AZ-204 Developing Solutions for Microsoft Azure Exam
You can develop, but can you develop for the cloud? Harness your development skills and learn how to create robust solutions for Microsoft Azure, aiming for your Microsoft Certified: Azure Developer Associate certification!
Configure access to APIs
Implement API Authentication and Authorization
Azure API Management (APIM) provides a platform to secure and manage APIs. Use authentication and authorization to control how clients access APIs. APIM supports OAuth 2.0 and OpenID Connect protocols to verify a client’s identity. Only valid tokens with the right scopes or roles can reach your backend. Policies in APIM help handle token checks, caching, and error responses.
To set up OAuth 2.0 or OpenID Connect, start by registering your API and client apps in Azure AD B2C. You need the Client (Application) ID, the OpenID Connect well-known metadata URL, and the Issuer URI from the metadata. These values feed into APIM policies to validate incoming tokens. When a user signs in, AD B2C issues a JSON Web Token (JWT) that contains claims about the user. APIM reads this token before forwarding requests to your API.
In APIM, inbound policies enforce token validation and content checks before requests reach your API. Use the validate-jwt policy to inspect the Authorization header. Specify the openid-config URL, the audiences (your API's Client ID or App ID URI), and the issuers (the AD B2C issuer URI taken from the metadata document). You can also require claims such as scp (scope) or roles to control access at a fine-grained level. This approach ensures every request meets your security rules before it is forwarded.
Role-based access control (RBAC) and scope-based authorization give you flexible permission levels. Define scopes like demo.read and demo.write under the Expose an API section in AD B2C. Assign these scopes to client apps under API permissions in the Azure portal. In your APIM policy, reference required scopes or roles to authorize specific operations. This is key to enforcing the least-privilege principle.
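The following inbound policy is an added example (not taken from the course material) that ties the validate-jwt settings and the demo.read/demo.write scopes together; the named values b2c-openid-config-url, api-client-id and b2c-issuer are assumed placeholders you would create in APIM with your own tenant's metadata URL, Client ID and Issuer URI.

```xml
<policies>
    <inbound>
        <base />
        <!-- Reject the request before it reaches the backend if the bearer token
             is missing, unsigned, expired, or issued for another audience/issuer. -->
        <validate-jwt header-name="Authorization"
                      require-scheme="Bearer"
                      require-signed-tokens="true"
                      require-expiration-time="true"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Access token is missing or invalid.">
            <!-- Signing keys are discovered from the AD B2C well-known metadata document;
                 {{...}} references are APIM named values (assumed names). -->
            <openid-config url="{{b2c-openid-config-url}}" />
            <audiences>
                <audience>{{api-client-id}}</audience>
            </audiences>
            <issuers>
                <issuer>{{b2c-issuer}}</issuer>
            </issuers>
            <!-- scp is space-separated in the token; API-level policy accepts either
                 scope, an operation-level policy on write operations can require
                 demo.write alone to enforce least privilege per operation. -->
            <required-claims>
                <claim name="scp" match="any" separator=" ">
                    <value>demo.read</value>
                    <value>demo.write</value>
                </claim>
            </required-claims>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```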
Follow these best practices to keep your APIs secure and reliable.
- Store secrets and identifiers in named values within APIM instead of hard-coding them.
- Always require HTTPS on both APIM endpoints and your backend services.
- Monitor authentication attempts and errors through APIM analytics for quick issue detection.
- Regularly rotate keys and secrets in Azure AD B2C and APIM to reduce risk.
These practices help maintain strong security and clear audit trails.
Conclusion
In this section, you learned how Azure API Management and Azure Active Directory B2C work together to secure APIs using OAuth 2.0 and OpenID Connect. You saw how to register applications, extract key values, and write inbound policies that validate JWT tokens. You also reviewed how to define and enforce scopes and roles through RBAC for fine-grained access control. Finally, best practices like named values, HTTPS enforcement, monitoring, and key rotation help keep your API solutions robust and secure. With these skills, you can configure access to APIs effectively in Azure.