API Management

Microsoft Azure API Management is a turnkey solution for publishing APIs to external and internal consumers. Quickly create consistent and modern API gateways for existing backend services hosted anywhere, secure and protect them from abuse and overuse, and gain insights into usage and health. Plus, automate and scale developer onboarding to help get your API program up and running in no time.

  1. Improved mutual certificate authentication for front-end / public endpoint

    The current method of verifying client certificates is by hard-coding the certificate thumbprint into a conditional in the policy.

    A better solution would be to be able to match the incoming thumbprint to ALL thumbprints in the uploaded SSL key stores. As described in the last paragraph here:
    https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates-for-clients

    However, currently only the private certificates are exposed in the context variable (context.Deployment.Certificates) rendering the aforementioned code non-working.

    41 votes  ·  under review  ·  1 comment  ·  Defining APIs
  2. Return status code 405 instead of 404 when wrong method is used

    Defining an API involves creating the resources and the allowed methods for each resource. When invoking the operation (accessing the resource) with a wrong HTTP method (for example, PUT instead of GET), the API Management service returns a 404 Resource Not Found instead of a 405 Method Not Allowed. Passing an OWASP test implies to return the correct code (https://www.owasp.org/index.php/RESTSecurityCheatSheet#HTTPReturn_Code).

    Is it possible to return this code with API Management right now? Will it be included in future releases?

    40 votes  ·  3 comments  ·  Policies
  3. Expose API Management Events

    Expose events from API Management.

    An example would be a user registering. Currently we get an email. It would be nice if it was an event we could subscribe to (WebHook or API call or Service Bus message, etc.) so that we could use the user registration as the start of a workflow.
    Another example would be if a user requests a Product: having an event, we could leverage things like PowerApp/Flow/Logic App to start an approval process or set up their development environment.

    Simple event list that would have the most value:
    - User Created
    - User Requested Subscription
    - Issue Created

    40 votes  ·  triaged  ·  6 comments  ·  Service management
  4. Support building multipart/form-data in Policy Expressions for legacy apis

    Ability to build multipart/form-data requests from an originating non-multipart request. Ideally, the json-to-xml converter would also be usable. The use case is a legacy API for querying that accepts XML files submitted via multipart POST. We would like to expose it as a standard JSON service (no multipart), or at least as a standard non-multipart XML service. Presumably adding multipart support would involve some additions to the available Policies.

    39 votes  ·  under review  ·  4 comments  ·  Policies
  5. Define policies in JSON

    I am not a big fan of XML so having an option to define policies using JSON would make it much easier to apply a policy and understand what exactly is going on.

    38 votes  ·  1 comment  ·  Policies
  6. Increase password strength for basic user accounts

    Basic user accounts can be created via:
    1. Admin portal (minimum password length = 6)
    2. Self-registration page (minimum password length = 8).
    No other rule applies, i.e. very poor password strength.

    When possible, we definitely use AAD.
    For cases where we cannot use AAD, the Azure PaaS Developer Support Team has recommended us to use Facebook, Google, Microsoft or Twitter accounts...

    Please provide a UI page where the Admin can design the password policy by choosing:
    - Minimum password length. [Default = 8?].
    - English upper case letters (e.g., A, B, C, ...Z). [Checkbox True|False].
    - English lower case letters (e.g., a, b, c, ...z). [Checkbox…

    33 votes  ·  need-feedback  ·  0 comments  ·  Security
  7. Register app with Azure AD through developer portal

    Given that there are already integrations with Azure AD, it would be developer friendly if you could register and manage your apps with Azure AD through the developer console.

    That way you would need just one portal to deal with things like client IDs, secrets, etc.

    32 votes  ·  under review  ·  2 comments  ·  Developer portal
  8. Support backendTlsVersion logging

    As multiple organizations and teams start enforcing TLS 1.2, it is always better to have this log to understand the TLS versions used by backend APIs. This will help teams strategize the push for TLS 1.2 and make informed decisions.

    32 votes  ·  2 comments  ·  Gateway
  9. Limit call rate by key in the Consumption tier

    The rate-limit-by-key policy prevents API usage spikes on a per-key basis by limiting the call rate to a specified number per specified time period. This is a really important feature of API Management and it is not available in the Consumption tier.

    32 votes  ·  1 comment  ·  API management experience
  10. Provide means to restrict TLS cipher suites or means to access cipher suite information

    Provide (1) means to restrict TLS cipher suites that are used in TLS communication between Azure API Management and API callers or (2) means for developers to access detailed information about the cipher suite used in the TLS connection from within API implementations.

    Background:

    We are investigating whether Azure API Management can be used for Financial-grade API (https://openid.net/wg/fapi/).

    Financial-grade API, also known as FAPI, is a set of standard specifications that are built on top of OAuth 2.0 and OpenID Connect. UK Open Banking (https://www.openbanking.org.uk/) has officially adopted FAPI and built Open Banking Profile (OBP) on…

    32 votes  ·  2 comments  ·  Security
  11. Import and append APIs to an existing API through ARM deployments

    In the Azure portal it is possible to append multiple backends behind one logical API endpoint. I want to have the same functionality via ARM. Every repo uses the APIM DevOps resource kit to get the Swashbuckle-generated OpenAPI spec and generates from it the ARM template that registers the API in APIM. Currently, when you have 2 ARM templates that target an API with the same ID, this API is replaced. It should be possible to append and postfix the operations in case of conflicts. So basically the same as the Azure portal does, but this time via ARM…

    32 votes  ·  0 comments  ·  Defining APIs
  12. Improved RBAC roles for API Management

    Right now, Azure RBAC only has 3 API Management specific roles defined: API Management Service Contributor, API Management Service Operator and API Management Service Reader.

    These are OK, but they are not enough for many customers. In particular, many customers require giving developers or architects permissions to define and manage APIs without touching anything else (i.e. no product, security, or similar configurations).

    While this is potentially possible to do using custom RBAC roles, doing so in a way that keeps everything working correctly and that does not break when the PG changes the way the portal works is non-trivial.

    So…

    31 votes  ·  under review  ·  1 comment  ·  Security
  13. Customize 'New subscription requested notification'

    The current 'new subscription requested notification' messages can't be modified in the 'Notification templates'. The current messages sent to APIM admins include the following:

    "Dear member of the [API Team],
    It is our pleasure to let you know that your API has another potential subscriber! [AccountName] submitted a subscription request to the API product [ProductName] on [RequestedDateTime].
    Please accept or decline the request by going to the [ProductName] page on the administrative portal located here [DevPortal link].
    Thank you,
    [API Team]
    [Dev Portal URI]"

    A more useful feature for admins is the ability to approve/reject the request either directly from…

    31 votes  ·  triaged  ·  1 comment
  14. Allow longer URLs and Query parameters

    Currently URLs in the Consumption Tier are limited to a length of 4096 bytes with a maximum length for query parameters of 2048 bytes (source: https://github.com/MicrosoftDocs/azure-docs/blob/master/includes/api-management-service-limits.md). As there is no maximum size defined in the URL standard, the API Management shouldn't constrain the length of URLs and Query Params either (or should have a much higher limit which does not restrict realistic use cases). This would e.g. allow the transmission of data-URLs, Authentication information in the Query Parameter or signed URLs.

    30 votes  ·  0 comments  ·  Defining APIs
  15. Allow same API URL suffix across different APIs and API products

    We are facing the problem that we have multiple microservices developed by multiple teams which have independent delivery pipelines to publish their APIs.

    Depending on the service functionality, certain APIs shall only be usable/visible for specific user groups. Hence, we have to publish them in different API products.

    In general, we want to design the overall API surface across API products in a REST-ful way with a consistent terminology.

    Currently this is not possible because we are facing conflicts between APIs and API products when the REST-ful notion would suggest functionality to be exposed under the same API URL suffix…

    30 votes  ·  0 comments  ·  Defining APIs
  16. Make it possible to call a long-running backend API which needs more than 4 minutes to return

    Hi team,

    We have some legacy backend APIs which need around 10 minutes to return. Yet the APIM SLB has a default timeout of 4 minutes, which is not changeable from the user side; even if I set the forward-request timeout to 15 minutes via Policy, I have never got a response from the APIM. The 4-minute limit can be avoided by keep-alive logic. Could you please implement this while calling a backend API and make sure the timeout can meet the value set in the Policy?

    29 votes  ·  1 comment  ·  API management experience
  17. API Management - import OpenAPI from internal URL

    It would be interesting to allow importing an OpenAPI definition from an internal URL (through VNET integration). The request should resolve with custom DNS and go through VPN or ExpressRoute.
    Now, you get errors that the URL is not publicly available.

    So, the target would be to load OpenAPI specifications from on-premises through VNET and VPN.

    Regards,

    29 votes  ·  0 comments
  18. Hiding operations in developer portal

    This is a duplicate but the original suggestion was closed as Completed.

    I would like to hide operations in the developer portal but still expose them through the proxy.

    29 votes  ·  6 comments  ·  Defining APIs
  19. Updated APIM Product subscription request management

    What we would like is to be able to have specific users approve specific products in the APIM.

    For example, have user Abc only get the approval subscription requests on product 1,
    while user Xyz will only get the approval subscription requests on product 2.

    As the system is working today both user Abc and Xyz will get all the approval subscription-requests.

    29 votes  ·  under review  ·  2 comments
  20. Support Basic Authentication in Front-end API

    We are currently consuming our APIs via various clients, including Microsoft Excel and various integration tools. These tools do NOT support the current front-end API authentication methods.
    One solution is to enable Basic Auth support in the front-end API.
    The existing username and subscription key could be used as the credentials, but the API Management would accept them in the standard base64-encoded Authorization header.

    28 votes  ·  3 comments  ·  Security

    Basic credentials can already be validated using a combination of the check-header policy and an expression (use a named value for storing the username and password).

    We could simplify this use case by implementing a “validate basic credentials” policy, hence I am keeping this under review.
