Reputation: 1031
I have a multi-tenant application, which exposes some API for our customers to use. I would like to expose it using Azure API Management. Mostly to provide the Development Portal to our customers, which I find very useful, and maybe use some other features.
If I understand correctly, our customers will set up their own subscription keys for authentication, which API Management proxy will validate.
Question: How can I link and identify user/subscription to the tenant of my application, to ensure that only data from this tenant are returned.
One direction I can see to explore is to use delegated sign up, which I guess will help me to link subscription to the tenant. But then still the question is how to get user id in my backend API?
Any direction to documentation or samples is very appreciated
Upvotes: 2
Views: 3996
Reputation: 7795
You could create separate groups in APIM to represent your tenants and then put users into those groups using delegation hookups. Within APIM policy expressions you can reference context.User.Groups to list the groups the user making the call belongs to and forward that information to the backend.
Alternatively you could use the Note field to store the tenant name and access it as context.User.Note. Or if you're willing to store the mapping on your side, then just take the id context.User.Id.
All of above could be passed as a header using set-header policy like:
<set-header name="userId">
<value>@(context.User.Id)</value>
</set-header>
All scenarios would require you to have delegation setup to fill this information automatically for every new user created.
Upvotes: 4
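As an added example (not code from the original post or from Azure API Management), here is the backend side of the approach described in the answer: the backend reads the identity APIM forwards as headers and uses it to return only the calling tenant's rows. It assumes the APIM inbound policy sets a `userId` header from `context.User.Id` and a `userGroups` header with the comma-joined names of `context.User.Groups` (both with `exists-action="override"`, so a caller cannot supply their own values), that tenant groups are named `tenant-<id>`, and that the backend is reachable only through APIM; the header names, group-naming scheme, user ids and records are all constructed assumptions.

```python
# Added example: resolve the tenant for a request forwarded by Azure API Management.
# Assumes (not from the original post) that the APIM policy sets these headers with
# exists-action="override" and that nothing but APIM can reach this backend:
#   userId     <- @(context.User.Id)
#   userGroups <- comma-joined names of context.User.Groups
from typing import Dict, List, Mapping, Optional

TENANT_GROUP_PREFIX = "tenant-"  # assumed APIM group naming scheme: tenant-<id>

# Constructed sample mapping (the "store the mapping on your side" option):
# APIM user id -> tenant id
USER_TO_TENANT: Dict[str, str] = {
    "apim-user-001": "contoso",
    "apim-user-002": "fabrikam",
}

# Constructed sample backend rows, each tagged with the tenant that owns it
RECORDS: List[Dict[str, object]] = [
    {"id": 1, "tenant": "contoso", "value": "alpha"},
    {"id": 2, "tenant": "fabrikam", "value": "beta"},
    {"id": 3, "tenant": "contoso", "value": "gamma"},
]


class TenantResolutionError(Exception):
    """Raised when a request cannot be attributed to exactly one tenant."""


def tenant_from_groups(groups_header: Optional[str]) -> Optional[str]:
    """Option 1: the tenant is encoded as an APIM group named 'tenant-<id>'."""
    if not groups_header:
        return None
    names = [g.strip() for g in groups_header.split(",") if g.strip()]
    tenants = [g[len(TENANT_GROUP_PREFIX):] for g in names if g.startswith(TENANT_GROUP_PREFIX)]
    if len(tenants) > 1:
        # A user in two tenant groups is a configuration error: refuse rather than guess.
        raise TenantResolutionError(f"ambiguous tenant groups: {tenants}")
    return tenants[0] if tenants else None


def tenant_from_user_id(user_id_header: Optional[str], mapping: Mapping[str, str]) -> Optional[str]:
    """Option 2: look the APIM user id up in a mapping the backend keeps itself."""
    if not user_id_header:
        return None
    return mapping.get(user_id_header.strip())


def resolve_tenant(headers: Mapping[str, str], mapping: Mapping[str, str] = USER_TO_TENANT) -> str:
    """Return the single tenant the forwarded headers identify, or raise."""
    lowered = {k.lower(): v for k, v in headers.items()}  # HTTP header names are case-insensitive
    by_group = tenant_from_groups(lowered.get("usergroups"))
    by_user = tenant_from_user_id(lowered.get("userid"), mapping)
    if by_group and by_user and by_group != by_user:
        # Group membership and the local mapping disagree: fail closed.
        raise TenantResolutionError(f"tenant conflict: group={by_group} mapping={by_user}")
    tenant = by_group or by_user
    if tenant is None:
        raise TenantResolutionError("request carries no resolvable tenant identity")
    return tenant


def records_for_request(headers: Mapping[str, str],
                        records: List[Dict[str, object]] = RECORDS,
                        mapping: Mapping[str, str] = USER_TO_TENANT) -> List[Dict[str, object]]:
    """Filter rows to the calling tenant; any resolution failure propagates as an error."""
    tenant = resolve_tenant(headers, mapping)
    return [r for r in records if r["tenant"] == tenant]


def is_rejected(headers: Mapping[str, str]) -> bool:
    """True when the request would be refused instead of served."""
    try:
        resolve_tenant(headers)
        return False
    except TenantResolutionError:
        return True


if __name__ == "__main__":
    print(records_for_request({"userId": "apim-user-001"}))
    print(records_for_request({"userGroups": "Developers,tenant-fabrikam"}))
    print(is_rejected({}), is_rejected({"userId": "not-a-known-user"}))
```

The filter is applied to every query on the backend, not only at the gateway, so a request that reaches the service without a resolvable identity (no header, an unknown user id, or conflicting group and mapping information) is refused rather than served with an empty or default tenant.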