Azure API Management: Hiding Developer Portal from anonymous users [step-by-step guide]

Azure API Management is Microsoft’s turnkey solution for administrating and publishing APIs to external and internal customers; and for many development teams, Azure API Management is part of the whole lifecycle of an API: specification, development, test, production, monetization, support, etc. But exactly when are you ready to release a version of your new API to the public (or even to a limited set of users)?

I see many teams using Azure API Management quite early in the API lifecycle (specification, dev, test) but by default Azure API Management allows everyone to know the API Specifications (Swagger/WSDL) and API Documentation (and even query the API) through the Developer Portal. When crafting your API in its very early stages, you often don’t want to share specifications and documentation with anyone outside your team. Mostly because the API will change rapidly during its early phases, and you don’t want your (potential) users to spend their valuable time on something that might change tomorrow. So, is there a good way to control this?

In this blog post, I will show you how to configure and control access to API specifications and API documentation in the Developer Portal.

Option 1: Force all users to sign in

By default, anonymous users can access your API documentation and API specifications (Swagger/WSDL) in the Developer portal. That might not be what you want, and a straightforward way to solve this is simply to force all users to sign in before accessing the Developer Portal.

The following steps will show you how:

Step 1: Sign in to the Azure Portal and open your Azure API Management instance

Screenshot showing how to force anonymous users to sign in.

Step 2: Once you are inside the API Management blade in Azure Portal, click on ‘Identities’ in the left-side menu.

Step 3: Now click on ‘Settings.’

Step 4: Finally, put a checkmark in “Redirect anonymous users to sign-in page” and click “Save.”

Step 5: When you open the Developer Portal, you will instantly be redirected to the sign-in page.

Screenshot is showing the mandatory Sign-in page in Developer Portal.

Option 2: Remove username/password sign-in and sign-up

Now that we can require that users are signed in, we can start to look at the types of users we want to permit access to the Developer Portal.

When an anonymous user creates a new account and completes e-mail verification, the user will instantly gain access to your API documentation and specifications. How do you control who exactly is accessing your Developer Portal?

The most effective thing you can do is to remove to the possibility for users to sign in with username/password altogether.

This gives two advantages:

1. Only users who are accessing the Developer Portal through the Azure Portal will be able to gain access.
2. You can add identity providers of your choice later as long as they support OAuth 2.0, OpenID Connect, Azure AD, Google, etc…
   1. This gives you the freedom to grant access to specific organizations or providers.

This is how it is done:

Screenshot showing how to remove “Username and password” provider type

Step 1: Click on “Identities” in the left-side menu

Step 2: Click on the “…”-button under the provider type called “Username and password.”

Step 3: Click the “Delete”-button and click “Yes” to the confirmation pop-up.

Step 4: Finally, open the Developer Portal and see that sign-in is disabled for external users:

Developer Portal is showing that sign-in is disabled.

Conclusion

In this blog post, I have shown you how to handle anonymous access to your API documentation and specifications in Azure API Management via the Developer Portal. But are there ways to gain even more granular control over how content is presented in the Developer Portal? The answer is yes! In a future blog post I will show you how to restrict access to individual widgets and pages in the Developer Portal. So stay tuned…