API Management
79 Topics

Update App Registration Client Secret Using Microsoft Graph REST API v1.0
Hello, I have a customer who wants to set the App registration Client Secret to 1 year. Here are the customer's requirements:

- For existing application registrations under ‘Certificates & Secrets’ pane, any new secrets added by owners should have the duration limited to one year.
- If the owner tries to set the duration greater than one year and clicks ‘Add’ button, the action should not be allowed with proper error displayed.
- The same behavior should also be applicable to new application registration specific secrets.
- It should not impact any existing secret that is present (greater or less than one year) for current application registrations.
- We need a way to enable and disable the global policy in case we want to disable it if something doesn’t work as expected.
- We don’t want to impact anything else wrt application registrations or anything in service principals.

Based on the article you shared: Microsoft Entra application management policy API overview - Microsoft Graph v1.0 | Microsoft Learn

Below is the script we are trying to use to add the global policy and set as default policy with isEnabled = true. As we cannot test in a different tenant, can you please confirm the snippet below will work for the above requirements?

    MgPolicyAppManagementPolicy | select *

    $policy = @{
        "displayName" = "Enforce Max Lifetime for Secrets"
        "description" = "Policy to enforce a maximum lifetime of 1 year for any new secrets."
        "applicationRestrictions" = @{
            "passwordCredentials" = @{
                "maxLifetime" = "P365D" # ISO 8601 duration format for 1 year
            }
        }
    }

    New-MgPolicyAppManagementPolicy -BodyParameter $policy
    Update-MgPolicyDefaultAppManagementPolicy -id <ABOVE_POLICY_ID> -IsEnabled $true

I tried to test it in my own tenant, but I ran into a permission issue. Can someone please confirm if this snippet works against the customer's requirements? Thanks.

63 Views, 0 likes, 4 Comments

API Management service secure configuration for Standard v2 SKU
Hi all, I am transitioning an API Management gateway from the Developer SKU to something Production ready. The Standard V2 SKU is the first tier that supports vnet integration, which we require. The OWASP API security framework used by MS recommends that external connectivity to service configuration endpoints is disabled. However, Direct Management API access is not supported in this tier (and the ps cmdlets are just wrappers for API calls). So it seems it is not possible to disable public access to these endpoints in this SKU. Is this the case? And if so, how is it possible to safely configure an APIMG using this SKU? Any pointers appreciated... Chris

63 Views, 0 likes, 5 Comments

How to Generate JWT in Azure API Management
Hello Members, I'm trying to secure a backend external API through Azure API Management platform. The backend API needs and validates the request using a JWT (JSON Web Token). I have spent quite some time searching and trying different options on how to generate a JWT token in APIM before calling the backend API, but have yet to get it working. I have working JavaScript code which can generate JWT for backend, but JavaScript is not supported in APIM. Has anyone tried/implemented this before? PS: The JWT generation just requires UserId, Secret and key. No calls to backend. Similar to the one here: https://jwt.io/

3.2K Views, 0 likes, 1 Comment

Former Employer Abuse
My former employer, Albert Williams, president of American Security Force Inc., keeps adding my Outlook accounts, computers and mobile devices to the company's Azure cloud even though I left the company more than a year ago. What can I do to remove myself from his grip? Does Microsoft have a solution against abusive employers?

28 Views, 0 likes, 0 Comments

How to Protect ...azure-api.net Subdomain from DDoS Attacks when using API Management Basic
Dear Tech Community, I am using Azure API Management (APIM Basic) in external mode and without VNet integration, meaning my API instance is publicly accessible through the default ...azure-api.net subdomain. I'm also using a custom domain but the default domain still remains active. I am concerned about potential DDoS attacks and want to secure this subdomain. I am considering using Azure Front Door to filter the traffic and leverage its Web Application Firewall (WAF) for enhanced protection. Could you please clarify the following:

- Is it possible to fully protect the API subdomain (...azure-api.net) via Azure Front Door or other products, ensuring no traffic bypasses Front Door and directly reaches the original APIM domain?
- What additional configurations, such as IP filtering or header validation, are required to restrict access so that only traffic routed through Azure Front Door reaches the APIM domain?
- Given that API Management without VNet integration doesn’t support DDoS Protection Standard, what are the best practices for DDoS protection in this scenario?
- Could you recommend any additional steps or configurations to ensure that all DDoS and security measures are effectively implemented?

Thank you for your support. Best regards, Michael

Solved, 261 Views, 0 likes, 3 Comments

Setting up Azure for Adobe Analytics File Retrieval
I'm not sure if this is the right forum for this or if I am going to word this correctly but I will give it a try. Adobe Analytics has a feature where you can import what they call Classification files. It's basically additional data you can import to augment your analytics data. To do this you need to set up an account in their interface. We are looking to use Azure SAS. Below is the information this account setup asks for. Once this account is created you set up a Location in Adobe Analytics. The Location Account is the one set up in the previous step. This is all fine, but you will notice that you don't tell Adobe where the file is. At least I don't think you do. Adobe doesn't provide any guidance as to what needs to be done on the Azure side. They provide links to Azure documentation, but I am told that the documentation is not great. Or maybe we are just overlooking something. I am wondering how you would set up Azure to be able to store the file and allow Adobe to access it? I hope this makes sense. If you need additional details, I'll be happy to get them.

323 Views, 0 likes, 3 Comments

How to grant permissions on behalf of the organization Script
Hello everyone! We generated a necessary Script to create the API/APP/Service Principal in Entra ID, and assign some delegated and application permissions. However, I need to grant permission on behalf of the organization for these permissions, during the Script itself. I have tried several times, in different ways, but all without success. Does anyone know how this can be done? If it can be done? And could you help me with this? Thank you all. Best regards

234 Views, 0 likes, 1 Comment

Get ClientIp in backend service (behind FrontDoor and APIM)
Context: Azure Front Door connects to APIM (external mode) that forwards the requests to services inside AKS. Services are monitored with Application Insights. The target is to be able to retrieve the client IP in our backend service thanks to a header.

Situation: We have tested multiple ways to do so:

- via the header X-Forwarded-For
- via the header X-Azure-ClientIP
- via a policy in APIM with the following field: "<value>@(context.Request.IpAddress)</value>"

None of these methods works to retrieve the clientIP; we get Microsoft datacenter IPs instead. Do you have an idea to be able to get this clientIP in the backend service? Thank you for any tips!

1.7K Views, 0 likes, 1 Comment