articles/api-management/api-management-howto-aad.md
6 additions & 23 deletions
@@ -6,7 +6,7 @@ description: Learn how to enable user sign-in to the API Management developer po
6
6
author: dlepow
7
7
ms.service: azure-api-management
8
8
ms.topic: article
9
-
ms.date: 12/08/2023
9
+
ms.date: 09/19/2024
10
10
ms.author: danlep
11
11
ms.custom: engagement-fy23, devx-track-azurecli
12
12
---
@@ -76,14 +76,7 @@ After the Microsoft Entra provider is enabled:
76
76
1. Save the **Redirect URL** for later.
77
77
78
78
:::image type="content" source="media/api-management-howto-aad/api-management-with-aad001.png" alt-text="Screenshot of adding identity provider in Azure portal.":::
79
-
80
-
> [!NOTE]
81
-
> There are two redirect URLs:<br/>
82
-
> ***Redirect URL** points to the latest developer portal of the API Management.
83
-
> ***Redirect URL (deprecated portal)** points to the deprecated developer portal of API Management.
84
-
>
85
-
> We recommended you use the latest developer portal Redirect URL.
86
-
79
+
87
80
1. In your browser, open the Azure portal in a new tab.
88
81
1. Navigate to [App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) to register an app in Active Directory.
89
82
1. Select **New registration**. On the **Register an application** page, set the values as follows:
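Review bot: removing the `> [!NOTE]` block about the two redirect URLs leaves no guidance for readers who registered the **Redirect URL (deprecated portal)** value in their app registration under the earlier version of this page. An unused redirect URI left in the app registration only widens the set of locations the authorization server will send tokens to, so the remaining step `1. Save the **Redirect URL** for later.` should gain a sentence telling readers to remove the deprecated-portal URI from the app registration if they previously added it, rather than silently dropping the mention.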
@@ -104,9 +97,6 @@ After the Microsoft Entra provider is enabled:
104
97
* Select any option for **Expires**.
105
98
* Choose **Add**.
106
99
1. Copy the client **Secret value** before leaving the page. You will need it later.
107
-
1. Under **Manage** in the side menu, select **Authentication**.
108
-
1. Under the **Implicit grant and hybrid flows** section, select the **ID tokens** checkbox.
109
-
1. Select **Save**.
110
100
1. Under **Manage** in the side menu, select **Token configuration** > **+ Add optional claim**.
111
101
1. In **Token type**, select **ID**.
112
102
1. Select (check) the following claims: **email**, **family_name**, **given_name**.
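Review bot: dropping the three steps that tick **ID tokens** under **Implicit grant and hybrid flows** is a change in which token-issuance setting the app registration needs, but nothing in the hunk says why, or what readers who followed the earlier instructions should do with the box they already ticked. The surrounding steps still create a client secret (`1. Copy the client **Secret value** before leaving the page.`), so the registration remains a confidential client; the page should state plainly that implicit-grant ID token issuance is no longer required for the developer portal and whether readers who enabled it earlier should now disable it, since leaving an unneeded grant type enabled is the kind of setting this how-to should not leave ambiguous.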
@@ -117,21 +107,14 @@ After the Microsoft Entra provider is enabled:
117
107
> [!IMPORTANT]
118
108
> Update the **Client secret** before the key expires.
119
109
120
-
1. In the **Add identity provider** pane's **Allowed tenants** field, specify the Microsoft Entra instance's domains to which you want to grant access to the API Management service instance APIs.
121
-
* You can separate multiple domains with newlines, spaces, or commas.
122
-
123
-
> [!NOTE]
124
-
> You can specify multiple domains in the **Allowed Tenants** section. A global administration must grant the application access to directory data before users can sign in from a different domain than the original app registration domain. To grant permission, the global administrator should:
125
-
> 1. Go to `https://<URL of your developer portal>/aadadminconsent` (for example, `https://contoso.portal.azure-api.net/aadadminconsent`).
126
-
> 1. Enter the domain name of the Microsoft Entra tenant to which they want to grant access.
127
-
> 1. Select **Submit**.
128
-
110
+
1. In **Signin tenant**, specify a tenant name or ID to use for sign-in to Microsoft Entra. If no value is specified, the Common endpoint is used.
111
+
1. In **Allowed tenants**, add specific Microsoft Entra tenant names or IDs for sign-in to Microsoft Entra.
129
112
1. After you specify the desired configuration, select **Add**.
130
113
1. Republish the developer portal for the Microsoft Entra configuration to take effect. In the left menu, under **Developer portal**, select **Portal overview** > **Publish**.
131
114
132
115
After the Microsoft Entra provider is enabled:
133
116
134
-
* Users in the specified Microsoft Entra instance can [sign into the developer portal by using a Microsoft Entra account](#log_in_to_dev_portal).
117
+
* Users in the specified Microsoft Entra tenant(s) can [sign into the developer portal by using a Microsoft Entra account](#log_in_to_dev_portal).
135
118
* You can manage the Microsoft Entra configuration on the **Developer portal** > **Identities** page in the portal.
136
119
* Optionally configure other sign-in settings by selecting **Identities** > **Settings**. For example, you might want to redirect anonymous users to the sign-in page.
137
120
* Republish the developer portal after any configuration change.
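Review bot: the new **Signin tenant** step says the Common endpoint is used when no value is given, but neither new step says what happens when **Allowed tenants** is also left empty; with the common endpoint, the allowed-tenant list is what would keep users from arbitrary Microsoft Entra tenants out of the developer portal, so the text should state whether the field is required (or what the default is) and recommend tenant IDs over tenant names, since an ID is unambiguous. The removed note also documented the `/aadadminconsent` step a global administrator had to perform before users from a tenant other than the app registration's could sign in; the replacement lines do not say whether that consent step is still needed for additional **Allowed tenants**, so readers of the old page cannot tell whether the multi-tenant flow changed or only the field names did.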
@@ -160,7 +143,7 @@ For steps, see [Switch redirect URIs to the single-page application type](../act
160
143
## Add an external Microsoft Entra group
161
144
162
145
Now that you've enabled access for users in a Microsoft Entra tenant, you can:
163
-
* Add Microsoft Entra groups into API Management.
146
+
* Add Microsoft Entra groups into API Management. Groups added must be in the tenant where your API Management instance is deployed.
164
147
* Control product visibility using Microsoft Entra groups.
165
148
166
149
1. Navigate to the App Registration page for the application you registered in [the previous section](#enable-user-sign-in-using-azure-ad---portal).
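Review bot: the added sentence `Groups added must be in the tenant where your API Management instance is deployed.` sits awkwardly next to the **Allowed tenants** step earlier in this diff, which lets users from other tenants sign in: those users can authenticate to the developer portal but cannot be placed in a Microsoft Entra group that API Management will recognize. The following bullet, `* Control product visibility using Microsoft Entra groups.`, should therefore say that group-based product visibility covers only users from the home tenant, and the section should state how product visibility is controlled for users from the other allowed tenants.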