We've connected our Azure API Management developer portal to Microsoft Entra ID (AAD) following the instructions described on https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-aad#manually-enable-microsoft-entra-application-and-identity-provider. The "Supported account types" of the app registration has been set to "Accounts in this organizational directory only (... only - Single tenant)". The 'username and password' identity provider has been removed from APIM.
We have a single Microsoft Entra ID (AAD) instance in which all users are registered. Every environment (DTAP) has its own developer portal instance, which is connected to Entra using its own separate app registration. Using groups in Entra we have restricted access to our products in API Management.
What I've noticed is that every user that is registered in Entra seems to be able to log into the Developer Portal on every environment. The first time they log in, they can 'sign up' and are automatically registered as a user in the corresponding API Management and added to the built-in Developer group.
Is there a way to only allow users that are members of a specific group to log in to the portal, or can I only use groups to restrict access to products and pages?
A colleague of mine found the answer. You can restrict access via the 'Enterprise Application' of the app registration.
Steps:
If a user tries to log in that is not assigned, they will get an error message.
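As an added example (not part of the original answer), the same enterprise-application restriction scripted with Azure CLI: turn on "Assignment required?" on the service principal of one environment's app registration and assign a single Entra group to its Default Access role, so members of that group are the only directory users the portal will sign in. `APP_ID` (client id of the app registration) and `GROUP_ID` (object id of the allowed group) are assumed placeholders you supply.

```shell
#!/usr/bin/env sh
# Added example, not from the original post. Assumes an Azure CLI session
# (`az login`) with rights to manage the enterprise application, and two
# placeholders: APP_ID (app registration client id) and GROUP_ID (group object id).
set -eu

# The built-in "Default Access" app role of an enterprise application has the
# all-zeros id; assigning a group to it is what makes its members "assigned".
DEFAULT_ACCESS_ROLE="00000000-0000-0000-0000-000000000000"

# Resolve the service principal (enterprise application) object id from the
# app registration's client id.
sp_object_id() {
  az ad sp show --id "$1" --query id -o tsv
}

# Enforce "Assignment required?": unassigned directory users are refused at
# sign-in instead of being auto-registered into the portal's Developer group.
require_assignment() {
  az ad sp update --id "$1" --set appRoleAssignmentRequired=true
}

# Graph request body for an app role assignment: resourceId is the service
# principal, principalId is the group being granted the role.
assignment_body() {
  printf '{"principalId":"%s","resourceId":"%s","appRoleId":"%s"}' \
    "$2" "$1" "$DEFAULT_ACCESS_ROLE"
}

# Assign the group via Microsoft Graph (az ad has no dedicated command for this).
assign_group() {
  az rest --method POST \
    --url "https://graph.microsoft.com/v1.0/servicePrincipals/$1/appRoleAssignedTo" \
    --headers "Content-Type=application/json" \
    --body "$(assignment_body "$1" "$2")"
}

# Read the flag back; prints "true" once assignment is enforced.
check_assignment_required() {
  az ad sp show --id "$1" --query appRoleAssignmentRequired -o tsv
}

# Apply only when invoked with --apply, e.g.
#   APP_ID=... GROUP_ID=... ./restrict_portal.sh --apply
if [ "${1:-}" = "--apply" ]; then
  sp_id=$(sp_object_id "$APP_ID")
  require_assignment "$APP_ID"
  assign_group "$sp_id" "$GROUP_ID"
  check_assignment_required "$APP_ID"
fi
```

Repeat per environment with that environment's app registration, since each developer portal has its own enterprise application.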