BasicV2 APIM — /identityProviders/aad PUT returns 502 on all attempts — developer portal AAD sign-in cannot be configured

Question

BasicV2 APIM — /identityProviders/aad PUT returns 502 on all attempts — developer portal AAD sign-in cannot be configured

Mike 20

The APIM developer portal cannot be configured for Azure AD sign-in.

Every write attempt to the /identityProviders/aad ARM sub-resource

returns HTTP 502 Bad Gateway. The ARM GET on /identityProviders

returns 200 with 0 results, confirming no provider has ever been

saved.

What was attempted

Portal wizard ("Enable Azure AD") — ran twice. All 5 steps show

green checkmarks but nothing is written. Developer portal confirms no

AAD sign-in option appears.

Manual "Add identity provider" form (Identities blade) — same 502.
ARM REST API — tested on API versions 2021-08-01, 2022-08-01,

2023-09-01-preview — all 502 on PUT.

APIM direct management API with admin SAS token — 502.
After assigning API Management Service Contributor RBAC and

re-authenticating interactively — still 502.

What works on the same instance

GET /identityProviders → 200 (0 results)
PUT /openidConnectProviders → succeeds
All other APIM management operations work normally

This confirms the 502 is specific to the /identityProviders write

path on this instance, not a general management plane outage.

App registration — fully configured per MS recommendations

✅ SPA redirect URI (new developer portal)
✅ Web redirect URI (deprecated portal)
✅ Access tokens and ID tokens enabled
✅ Directory.ReadAll Application permission — admin consent granted
✅ User.Read Delegated permission — admin consent granted
✅ Optional claims (email, family_name, given_name) on ID token
✅ Client secret valid, not expired
✅ MSAL selected as client library

Error is unchanged after all of the above.

Question

Is this a known issue with the BasicV2 management plane for the

/identityProviders sub-resource? The openidConnectProviders path

works on the same instance, so the fault appears specific to the

identity providers backend. Is there a way to repair this without

recreating the APIM instance?

Pravallika KV 15,465 Reputation points Microsoft External Staff Moderator

2026-05-11T09:18:08.1233333+00:00

Hi @Mike , following up to see if you have checked the above provided information and if it was helpful. Please let me know if you have any questions.
Mike 20 Reputation points

2026-05-11T09:51:39.81+00:00
Thanks for the response, but I'd like to push back — the tier limitation claim is contradicted by Microsoft's own documentation.

Both of these official documentation pages explicitly list Basic v2 in their "APPLIES TO" header for configuring Microsoft Entra ID identity providers on the developer portal:

Secure access to developer portal (https://learn.microsoft.com/en-us/azure/api-management/secure-developer-portal-access) — "APPLIES TO: Developer | Basic | Basic v2 | Standard | Standard v2 | Premium |

Premium v2"

Authorize developer accounts by using Microsoft Entra ID (https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-aad) — same list, including Basic v2

There is no caveat or exception note for Basic v2 on either page.

Additionally, the symptoms don't match a tier limitation:

HTTP status is 502, not 4xx. If the operation were unsupported on this tier, the platform should return a clean 400/403/501. A 502 is the standard signal for an upstream backend fault — not "not supported".

/openidConnectProviders PUT works on the same instance, which rules out a tier-wide block on identity-related sub-resources.

Every code path returns 502 — portal wizard, manual Identities form, ARM REST API on multiple API versions including the v2-recommended 2024-05-01. The portal wizard even shows false-positive green

checkmarks while no provider is written, which is a UI bug, not a tier feature.

App registration is fully compliant per MS guidance: SPA + Web redirect URIs, MSAL client library, access + ID tokens enabled, Directory.ReadAll (Application) admin-consented, User.Read (Delegated)

admin-consented, optional ID token claims (email, family_name, given_name), valid client secret.

RBAC is correct — caller has API Management Service Contributor on the resource, confirmed after a fresh interactive sign-in.

Could you escalate this to the APIM management plane team to investigate the /identityProviders write path on this specific Basic v2 instance? The correlation IDs from the original post should let them trace

the 502 directly.

If Basic v2 genuinely doesn't support this configuration despite what the docs say, then the documentation needs to be corrected on both pages — but until that correction lands, this should be treated as a

platform bug.
Pravallika KV 15,465 Reputation points Microsoft External Staff Moderator

2026-05-11T16:34:29.7366667+00:00

Hi Mike, I reached out to you over private message, please check and respond to investigate the issue further

Answer accepted by question author

0 additional answers

Your answer

Pravallika KV 15,465 Reputation points Microsoft External Staff Moderator

2026-05-11T09:18:08.1233333+00:00

Hi @Mike , following up to see if you have checked the above provided information and if it was helpful. Please let me know if you have any questions.
Pravallika KV 15,465 Reputation points Microsoft External Staff Moderator

2026-05-11T16:34:29.7366667+00:00

Hi Mike, I reached out to you over private message, please check and respond to investigate the issue further

Answer 1

Pravallika KV 15,465 Microsoft External Staff Moderator

Hi @Mike ,

Thanks for the confirmation, glad the issue is resolved.

This is a known issue, and we engaged backend team to investigate and resolve the issue. A hot fix has been deployed to all the regions; you should be able to configure the Entra ID Authentication for V2 SKUs.

Hope this helps!

If the resolution was helpful, kindly take a moment to click on User's image and click on Yes for was this answer helpful. And, if you have any further query do let us know.

0 comments

Share via

BasicV2 APIM — /identityProviders/aad PUT returns 502 on all attempts — developer portal AAD sign-in cannot be configured

0 additional answers

Your answer