Enforce basic authentication in Azure API Management

When connecting with legacy systems, Basic Authentication is often the only supported security scheme that is available.  Azure API Management has an out-of-the-box policy that implements Basic Authentication between API Management and the backend API (backdoor).  However, there is no standard policy that performs this security between the API consumer and API Management (frontdoor).

On the internet, I’ve found several solutions which I didn’t like.  In many cases, they throw internal exceptions if the security is not implemented as expected.  In the end, Basic Authentication is just validating the “Authorization” HTTP header.  Its value should be Basic base64(user:password).The easiest way achieve this in Azure API Management, is by using the Check HTTP Header policy.

   <base />
   <set-variable name="user-password" value="{{user}}:{{password}}" />
   <check-header name="Authorization" failed-check-httpcode="401" failed-check-error-message="Not authorized" ignore-case="false">
      <value>@("Basic " + System.Convert.ToBase64String(Encoding.UTF8.GetBytes((string)context.Variables["user-password"])))</value>


In this example, the user and password are defined as named values.  The policy could also be extended to retrieve the password from Key Vault.  To achieve this, you can get some inspiration in this nice blog post.


About me

Hi! I’m Toon Vanhoutte, a hands-on Azure architect – based in Belgium – with a big passion for teaching and helping people out. I’m happy to assist you during your Azure journey with high-quality advisory and I would love to teach you Azure’s possibilities via my tailored training courses.

Subscribe to the blog