Share via

Can you backup API Management Instance without including the product subscription keys

curious7 276 Reputation points
2026-05-12T23:32:47.9+00:00

I am following this KB to backup and restore APIM instance:-
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-disaster-recovery-backup-restore?tabs=powershell

But it includes the product subscription keys which can be a security concern.

Can you backup API Management Instance without including the product subscription keys?

Azure API Management
Azure API Management

An Azure service that provides a hybrid, multi-cloud management platform for APIs.

0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Pravallika KV 15,465 Reputation points Microsoft External Staff Moderator
    2026-05-12T23:50:16.76+00:00

    Hi @curious7 ,

    Thanks for reaching out to MicrosoftmQ&A.

    Unfortunately, the built-in APIM backup/restore mechanism is “all-or-nothing” when it comes to runtime data such as products, subscriptions and their keys. There isn’t a flag or parameter today that lets you omit subscription keys from the backup.

    Here’s what you can do instead:

    1. Use ARM templates (or the Git-based config feature)
    • Export only the API, product and policy definitions you need.
    • Deploy that to your target environment without copying over subscriptions or keys.
    1. Rotate or regenerate subscription keys after restore
    • If you’re doing a full backup/restore (e.g. for DR), run a script (PowerShell/CLI/REST) post-restore to regenerate all subscription keys.
    • You can automate key rotations via the REST API or PowerShell cmdlets (e.g. Set-AzApiManagementSubscription).
    1. Script out subscriptions only when needed
    • If you need subscription objects but want blank keys, export subscription metadata (customer, product assignment) and then create new subscriptions in the target with fresh keys.

    Hope that helps!

    References:

    Hope this helps!

    If the resolution was helpful, kindly take a moment to click on User's imageand click on Yes for was this answer helpful. And, if you have any further query do let us know.

    Was this answer helpful?

  2. AI answer

    2026-05-12T23:33:00.4566667+00:00

    Backup and restore of an Azure API Management instance always includes runtime data such as users and subscriptions. This behavior is by design and might not be desirable when subscription keys are considered sensitive.

    The built-in backup/restore mechanism does not provide an option to exclude product subscription keys or other specific runtime data. To avoid including subscription keys, use an alternative approach instead of full-service backup/restore, such as:

    1. Using APIOps tooling or infrastructure as code (IaC) to back up and redeploy only configuration (APIs, policies, etc.) without runtime data.
    2. Using the API Management REST API to export and re-create only the entities that are needed, rather than performing a full backup.

    These approaches allow replication of configuration between environments without carrying over subscription keys.

    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.