---
title: "Configuring the Azure API Management Authorizer"
slug: "azure-api-management-authorizer-configuration"
updated: 2025-05-05T12:04:06Z
published: 2025-05-05T12:04:06Z
---


# Configuring the Azure API Management Authorizer

The **PlainID Azure API Management Authorizer** enables fine-grained, policy-based access control for APIs managed by **Azure API Management (APIM)**. It provides consistent and centralized enforcement of business Access Policies by integrating with the PlainID Runtime (PDP), which evaluates access in real time.

The Authorizer acts as a **Policy Enforcement Point (PEP)**, intercepting API calls and enforcing the access decision received from the **Policy Decision Point (PDP)**.

> **Utilizing the API**
>
> Contact our [Support Team](https://plainid.atlassian.net/servicedesk/customer/portals) for access to the Azure API Management Authorizer.

---

## Architecture Overview

### Authorization Flow Diagram

![Azure AuthZ API Management.png](https://cdn.document360.io/726c7002-05a9-480e-b986-42c9e8824acd/Images/Documentation/Azure%20AuthZ%20API%20Management.png)

### Request Flow

1. User logs in and accesses the application.
2. The application sends a request to Azure API Management (APIM).
3. The PlainID Authorizer (PEP) intercepts the request.
4. The Authorizer extracts identity and request context from the call.
5. An authorization request is sent to the PlainID Policy Decision Point (PDP).
6. The PDP evaluates Access Policies and returns an Allow or Deny decision.
7. The Authorizer enforces the decision, forwarding the request to the backend API or blocking it.

---

## Prerequisites

Before you begin, ensure the following:

- Access to the [Microsoft Azure Portal](https://portal.azure.com/).
- A configured PlainID environment with access to the Runtime (PDP) endpoint.
- A Scope in PlainID with associated client credentials (Client ID and Secret or JWT).
- The necessary API(s) deployed and managed in Azure API Management.

---

## Deployment Instructions

### Defining Named Values

In **Azure API Management > Named values**, create the following keys. Use **type = secret** for sensitive values such as `clientSecret`. Refer to [Use named values in Azure API Management policies](https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-properties?tabs=azure-portal) for more information on where to find Named Values and how to use them.

| Name | Description |
| --- | --- |
| `clientId` | Client ID from the configured Scope in PlainID. |
| `clientSecret` | Client Secret from the PlainID Scope (used if `authenticationMethod` is `secret`). |
| `plaindidUrl` | Full URL to the PlainID Runtime endpoint for permit-deny decisions. |
| `authenticationMethod` | `token` for JWT-based authentication or `secret` for client credentials. |
| `enableTracing` | `true` to enable trace logs in APIM Analytics. |
| `onPreventBody` | Body content returned when access is denied. |
| `onPreventContentType` | Content-Type for denied responses (e.g., `application/json`). |
| `onPreventStatusCode` | HTTP status code for denied requests (e.g., `403`). |
| `runtimeFineTune` | JSON structure for tuning the Runtime access request. |
| `runtimeRequestTimeout` | Timeout value in seconds for the Runtime request (e.g., `60`). |

---

#### Example Configuration

```
clientId: PYX9B9H5S29IBG9OEISG
clientSecret: ****
plaindidUrl: https://<host>/api/runtime/5.0/decisions/permit-deny
authenticationMethod: token
enableTracing: true
onPreventBody: { "code": 403, "error": "Forbidden" }
onPreventContentType: application/json
onPreventStatusCode: 403
runtimeFineTune: {
  "includeAccessPolicy": "true",
  "includeAccessPolicyId": "true",
  "includeDetails": true,
  "includeAssetAttributes": true,
  "includeIdentity": true,
  "includeIdentityAttributes": true,
  "entityId": "userId",
  "entityAttributes": {
    "identityattr1": ["identityAtt1Value"]
  },
  "entityTypeId": "User"
}
runtimeRequestTimeout: 60
```

---

### Adding the Authorization Policy

1. Navigate to the **API** you want to protect in the Azure Portal.
2. Select the **Inbound Processing** section.
3. Click **Add policy** and choose **Other policies**.
4. Paste the PlainID policy XML into the editor.
5. Save your changes.

> You can refer to [Azure’s official guide](https://learn.microsoft.com/en-us/azure/api-management/set-edit-policies?tabs=form#configure-policy-in-the-portal) for detailed steps.

Alternatively, you can apply the policy at the **Product** level under: `APIs > Products > [Your Product] > Policies > Inbound Processing`
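The PlainID policy XML itself is not reproduced on this page. The inbound policy below is an added illustration, not PlainID's own policy and not the file the Support Team provides: it shows how the Named Values from the table above plug into an Azure API Management policy that implements the request flow (send the request context to the PDP, enforce the decision, and fail closed when the PDP times out or returns an error). The `{{...}}` references are the Named Values defined above; everything about the PDP request body and response (the `resources` fields, the `result`/`permit` check, and how the `token` and `secret` methods are presented to the Runtime) is an assumption to be checked against the PlainID Runtime API documentation. Nested double quotes inside attribute values follow the convention used in Microsoft's own policy examples.

```xml
<policies>
  <inbound>
    <base />
    <!-- Added example, not the PlainID-supplied policy. {{name}} references are the
         Named Values from the table above; PDP request/response field names are assumed. -->

    <!-- Step 5: one POST to the Runtime permit-deny endpoint, bounded by the configured
         timeout. ignore-error="true" leaves the response variable null on failure instead
         of aborting the policy, which lets the enforcement step below fail closed. -->
    <send-request mode="new" response-variable-name="pdpResponse"
                  timeout="{{runtimeRequestTimeout}}" ignore-error="true">
      <set-url>{{plaindidUrl}}</set-url>
      <set-method>POST</set-method>
      <set-header name="Content-Type" exists-action="override">
        <value>application/json</value>
      </set-header>
      <!-- token method (assumed): forward the caller's bearer token so the PDP derives
           the identity from it; with the secret method the header is left empty. -->
      <set-header name="Authorization" exists-action="override">
        <value>@("{{authenticationMethod}}" == "token"
                 ? context.Request.Headers.GetValueOrDefault("Authorization", "")
                 : "")</value>
      </set-header>
      <set-body>@{
        // Step 4: request context extracted from the call. Field names are assumptions.
        var body = new JObject(
            new JProperty("clientId", "{{clientId}}"),
            new JProperty("entityTypeId", "User"),   // mirrors the example configuration
            new JProperty("resources", new JArray(new JObject(
                new JProperty("resourceType", "api"),
                new JProperty("path", context.Request.OriginalUrl.Path),
                new JProperty("action", context.Request.Method)))));
        // secret method (assumed): client credentials travel in the body
        if ("{{authenticationMethod}}" == "secret") { body["clientSecret"] = "{{clientSecret}}"; }
        return body.ToString();
      }</set-body>
    </send-request>

    <!-- Step 6: only an explicit permit counts. A null response (timeout/network error),
         a non-200 status or an unexpected body all evaluate to deny. -->
    <set-variable name="pdpPermit" value="@{
        var pdp = context.Variables.GetValueOrDefault<IResponse>("pdpResponse");
        if (pdp == null || pdp.StatusCode != 200) { return false; }
        var decision = pdp.Body.As<JObject>(preserveContent: true);
        return decision != null && (string)decision["result"] == "permit"; // assumed shape
    }" />

    <!-- Optional trace, visible in APIM Analytics when enableTracing is true -->
    <choose>
      <when condition="@("{{enableTracing}}" == "true")">
        <trace source="plainid-authorizer" severity="information">
          <message>@("PDP decision for " + context.Request.Method + " "
                     + context.Request.OriginalUrl.Path + ": permit=" + context.Variables["pdpPermit"])</message>
        </trace>
      </when>
    </choose>

    <!-- Step 7: enforce. Denied calls get the configured onPrevent* response and never
         reach the backend; permitted calls fall through to the backend section. -->
    <choose>
      <when condition="@(!(bool)context.Variables["pdpPermit"])">
        <return-response>
          <set-status code="{{onPreventStatusCode}}" reason="Forbidden" />
          <set-header name="Content-Type" exists-action="override">
            <value>{{onPreventContentType}}</value>
          </set-header>
          <set-body>{{onPreventBody}}</set-body>
        </return-response>
      </when>
    </choose>
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

Paste a policy of this shape into the **Inbound Processing** editor at the API or Product scope as described in the steps above. The `runtimeFineTune` value is not consumed here; merging that JSON into the PDP request is a detail of the policy supplied by PlainID. The important property to preserve in any variant is that the default outcome is deny: the request is forwarded only when the PDP answered within `runtimeRequestTimeout` with an explicit permit.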

---
