Securing an API app with an Application Identity–Part 1

Deploying an API within Azure is a very simple tasks. But how about security? The API itself is exposed to the outside world. When for example have a API app that is connected to on-premise systems with an Hybrid Connection the API will have to be secured in a certain way.

An option is to use Azure Active Directory. Within Azure Active Directory you can register an Application Identity for the API App. The connecting application will also have to be registered within Active Directory in order to connect to the API Application (This part will be discussed in part 2).

Part 1 will contain the setup of the API application in Part 2 the configuration and code changes for the client application will be discussed.

First off all the API app needs to be registered within Azure Active Directory. In order to manage Azure Active Directory the old Azure portal : needs to be used.

Azure Active Directory

Open up the Active Directory and click on the “Applications” tab.


In the bar at the bottom of the screen you can add a new application by selecting new. Selecting “New” will open a wizard for adding an application.


Select the option “Add an application my organization is developing”.


Enter the name of the application and since our application is an API app select “Web Application and/or Web API” and click next.


Fill-in a Sign-On URL if you do not have a specific sign-in URL fill in your default URL for example “” (Note: The URL needs to be secured with SSL).

The APP ID URI is a URL specific for your tenant, this URL will need to contain the tenant name. It needs to be constructed in the following way: https://[tenant-name]/[app-name]

Save the options, the configuration screen of the application will be opened.

Code Changes

When the steps within Azure Active Directory are completed the API also needs some small code changes. To secure the application it self a couple of configuration need to be saved and we will save these in the web.config file.

<add key="auth:Tenant" value="[Tenant name,]" />
<add key="auth:APPIDURI" value="[App ID URI of your API Application]" />
<add key="auth:TrustedCallerClientIds" value="[Trusted Callers ClientIds seperated by ';']" />


  • APPIDURI: APP ID URI of your application.
  • Tenant:The name of the Azure AD tenant in which you registered the application ([tenant]
  • TrustedCallerIds:The Client Id’s of the clients that are authorized to access the application seperated by ‘;’.

In the “Startup” class register the Windows Azure Authentication mechanism.

public void ConfigureAuth(IAppBuilder app) {
        new WindowsAzureActiveDirectoryBearerAuthenticationOptions {
            TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters() {
                ValidAudience = ConfigurationManager.AppSettings["auth:APPIDURI"]
            Tenant = ConfigurationManager.AppSettings["auth:Tenant"]

Here you register your application and tenant for authentication. By these settings it will know on which tenant it is registered.

Next up it the API method itself. The methods within the API can be secured with a attribute called “Authorize”.

public string Get(string id) {
    if (string.IsNullOrEmpty(id))
        throw new ArgumentNullException("id", "Argument 'id' cannot be 'null' or 'string.empty'");

    //Get API

All of this together will make sure the application is secured. With a few additional steps you can also secure the application for specific caller applications. That is were the “TrustedCallersIds” configuration comes is.

From the ClaimsPrincipal of the caller application the client id can be retrieved. With the client id you check the values against the values saved within the web.config.

public string Get(string id) {

    Collection<string> trustedCallerClientId = AuthConfiguration.TrustedCallerClientIds;
    string currentCallerClientId = ClaimsPrincipal.Current.FindFirst("appid").Value;

    if (trustedCallerClientId.Contains(currentCallerClientId)) {
        //Get API
        throw new AuthenticationException("Client is not Authorized");

The “AuthConfiguration” class is a object that retrieves the Authentication settings from the web.config. The “TrustedClientIds” property retrieves the TrustedClientIds from the web.config.

public static Collection<string> TrustedCallerClientIds {
    get {
        List<string> retVal =new List<string>();
        string ids = ConfigurationManager.AppSettings["auth:TrustedCallerClientIds"];
        string[] itemIds = ids.Split(new string[]{";"}, StringSplitOptions.RemoveEmptyEntries);
        return retVal.ToCollection();

All of this together will secure you’re API APP. In the next post will be explained how to configure the client application.

Related Posts

Listing Azure Services within a CSV file In some situations you will look into a current Azure Environment and the setup/governance of it and need to migrate or move resources around. The ...
Azure Event Grid with Custom Events As of yesterday (16-8-2017) the public preview of Azure Event Grid is live. Azure Event Grid is a fully managed event routing service. Azure Event Gri...
Removing the Classis Hybrid Connections from Azure (Azure BizTalk Service) As you know the classic hybrid connections that are build upon Azure BizTalk Services are deprecated. These connection will have to be replaced by the...
Restricting access to your Azure Web Application As you may know almost everything that is deployed to Azure is publicly available. As with Azure SQL Database you do not have a firewall available for...
Configure access to a private network for a Azure App Services On-Premise connections for Azure App Services can be created by using Hybrid Connections. Hybrid connections do not need any development or re-configu...
Extensions and Tips for deploying with Azure Resource Templates Working with Azure Services in different subscriptions means that the Azure Services need to run in different subscriptions. This often occurs when we...

Leave a Reply

Your email address will not be published. Required fields are marked *