Package: Invicti AppSec Core (on-demand)
Azure API Management
Invicti AppSec Core can connect to Azure API Management to automatically import Swagger 2 and OpenAPI 3 specifications into your API catalog.
This document explains how to register an app in Azure, configure the required permissions, and set up the Azure API Management source in Invicti AppSec Core.
Why this matters
Azure API Management already governs which APIs your organization exposes. Connecting it to Invicti AppSec Core brings those APIs directly into your security workflow, so you don't have to maintain a separate inventory or manually upload specifications every time something changes.
Prerequisites
Before you begin, make sure you have a Microsoft Azure account with permission to register apps and configure credentials.
Step 1: Register an app in Azure
- In the Azure Portal, go to Azure Active Directory > App registrations.
- Click + New registration.
- Enter a name for the app.
- Select the supported account types.
- Click Register.
After registration, note the Application (client) ID and Directory (tenant) ID from the app's Overview page. You'll need these in Step 5.
Step 2: Assign a role to the app
- In the Azure Portal, go to your API Management service.
- Select Access control (IAM).
- Click + Add > Add role assignment.
- Assign a custom role that grants the following permission: Microsoft.ApiManagement/service/*/read
- Select the app you registered in Step 1 as the member, then save.
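The following is an added example, not part of the Invicti or Azure documentation: it builds a custom role definition containing only the permission from Step 2 and audits a role for anything beyond it. The role name, the sample IDs, and the choice to limit AssignableScopes to a single API Management service are assumptions made for illustration.

```python
import json
import re

REQUIRED_ACTION = "Microsoft.ApiManagement/service/*/read"  # from Step 2
# Resource ID layout of a single API Management service.
APIM_SCOPE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+"
    r"/providers/Microsoft\.ApiManagement/service/[^/]+$", re.IGNORECASE)


def build_role(subscription_id, resource_group, service_name):
    """Role definition in the JSON shape `az role definition create` accepts."""
    scope = (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
             f"/providers/Microsoft.ApiManagement/service/{service_name}")
    return {
        "Name": "APIM Spec Reader (example)",  # hypothetical role name
        "IsCustom": True,
        "Description": "Read-only access to one API Management service.",
        "Actions": [REQUIRED_ACTION],
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": [scope],  # assumption: one service, not the subscription
    }


def audit_role(role):
    """Return findings where the role deviates from the single-permission role."""
    findings = []
    actions = role.get("Actions", [])
    if REQUIRED_ACTION not in actions:
        findings.append("required action not listed explicitly: " + REQUIRED_ACTION)
    for extra in actions:
        if extra != REQUIRED_ACTION:
            findings.append("extra action: " + extra)
    for extra in role.get("DataActions", []):
        findings.append("extra data action: " + extra)
    for scope in role.get("AssignableScopes", []):
        if not APIM_SCOPE.match(scope):
            findings.append("scope broader than one APIM service: " + scope)
    return findings


# Constructed sample values, not real identifiers.
SUB = "00000000-0000-0000-0000-000000000000"
MINIMAL = build_role(SUB, "rg-example", "apim-example")
TOO_BROAD = dict(MINIMAL, Actions=["*"], AssignableScopes=["/subscriptions/" + SUB])

if __name__ == "__main__":
    print(json.dumps(MINIMAL, indent=2))
    print(audit_role(TOO_BROAD))
```

The printed JSON can be saved to a file and used as the role definition when creating the custom role; an empty findings list means the role grants nothing beyond what Step 2 asks for.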
Step 3: Add API permissions
- In the app registration, go to API permissions.
- Click + Add a permission.
- Select Azure Service Management.
- Enable the user_impersonation scope.
- Click Add permissions.
Step 4: Create a client secret
- In the app registration, go to Certificates & secrets.
- Click + New client secret.
- Enter a description and set an expiration period.
- Click Add and copy the secret value immediately. You can't retrieve it after leaving the page.
Step 5: Configure Azure API Management in Invicti AppSec Core
- Select Discovery > API sources from the left-side menu.
- Click Add source.
- Select the Azure API Management source type card.
- Click Continue.
- Enter the Application (client) ID, Directory (tenant) ID, and client secret.
- Click Authenticate and save.
Step 6: Synchronize
To run an immediate sync, click the sync icon next to the source on the API sources page.
Invicti AppSec Core automatically synchronizes with Azure API Management every 24 hours.
Need help?
The Invicti Support team is ready to provide you with technical help. Go to Help Center