimited, and the access control here for different groups. So, you can create your own subscriptions for different access controls, different levels of permission, different customers, different end users, different developers. They'll have different access and different levels and that very much depends on how you wanna utilize and segregate your APIs. We're gonna be just using the Starter for our demo.

So, let's review what we've done. We've created the API Management service in the Azure portal. We have imported a Demo Conference API from Microsoft. We've created a user in the portal called Matt Quickenden, and we've captured our subscription key. We've tested a call for GetSessions in the Azure portal itself. And we've created a GetSessions request with our subscription key in Postman. We're gonna pause the demo session here and go back and look at some of the authentication theory.
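
The subscription-key check seen in the Postman steps above, reproduced as an added example that is not part of the course material: a local stub stands in for the APIM gateway, and a client calls GetSessions with no key, a wrong key, and the right key. The header name is APIM's default (the API's Settings page shows the configured one); the key, the stub's response bodies and the function names are constructed for illustration.

```python
import json, threading, urllib.request, urllib.error
from http.server import BaseHTTPRequestHandler, HTTPServer

# APIM's default header name (assumption: the default was left unchanged).
SUB_HEADER = "Ocp-Apim-Subscription-Key"
DEMO_KEY = "constructed-demo-key-0000"  # constructed value, not a real key

class StubGateway(BaseHTTPRequestHandler):
    """Local stand-in for the gateway: enforces the subscription header."""
    def do_GET(self):
        supplied = self.headers.get(SUB_HEADER)
        if supplied is None:
            self._reply(401, {"statusCode": 401, "message":
                              "Access denied due to missing subscription key."})
        elif supplied != DEMO_KEY:
            self._reply(401, {"statusCode": 401, "message":
                              "Access denied due to invalid subscription key."})
        else:
            self._reply(200, {"collection": {"items": [{"href": "/session/100"}]}})

    def _reply(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # silence per-request logging
        pass

def get_sessions(base_url, key=None):
    """GET /sessions with the key in a header, so it stays out of URL logs."""
    req = urllib.request.Request(base_url + "/sessions")
    if key is not None:
        req.add_header(SUB_HEADER, key)
    # The stub is local, so bypass any proxy configured in the environment.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)

def run_demo():
    """Return (status, body) for: no key, wrong key, correct key."""
    server = HTTPServer(("127.0.0.1", 0), StubGateway)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        return [get_sessions(base), get_sessions(base, "wrong"),
                get_sessions(base, DEMO_KEY)]
    finally:
        server.shutdown()
        server.server_close()
```

Against a real APIM instance, `get_sessions` would be given the gateway's Request URL base and a key read from an environment variable or secret store rather than a literal in the source.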

About the Author

Matthew Quickenden is a motivated Infrastructure Consultant with over 20 years of industry experience supporting Microsoft systems and other Microsoft products and solutions. He works as a technical delivery lead managing resources, understanding and translating customer requirements and expectations into architecture, and building technical solutions. In recent years, Matthew has been focused on helping businesses consume and utilize cloud technologies with a focus on leveraging automation to rapidly deploy and manage cloud resources at scale.