Securing an API using Open ID Connect from AAPIM

Part 1: Register an application in Azure AD to represent the API

Rushank Karekar
3 min readDec 2, 2020


Configuring OpenID Connect for your APIs hosted in Azure API Management adds an extra layer of security and prevents unauthorized access. This is a very important configuration form Security point of view for your Endpoints and is provided out of the box by Azure. This is the first part of a series of Blogs on Securing your API using OpenID Connect in Azure API Management. Please go through all the parts to find easy and detailed steps that will help you configure the OpenID Connect Authentication.

Note: This Blog will demonstrate the steps to configure and test the Open ID connect Authentication with Developer portal (Legacy). The steps are similar for Developer Portal Open ID connect Authentication Configuration. But it is worth noting that the Developer Portal currently only supports Implicit Mode of Authentication and might give you a 401 Error.

Register an application in Azure AD to represent the API

1. Go to the Azure portal to register your application. Search for and select APP registrations.

2. Select New registration.

3. When the Register an application page appears, enter your application’s registration information:

o In the Name section, enter a meaningful application name that will be displayed to users of the app, such as “Test_OIDC”.

o In the Supported account types section, select option as required (Multi_tenant).

4. In the Redirect URI section, select Web and enter the Azure APIM Developer Portal (Legacy App) URL.

5. Select Register to create the application.

6. On the app Overview page, find the Application (client) ID value and record it for later.

7. Enable the OAuth2 implicit flow for Implicit Auth.

Now, create a client secret for this application to use in a subsequent step.

1. From the list of pages for your client app, select Certificates & secrets, and select New client secret.

2. Under Add a client secret, provide a Description. Choose when the key should expire and select Add.

Links to All Blogs of this Series

Part 1: Register an application in Azure AD to represent the API

Part 2: Configure/Setup and Enable Open ID Connect in the Developer Console

Part 3: Successfully call the API from the developer portal (legacy)

Part 4: Configure a JWT validation policy to pre-authorize requests



Rushank Karekar

Working as a Software Engineer at CloudFronts in BI department with Hands-on experience on Azure Integration Services, Power BI, SSRS, SSIS and Scribe Online.