
Unable to add Entra ID as authentication method on our Azure API Management

Jaswinder Puri (A) 0 Reputation points
2026-05-01T17:55:33.23+00:00

Unable to add Entra ID authentication. We are getting the following error message.

We tried to deploy it using Portal Overview > Enable Azure Active Directory and got the following error message.

Register 'YourAPI' Azure Active Directory application - Success

Enable access tokens and ID tokens authentication to the Azure Active Directory application - Success

Add Directory.ReadAll permissions to Microsoft Graph and Azure Active Directory Graph APIs - Success

Create client secret in the Azure Active Directory application - Success

Add Azure Active Directory identity in API Management - Failed with following error

ajaxExtended call failed

Correlation ID: {REDACTED}

We also tried it manually; it fails that way as well.
We created several app registrations manually and had no luck.

How do I fix this issue?

Azure API Management

An Azure service that provides a hybrid, multi-cloud management platform for APIs.


2 answers

  1. kagiyama yutaka 3,080 Reputation points
    2026-05-02T02:14:47.3233333+00:00

    Looks like the Entra auth setup just got stuck on the APIM side. Only Support can reset that state; retries or re‑creating the reg won’t clear it anyway.


  2. Rakesh Mishra 9,340 Reputation points Microsoft External Staff Moderator
    2026-05-01T19:34:27.2333333+00:00

    [UPDATED]

    Hi Jaswinder,

    Please find the summary of our discussion over Email and Private messages.

    Resolution: We tried the troubleshooting steps below, but they did not work. So we reached out to the backend team, and there was an ongoing issue. The backend team then fixed the issue and released the fix.

    And you confirmed that it is working now.

    Key Troubleshooting Steps
    1. Verify Your User Account Permissions
      The most critical requirement is that YOUR user account (the person performing this operation) needs adequate permissions in Entra ID. To create app registrations and grant permissions, you need at least Cloud Application Administrator or Application Administrator role.
      • Go to Microsoft Entra ID > Roles and administrators
      • Verify your account has one of these roles:
        • Cloud Application Administrator (least privileged for this task)
        • Application Administrator
        • Global Administrator (if you have it)
    2. Try Manual Configuration Instead
      Since the automatic flow is failing, try the manual approach:
      1. Navigate to your API Management instance > Developer portal > Identities > + Add
      2. Select Microsoft Entra ID from the dropdown and choose MSAL as the client library
      3. Save the Redirect URL provided
      4. In a new browser tab, create an app registration in Microsoft Entra ID with the redirect URI set to Single-page application (SPA)
      5. Generate a client secret and copy both the Application (client) ID and secret back to APIM
    3. Clear Browser Cache and Try Again
      The "ajaxExtended call failed" error is often a generic Azure portal error. Try:
      • Clearing browser cache and cookies completely
      • Using an InPrivate/Incognito browser window
      • Trying a different browser entirely
    4. Check Azure Activity Log
      Review the Azure Activity Log for failed write operations on Microsoft.ApiManagement/service/identityProviders to get more specific error details:
      1. Go to your API Management instance
      2. Select Activity log
      3. Filter to the timeframe when you saw the error
      4. Look for operations related to "identityProviders" with "Failed" status
      5. Click on the failed operation to see detailed error messages
    5. Verify Required Permissions for the App Registration
      If you're doing manual setup, ensure the app registration has these permissions (these are for the app registration itself, not for APIM): Add the following minimum application permissions for Microsoft Graph API:
      • User.Read.All (for reading user's group membership)
      • Grant admin consent for these permissions
    6. Network and Connectivity Issues
      If your APIM is in a virtual network, ensure it can reach the required Microsoft Graph endpoints. For troubleshooting guidance, refer to Troubleshoot network connectivity to Microsoft Graph from inside a VNet.
    Reference Documentation

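Step 4 of the answer above points at the Activity Log for failed identityProviders writes. As an added example (not code from the answer or from Microsoft), the following Python filters the JSON that `az monitor activity-log list -o json` returns down to those failures, matches on the Correlation ID the portal error reports, and unpacks the ARM error object that the Activity Log stores as a JSON string inside `properties.statusMessage`; the sample events, their correlation IDs, resource path and error text are constructed placeholders.

```python
import json

# Operation the portal's "Add Azure Active Directory identity" step records in
# the Activity Log (the resource type named in the answer above).
IDENTITY_PROVIDER_WRITE = "Microsoft.ApiManagement/service/identityProviders/write"


def parse_status_message(raw):
    """statusMessage is normally a JSON string wrapping an ARM error object
    ({"error": {"code": ..., "message": ...}}); keep the raw text if it is not."""
    if not raw:
        return {"code": None, "message": None}
    try:
        body = json.loads(raw)
    except ValueError:
        return {"code": None, "message": raw}
    err = body.get("error", body) if isinstance(body, dict) else {}
    return {"code": err.get("code"), "message": err.get("message")}


def failed_identity_provider_writes(events, correlation_id=None):
    """Return failed identityProviders writes from Activity Log events (the JSON
    that `az monitor activity-log list -o json` prints), optionally narrowed to
    the Correlation ID shown in the portal's "ajaxExtended call failed" error."""
    hits = []
    for ev in events:
        op = (ev.get("operationName") or {}).get("value", "")
        status = (ev.get("status") or {}).get("value", "")
        if op.lower() != IDENTITY_PROVIDER_WRITE.lower() or status != "Failed":
            continue
        if correlation_id and ev.get("correlationId") != correlation_id:
            continue
        detail = parse_status_message((ev.get("properties") or {}).get("statusMessage"))
        hits.append({"time": ev.get("eventTimestamp"), "correlationId": ev.get("correlationId"),
                     "resource": ev.get("resourceId"), "subStatus": (ev.get("subStatus") or {}).get("value"),
                     "code": detail["code"], "message": detail["message"]})
    return hits


# Constructed sample events; correlation IDs, resource path and error text are placeholders.
SAMPLE_EVENTS = [
    {"eventTimestamp": "2026-05-01T17:50:12Z", "correlationId": "placeholder-corr-id",
     "operationName": {"value": IDENTITY_PROVIDER_WRITE}, "status": {"value": "Failed"},
     "subStatus": {"value": "BadRequest"},
     "resourceId": "/subscriptions/<sub>/resourceGroups/rg-apim/providers/Microsoft.ApiManagement/service/yourapi/identityProviders/aad",
     "properties": {"statusMessage": json.dumps({"error": {"code": "ValidationError", "message": "constructed sample message"}})}},
    {"eventTimestamp": "2026-05-01T17:50:13Z", "correlationId": "placeholder-corr-id",
     "operationName": {"value": IDENTITY_PROVIDER_WRITE}, "status": {"value": "Succeeded"}, "properties": {}},
    {"eventTimestamp": "2026-05-01T17:40:00Z", "correlationId": "other-corr-id", "properties": {"statusMessage": "not json"},
     "operationName": {"value": "Microsoft.ApiManagement/service/write"}, "status": {"value": "Failed"}},
]
```

On a real instance, run `az monitor activity-log list --correlation-id <id from the portal error> -o json`, load the output with `json.load`, and pass it to `failed_identity_provider_writes` to get the error code and message that the portal's generic failure hides.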
