Configure Azure API Management Authorization Providers

The azure-native:apimanagement:AuthorizationProvider resource, part of the Pulumi Azure Native provider, defines OAuth2 authorization providers that enable API Management to broker access tokens from identity platforms. This guide focuses on two capabilities: Azure AD authorization code flow and Google OAuth2 integration.

Authorization providers belong to an API Management service and reference OAuth applications registered with identity platforms like Azure AD or Google. The examples are intentionally small. Combine them with your own API Management policies and authorization resources.

Configure Azure AD with authorization code flow

API Management often calls Microsoft Graph or other Azure AD-protected APIs on behalf of users, using the authorization code grant type for browser-based consent flows.

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

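// Read the Azure AD app registration's client secret from stack config
// (`pulumi config set --secret aadClientSecret <value>`) instead of committing
// it to source; requireSecret keeps it encrypted in state and masked in output.
const config = new pulumi.Config();
const aadClientSecret = config.requireSecret("aadClientSecret");

// OAuth2 authorization provider that lets API Management broker Microsoft Graph
// tokens for users via the authorization code grant.
const authorizationProvider = new azure_native.apimanagement.AuthorizationProvider("authorizationProvider", {
    authorizationProviderId: "aadwithauthcode",
    displayName: "aadwithauthcode",
    identityProvider: "aad",
    oauth2: {
        grantTypes: {
            authorizationCode: {
                clientId: "clientsecretid",
                clientSecret: aadClientSecret,
                resourceUri: "https://graph.microsoft.com",
                // Tenant-wide directory reads; trim to the least privilege the API needs.
                scopes: "User.Read.All Group.Read.All",
            },
        },
        // Must match the redirect URI registered on the Azure AD app exactly.
        redirectUrl: "https://authorization-manager.consent.azure-apim.net/redirect/apim/apimService1",
    },
    resourceGroupName: "rg1",
    serviceName: "apimService1",
});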
import pulumi
import pulumi_azure_native as azure_native

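# Read the Azure AD app registration's client secret from stack config
# (`pulumi config set --secret aadClientSecret <value>`) instead of committing
# it to source; require_secret keeps it encrypted in state and masked in output.
config = pulumi.Config()
aad_client_secret = config.require_secret("aadClientSecret")

# OAuth2 authorization provider that lets API Management broker Microsoft Graph
# tokens for users via the authorization code grant.
authorization_provider = azure_native.apimanagement.AuthorizationProvider("authorizationProvider",
    authorization_provider_id="aadwithauthcode",
    display_name="aadwithauthcode",
    identity_provider="aad",
    oauth2={
        "grant_types": {
            "authorization_code": {
                "clientId": "clientsecretid",
                "clientSecret": aad_client_secret,
                "resourceUri": "https://graph.microsoft.com",
                # Tenant-wide directory reads; trim to the least privilege the API needs.
                "scopes": "User.Read.All Group.Read.All",
            },
        },
        # Must match the redirect URI registered on the Azure AD app exactly.
        "redirect_url": "https://authorization-manager.consent.azure-apim.net/redirect/apim/apimService1",
    },
    resource_group_name="rg1",
    service_name="apimService1")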
package main

import (
	apimanagement "github.com/pulumi/pulumi-azure-native-sdk/apimanagement/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
)

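func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Read the Azure AD app registration's client secret from stack config
		// (`pulumi config set --secret aadClientSecret <value>`) instead of committing
		// it to source; RequireSecret keeps it encrypted in state and masked in output.
		cfg := config.New(ctx, "")
		aadClientSecret := cfg.RequireSecret("aadClientSecret")

		// OAuth2 authorization provider that lets API Management broker Microsoft
		// Graph tokens for users via the authorization code grant.
		_, err := apimanagement.NewAuthorizationProvider(ctx, "authorizationProvider", &apimanagement.AuthorizationProviderArgs{
			AuthorizationProviderId: pulumi.String("aadwithauthcode"),
			DisplayName:             pulumi.String("aadwithauthcode"),
			IdentityProvider:        pulumi.String("aad"),
			Oauth2: &apimanagement.AuthorizationProviderOAuth2SettingsArgs{
				GrantTypes: &apimanagement.AuthorizationProviderOAuth2GrantTypesArgs{
					AuthorizationCode: pulumi.StringMap{
						"clientId":     pulumi.String("clientsecretid"),
						"clientSecret": aadClientSecret,
						"resourceUri":  pulumi.String("https://graph.microsoft.com"),
						// Tenant-wide directory reads; trim to the least privilege the API needs.
						"scopes": pulumi.String("User.Read.All Group.Read.All"),
					},
				},
				// Must match the redirect URI registered on the Azure AD app exactly.
				RedirectUrl: pulumi.String("https://authorization-manager.consent.azure-apim.net/redirect/apim/apimService1"),
			},
			ResourceGroupName: pulumi.String("rg1"),
			ServiceName:       pulumi.String("apimService1"),
		})
		return err
	})
}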
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

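return await Deployment.RunAsync(() =>
{
    // Read the Azure AD app registration's client secret from stack config
    // (`pulumi config set --secret aadClientSecret <value>`) instead of committing
    // it to source; RequireSecret keeps it encrypted in state and masked in output.
    var config = new Config();
    var aadClientSecret = config.RequireSecret("aadClientSecret");

    // OAuth2 authorization provider that lets API Management broker Microsoft
    // Graph tokens for users via the authorization code grant.
    var authorizationProvider = new AzureNative.ApiManagement.AuthorizationProvider("authorizationProvider", new()
    {
        AuthorizationProviderId = "aadwithauthcode",
        DisplayName = "aadwithauthcode",
        IdentityProvider = "aad",
        Oauth2 = new AzureNative.ApiManagement.Inputs.AuthorizationProviderOAuth2SettingsArgs
        {
            GrantTypes = new AzureNative.ApiManagement.Inputs.AuthorizationProviderOAuth2GrantTypesArgs
            {
                AuthorizationCode =
                {
                    { "clientId", "clientsecretid" },
                    { "clientSecret", aadClientSecret },
                    { "resourceUri", "https://graph.microsoft.com" },
                    // Tenant-wide directory reads; trim to the least privilege the API needs.
                    { "scopes", "User.Read.All Group.Read.All" },
                },
            },
            // Must match the redirect URI registered on the Azure AD app exactly.
            RedirectUrl = "https://authorization-manager.consent.azure-apim.net/redirect/apim/apimService1",
        },
        ResourceGroupName = "rg1",
        ServiceName = "apimService1",
    });

});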
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.apimanagement.AuthorizationProvider;
import com.pulumi.azurenative.apimanagement.AuthorizationProviderArgs;
import com.pulumi.azurenative.apimanagement.inputs.AuthorizationProviderOAuth2SettingsArgs;
import com.pulumi.azurenative.apimanagement.inputs.AuthorizationProviderOAuth2GrantTypesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

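public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Defines an OAuth2 authorization provider that lets API Management broker
     * Microsoft Graph tokens for users via the authorization code grant.
     */
    public static void stack(Context ctx) {
        // Read the Azure AD app registration's client secret from stack config
        // (`pulumi config set --secret aadClientSecret <value>`) instead of committing
        // it to source; requireSecret keeps it encrypted in state and masked in output.
        var aadClientSecret = ctx.config().requireSecret("aadClientSecret");

        var authorizationProvider = new AuthorizationProvider("authorizationProvider", AuthorizationProviderArgs.builder()
            .authorizationProviderId("aadwithauthcode")
            .displayName("aadwithauthcode")
            .identityProvider("aad")
            .oauth2(AuthorizationProviderOAuth2SettingsArgs.builder()
                .grantTypes(AuthorizationProviderOAuth2GrantTypesArgs.builder()
                    // The map is assembled inside applyValue so the secret stays an Output
                    // and never exists as a plain String literal in the program.
                    .authorizationCode(aadClientSecret.applyValue(secret -> Map.ofEntries(
                        Map.entry("clientId", "clientsecretid"),
                        Map.entry("clientSecret", secret),
                        Map.entry("resourceUri", "https://graph.microsoft.com"),
                        // Tenant-wide directory reads; trim to the least privilege the API needs.
                        Map.entry("scopes", "User.Read.All Group.Read.All")
                    )))
                    .build())
                // Must match the redirect URI registered on the Azure AD app exactly.
                .redirectUrl("https://authorization-manager.consent.azure-apim.net/redirect/apim/apimService1")
                .build())
            .resourceGroupName("rg1")
            .serviceName("apimService1")
            .build());

    }
}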
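config:
  # Supply with `pulumi config set --secret aadClientSecret <value>`; `secret: true`
  # keeps it encrypted in state and masked in output instead of a literal in source.
  aadClientSecret:
    type: string
    secret: true
resources:
  # OAuth2 authorization provider that lets API Management broker Microsoft Graph
  # tokens for users via the authorization code grant.
  authorizationProvider:
    type: azure-native:apimanagement:AuthorizationProvider
    properties:
      authorizationProviderId: aadwithauthcode
      displayName: aadwithauthcode
      identityProvider: aad
      oauth2:
        grantTypes:
          authorizationCode:
            clientId: clientsecretid
            clientSecret: ${aadClientSecret}
            resourceUri: https://graph.microsoft.com
            # Tenant-wide directory reads; trim to the least privilege the API needs.
            scopes: User.Read.All Group.Read.All
        # Must match the redirect URI registered on the Azure AD app exactly.
        redirectUrl: https://authorization-manager.consent.azure-apim.net/redirect/apim/apimService1
      resourceGroupName: rg1
      serviceName: apimService1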

When a user authorizes access, API Management exchanges the authorization code for an access token. The identityProvider property specifies “aad” for Azure Active Directory. Inside oauth2.grantTypes.authorizationCode, you provide the clientId and clientSecret from your Azure AD app registration, the resourceUri for the target API (Microsoft Graph in this case), and the scopes your application needs. The clientSecret is a credential: supply it from stack configuration marked secret (pulumi config set --secret) rather than as a literal in source, so it is encrypted in state and masked in logs and diffs, and rotate it in the app registration if it is ever committed. The User.Read.All and Group.Read.All scopes shown grant tenant-wide directory reads and typically require admin consent; request only the scopes the API actually needs. The redirectUrl must match the redirect URI configured in your Azure AD application exactly, including scheme, host and path.

Connect to Google APIs with OAuth2

APIs that integrate with Google services require OAuth2 authorization through Google’s identity platform.

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

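// Read the Google OAuth client secret from stack config
// (`pulumi config set --secret googleClientSecret <value>`) instead of committing
// it to source; requireSecret keeps it encrypted in state and masked in output.
const config = new pulumi.Config();
const googleClientSecret = config.requireSecret("googleClientSecret");

// OAuth2 authorization provider that lets API Management broker Google tokens
// for users via the authorization code grant.
const authorizationProvider = new azure_native.apimanagement.AuthorizationProvider("authorizationProvider", {
    authorizationProviderId: "google",
    displayName: "google",
    identityProvider: "google",
    oauth2: {
        grantTypes: {
            authorizationCode: {
                clientId: "99999999-xxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com",
                clientSecret: googleClientSecret,
                // No resourceUri for Google: the scopes alone name the APIs and permissions.
                // Only OIDC identity scopes are requested here; add API scopes only as needed.
                scopes: "openid https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email",
            },
        },
        // Must be registered as an authorized redirect URI on the Google OAuth client.
        redirectUrl: "https://authorization-manager.consent.azure-apim.net/redirect/apim/apimService1",
    },
    resourceGroupName: "rg1",
    serviceName: "apimService1",
});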
import pulumi
import pulumi_azure_native as azure_native

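# Read the Google OAuth client secret from stack config
# (`pulumi config set --secret googleClientSecret <value>`) instead of committing
# it to source; require_secret keeps it encrypted in state and masked in output.
config = pulumi.Config()
google_client_secret = config.require_secret("googleClientSecret")

# OAuth2 authorization provider that lets API Management broker Google tokens
# for users via the authorization code grant.
authorization_provider = azure_native.apimanagement.AuthorizationProvider("authorizationProvider",
    authorization_provider_id="google",
    display_name="google",
    identity_provider="google",
    oauth2={
        "grant_types": {
            "authorization_code": {
                "clientId": "99999999-xxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com",
                "clientSecret": google_client_secret,
                # No resourceUri for Google: the scopes alone name the APIs and permissions.
                # Only OIDC identity scopes are requested here; add API scopes only as needed.
                "scopes": "openid https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email",
            },
        },
        # Must be registered as an authorized redirect URI on the Google OAuth client.
        "redirect_url": "https://authorization-manager.consent.azure-apim.net/redirect/apim/apimService1",
    },
    resource_group_name="rg1",
    service_name="apimService1")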
package main

import (
	apimanagement "github.com/pulumi/pulumi-azure-native-sdk/apimanagement/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
)

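func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Read the Google OAuth client secret from stack config
		// (`pulumi config set --secret googleClientSecret <value>`) instead of committing
		// it to source; RequireSecret keeps it encrypted in state and masked in output.
		cfg := config.New(ctx, "")
		googleClientSecret := cfg.RequireSecret("googleClientSecret")

		// OAuth2 authorization provider that lets API Management broker Google
		// tokens for users via the authorization code grant.
		_, err := apimanagement.NewAuthorizationProvider(ctx, "authorizationProvider", &apimanagement.AuthorizationProviderArgs{
			AuthorizationProviderId: pulumi.String("google"),
			DisplayName:             pulumi.String("google"),
			IdentityProvider:        pulumi.String("google"),
			Oauth2: &apimanagement.AuthorizationProviderOAuth2SettingsArgs{
				GrantTypes: &apimanagement.AuthorizationProviderOAuth2GrantTypesArgs{
					AuthorizationCode: pulumi.StringMap{
						"clientId":     pulumi.String("99999999-xxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com"),
						"clientSecret": googleClientSecret,
						// No resourceUri for Google: the scopes alone name the APIs and permissions.
						// Only OIDC identity scopes are requested here; add API scopes only as needed.
						"scopes": pulumi.String("openid https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email"),
					},
				},
				// Must be registered as an authorized redirect URI on the Google OAuth client.
				RedirectUrl: pulumi.String("https://authorization-manager.consent.azure-apim.net/redirect/apim/apimService1"),
			},
			ResourceGroupName: pulumi.String("rg1"),
			ServiceName:       pulumi.String("apimService1"),
		})
		return err
	})
}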
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

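return await Deployment.RunAsync(() =>
{
    // Read the Google OAuth client secret from stack config
    // (`pulumi config set --secret googleClientSecret <value>`) instead of committing
    // it to source; RequireSecret keeps it encrypted in state and masked in output.
    var config = new Config();
    var googleClientSecret = config.RequireSecret("googleClientSecret");

    // OAuth2 authorization provider that lets API Management broker Google
    // tokens for users via the authorization code grant.
    var authorizationProvider = new AzureNative.ApiManagement.AuthorizationProvider("authorizationProvider", new()
    {
        AuthorizationProviderId = "google",
        DisplayName = "google",
        IdentityProvider = "google",
        Oauth2 = new AzureNative.ApiManagement.Inputs.AuthorizationProviderOAuth2SettingsArgs
        {
            GrantTypes = new AzureNative.ApiManagement.Inputs.AuthorizationProviderOAuth2GrantTypesArgs
            {
                AuthorizationCode =
                {
                    { "clientId", "99999999-xxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com" },
                    { "clientSecret", googleClientSecret },
                    // No resourceUri for Google: the scopes alone name the APIs and permissions.
                    // Only OIDC identity scopes are requested here; add API scopes only as needed.
                    { "scopes", "openid https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email" },
                },
            },
            // Must be registered as an authorized redirect URI on the Google OAuth client.
            RedirectUrl = "https://authorization-manager.consent.azure-apim.net/redirect/apim/apimService1",
        },
        ResourceGroupName = "rg1",
        ServiceName = "apimService1",
    });

});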
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.apimanagement.AuthorizationProvider;
import com.pulumi.azurenative.apimanagement.AuthorizationProviderArgs;
import com.pulumi.azurenative.apimanagement.inputs.AuthorizationProviderOAuth2SettingsArgs;
import com.pulumi.azurenative.apimanagement.inputs.AuthorizationProviderOAuth2GrantTypesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

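public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Defines an OAuth2 authorization provider that lets API Management broker
     * Google tokens for users via the authorization code grant.
     */
    public static void stack(Context ctx) {
        // Read the Google OAuth client secret from stack config
        // (`pulumi config set --secret googleClientSecret <value>`) instead of committing
        // it to source; requireSecret keeps it encrypted in state and masked in output.
        var googleClientSecret = ctx.config().requireSecret("googleClientSecret");

        var authorizationProvider = new AuthorizationProvider("authorizationProvider", AuthorizationProviderArgs.builder()
            .authorizationProviderId("google")
            .displayName("google")
            .identityProvider("google")
            .oauth2(AuthorizationProviderOAuth2SettingsArgs.builder()
                .grantTypes(AuthorizationProviderOAuth2GrantTypesArgs.builder()
                    // The map is assembled inside applyValue so the secret stays an Output
                    // and never exists as a plain String literal in the program.
                    .authorizationCode(googleClientSecret.applyValue(secret -> Map.ofEntries(
                        Map.entry("clientId", "99999999-xxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com"),
                        Map.entry("clientSecret", secret),
                        // No resourceUri for Google: the scopes alone name the APIs and permissions.
                        // Only OIDC identity scopes are requested here; add API scopes only as needed.
                        Map.entry("scopes", "openid https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email")
                    )))
                    .build())
                // Must be registered as an authorized redirect URI on the Google OAuth client.
                .redirectUrl("https://authorization-manager.consent.azure-apim.net/redirect/apim/apimService1")
                .build())
            .resourceGroupName("rg1")
            .serviceName("apimService1")
            .build());

    }
}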
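config:
  # Supply with `pulumi config set --secret googleClientSecret <value>`; `secret: true`
  # keeps it encrypted in state and masked in output instead of a literal in source.
  googleClientSecret:
    type: string
    secret: true
resources:
  # OAuth2 authorization provider that lets API Management broker Google tokens
  # for users via the authorization code grant.
  authorizationProvider:
    type: azure-native:apimanagement:AuthorizationProvider
    properties:
      authorizationProviderId: google
      displayName: google
      identityProvider: google
      oauth2:
        grantTypes:
          authorizationCode:
            clientId: 99999999-xxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com
            clientSecret: ${googleClientSecret}
            # No resourceUri for Google: the scopes alone name the APIs and permissions.
            # Only OIDC identity scopes are requested here; add API scopes only as needed.
            scopes: openid https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
        # Must be registered as an authorized redirect URI on the Google OAuth client.
        redirectUrl: https://authorization-manager.consent.azure-apim.net/redirect/apim/apimService1
      resourceGroupName: rg1
      serviceName: apimService1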

The identityProvider property switches to “google” for Google’s OAuth2 service. The authorizationCode configuration includes your Google OAuth client ID and client secret and the scopes for the Google APIs you intend to call; the example requests only the OpenID Connect identity scopes (openid, profile and email), so add Google Workspace API scopes only when an API actually needs them. As with Azure AD, keep the clientSecret out of source and read it from a Pulumi secret config value. Unlike Azure AD, Google doesn’t use a resourceUri property; scopes directly identify the APIs and permissions. The redirectUrl must be registered as an authorized redirect URI in your Google Cloud Console OAuth client configuration, and Google rejects the authorization request if it does not match exactly.

Beyond these examples

These snippets focus on specific authorization provider features: OAuth2 authorization code flow and Azure AD and Google identity provider integration. They’re intentionally minimal rather than full API authorization solutions.

The examples reference pre-existing infrastructure such as API Management service instances and OAuth applications registered with identity providers. They focus on configuring the authorization provider rather than provisioning the surrounding API Management infrastructure.

To keep things focused, common authorization patterns are omitted, including:

  • Client credentials grant type configuration
  • Token refresh and expiration handling
  • Authorization resource and access policy management
  • Custom identity provider endpoints

These omissions are intentional: the goal is to illustrate how each authorization provider feature is wired, not provide drop-in OAuth modules. See the AuthorizationProvider resource reference for all available configuration options.


Frequently Asked Questions

Configuration & Setup
What identity providers are supported for authorization?
The examples on this page use Azure Active Directory (aad) and Google (google) as the identityProvider; consult the AuthorizationProvider resource reference for the full set of accepted values.
How do I configure OAuth2 settings for an authorization provider?
Configure the oauth2 object with grantTypes.authorizationCode (containing clientId, clientSecret, resourceUri, and scopes) and redirectUrl. Keep clientSecret out of source control: read it from a Pulumi config value set with pulumi config set --secret so it is encrypted in state and masked in output. The redirect URL follows the pattern https://authorization-manager.consent.azure-apim.net/redirect/apim/{serviceName} and must be registered verbatim with the identity provider.
What are the character limits for authorization provider names?
Both displayName and identityProvider must be between 1 and 300 characters long.
What's the difference between the two Azure AD authorization examples?
This page includes only the authorization code example, in which clientId and clientSecret appear in the authorizationCode configuration for the standard OAuth2 authorization code flow. A client credentials grant (listed above among the omitted patterns) is configured under a separate grant type and, for Azure AD, would omit these fields, using only resourceUri and scopes; it is not shown here.
Immutability & Lifecycle
What properties can't I change after creating an authorization provider?
Three properties are immutable: authorizationProviderId, resourceGroupName, and serviceName. Changing any of these requires replacing the resource.
How do I import an existing authorization provider?
Use the import command with the resource path: /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ApiManagement/service/{serviceName}/authorizationProviders/{authorizationProviderId}
How do I use a different Azure API version?
Generate a local SDK package using pulumi package add azure-native apimanagement [ApiVersion]. Available versions range from 2022-04-01-preview to 2025-03-01-preview.
Identity Provider Specifics
What scopes should I use for Azure AD authorization?
The examples show User.Read.All Group.Read.All for Microsoft Graph API access with resourceUri set to https://graph.microsoft.com. These are tenant-wide directory read permissions that typically require admin consent; follow least privilege and request only the narrowest Graph scopes your API needs (for example User.Read when only the signed-in user's own profile is required).
What scopes should I use for Google authorization?
The Google example uses openid https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email for basic profile and email access.
