Introducing a better way to integrate Azure AD with API Management
Published Nov 18 2022 09:00 AM 3,456 Views
Microsoft
Since, well, the beginning of Azure API Management, you've been able to validate that the Json Web Token (JWT) coming into your Azure API Management service is valid before passing it onto the backend service. The validate-jwt policy is one of the most used policies within Azure API Management, will happily ensure your client applications are using the right client IDs, and have the right audiences and claims. Meanwhile, Azure Active Directory (AAD) is a mainstay of enterprise APIs, providing authentication and authorization controls for a wide variety of APIs from M365 APIs to custom-built APIs.  It's generally the center piece of your enterprise API security infrastructure.

 

Wouldn't it be wonderful if they worked better together.
 

Introducing validate-azure-ad-token policy

This week we introduced a new policy for working with AAD in Azure API Management - the validate-azure-ad-token policy. It's a direct replacement for validate-jwt that you can use when you are targeting AAD.

 

Here is the general form of the policy:
<validate-azure-ad-token tenant-id="{{aad-tenant}}">
    <client-application-ids>
        <application-id>{{aad-android-client-id}}</application-id>
        <application-id>{{add-ios-client-id}}</application-id>
        <application-id>{{aad-web-client-id}}</application-id>
    </client-application-ids>
    <audiences>
        <audience>@(context.Request.OriginalUrl.Host)</audience>
    </audiences>
    <required-claims>
        <claim name="ctry" match="any">
            <value>US</value>
        </claim>
    </required-claims>
</validate-azure-ad-token>
 
This version ensures that the audience is the API Management host and that the optional claim ctry (the country) is provided and has a specific value. This is actually a more complex example than is necessary.  You can get minimal validation by just specifying the `tenant-id` and the client application-id values you expect:
<validate-azure-ad-token tenant-id="{{aad-tenant}}">
    <client-application-ids>
        <application-id>{{aad-client-id}}</application-id>
    </client-application-ids>
</validate-azure-ad-token>

 

More information about the specifics of the policy can be found in the documentation.

 

Since we know that Azure API Management works wonderfully with AAD, it makes sense that we make it easier to configure and easier to take advantage of value-added services provided by the AAD service. Features like continuous access evaluation improve your security posture by removing the lag between when a token is issued and when it can be revoked. This allows you to issue tokens for longer periods without a loss in security which, in turn, improves the performance of the client application. You can expect to see these features being added to our new validate-azure-ad-token policy in the future.

 

We're really excited by this new policy because it provides an anchor for AAD specific functionality in the future.  It's easier to configure and sets you up for adopting future security enhancements at the gateway.  This will allow your API service to adopt the security enhancements provided by AAD without any code changes.

 

The validate-azure-ad-token policy is recommended for protecting your API with Azure Active Directory identities and Azure API Management.
6 Comments
Co-Authors
Version history
Last update:
‎Nov 21 2022 12:54 PM
Updated by: