[Microsoft Entra External ID](/entra/external-id/external-identities-overview) is a cloud identity management solution that allows external identities to securely access your apps and resources. You can use it to manage access to your API Management developer portal by external identities.
21
21
22
-
In this article, you learn the configuration of the Microsoft Entra ID identity provider for the following scenario:
22
+
For an overview of options to secure access to the developer portal, see [Secure access to the API Management developer portal](secure-developer-portal-access.md).
23
23
24
-
* Integration with Microsoft Entra External ID in your *workforce tenant*. For example, if your workforce tenant is for the Contoso organization, you might want to configure Google or Facebook as an external identity provider so that these external users can also sign in using their accounts.
24
+
Currently, API Management supports external identity providers in Microsoft Entra External ID when configured in a Microsoft Entra ID *workforce tenant*. For example, if you're enabling access to the developer portal by users in your workforce tenant, such as the Contoso organization, you might want to configure Google or Facebook as an external identity provider so that these external users can also sign in using their accounts. [Learn more about workforce and external tenant configurations in Microsoft External ID](/entra/external-id/tenant-configurations).
25
25
26
-
For an overview of options to secure access to the developer portal, see [Secure access to the API Management developerportal](secure-developer-portal-access.md).
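Review bot: in the added paragraph beginning "Currently, API Management supports external identity providers in Microsoft Entra External ID…", the phrase "these external users" has no antecedent: the preceding clause talks about users in your workforce tenant (the Contoso organization), not external users, so spell out who is meant, for example "so that external users with Google or Facebook accounts can also sign in using those accounts". In the same paragraph, the link text "Learn more about workforce and external tenant configurations in Microsoft External ID" drops "Entra"; the product is named "Microsoft Entra External ID" everywhere else in this article. The moved "For an overview of options…" sentence also fixes the missing space in "developerportal", which is good.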
@@ -38,78 +38,42 @@ For an overview of options to secure access to the developer portal, see [Secure
38
38
39
39
## Add external identity provider to your tenant
40
40
41
-
An external identity provider must be enabled in your workforce tenant. Configuring the external identity provider is outside the scope of this article. For more information, see [Identity providers for External ID in workforce tenant](/entra/external-id/identity-providers).
42
-
43
-
## Create Microsoft Entra app registration
44
-
45
-
Create an app registration in your Microsoft Entra ID tenant. The app registration represents the developer portal application in Microsoft Entra and enables the portal to sign in users by using Microsoft Entra ID.
46
-
47
-
1. In the Azure portal, go to Microsoft Entra ID.
48
-
1. In the sidebar menu, under **Manage**, select **App registrations** > **+ New registration**.
49
-
1. In the **Register an application** page, enter your application's registration information.
50
-
* In the **Name** section, enter an application name of your choosing.
51
-
* In the **Supported account types** section, select **Accounts in this organizational directory only**.
52
-
* In **Redirect URI**, select **Single-page application (SPA)** and enter the following URL: `https://{your-api-management-service-name}.developer.azure-api.net/signin`, where `{your-api-management-service-name}` is the name of your API Management instance.
53
-
* Select **Register** to create the application.
54
-
1.On the app **Overview** page, find the **Application (client) ID** and **Directory (tenant) ID** and copy these values to a safe location. You need them later.
55
-
1. In the sidebar menu, under **Manage**, select **Certificates & secrets**.
56
-
1. From the **Certificates & secrets** page, on the **Client secrets** tab, select **+ New client secret**.
57
-
* Enter a **Description**.
58
-
* Select any option for **Expires**.
59
-
* Choose **Add**.
60
-
1. Copy the client **Secret value** to a safe location before leaving the page. You need it later.
61
-
1. In the sidebar menu, under **Manage**, select **Token configuration** > **+ Add optional claim**.
62
-
1. In **Token type**, select **ID**.
63
-
1. Select (check) the following claims: **email**, **family_name**, **given_name**.
64
-
1. Select **Add**. If prompted, select **Turn on the Microsoft Graph email, profile permission**.
41
+
For this scenario, you must enable an identity provider for External ID in your workforce tenant. Configuring the external identity provider depends on the specific provider and is outside the scope of this article. For options and links to steps, see [Identity providers for External ID in workforce tenants](/entra/external-id/identity-providers).
For external users to sign up for access to the developer portal, you must complete these steps:
47
+
To allow external users to register for access to the developer portal, complete the following steps:
69
48
70
-
* Enable self-service sign-up for your tenant.
49
+
* Enable self-service sign-up for the external tenant.
71
50
* Add your app to the self-service sign-up user flow.
72
51
73
-
For more information and detailed steps, see the following articles:
74
-
75
-
- Workforce tenant: [Add self-service sign-up user flows for B2B collaboration](/entra/external-id/self-service-sign-up-user-flow)
76
-
77
-
## Configure Microsoft Entra ID as an identity provider for developer portal
78
-
79
-
In your API Management instance, configure the Microsoft Entra ID identity provider. You need the values you copied from your app registration in a previous section.
52
+
For more information and detailed steps, see [Add self-service sign-up user flows for B2B collaboration](/entra/external-id/self-service-sign-up-user-flow).
80
53
81
-
1. In the [Azure portal](https://portal.azure.com) tab, navigate to your API Management instance.
82
-
1. In the sidebar menu, under **Developer portal**, select **Identities** > **+ Add**.
83
-
1. In the **Add identity provider** page, select **Microsoft Entra ID**. Once selected, you're able to enter other necessary information.
84
-
1. In **client id**, enter the **Application (client) ID** from your app registration.
85
-
1. In **Client secret**, enter the **Secret value** from your app registration.
86
-
1. In **Signin tenant**, enter the **Directory (tenant) ID** from your app registration.
87
-
* In the **Client library** dropdown, select **MSAL**.
88
-
1. Select **Add**.
89
54
90
-
:::image type="content" source="media/api-management-howto-external-id/entra-id-identity-provider.png" alt-text="Screenshot of the Microsoft Entra ID identity provider configuration in the portal.":::
91
-
1. Republish the developer portal for the Microsoft Entra configuration to take effect. In the sidebar menu, under **Developer portal**, select **Portal overview** > **Publish**.
55
+
## <aid="log_in_to_dev_portal"></a> Sign in to developer portal with Microsoft Entra External ID
92
56
93
-
> [!IMPORTANT]
94
-
> You need to [republish the developer portal](developer-portal-overview.md#publish-the-portal) when you create or update the identity provider's configuration settings for the changes to take effect.
57
+
In the developer portal, you can enable sign in with Microsoft Entra External ID by using the **Sign-in button: OAuth** widget. The widget is already included on the sign-in page of the default developer portal content.
95
58
96
-
## Sign in to developer portal with Microsoft Entra External ID
59
+
A user can then sign in with Microsoft Entra External ID as follows:
97
60
98
-
In the developer portal, sign-in with Microsoft Entra External ID is possible with the **Sign-in button: OAuth** widget. The widget is already included on the sign-in page of the default developer portal content.
61
+
1. Go to the developer portal. Select **Sign in**.
99
62
100
-
1.To sign in by using Microsoft Entra External ID, open a new browser window and go to the developer portal. Select **Sign in**.
63
+
1.On the **Sign in** page, select **Microsoft Entra ID**.
101
64
102
-
1. On the **Sign in** page, select **Azure Active Directory**.
65
+
:::image type="content" source="media/api-management-howto-external-id/developer-portal-sign-in.png" alt-text="Screenshot of selecting Microsoft Entra ID on Sign in page in developer portal.":::
103
66
104
-
:::image type="content" source="media/api-management-howto-external-id/developer-portal-sign-in.png" alt-text="Screenshot of select Azure Active Directory on Sign in page in developer portal.":::
67
+
> [!TIP]
68
+
> If you configure more than one Microsoft Entra tenant for access, more than one Microsoft Entra ID button appears on the sign-in page. Each button is labeled with the tenant name.
105
69
106
-
1. In the sign-in window for your Microsoft Entra tenant, select **Sign-in options**. Select the identity provider you configured in your Microsoft Entra tenant to sign in. For example, if you configured Google as an identity provider, select **Sign in with Google**.
70
+
1. In the sign-in window for your Microsoft Entra tenant, select **Sign-in options**. Select the external identity provider configured in your Microsoft Entra tenant to sign in. For example, if you configured Google as an identity provider, select **Sign in with Google**.
107
71
108
72
:::image type="content" source="media/api-management-howto-external-id/sign-in-options.png" alt-text="Screenshot of select external identity provider in Microsoft Entra.":::
109
73
110
-
To continue sign-in, respond to the prompts. After sign-in is complete, you're redirected back to the developer portal.
74
+
1.To continue sign-in, respond to the prompts. After sign-in is complete, the user is redirected back to the developer portal.
111
75
112
-
You're now signed in to the developer portal for your API Management service instance. You're added as a new API Management user identity in Users, and a new external tenant user in Microsoft Entra ID.
76
+
The user is now signed in to the developer portal, added as a new API Management user identity in **Users**, and added as a new external tenant user in Microsoft Entra ID.
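Review bot: the added bullet "Enable self-service sign-up for the external tenant" contradicts the sentence just above it, which says the identity provider is enabled "in your workforce tenant", and the retained link points to "Add self-service sign-up user flows for B2B collaboration", a workforce-tenant feature; since an external tenant is a distinct Entra tenant configuration, this should probably read "Enable self-service sign-up for your workforce tenant." This hunk also deletes the "Create Microsoft Entra app registration" and "Configure Microsoft Entra ID as an identity provider for developer portal" sections, including the IMPORTANT note that the developer portal must be republished for identity provider changes to take effect, without adding replacement text or a cross-reference; if those steps now live in another article or a shared include, add a link to it before the "Sign in to developer portal with Microsoft Entra External ID" heading, otherwise the reader cannot get from the sign-up user flow to a working sign-in. Finally, as rendered in this hunk the new items "1.On the **Sign in** page, select **Microsoft Entra ID**." and "1.To continue sign-in, respond to the prompts." have no space after the list marker, and the heading anchor "<aid="log_in_to_dev_portal"></a>" has no space between "a" and "id"; check the source file, because Markdown will not render a numbered list item or the anchor without those spaces.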