Azure API Management - Developer Portal
How to create an Azure API Management Service with Developer Portal with CI/CD using Azure DevOps
In this blog post, we will walk through the steps to create an Azure API Management service and set up the Developer Portal. Azure API Management is a fully managed service that enables organizations to publish, secure, and manage APIs at scale. The Developer Portal is a customizable self-service portal where developers can discover, learn, and consume your APIs. Azure DevOps CI/CD pipeline will be used to automate the deployment of the API Management service and the Developer Portal. Bicep will be used to define the infrastructure as code for the API Management service and the Developer Portal.
The Azure DevOps pipeline uses three steps to complete the deployment:
The Developer Portal with Azure Active Directory authentication:
Prerequisites
Before we begin, make sure you have the following:
Azure DevOps service principal with the necessary permissions to create and manage resources in Azure.
this service principal should have at least the following permissions:
Step 1: Create an Azure API Management Service
The following Bicep code defines an Azure API Management service with the required configuration options, such as the publisher email and name. The apim resource creates an API Management service with the specified properties, including the pricing tier and location.
@description('The email address of the owner of the service')
@minLength(1)
param publisherEmail string
@description('The name of the owner of the service')
@minLength(1)
param publisherName string
@description('Location for all resources.')
param location string = resourceGroup().location
var apimName = 'apim-eval-mm-${uniqueString(resourceGroup().id)}'
resource apim 'Microsoft.ApiManagement/service@2023-05-01-preview' = {
name: apimName
location: location
sku: {
name: 'Developer'
capacity: 1
}
identity: {
type: 'SystemAssigned'
}
properties: {
publisherEmail: publisherEmail
publisherName: publisherName
}
}
Configure App Insights
App Insights is a monitoring and diagnostics service that helps you understand how your application is performing and how it's being used. You can use App Insights to monitor the performance and usage of your APIs in the API Management service. The following Bicep code creates an App Insights resource and configures it to send telemetry data to a Log Analytics workspace.
var logAnalyticsWorkspaceName = 'log-eval-mm-${uniqueString(resourceGroup().id)}'
resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2023-09-01' = {
name: logAnalyticsWorkspaceName
location: location
properties: any({
retentionInDays: 90
features: {
searchVersion: 1
}
sku: {
name: 'Standalone'
}
})
}
var appInsightsName = 'appi-eval-mm-${uniqueString(resourceGroup().id)}'
resource appInsights 'Microsoft.Insights/components@2020-02-02' = {
name: appInsightsName
location: location
kind: 'web'
properties: {
Application_Type: 'web'
WorkspaceResourceId: logAnalyticsWorkspace.id
publicNetworkAccessForIngestion: 'Enabled'
publicNetworkAccessForQuery: 'Enabled'
}
}
resource namedValueAppInsightsKey 'Microsoft.ApiManagement/service/namedValues@2023-05-01-preview' = {
parent: apim
name: 'instrumentationKey'
properties: {
tags: []
secret: false
displayName: 'instrumentationKey'
value: appInsights.properties.InstrumentationKey
}
}
resource apimLogger 'Microsoft.ApiManagement/service/loggers@2023-05-01-preview' = {
parent: apim
name: 'apimlogger'
properties: {
resourceId: appInsights.id
description: 'Application Insights for APIM'
loggerType: 'applicationInsights'
credentials: {
instrumentationKey: '{{instrumentationKey}}'
}
}
dependsOn: [
namedValueAppInsightsKey
]
}
Step 2: Set Up the App Registration for the Developer Portal
The Developer Portal will use Azure Active Directory (Azure AD / Microsoft Entra ID) for authentication and authorization. You can configure the Developer Portal to use Microsoft Entra ID by creating an app registration with Powershell and granting it the necessary permissions to access the API Management service.
Create App Registration
# Create the app registration. $appName is the same name as the API Management service.
$newApp = az ad app create --display-name $appName --sign-in-audience AzureADMyOrg
Create client secret
The app registration needs a client secret to authenticate with the API Management service. You can use the following command to create a client secret for the app registration.
# Create client secret
$clientSecret = az ad app credential reset --id $appId --years 42 --display-name eval-secret --append --output tsv --query "password"
Configure authentication
The app registration needs to be configured to enable implicit grant settings and redirect URIs for the Developer Portal. You can use the following commands to configure the app registration for the Developer Portal.
$webJson = @{
implicitGrantSettings = @{
enableIdTokenIssuance = $true
enableAccessTokenIssuance = $true
}
redirectUris = @()
} | ConvertTo-Json -d 4 -Compress
if ($IsWindows -eq $true) {
$webJson = $webJson | ConvertTo-Json -d 4
}
az ad app update --id $appId --set web=$webJson
$replyUrlSignInAad = "https://$appName.portal.azure-api.net/signin-aad"
$replyUrlSignIn = "https://$appName.developer.azure-api.net/signin"
$spaJson = @{
redirectUris = @(
"$replyUrlSignInAad"
"$replyUrlSignIn"
)
} | ConvertTo-Json -d 4 -Compress
if ($IsWindows -eq $true) {
$spaJson = $spaJson | ConvertTo-Json -d 4
}
az ad app update --id $appId --set spa=$spaJson
Grant permissions
The app registration needs to be granted the necessary permissions to access the API Management service. You can use the following commands to grant the app registration the necessary permissions to access the API Management service.
Azure Active Directory Graph
Directory.Read.All
User.Read
Microsoft Graph
Directory.Read.All
User.Read
az ad app permission add --id $appId --api 00000003-0000-0000-c000-000000000000 --api-permissions 7ab1d382-f21e-4acd-a863-ba3e13f7da61=Role
az ad app permission add --id $appId --api 00000003-0000-0000-c000-000000000000 --api-permissions e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope
az ad app permission add --id $appId --api 00000002-0000-0000-c000-000000000000 --api-permissions 5778995a-e1bf-45b8-affa-663a9f3f4d04=Role
az ad app permission add --id $appId --api 00000002-0000-0000-c000-000000000000 --api-permissions 311a71cc-e848-46a1-bdf8-97ff7156d8e6=Scope
To finalize the configuration, you need to grant admin consent to the app registration.
Note: As mentioned in the screenshot, Azure Active Directory Graph is obsolete. If you enabling the Developer Portal in the Azure Portal, the same permissions will be used.
Step 3: Register the app registration with the API Management service
The app registration needs to be registered with the API Management service to enable the Developer Portal. This can be done using the following Bicep code to add the Aad identity provider to the API Management service.
var tenantId = subscription().tenantId
resource developerPortalIdentityMicrosoftEntraId 'Microsoft.ApiManagement/service/identityProviders@2023-05-01-preview' = {
parent: apim
name: 'Aad'
properties: {
clientId: apimAppId
clientSecret: apimAppClientSecret
signinTenant: tenantId
allowedTenants: [
tenantId
]
type: 'aad'
clientLibrary: 'MSAL-2'
}
}
Complete Code
The complete code consists of the following files:
Add-DeveloperPortal-Microsoft-Entra-Id.ps1
- Powershell script to create the app registration and configure it for the Developer Portal.
apim.bicep
- Bicep file to create the API Management service and configure App Insights.
apim.developer.bicep
- Bicep file to register the app registration with the API Management service.
azure-pipeline.yaml
- Azure DevOps pipeline to automate the deployment of the API Management service and the Developer Portal.
Bicep API Management service
Bicep file to create the API Management service and configure App Insights apim.bicep.
@description('The email address of the owner of the service')
@minLength(1)
param publisherEmail string
@description('The name of the owner of the service')
@minLength(1)
param publisherName string
@description('Location for all resources.')
param location string = resourceGroup().location
var apimName = 'apim-eval-mm-${uniqueString(resourceGroup().id)}'
resource apim 'Microsoft.ApiManagement/service@2023-05-01-preview' = {
name: apimName
location: location
sku: {
name: 'Developer'
capacity: 1
}
identity: {
type: 'SystemAssigned'
}
properties: {
publisherEmail: publisherEmail
publisherName: publisherName
}
}
var tenantId = subscription().tenantId
var keyVaultName = 'kv-eval-mm-${uniqueString(resourceGroup().id)}'
resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
name: keyVaultName
location: location
properties: {
enabledForTemplateDeployment: true
enablePurgeProtection: true
enableRbacAuthorization: true
enableSoftDelete: true
sku: {
family: 'A'
name: 'standard'
}
tenantId: tenantId
}
}
var logAnalyticsWorkspaceName = 'log-eval-mm-${uniqueString(resourceGroup().id)}'
resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2023-09-01' = {
name: logAnalyticsWorkspaceName
location: location
properties: any({
retentionInDays: 90
features: {
searchVersion: 1
}
sku: {
name: 'Standalone'
}
})
}
var appInsightsName = 'appi-eval-mm-${uniqueString(resourceGroup().id)}'
resource appInsights 'Microsoft.Insights/components@2020-02-02' = {
name: appInsightsName
location: location
kind: 'web'
properties: {
Application_Type: 'web'
WorkspaceResourceId: logAnalyticsWorkspace.id
publicNetworkAccessForIngestion: 'Enabled'
publicNetworkAccessForQuery: 'Enabled'
}
}
resource namedValueAppInsightsKey 'Microsoft.ApiManagement/service/namedValues@2023-05-01-preview' = {
parent: apim
name: 'instrumentationKey'
properties: {
tags: []
secret: false
displayName: 'instrumentationKey'
value: appInsights.properties.InstrumentationKey
}
}
resource apimLogger 'Microsoft.ApiManagement/service/loggers@2023-05-01-preview' = {
parent: apim
name: 'apimlogger'
properties: {
resourceId: appInsights.id
description: 'Application Insights for APIM'
loggerType: 'applicationInsights'
credentials: {
instrumentationKey: '{{instrumentationKey}}'
}
}
dependsOn: [
namedValueAppInsightsKey
]
}
Bicep API Management Developer Portal
Bicep file to register the app registration with the API Management service apim.developer.bicep.
@description('Client Secret of App Registration for APIM Developer Portal')
@secure()
@minLength(1)
param apimAppClientSecret string
@description('AppId of App Registration for APIM Developer Portal')
@minLength(1)
param apimAppId string
var apimName = 'apim-eval-mm-${uniqueString(resourceGroup().id)}'
resource apim 'Microsoft.ApiManagement/service@2023-05-01-preview' existing = {
name: apimName
}
var tenantId = subscription().tenantId
resource developerPortalIdentityMicrosoftEntraId 'Microsoft.ApiManagement/service/identityProviders@2023-05-01-preview' = {
parent: apim
name: 'Aad'
properties: {
clientId: apimAppId
clientSecret: apimAppClientSecret
signinTenant: tenantId
allowedTenants: [
tenantId
]
type: 'aad'
clientLibrary: 'MSAL-2'
}
}
Powershell
Powershell script to create the app registration and configure it for the Developer Portal Add-DeveloperPortal-Microsoft-Entra-Id.ps1.
<#
.SYNOPSIS
This code adds a new App Registration to Microsoft Entra Id.
.DESCRIPTION
This code adds the App Registration, creates a service principal and return the ClientSecret.
.PARAMETER ApimName
Specify the API Management Service name.
.OUTPUTS
Returns the ClientSecret and AppId.
.EXAMPLE
Example usage of the code:
.\Add-DeveloperPortal-Microsoft-Entra-Id.ps1 -ApimName apim-eval-mm-ta4jvourkbccs
.NOTES
The user / service principal running this script must have the necessary permissions to create an App Registration in the Azure AD tenant:
At least: Application.ReadWrite.OwnedBy
#>
[CmdletBinding()]
param (
[Parameter(Mandatory = $true)]
[string]
$ApimName
)
$appName = $ApimName
Write-Host "Creating app registration for '$appName'..."
try {
$existingApp = az ad app list --display-name $appName --query "[0]"
if (-not $existingApp) {
Write-Host "App does not exist. Creating app registration..."
# Create the app registration
$newApp = az ad app create --display-name $appName --sign-in-audience AzureADMyOrg
if (-not $newApp) {
Write-Error -Message "Cannot add App Registration" -ErrorAction Stop
return;
}
$appId = az ad app list --display-name $appName --query "[].[appId]" --output tsv
# Create client secret
$clientSecret = az ad app credential reset --id $appId --years 42 --display-name eval-secret --append --output tsv --query "password"
$webJson = @{
implicitGrantSettings = @{
enableIdTokenIssuance = $true
enableAccessTokenIssuance = $true
}
redirectUris = @()
} | ConvertTo-Json -d 4 -Compress
if ($IsWindows -eq $true) {
$webJson = $webJson | ConvertTo-Json -d 4
}
az ad app update --id $appId --set web=$webJson
$replyUrlSignInAad = "https://$appName.portal.azure-api.net/signin-aad"
$replyUrlSignIn = "https://$appName.developer.azure-api.net/signin"
$spaJson = @{
redirectUris = @(
"$replyUrlSignInAad"
"$replyUrlSignIn"
)
} | ConvertTo-Json -d 4 -Compress
if ($IsWindows -eq $true) {
$spaJson = $spaJson | ConvertTo-Json -d 4
}
az ad app update --id $appId --set spa=$spaJson
# requiredResourceAccess
az ad app permission add --id $appId --api 00000003-0000-0000-c000-000000000000 --api-permissions 7ab1d382-f21e-4acd-a863-ba3e13f7da61=Role
az ad app permission add --id $appId --api 00000003-0000-0000-c000-000000000000 --api-permissions e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope
az ad app permission add --id $appId --api 00000002-0000-0000-c000-000000000000 --api-permissions 5778995a-e1bf-45b8-affa-663a9f3f4d04=Role
az ad app permission add --id $appId --api 00000002-0000-0000-c000-000000000000 --api-permissions 311a71cc-e848-46a1-bdf8-97ff7156d8e6=Scope
}
else {
Write-Output "App registration with the name '$appName' already exists."
Write-Output "No new app registration created."
}
}
catch {
Write-Output $_
Write-Error -Message "Error on adding App Registration" -ErrorAction Stop
}
# Return the client secret and app id
return @($clientSecret, $appId)
Pipeline
Azure DevOps pipeline to automate the deployment of the API Management service and the Developer Portal azure-pipeline.yaml.
The Powershell script returns the app registration details, such as the app ID and client secret, which are used in the Bicep files to configure the API Management service and the Developer Portal. Write-Host "##vso[task.setvariable variable=apimClientSecret;issecret=true]$appRegistrationClientSecret" is used to store this information as a secret in the Azure DevOps pipeline which will be passed later to the Bicep file.
trigger:
branches:
include:
- feature/*
pool:
vmImage: ubuntu-latest
variables:
ServiceConnectionName: 'Azure Service Connection'
ResourceGroupName: 'eval.webapp'
DeploymentDefaultLocation: 'westeurope'
jobs:
- job:
steps:
- task: AzureResourceManagerTemplateDeployment@3
inputs:
connectedServiceName: $(ServiceConnectionName)
location: $(DeploymentDefaultLocation)
resourceGroupName: $(ResourceGroupName)
csmFile: apim.bicep
overrideParameters: -publisherEmail lorem@ipsum -publisherName 'Lorem'
- task: AzureCLI@2
displayName: Deploy DEV - App Registration Script
inputs:
azureSubscription: $(ServiceConnectionName)
scriptType: pscore
scriptLocation: inlineScript
inlineScript: |
Write-Host "Create App Registration"
$appRegistration=$(Build.SourcesDirectory)/Add-DeveloperPortal-Microsoft-Entra-Id.ps1 -ApimName apim-eval-mm-ta4jvourkbccs
$appRegistrationClientSecret = $appRegistration[0]
$appRegistrationAppId = $appRegistration[1]
Write-Host "##vso[task.setvariable variable=apimClientSecret;issecret=true]$appRegistrationClientSecret"
Write-Host "##vso[task.setvariable variable=apimAppId;issecret=false]$appRegistrationAppId"
- task: AzureResourceManagerTemplateDeployment@3
condition: and(succeeded(), ne(variables['apimClientSecret'], ''), ne(variables['apimAppId'], ''))
inputs:
connectedServiceName: $(ServiceConnectionName)
location: $(DeploymentDefaultLocation)
resourceGroupName: $(ResourceGroupName)
csmFile: apim.developer.bicep
overrideParameters: '-apimAppClientSecret $(apimClientSecret) -apimAppId $(apimAppId)'