When to use Azure AD to protect Azure API Management?

1
votes

I am working on one API which will be exposed to a couple of external clients. And I would like to limit access to my API and let only trusted 3rd parties access my API. I have found that Azure API Management provides subscription keys, which can be used to protect API - https://docs.microsoft.com/en-us/azure/active-directory-b2c/secure-api-management?tabs=app-reg-ga

Moreover, I see that I can connect my API to Azure AD - https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad, which might be useful if I want to restrict access based on roles and types of external systems (for example some external systems will have one role that allows using some additional features)

Could you please help me to understand all other cases when I must use Azure AD instead of subscription keys? And can I use them together?

I also would like to understand which approach is the best for me if you want to give access to the client apps (browser, mobile apps and etc.). As I understand, Azure AD B2C can be the best option here

1
azure-active-directoryazure-api-management
If I'm now developing an API program, I can use azure ad rather than apim to achieve many features because apim is expensive.tiny-wa

1 Answers

0
votes

For your requirement, if APIM is not necessary (you do not need to configure the exposed url of your api by APIM), I suggest you to just use Azure AD to protect your api. You can refer to this document.

If APIM is necessary, and your requirements do not need to limit multiple permissions for different role to access the api (in other words, you just want client can/can't access the api). You can implement it just by subscription key as you mentioned in your question.

If APIM is necessary, and your requirements need to provide different permissions for different roles to access the api, you can do it as the second document link you provided. You can validate the roles or other claims of access token to provide different permissions to client.