Monetize your APIs with Azure API Management

In a world of Microservices and APIs, it might come a time when you realize you have some service that others might want to use.

Azure API Management was made for this purpose, to centralize the management of all your APIs.

It allows an easy tracking of usage, thanks to its subscription-key approach, with a unique key per user; so you can easily charge money to use your APIs.

But one caveat is that the user base in API Management is a "standalone" list, not necessarily aligned with Azure Active Directory (where you probably will have already all your users).

So if you want to align these two worlds, as of now you need to be creative, bend some concept, and implement a few tricks, as explained here.

Let's start from the basic, that is how Azure Active Directory works behind the scenes.

Here you can see the basic entities of Azure Active Directory for an Application: the App Registration and the Enterprise Applications; from these two entry points in the Azure portal you can manage almost everything about your App authentication.

Now, if you want to have some Customer specific division in your Azure Active Directory, you need to be a bit creative, and mis-use some entity to achieve your needs (I was hoping that AAD B2B or B2C would help achieving this, but apparently that is not the case so far).

As you can see in the above picture, you define CustomerA and CustomerB in AAD as Security Groups; then you can add to these group all the users from each Company, which you previously invited to your AAD as described here.

At this point you edit your Application Manifest in the AAD Registration and add two new AppRoles: CustomerA and CustomerB.

Then you open the Enterprise Applications menu of the AAD section in the Azure portal, and assign those new AppRoles to your users individually (behind the scenes through a AppRoleAssignment).

Now, since you use API Management, you need an App Registration in AAD also for its Developer portal (this is where your API consumers will login in order to learn about and test your APIs).
Once you did that, you can switch to the API Management Publisher portal, and import your API, as described here.


You will also need to create an Authorization Server in the Publisher Portal, so that it can use the OAuth2 Permissions in AAD, as shown in the picture above.


Now, to make things a bit more complex, you need to have your API users to register on the API Management Developer portal (as of now, "invite" for some reason does not work, so you have to rely on them to do it...).

Once they did register, and you have your users in API Management, you can create the Customer Groups as you did in AAD, choosing to "Add groups from AAD". in the Product section of the API Management Publisher portal. under the Visibility tab.

Obviously you need to have a Product for each Customer, with the same names as the Groups you previously created. That will allow for an easy match and assignment without confusion, as you can see in the picture here below.


Once you performed all these steps, you are now able to use Role-Based Authorization as usual at your Operation (action or method) level in your APIs, as shown here below.

Limit access to this Operation only to CustomerA users:

Limit access to this Operation only to CustomerB users:


Allow access to this Operation to both CustomerA and CustomerB users:



And thanks to the API Management Analytics section in the Publisher portal, you can see all details about usage of your APIs, by user, as well as Customer.

Now, the only work left for all this to be really useful and easy, is to automate it, of course!

Luckily API Management provides a REST API that you can use, more or less like the Azure Graph API.

But I will tell you about it in a next post.
;)


For now, Happy Holidays!

Comments

  1. UnknownAugust 22, 2018 at 2:31 PM

    Very informative and very useful to the users. Keep share and update your information Azure Online Training Hyderabad

    ReplyDelete
  2. MikeyDecember 9, 2018 at 5:07 AM

    Great article! Would the Operation be visible to everyone and return an error code? Or would it be visible to only those who can make an authorized call? btw the last 'analytics' image is blurred out..

    ReplyDelete
  3. PriyaDecember 24, 2019 at 8:22 AM

    Hey thanks for this amazing post! Thank you so much for sharing the good post, I appreciate your hard work.Keep blogging.
    Mulesoft Online Training
    Mulesoft Training in Hyderabad

    ReplyDelete
  4. Cognex TechnologyFebruary 19, 2020 at 11:03 AM

    Thanks for this guide. By using this guide, I will monetize it. keep more updates on Microsoft azure

    ReplyDelete
  5. AnonymousJune 5, 2020 at 10:24 AM

    Great post.... if any one interested to power bi training call or whatsapp +91 9885022027.

    ReplyDelete

Post a Comment

Popular posts from this blog

Cloud Computing using Microsoft Azure for Dummies

Image
Microsoft Azure is one of the first On-Demand Cloud Services available since several years, along with Amazon . So what is this Cloud Computing ? “Cloud computing, also known as 'on-demand computing', is a kind of Internet-based computing, where shared resources, data and information are provided to computers and other devices on-demand” [ Wikipedia ] Since a few years, and especially thanks to the worldwide Globalization , the amount of data exchanged over the Internet has been growing exponentially, bringing into the game some new paradigm such as Big Data , which challenged the existing hardware and infrastructure at every level. Most public exposed systems and websites had suddenly to deal with a huge amount of traffic, data and requests, from any part of the world, with potential peaks at any given time, 24/7.  This represented a big challenge for the stability and availability of systems, which for most businesses required an incredib
Read more

RabbitMQ on Kubernetes Container Cluster in Azure

Image
Introduction This post is quite technical (and long, and detailed), so sit down, enjoy your coffee, and let’s get started! Containers are becoming the way forward in the DevOps and IT worlds, as they greatly simplify deployments of applications and IT infrastructure . RabbitMQ is “the most widely deployed open source message broker”, and easy to use within a Docker Container Image . Kubernetes is considered the De-facto Standard for Container Orchestration . To follow this tutorial you can use the built in Azure Cloud Shell , or download and install the Azure CLI , and use PowerShell locally. Make sure you have installed  Azure PowerShell . You will also need Kubectl , so make sure you install that too (I suggest Choco as the easiest way). Here I am using PowerShell . Resource Group First you have to login to Azure through PowerShell: az login You will receive a message such as: To sign in , use a web browser to open the page http
Read more

AD vs AAD (Active Directory vs Azure Active Directory)

Image
Comparing AD vs AAD is a bit like comparing apples and oranges; they are two very different technologies used for different scenarios and needs . As organizations look to move a great deal of their infrastructure to Azure , Active Directory ceases to become the right option .  Azure AD therefore, becomes the solution that is recommended. This post is aimed at explaining the main reasons behind this statement. On-Premise Active Directory Windows Server AD offers 5 core services. · Active Directory Domain Services (ADDS) · Active Directory Certificate Services (ADCS) · Active Directory Rights Management Services (ADRMS) · Active Directory Lightweight Directory Services (ADLDS) · Active Directory Federation Services (ADFS) Those 5 services together make up the entirety of on-premises AD . When most of us talk about AD , we’re mostly talking about ADDS . None of those 5 services are available in Azure AD . When you thi
Read more