Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
APPLIES TO: Developer | Basic v2 | Standard | Standard v2 | Premium | Premium v2
Microsoft Entra External ID is a cloud identity management solution that allows external identities to securely access your apps and resources. You can use it to manage access to your API Management developer portal by external identities.
In this article, you learn the configuration of the Microsoft Entra ID identity provider for the following scenarios that are supported by the API Management developer portal:
- Integration with Microsoft Entra External ID in your workforce tenant. For example, if your workforce tenant is for the Contoso organization, you might want to configure Google or Facebook as an external identity provider so that these external users can also sign in using their accounts.
- Integration with Microsoft Entra External ID in a separate external tenant. This configuration only allows external users from that tenant to sign in to the developer portal.
Note
Currently, you can't configure more than one Microsoft Entra ID identity provider for the developer portal.
For an overview of options to secure access to the developer portal, see Secure access to the API Management developer portal.
Note
API Management provides legacy support for Azure Active Directory B2C as an external identity provider. However, we recommend that you use Microsoft Entra External ID as an identity provider instead of Azure Active Directory B2C for new deployments of the API Management developer portal.
Important
Effective May 1, 2025, Azure AD B2C will no longer be available to purchase for new customers. Learn more in our FAQ.
Prerequisites
- A Microsoft Entra ID tenant (workforce tenant) in which to enable external access, or a separate external tenant
- Permissions to create an application and configure user flows in the workforce tenant.
- An API Management instance. If you don't already have one, create an Azure API Management instance.
- If you created your instance in a v2 tier, enable the developer portal. For more information, see Tutorial: Access and customize the developer portal.
Add external identity provider to your tenant
If you're using a workforce tenant, an external identity provider must be enabled in your workforce tenant. Configuring the external identity provider is outside the scope of this article. For more information, see Identity providers for External ID in workforce tenant.
Create Microsoft Entra app registration
Create an app registration in your Microsoft Entra ID tenant. The app registration represents the developer portal application in Microsoft Entra and enables the portal to sign in users by using Microsoft Entra ID.
- In the Azure portal, go to Microsoft Entra ID.
- In the sidebar menu, under Manage, select App registrations > + New registration.
- In the Register an application page, enter your application's registration information.
- In the Name section, enter an application name of your choosing.
- In the Supported account types section, select Accounts in this organizational directory only.
- In Redirect URI, select Single-page application (SPA) and enter the following URL:
https://{your-api-management-service-name}.developer.azure-api.net/signin, where{your-api-management-service-name}is the name of your API Management instance. - Select Register to create the application. 1.On the app Overview page, find the Application (client) ID and Directory (tenant) ID and copy theses values to a safe location. You need them later.
- In the sidebar menu, under Manage, select Certificates & secrets.
- From the Certificates & secrets page, on the Client secrets tab, select + New client secret.
- Enter a Description.
- Select any option for Expires.
- Choose Add.
- Copy the client Secret value to a safe location before leaving the page. You need it later.
- In the sidebar menu, under Manage, select Token configuration > + Add optional claim.
- In Token type, select ID.
- Select (check) the following claims: email, family_name, given_name.
- Select Add. If prompted, select Turn on the Microsoft Graph email, profile permission.
Enable self-service sign-up for your tenant
For external users to sign up for access to the developer portal, you must complete these steps:
- Enable self-service sign-up for your tenant.
- Add your app to the self-service sign-up user flow.
For more information and detailed steps, see the following articles, depending on whether you're using a workforce or an external tenant:
- Workforce tenant: Add self-service sign-up user flows for B2B collaboration
- External tenant: Create a sign-up and sign-in user flow for an external tenant app and Add an app to the user flow
Configure Microsoft Entra ID as an identity provider for developer portal
In your API Management instance, configure the Microsoft Entra ID identity provider. You need the values you copied from your app registration in a previous section.
In the Azure portal tab, navigate to your API Management instance.
In the sidebar menu, under Developer portal, select Identities > + Add.
In the Add identity provider page, select Microsoft Entra ID. Once selected, you're able to enter other necessary information.
- In client id, enter the Application (client) ID from your app registration.
- In Client secret, enter the Secret value from your app registration.
- In Signin tenant, enter the Directory (tenant) ID from your app registration.
- In the Client library dropdown, select MSAL.
Select Add.
Republish the developer portal for the Microsoft Entra configuration to take effect. In the sidebar menu, under Developer portal, select Portal overview > Publish.
Important
You need to republish the developer portal when you create or update the identity provider's configuration settings for the changes to take effect.
Sign in to developer portal with Microsoft Entra External ID
In the developer portal, sign-in with Microsoft Entra External ID is possible with the Sign-in button: OAuth widget. The widget is already included on the sign-in page of the default developer portal content.
To sign in by using Microsoft Entra External ID, open a new browser window and go to the developer portal. Select Sign in.
On the Sign in page, select Azure Active Directory.
In the sign-in window for your Microsoft Entra tenant, select Sign-in options. Select the identity provider you configured in your Microsoft Entra tenant to sign in. For example, if you configured Google as an identity provider, select Sign in with Google.
To continue sign-in, respond to the prompts. After sign-in is complete, you're redirected back to the developer portal.
You're now signed in to the developer portal for your API Management service instance. You're added as a new API Management user identity in Users, and a new external tenant user in Microsoft Entra ID.