
Azure Integration Services Blog

Enforce or Audit Policy Inheritance in API Management

budzynski
Sep 09, 2025

A new Azure Policy definition helps you enforce or audit policy inheritance across scopes in Azure API Management.

We’re excited to announce a new Azure Policy definition that lets you enforce or audit policy inheritance in Azure API Management. With this capability, platform and governance teams can ensure that API Management policies are always inherited across all policy scopes — operations, APIs, products, and workspaces — strengthening consistency, compliance, and security across your API estate.

 

Why this matters

In Azure API Management, the <base /> policy element plays a critical role: it ensures that a runtime policy inherits policies defined at a higher scope, such as product, workspace, or all APIs (global). Without <base />, developers can inadvertently (or intentionally) bypass important platform rules, for example:

  • Security controls like authentication or IP restrictions
  • Operational requirements such as logging, tracing, or rate-limiting
  • Business policies such as quota enforcement

The result can be inconsistent behavior, compliance drift, and gaps in governance.

 

 

How the new policy helps

With the new Azure Policy definition, you can automatically ensure that <base /> is located at the start of each API Management policy section — <inbound>, <outbound>, <backend>, and <on-error> — across policies configured on operations, APIs, products, and workspaces.

You can set the effect parameter to:

  • Audit: Identify operation, API, product, or workspace policies where <base /> is missing.
  • Deny: Prevent deployment of policies that do not include <base />.
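As an added example (not part of the original post, and not the Azure Policy definition's own logic), here is a local lint in Python that approximates the same rule so policy files can be checked before deployment. The function names and sample policies are constructed for illustration, and the script assumes that a section absent from the document is not reported.

```python
import xml.etree.ElementTree as ET

SECTIONS = ("inbound", "backend", "outbound", "on-error")

def sections_missing_base(policy_xml):
    """List the sections present in a policy document whose first element is not <base />."""
    root = ET.fromstring(policy_xml)  # raises ET.ParseError on malformed XML
    if root.tag != "policies":
        raise ValueError("expected a <policies> root element")
    present = {child.tag: child for child in root}
    missing = []
    for name in SECTIONS:
        section = present.get(name)
        if section is None:
            continue  # assumption: an absent section is not reported
        children = list(section)  # elements only; the default parser drops comments
        if not children or children[0].tag != "base":
            missing.append(name)  # empty section, or <base /> absent or not first
    return missing

def audit(policies):
    """Map each non-compliant policy name to its offending sections."""
    findings = {}
    for name, xml_text in policies.items():
        try:
            missing = sections_missing_base(xml_text)
        except (ET.ParseError, ValueError) as exc:
            missing = [f"unparseable: {exc}"]  # fail closed: never pass what we cannot read
        if missing:
            findings[name] = missing
    return findings

# Constructed sample policies (hypothetical names, not taken from a real service).
SAMPLES = {
    "api-orders": """<policies>
  <inbound><!-- platform rules first --><base /><rate-limit calls="10" renewal-period="60" /></inbound>
  <backend><base /></backend><outbound><base /></outbound><on-error><base /></on-error>
</policies>""",
    "op-get-order": """<policies>
  <inbound><set-header name="X-Demo" exists-action="override"><value>1</value></set-header><base /></inbound>
  <backend><base /></backend><outbound><base /></outbound><on-error />
</policies>""",
}

if __name__ == "__main__":
    for policy_name, sections in audit(SAMPLES).items():
        print(f"{policy_name}: <base /> not first in {sections}")
```

A policy whose expressions contain characters a strict XML parser rejects is reported as unparseable rather than treated as compliant, so it gets a manual review.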

 

Get started

To enable this new Azure Policy definition:

  1. Navigate to Azure Policy in the Azure portal.
  2. Select “Definitions” from the menu and choose “API Management policies should inherit parent scope policies using <base />”.
  3. In the policy definition view, select “Assign”.
  4. Configure the policy assignment scope, parameter (audit or deny), and other details.

View built-in Azure Policy definitions for API Management.

Updated Sep 09, 2025
Version 1.0