API Management

Microsoft Azure API Management is a turnkey solution for publishing APIs to external and internal consumers. Quickly create consistent and modern API gateways for existing backend services hosted anywhere, secure and protect them from abuse and overuse, and gain insights into usage and health. Plus, automate and scale developer onboarding to help get your API program up and running in no time.

  1. Handle Signing requests

    Add a feature to manage customer keys, customer secret and signing validation of the requests.

    3 votes
    under review · 0 comments · Security
  2. Remove TLS_RSA_WITH_AES_256_GCM_SHA384 from available TLS 1.2 ciphers

    API Management is REQUIRING a WEAK CIPHER be enabled: TLS_RSA_WITH_AES_256_GCM_SHA384

    The documentation to remove ciphers excludes TLS_RSA_WITH_AES_256_GCM_SHA384 with no mention as to WHY: https://docs.microsoft.com/en-us/rest/api/apimanagement/2019-01-01/apimanagementservice/update#request-body

    Further, running the command with this cipher specified as False makes no change to the API Management gateway:

    Name: TLS_RSA_WITH_AES_256_GCM_SHA384
    Value: False

    SSLLABS is identifying cipher suites using TLS_RSA as weak: https://discussions.qualys.com/thread/17971-tlsrsawithaes256cbcsha-comes-to-be-weak-cipher

    3 votes
    0 comments · Security
  3. add access policy that supports managed identity validation

    Similar to how Azure Key Vault is secured with access policies tied back to the system-managed identities of Azure resources accessing the key vault, create a similar mechanism in APIM that allows an API to be secured. For example, if I want an API to be accessed only by a specific Azure App Service(s), create a way to set access policies to allow that resource's managed identity when the specific API is called.

    3 votes
    0 comments · Security
  4. Having the ability to

    Having the ability to see which ciphers are active within the APIM. At the moment you can disable 3DES in the Portal and 9 other ciphers using a PATCH/PUT command but you cannot see which ciphers are actually active anywhere.

    1 vote
    0 comments · Security
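Ideas 2 and 4 above both come down to the same gap: the gateway's enabled cipher list cannot be read back, so the only way to know what is actually active is to ask the gateway from the outside, the way SSL Labs does. The script below is an added example (not from either post's author or from Microsoft): it offers each TLS 1.2 suite the local OpenSSL knows one at a time, records which handshakes the server completes, and flags suites that lack forward secrecy (every TLS_RSA_WITH_* suite, including the one the post names), use a non-AEAD construction, or carry fewer than 128 key bits. The hostname is whatever you pass on the command line; it is assumed to be your own gateway.

```python
"""Check which TLS 1.2 cipher suites a gateway actually negotiates, and flag the weak ones."""
import socket
import ssl
import sys

# Key-exchange identifiers as reported by SSLContext.get_ciphers(). ECDHE/DHE
# give forward secrecy; 'kx-rsa' is the static RSA key transport used by every
# TLS_RSA_WITH_* suite, where a leaked server private key decrypts recorded
# sessions. 'kx-any' is what TLS 1.3 suites report (always ephemeral).
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe", "kx-any"}


def weakness_reasons(cipher):
    """Return the reasons a suite (one dict from get_ciphers()) is weak; [] if none.

    The classification follows the SSL Labs grading the post cites: no forward
    secrecy, non-AEAD (CBC/HMAC) construction, or fewer than 128 key bits.
    """
    reasons = []
    if cipher["kea"] not in FORWARD_SECRET_KX:
        reasons.append("no forward secrecy (%s key exchange)" % cipher["kea"][3:].upper())
    if not cipher["aead"]:
        reasons.append("non-AEAD cipher (CBC/HMAC)")
    if cipher["strength_bits"] < 128:
        reasons.append("fewer than 128 key bits")
    return reasons


def tls12_candidates():
    """Every pre-TLS-1.3 suite the local OpenSSL can offer, as get_ciphers() dicts."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers("ALL")  # include suites the client default leaves out
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def probe(host, port=443, timeout=5.0):
    """Return {openssl_name: cipher_dict} for every suite the server accepts.

    Each suite is offered alone in a TLS 1.2-only ClientHello; a completed
    handshake means the server has it enabled. TLS 1.3 suites cannot be pinned
    one at a time through the ssl module, so they are not probed here.
    """
    accepted = {}
    for cipher in tls12_candidates():
        ctx = ssl.create_default_context()
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        try:
            ctx.set_ciphers(cipher["name"])
        except ssl.SSLError:
            continue  # suite not usable at this OpenSSL security level
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    accepted[tls.cipher()[0]] = cipher
        except ssl.SSLCertVerificationError:
            raise  # a certificate problem would make every suite look rejected
        except (ssl.SSLError, OSError):
            pass  # handshake refused: suite not enabled server-side
    return accepted


def report(accepted):
    """Return [(openssl_name, [reasons])], weak suites first."""
    rows = [(name, weakness_reasons(c)) for name, c in accepted.items()]
    return sorted(rows, key=lambda row: (not row[1], row[0]))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"  # your own gateway host
    for name, reasons in report(probe(target)):
        print("%-32s %s" % (name, "WEAK: " + "; ".join(reasons) if reasons else "ok"))
```

Run it as `python probe_ciphers.py my-apim.azure-api.net` and compare the output against the customProperties you have set; a suite that shows up as accepted after you set it to False is exactly the discrepancy idea 2 reports. The names printed are OpenSSL's (AES256-GCM-SHA384 is TLS_RSA_WITH_AES_256_GCM_SHA384), and the `kea` field, not the name, is what decides the forward-secrecy verdict.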
  5. Pre-populate Azure AD accounts to users with ARM template should act the same as the manual process

    I am pre-populating the users with Azure AD accounts with the following ARM template snippet using a VSTS CI-CD pipeline.

    {
      "apiVersion": "2018-06-01-preview",
      "type": "Microsoft.ApiManagement/service/users",
      "name": "[concat(parameters('serviceName'), '/', 'apim-dev')]",
      "properties": {
        "state": "active",
        "note": "Application account for the SIAM application",
        "email": "apim-dev@contoso.onmicrosoft.com",
        "firstName": "Dev",
        "lastName": "User",
        "identities": [
          {
            "provider": "Aad",
            "id": "12ca3158-2a1b-4a00-87dc-454ebaa5d238"
          }
        ]
      }
    }

    When I run this template the user is added with authentication types Azure AD and Basic. I only want Azure AD as the authentication type, which should be the same behavior as when the user signs in for the first time…

    1 vote
    under review · 0 comments · Security
  6. Automatically provision AD app registration for an API Management instance

    When we expose APIs through API Management, we often want to secure them using JWT validation. For fine-grained control, we would want to validate claims in the JWT to verify that the caller is allowed access to that particular API. Setting up and keeping in sync the app registration to allow this is tedious for the directory administrator particularly when the development environment is highly active.

    I suggest that you enable a way to automatically provision and keep in sync an app registration in the AD tenant whose app roles mirror the APIs offered in the API Management instance.

    1 vote
    0 comments · Security
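The check idea 6 describes, a token's app-role claim deciding which API the caller may reach, is worth seeing end to end. The code below is an added example, not from the post's author or from Microsoft, and it is not the gateway's own policy engine (APIM's validate-jwt policy does this at the gateway). Azure AD issues RS256 tokens verified against the keys in the tenant's OpenID configuration; to run offline this stand-in signs with HS256 and a constructed shared secret, but the claim checks (algorithm pinning, signature, expiry, audience, required role) are the ones a gateway performs. The API-to-role table, audience and secret are constructed values.

```python
"""Authorize an API call from the app-role claim of a caller's JWT (HS256 stand-in)."""
import base64
import hashlib
import hmac
import json
import time

# Hypothetical mirror of "app roles match the APIs": the role a token must
# carry to call each API exposed through the gateway.
API_ROLES = {
    "orders": "Orders.Read",
    "billing": "Billing.Read",
}
EXPECTED_AUDIENCE = "api://contoso-gateway"   # constructed value
SECRET = b"constructed-demo-secret"           # stands in for the IdP signing key


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def issue_token(claims, secret=SECRET):
    """Mint an HS256 JWT; used here only to produce sample tokens for the demo."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token, secret=SECRET, audience=EXPECTED_AUDIENCE, now=None):
    """Return (claims, None) for a valid token, or (None, reason) for a rejected one."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: the token's own header must never choose it.
        if header.get("alg") != "HS256":
            return None, "unexpected alg"
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None, "bad signature"
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None, "undecodable token"
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return None, "expired"
    aud = claims.get("aud")
    if not (aud == audience or (isinstance(aud, list) and audience in aud)):
        return None, "wrong audience"
    return claims, None


def authorize(token, api_name, now=None):
    """Decide whether the token's app roles allow api_name; returns (allowed, reason)."""
    required = API_ROLES.get(api_name)
    if required is None:
        return False, "unknown API"
    claims, reason = verify_token(token, now=now)
    if claims is None:
        return False, reason
    if required not in claims.get("roles", []):
        return False, f"missing role {required}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed caller: an app registration granted only the Orders.Read role.
    sample = issue_token({"aud": EXPECTED_AUDIENCE, "exp": int(time.time()) + 3600,
                          "roles": ["Orders.Read"]})
    for api in ("orders", "billing"):
        print(api, authorize(sample, api))
```

Signature verification comes before any claim is read, and the role lookup is keyed by the API being called rather than by anything in the token, so a token minted for one API's role cannot be reused against another. Keeping API_ROLES generated from the same source as the app registration's roles is the "keep in sync" part the post asks for.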