Unable to add Entra ID as authentication method on our Azure API Management

Hi Jaswinder,

I understand you're encountering the ajaxExtended call failed error when trying to enable Microsoft Entra ID authentication on your API Management developer portal. Based on Microsoft's official documentation, here's how to troubleshoot this issue:

Understanding the Automatic Setup Process

When you use Portal Overview > Enable Microsoft Entra ID, API Management automatically creates and configures a Microsoft Entra application and identity provider. The steps you mentioned (Register application, Enable tokens, Add permissions, Create client secret) all succeeded, but the final step "Add Azure Active Directory identity in API Management" failed.

Key Troubleshooting Steps

1. Verify Your User Account Permissions
   The most critical requirement is that YOUR user account (the person performing this operation) needs adequate permissions in Entra ID. To create app registrations and grant permissions, you need at least Cloud Application Administrator or Application Administrator role.
   • Go to Microsoft Entra ID > Roles and administrators
   • Verify your account has one of these roles:
     • Cloud Application Administrator (least privileged for this task)
     • Application Administrator
     • Global Administrator (if you have it)
2. Try Manual Configuration Instead
   Since the automatic flow is failing, try the manual approach:
   1. Navigate to your API Management instance > Developer portal > Identities > + Add
   2. Select Microsoft Entra ID from the dropdown and choose MSAL as the client library
   3. Save the Redirect URL provided
   4. In a new browser tab, create an app registration in Microsoft Entra ID with the redirect URI set to Single-page application (SPA)
   5. Generate a client secret and copy both the Application (client) ID and secret back to APIM
3. Clear Browser Cache and Try Again
   The "ajaxExtended call failed" error is often a generic Azure portal error. Try:
   • Clearing browser cache and cookies completely
   • Using an InPrivate/Incognito browser window
   • Trying a different browser entirely
4. Check Azure Activity Log
   Review the Azure Activity Log for failed write operations on Microsoft.ApiManagement/service/identityProviders to get more specific error details:
   1. Go to your API Management instance
   2. Select Activity log
   3. Filter to the timeframe when you saw the error
   4. Look for operations related to "identityProviders" with "Failed" status
   5. Click on the failed operation to see detailed error messages
5. Verify Required Permissions for the App Registration
   If you're doing manual setup, ensure the app registration has these permissions (these are for the app registration itself, not for APIM): Add the following minimum application permissions for Microsoft Graph API:
   • User.Read.All (for reading user's group membership)
   • Grant admin consent for these permissions
6. Network and Connectivity Issues
   If your APIM is in a virtual network, ensure it can reach the required Microsoft Graph endpoints. For troubleshooting guidance, refer to Troubleshoot network connectivity to Microsoft Graph from inside a VNet.

Additional Information Needed

To better diagnose your specific issue, could you provide:

1. What role does your user account have in the Entra ID tenant?
2. Is your APIM instance in a virtual network (VNet)?
3. Can you share the correlation ID and timestamp from the Activity Log for this specific error?
4. Are you using the same tenant for both APIM and Entra ID, or different tenants?

Important Clarification

Note: The automated setup process should handle all app registration and permissions automatically. You do NOT need to manually assign directory roles to the API Management service principal itself. The requirements are about your user account permissions and the app registration that gets created.

Alternative Approach

If the portal continues to fail, you can use Azure PowerShell or ARM templates to configure the identity provider programmatically, which may provide more detailed error messages.

Reference Documentation

• Authorize access to API Management developer portal by using Microsoft Entra ID

Please try these steps and let me know the results, particularly any specific error messages from the Activity Log.

Note: This response is drafted with the help of AI systems.

Hi @Jaswinder Puri (A) , following up to see if you had a chance to check the above response by Rakesh and if it was helpful. Please let us know if you have any questions.

I verified that the permissions are good. Getting this error. Can you please help me in resolving this.

ajaxExtended call failed<br/><br/>Correlation ID: cf766a52-9d57-46ca-a982-9513cef63f07