Add AAD groups to API Management

Daniel Filakovsky 36 Reputation points
2022-04-26T08:47:07.403+00:00

Hello, I have configured AAD in Identities for the API Management service, including an app registration with the following API permissions:

  • Directory.Read.All
  • User.Read

(granted for both Azure Active Directory Graph and Microsoft Graph)

In the Developer portal (settings) | Groups, I'm able to list all AAD groups from my tenant by + Add Azure AD group. But when I try to add any of them, the invoked request fails with 400 and the error message is

"Failed to query Azure Active Directory graph due to error: Invalid URI: The format of the URI could not be determined."

The original request body that the Azure portal sends looks like:
{ "properties": { "type": "external", "displayName": "DisplayName", "description": null, "externalId": "aad://{tenant_id}/groups/{group_id}" } }

When I intercept the request, remove the aad:// prefix from externalId ( "externalId": "{tenant_id}/groups/{group_id}" ) and forward the request, the group is successfully added.

But with this little hack, adding permissions for a particular group to products doesn't work. In the portal it looks like the permission is configured correctly, but developers don't see their products in the portal GUI (*.developer.azure-api.net) even after publishing a new version.

I'm almost sure that it worked one month ago. Can you please help me? Am I doing something wrong, or why is the APIM service failing with the Azure AD Graph API query?

Azure API Management

Accepted answer
MayankBargali-MSFT 69,946 Reputation points
2022-04-28T13:27:09.263+00:00

@Daniel Filakovsky @Atul Mehra Thanks for reaching out, and apologies for the inconvenience caused by this issue. This is a known issue, and the tentative ETA for hotfix rollout completion is April 29th, 2022.

If anyone needs an immediate fix, please post a comment on this post so I can initiate a private comment, and you can share the APIM instance details only in my private comment. I will reach out to my team to mitigate the issue on your APIM instances.

Summary
After a recent API Management service upgrade, when an API Management service administrator tries to add an AAD group to the API Management service by following this documentation, the operation will not complete and the message “Creating new group…” will be shown in the Azure portal. A Fiddler/HAR trace will show that the management call to add the group returned a 400 Bad Request response code with the following error:

{"error":{"code":"ValidationError","message":"Failed to query Azure Active Directory graph due to error: Invalid URI: The format of the URI could not be determined.","details":null}}

Cause
The problem is caused by a regression in the recent service upgrade.

Workaround/Mitigation
A hotfix is being rolled out for this issue. The tentative ETA for hotfix rollout completion is April 29th, 2022.

4 people found this answer helpful.
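Added example, not part of this thread or of Microsoft's APIM tooling: Python helpers that build the external-group request body in the exact shape the portal sends (as quoted in the question), parse and validate the `aad://{tenant_id}/groups/{group_id}` externalId, and recognise the specific 400 ValidationError body quoted in the answer so an automation script stops and reports the known regression instead of blindly retrying. The tenant/group GUIDs, the display name and the ARM URL in the comment are placeholders and assumptions, not values from the thread.

```python
"""Helpers for the APIM 'add external (AAD) group' management call."""
import re
import uuid

# Shape of the externalId the portal sends: aad://{tenant_id}/groups/{group_id}.
# The prefix is optional in the regex only so that bodies seen in traces
# (with or without it) can be parsed and reported; this code always emits it.
AAD_EXTERNAL_ID_RE = re.compile(
    r"^(?P<prefix>aad://)?(?P<tenant>[0-9a-fA-F-]{36})/groups/(?P<group>[0-9a-fA-F-]{36})$"
)

# Error message quoted verbatim in the accepted answer above.
KNOWN_REGRESSION_MESSAGE = (
    "Failed to query Azure Active Directory graph due to error: "
    "Invalid URI: The format of the URI could not be determined."
)

# Constructed sample: the 400 body from the answer, as a Python dict.
SAMPLE_ERROR_BODY = {
    "error": {
        "code": "ValidationError",
        "message": KNOWN_REGRESSION_MESSAGE,
        "details": None,
    }
}


def _validate_guid(value: str, name: str) -> str:
    """Return the GUID in canonical lower-case form, or raise ValueError."""
    try:
        return str(uuid.UUID(value))
    except ValueError as exc:
        raise ValueError(f"{name} is not a GUID: {value!r}") from exc


def build_external_group_payload(tenant_id: str, group_id: str,
                                 display_name: str, description=None) -> dict:
    """Body for PUT .../providers/Microsoft.ApiManagement/service/{svc}/groups/{id}
    (ARM path assumed from the service's REST surface; not quoted in the thread)."""
    tenant = _validate_guid(tenant_id, "tenant_id")
    group = _validate_guid(group_id, "group_id")
    return {
        "properties": {
            "type": "external",
            "displayName": display_name,
            "description": description,
            "externalId": f"aad://{tenant}/groups/{group}",
        }
    }


def parse_external_id(external_id: str) -> dict:
    """Split an externalId into tenant/group GUIDs and note whether aad:// was present."""
    m = AAD_EXTERNAL_ID_RE.match(external_id)
    if not m:
        raise ValueError(f"unrecognised externalId format: {external_id!r}")
    return {
        "tenant_id": _validate_guid(m["tenant"], "tenant_id"),
        "group_id": _validate_guid(m["group"], "group_id"),
        "has_aad_prefix": m["prefix"] is not None,
    }


def is_known_group_regression(status_code: int, body: dict) -> bool:
    """True only for the exact 400 ValidationError body described in the answer."""
    if status_code != 400:
        return False
    err = body.get("error") or {}
    return (err.get("code") == "ValidationError"
            and err.get("message", "") == KNOWN_REGRESSION_MESSAGE)


if __name__ == "__main__":
    # Placeholder GUIDs (constructed), not real tenant/group identifiers.
    payload = build_external_group_payload(
        "11111111-2222-3333-4444-555555555555",
        "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
        "Developers",
    )
    print(payload["properties"]["externalId"])
    print(parse_external_id(payload["properties"]["externalId"]))
    if is_known_group_regression(400, SAMPLE_ERROR_BODY):
        print("known APIM group-creation regression: do not retry, wait for hotfix")
```

The point of `is_known_group_regression` is operational: a deployment pipeline that creates APIM groups can distinguish this service-side regression from a genuinely bad request (for example, a mistyped GUID, which `build_external_group_payload` rejects before anything is sent) and surface it to an operator rather than looping on retries.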
