Forum Discussion

curious7
Brass Contributor
Jun 23, 2026

Developer SKU of Azure APIM deployed in a VNET not sending welcome email on user signup

I am deploying an internal APIM in a subnet with Application Gateway in front of it, with listeners for portal.domain.com, management.domain.com and api.domain.com (gateway) configured on the Application Gateway. I am then able to successfully browse the developer portal and publish it. But then if I try to sign up to the developer portal with a test email address, the signup succeeds and I can see the user in the user list on APIM (inactive status), but the welcome email does not arrive in the test mailbox.

APIM and Application Gateway are in 2 different subnets but in the same VNet and have their own NSGs.

I set up a Log Analytics workspace and set up diagnostic settings on the APIM instance to send all logs to the Log Analytics workspace. But it seems like no logs from APIM get sent to the Log Analytics workspace, and it only receives Application Gateway logs, as it is also configured to send logs to the Log Analytics workspace.

I am using the Bicep mentioned in this article to deploy these resources:

https://learn.microsoft.com/en-us/samples/azure/azure-quickstart-templates/private-webapp-with-app-gateway-and-apim/

What could be the cause and how can I troubleshoot it?

2 Replies

  • Since the user is being created but remains inactive, I would first separate the sign-up flow from the Application Gateway path. The welcome or confirmation email is generated by API Management notification behavior; it is not normally something the Application Gateway listener sends.

    Check the APIM notification templates, sender settings, spam/quarantine, and whether the developer portal sign-up flow requires approval or email confirmation before the account becomes active. Also make sure the portal host name used in the email is the same custom domain users can reach. Diagnostic settings are useful for gateway traffic, but they may not show every management-side notification action, so Activity Log entries and a support correlation ID are often more useful if the notification service is not sending anything.

  • There are two separate things to check here: email delivery from the developer portal and APIM resource logs.

    For the welcome email, first confirm that the built-in notification is enabled and that the email template is valid. In APIM, go to Developer portal > Notifications and verify the user-signup or account-confirmation notification path. If you use custom SMTP or your APIM is locked down by NSGs/UDRs/firewall, make sure outbound SMTP/email-provider traffic is allowed. The user being created as inactive usually means the signup path ran, but the activation email path failed or was blocked.

    For Log Analytics, do not expect traffic until a diagnostic setting is configured on the APIM resource and a log category is selected. After enabling it, query the resource-specific table such as `ApiManagementGatewayLogs` and allow a few minutes for ingestion. Also check that you are configuring diagnostics on the APIM instance, not only on Application Gateway.

    Useful docs:

    https://learn.microsoft.com/azure/api-management/api-management-howto-configure-notifications

    https://learn.microsoft.com/azure/api-management/monitor-api-management

    https://learn.microsoft.com/azure/api-management/api-management-using-with-internal-vnet
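
One way to run the NSG check the second reply suggests, as an added example that is not part of the thread or of the quickstart template: it evaluates the APIM subnet's outbound rules in priority order for the SMTP relay ports. The port list (25, 587, 25028) is an assumption to verify against Microsoft's APIM virtual network reference, the sample rules and their names are constructed, and only rules whose destination is `*` or `Internet` are considered.

```python
import json

# Ports APIM uses for its outbound SMTP relay (assumption; confirm against
# Microsoft's APIM virtual network reference before relying on it).
SMTP_PORTS = (25, 587, 25028)

# Constructed sample in the shape of `az network nsg rule list -o json`.
SAMPLE_RULES = json.loads("""[
  {"name": "AllowStorage", "priority": 200, "direction": "Outbound", "access": "Allow",
   "protocol": "Tcp", "destinationAddressPrefix": "Storage",
   "destinationPortRange": "443", "destinationPortRanges": []},
  {"name": "AllowSmtpSubmission", "priority": 300, "direction": "Outbound", "access": "Allow",
   "protocol": "Tcp", "destinationAddressPrefix": "Internet",
   "destinationPortRange": null, "destinationPortRanges": ["587"]},
  {"name": "DenyInternetOut", "priority": 400, "direction": "Outbound", "access": "Deny",
   "protocol": "*", "destinationAddressPrefix": "Internet",
   "destinationPortRange": "*", "destinationPortRanges": []}
]""")

def port_matches(rule, port):
    """True if the rule's destination port spec ('*', '25', '20-30', or a list) covers port."""
    specs = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        specs.append(rule["destinationPortRange"])
    for spec in specs:
        if spec == "*":
            return True
        low, _, high = spec.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False

def decide(rules, port):
    """Return (access, rule name) of the first outbound TCP rule to Internet that matches."""
    outbound = [r for r in rules if r["direction"].lower() == "outbound"]
    for rule in sorted(outbound, key=lambda r: r["priority"]):
        if (rule["protocol"].lower() in ("tcp", "*")
                and rule["destinationAddressPrefix"] in ("*", "Internet")
                and port_matches(rule, port)):
            return rule["access"], rule["name"]
    # No custom rule matched: the default AllowInternetOutBound rule (65001) applies.
    return "Allow", "AllowInternetOutBound (default)"

def smtp_report(rules):
    return {port: decide(rules, port) for port in SMTP_PORTS}

if __name__ == "__main__":
    for port, (access, name) in smtp_report(SAMPLE_RULES).items():
        print(f"tcp/{port}: {access} by {name}")
```

An NSG that allows these ports does not rule out a block further along the path: a UDR that forces traffic through a firewall still has to be checked separately.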