Azure
Escape's Azure integration discovers APIs managed by Azure API Management (APIM) across all subscriptions accessible by the configured service principal. Discovered APIs and their OpenAPI schemas are automatically imported as assets in Escape's ASM for continuous security testing.
Discovered Resources
- APIM APIs: REST API endpoints and their OpenAPI specifications from every API Management instance the service principal can reach.
How It Works
The integration authenticates as an Entra ID application (service principal) using a client-credentials flow, then:
- Lists all subscriptions the principal has access to.
- Discovers every Microsoft.ApiManagement/service resource via the Azure Resource Manager.
- Enumerates APIs within each APIM instance.
- Exports the OpenAPI schema for each API.
Setup
1. Register an Application in Entra ID
See Register an application with the Microsoft identity platform.
2. Assign Permissions
The service principal needs read-only access to subscriptions, resource groups, and API Management instances. Assign the following built-in roles at the scope that covers the subscriptions you want to scan (subscription or management group):
| Role | Purpose | Reference |
|---|---|---|
| Reader | List subscriptions and discover APIM resources via Azure Resource Manager | Reader role |
| API Management Service Reader | List APIs and export OpenAPI schemas from APIM instances | API Management Service Reader role |
To assign roles:
3. Configure in Escape
Enter the three values from step 1 in Escape's Azure integration page:
| Field | Value |
|---|---|
| Tenant ID | Directory (tenant) ID of your Entra ID tenant |
| Client ID | Application (client) ID of the registered app |
| Client Secret | Secret value created for the app |
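Before saving the integration, it is worth confirming that the principal sees exactly what Escape will import. The following added PowerShell script (not Escape's own code) replays the four discovery steps from How It Works with the Az module, using the tenant ID, client ID and client secret from step 1; `apim-openapi` as the output folder and the placeholder IDs are assumptions.

```powershell
# Added example, not part of Escape's integration: dry-run the discovery flow
# as the service principal so the role assignments from step 2 can be checked.
# Requires the Az PowerShell module (Az.Accounts, Az.Resources, Az.ApiManagement).
# <tenant-id> and <client-id> are placeholders for the values from step 1.

$TenantId     = '<tenant-id>'
$ClientId     = '<client-id>'
$ClientSecret = Read-Host -AsSecureString 'Client secret'   # never hard-code the secret

$cred = New-Object System.Management.Automation.PSCredential ($ClientId, $ClientSecret)
Connect-AzAccount -ServicePrincipal -Tenant $TenantId -Credential $cred | Out-Null

# Assumed output folder for the exported schemas.
$exportDir = Join-Path $PWD 'apim-openapi'
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# Step 1: every subscription the principal can see (Reader role).
foreach ($sub in Get-AzSubscription) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null

    # Step 2: APIM instances discovered through Azure Resource Manager.
    $apims = Get-AzResource -ResourceType 'Microsoft.ApiManagement/service'
    foreach ($apim in $apims) {
        $ctx = New-AzApiManagementContext -ResourceGroupName $apim.ResourceGroupName `
                                          -ServiceName $apim.Name

        # Step 3: APIs inside the instance (API Management Service Reader role).
        foreach ($api in Get-AzApiManagementApi -Context $ctx) {
            $out = Join-Path $exportDir "$($sub.Id)_$($apim.Name)_$($api.ApiId).json"

            # Step 4: export the OpenAPI definition, one JSON file per API.
            Export-AzApiManagementApi -Context $ctx -ApiId $api.ApiId `
                -SpecificationFormat OpenApiJson -SaveAs $out -Force | Out-Null
            Write-Host "$($sub.Name) / $($apim.Name) / $($api.Name) -> $out"
        }
    }
}
```

An access error at any step points at the role missing for that step: subscriptions or APIM instances not listed means Reader is not assigned at a scope covering them, while listing works but API enumeration or export fails means API Management Service Reader is missing.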
Internal Networks
If your APIM instances are deployed in a private virtual network, you may need to configure a Private Location and whitelist the required FQDNs.