Azure API Management Identity Provider Aad

Microsoft.ApiManagement/service (Azure Resource Manager)

The service in Microsoft.ApiManagement can be configured in Azure Resource Manager with the resource name Microsoft.ApiManagement/service. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

HasanIftakher/Azure-Monitor

{
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workbookDisplayName": {
      "type": "string",

tulpy/Azure

{
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workbookDisplayName": {
      "type": "string",

gaelor/SentinelAsCode

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
        "workbookName": {

lbournwhs/AzureMonitorCommunity

{
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workbookDisplayName": {
      "type": "string",

scautomation/Azure-Inventory-Workbook

{
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workbookDisplayName": {
      "type": "string",

VJchand-star/Azure

{
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workbookDisplayName": {
      "type": "string",

Parameters

• apiVersion required - string
• identity optional
  • type required - string

    The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the service.

  • userAssignedIdentities optional - undefined

    The list of user identities associated with the resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/ providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.

• location required - string

  Resource location.

• name required - string

  The name of the API Management service.

• properties required
  • additionalLocations optional array
    • disableGateway optional - boolean

      Property only valid for an Api Management service deployed in multiple locations. This can be used to disable the gateway in this additional location.

    • location required - string

      The location name of the additional region among Azure Data center regions.

    • publicIpAddressId optional - string

      Public Standard SKU IP V4 based IP address to be associated with Virtual Network deployed service in the location. Supported only for Premium SKU being deployed in Virtual Network.

    • sku required
      • capacity required - integer

        Capacity of the SKU (number of deployed units of the SKU). For Consumption SKU capacity must be specified as 0.

      • name required - string

        Name of the Sku.

    • virtualNetworkConfiguration optional
      • subnetResourceId optional - string

        The full resource ID of a subnet in a virtual network to deploy the API Management service in.

    • zones optional - array

      A list of availability zones denoting where the resource needs to come from.

  • apiVersionConstraint optional
    • minApiVersion optional - string

      Limit control plane API calls to API Management service with version equal to or newer than this value.

  • certificates optional array
    • certificate optional
      • expiry required - string

        Expiration date of the certificate. The date conforms to the following format: yyyy-MM-ddTHH:mm:ssZ as specified by the ISO 8601 standard.

      • subject required - string

        Subject of the certificate.

      • thumbprint required - string

        Thumbprint of the certificate.

    • certificatePassword optional - string

      Certificate Password.

    • encodedCertificate optional - string

      Base64 Encoded certificate.

    • storeName required - string

      The System.Security.Cryptography.x509certificates.StoreName certificate store location. Only Root and CertificateAuthority are valid locations.

  • customProperties optional - string

    Custom properties of the API Management service.</br>Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TripleDes168 will disable the cipher TLS_RSA_WITH_3DES_EDE_CBC_SHA for all TLS(1.0, 1.1 and 1.2).</br>Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11 can be used to disable just TLS 1.1.</br>Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10 can be used to disable TLS 1.0 on an API Management service.</br>Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls11 can be used to disable just TLS 1.1 for communications with backends.</br>Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls10 can be used to disable TLS 1.0 for communications with backends.</br>Setting Microsoft.WindowsAzure.ApiManagement.Gateway.Protocols.Server.Http2 can be used to enable HTTP2 protocol on an API Management service.</br>Not specifying any of these properties on PATCH operation will reset omitted properties' values to their defaults. For all the settings except Http2 the default value is True if the service was created on or before April 1st 2018 and False otherwise. Http2 setting's default value is False.</br></br>You can disable any of next ciphers by using settings Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.[cipher_name]: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA. For example, Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256:false. The default value is true for them. Note: next ciphers can't be disabled since they are required by Azure CloudService internal components: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384

  • disableGateway optional - boolean

    Property only valid for an Api Management service deployed in multiple locations. This can be used to disable the gateway in master region.

  • enableClientCertificate optional - boolean

    Property only meant to be used for Consumption SKU Service. This enforces a client certificate to be presented on each request to the gateway. This also enables the ability to authenticate the certificate in the policy on the gateway.

  • hostnameConfigurations optional array
    • certificate optional
      • expiry required - string

        Expiration date of the certificate. The date conforms to the following format: yyyy-MM-ddTHH:mm:ssZ as specified by the ISO 8601 standard.

      • subject required - string

        Subject of the certificate.

      • thumbprint required - string

        Thumbprint of the certificate.

    • certificatePassword optional - string

      Certificate Password.

    • certificateSource optional - string

      Certificate Source.

    • certificateStatus optional - string

      Certificate Status.

    • defaultSslBinding optional - boolean

      Specify true to setup the certificate associated with this Hostname as the Default SSL Certificate. If a client does not send the SNI header, then this will be the certificate that will be challenged. The property is useful if a service has multiple custom hostname enabled and it needs to decide on the default ssl certificate. The setting only applied to Proxy Hostname Type.

    • encodedCertificate optional - string

      Base64 Encoded certificate.

    • hostName required - string

      Hostname to configure on the Api Management service.

    • identityClientId optional - string

      System or User Assigned Managed identity clientId as generated by Azure AD, which has GET access to the keyVault containing the SSL certificate.

    • keyVaultId optional - string

      Url to the KeyVault Secret containing the Ssl Certificate. If absolute Url containing version is provided, auto-update of ssl certificate will not work. This requires Api Management service to be configured with aka.ms/apimmsi. The secret should be of type application/x-pkcs12

    • negotiateClientCertificate optional - boolean

      Specify true to always negotiate client certificate on the hostname. Default Value is false.

    • type required - string

      Hostname type.

  • notificationSenderEmail optional - string

    Email address from which the notification will be sent.

  • privateEndpointConnections optional array
    • id optional - string

      Private Endpoint connection resource id

    • name optional - string

      Private Endpoint Connection Name

    • properties optional
      • privateEndpoint optional
      • privateLinkServiceConnectionState required
        • actionsRequired optional - string

          A message indicating if changes on the service provider require any updates on the consumer.

        • description optional - string

          The reason for approval/rejection of the connection.

        • status optional - string

          Indicates whether the connection has been Approved/Rejected/Removed by the owner of the service.

    • type optional - string

      Private Endpoint Connection Resource Type

  • publicIpAddressId optional - string

    Public Standard SKU IP V4 based IP address to be associated with Virtual Network deployed service in the region. Supported only for Developer and Premium SKU being deployed in Virtual Network.

  • publicNetworkAccess optional - string

    Whether or not public endpoint access is allowed for this API Management service. Value is optional but if passed in, must be 'Enabled' or 'Disabled'. If 'Disabled', private endpoints are the exclusive access method. Default value is 'Enabled'.

  • publisherEmail required - string

    Publisher email.

  • publisherName required - string

    Publisher name.

  • restore optional - boolean

    Undelete Api Management Service if it was previously soft-deleted. If this flag is specified and set to True all other properties will be ignored.

  • virtualNetworkConfiguration optional
    • subnetResourceId optional - string

      The full resource ID of a subnet in a virtual network to deploy the API Management service in.

  • virtualNetworkType optional - string

    The type of VPN in which API Management service needs to be configured in. None (Default Value) means the API Management service is not part of any Virtual Network, External means the API Management deployment is set up inside a Virtual Network having an Internet Facing Endpoint, and Internal means that API Management deployment is setup inside a Virtual Network having an Intranet Facing Endpoint only.

• sku required
  • capacity required - integer

    Capacity of the SKU (number of deployed units of the SKU). For Consumption SKU capacity must be specified as 0.

  • name required - string

    Name of the Sku.

• tags optional - string

  Resource tags.

• type required - string
• zones optional - array

  A list of availability zones denoting where the resource needs to come from.