Forum Discussion
Secure Azure API behind API management gateway from external systems
Hello,
I have a few APIs configured behind Azure API Management. These APIs will be called by external systems, either legacy or from another tenant. I am using a subscription key to validate the request, but I am looking for additional ways of securing the APIs. Below is my analysis so far:
OAuth2: Uses client_credentials as the grant type, which means I will have to share a client ID and client secret with the external systems. I think this will be a problem over time, since managing a bunch of app registrations will be a challenge for admins.
TLS/Client certificate: works with matching issuer, thumbprint, subject, certificate authority.
Basic authentication: provide username and password in an inbound policy.
It would be great if someone could share their experience with this scenario. What is the best way to achieve this?
Regards,
Konild
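The two stronger options from the post (mutual TLS client certificate, and OAuth2 client_credentials validated as a JWT) can both be enforced in a single API Management inbound policy, on top of the subscription key the gateway already checks when the API is marked as requiring a subscription. The policy below is an added example written for this thread, not code from the original post or from Microsoft's documentation: a caller presenting a client certificate with a pinned thumbprint is accepted, any other caller must present an Entra ID bearer token with the expected audience and app role, and everything else is rejected. The named values `{{partner-cert-thumbprint}}`, `{{tenant-id}}` and `{{backend-app-id}}` and the app role `Api.Invoke` are assumptions you would replace with your own.

```xml
<!-- Added example inbound policy (not from the original post). Named values in {{...}}
     and the Api.Invoke app role are assumed placeholders for your own environment. -->
<policies>
    <inbound>
        <base />
        <choose>
            <!-- Path 1: mutual TLS. context.Request.Certificate is only populated when the
                 gateway is configured to negotiate a client certificate on the custom domain. -->
            <when condition="@(context.Request.Certificate != null)">
                <choose>
                    <!-- Reject a certificate that does not chain to a trusted CA or whose
                         thumbprint is not the one pinned for this partner. -->
                    <when condition='@(!context.Request.Certificate.Verify() || !context.Request.Certificate.Thumbprint.Equals("{{partner-cert-thumbprint}}", StringComparison.OrdinalIgnoreCase))'>
                        <return-response>
                            <set-status code="403" reason="Invalid client certificate" />
                        </return-response>
                    </when>
                </choose>
                <!-- Record who called, for tracing and backend headers. -->
                <set-variable name="caller" value="@(context.Request.Certificate.Subject)" />
            </when>
            <!-- Path 2: OAuth2 client_credentials. The external system obtains a token from
                 Entra ID and sends it as a Bearer token; the gateway validates signature,
                 issuer, expiry, audience and the app role granted to that client. -->
            <otherwise>
                <validate-jwt header-name="Authorization"
                              require-scheme="Bearer"
                              failed-validation-httpcode="401"
                              failed-validation-error-message="Unauthorized">
                    <openid-config url="https://login.microsoftonline.com/{{tenant-id}}/v2.0/.well-known/openid-configuration" />
                    <audiences>
                        <audience>api://{{backend-app-id}}</audience>
                    </audiences>
                    <required-claims>
                        <claim name="roles" match="any">
                            <value>Api.Invoke</value>
                        </claim>
                    </required-claims>
                </validate-jwt>
                <set-variable name="caller" value="@(context.Request.Headers.GetValueOrDefault("Authorization","").AsJwt()?.Claims.GetValueOrDefault("azp", "unknown"))" />
            </otherwise>
        </choose>
        <!-- Never forward the caller's credential to the backend; pass an identity hint instead. -->
        <set-header name="Authorization" exists-action="delete" />
        <set-header name="X-Caller-Id" exists-action="override">
            <value>@((string)context.Variables["caller"])</value>
        </set-header>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Two caveats a practitioner would want: the thumbprint pin means a partner certificate rotation requires updating the named value (store it as a named value rather than hard-coding it so you can change it without redeploying the policy), and the `roles` claim only appears in a client_credentials token if an app role has actually been assigned to the calling app registration; without that assignment any app in the tenant that can request a token for the audience would pass the audience check alone.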