How to provide access to APIs for a specific set of external users ( not with everyone ) in secure way"

[Madhan-Rommala]

We know DAB works for internal users and can allow role-based access for users using Azure AD. However, We also need to understand how to make this API accessible to outside users in secure way. We know that, if we configure the entity with "role": "anonymous", everyone can access it right now. But what I need is "to provide access to APIs for a specific set of external users only ( not with everyone ) in secure way". Is there a way around this?

[Aniruddh25]

Hi @Madhan-Rommala,
Are you able to assign a role to that specific set of external users, perhaps through a different authentication provider than Azure AD?
You should be able to provide that provider's name in place of AAD, with the audience and issuer in the authentication section of the configuration file https://learn.microsoft.com/en-us/azure/data-api-builder/authentication#jwt

Each request in DAB is executed in context of a single role. And you need to provide the value of the role the request should be evaluated as in the X-MS-API-ROLE header as described here: https://learn.microsoft.com/en-us/azure/data-api-builder/authorization#roles-selection
Note, the external users should be part of this role and DAB should be able to validate the JWT token with the 3rd party authentication provider

[Madhan-Rommala]

Do you mean that, I need to add the external guest users to Azure AD in order to access DAB generated API's in secure way?

[abhishekkumams]

you can use an external identity provider. To learn more: https://learn.microsoft.com/en-us/azure/active-directory/external-identities/identity-providers