Share via

APIM Develop Portal - 400 "User Registration Not Supported" on POST /developer/users after Entra authentication, only in one environment

Alon Fischer 0 Reputation points
2026-05-04T17:15:37.65+00:00

Issue:

We have multiple Azure API Management Instances across environments (dev, qa, uat, prod). All instances are deployed using the same Azure Devops pipeline, and we have confirmed that the configurations match between environments. In all environments, new users authenticate via Microsoft Entra ID on the developer portal, are directed to a "complete sign up" page, and upon submitting, the portal calls:
POST https://{apim-name}.developer.azure-api.net/developer/users?api-version=2022-04-01-preview
This returns 200 and creates the user successfully in DEV, QA, and PROD. In UAT, the identical flow returns HTTP 400 - "User Registration Not Supported".

What we have already ruled out:

  • Entra app registration - UAT is sharing the same Azure AD app registration as another APIM which does have it working, so the issue does not appear to be on the Entra side.
  • portalsettings/signup - both UAT and a working environment return enabled:false. We also tried setting it to true in UAT with no change in behavior
  • APIM Tier - both UAT and DEV are on Developer (No SLA), with the DEV environment working
  • Identity provider credentials - Confirmed the clientId and clientSecret are valid in the UAT instance

Question:

Beyond the signup setting and identity provider credentials, what controls whether POST /developer/users can create users after external identity provider authentication on the developer portal? What else should we be comparing between our working and broken APIM instances?

Azure API Management
Azure API Management

An Azure service that provides a hybrid, multi-cloud management platform for APIs.

0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Rakesh Mishra 8,420 Reputation points Microsoft External Staff Moderator
    2026-05-04T18:32:13.7266667+00:00

    Hi Alon, thanks for the detailed breakdown, you've already ruled out the most common culprits. Here are the specific things to check that go beyond portalsettings/signup and identity provider credentials:

    1. Check portalsettings/delegation
      This is separate from portalsettings/signup and is the most overlooked cause of "User Registration Not Supported." APIM has a delegation settings block under portalsettings/delegation with a userRegistration.enabled property. If this is set to true in UAT (perhaps from a past pipeline experiment or manual test), APIM will try to forward user registration to an external delegation URL. If that URL is absent, broken, or not reachable in UAT, the portal surfaces exactly this 400 error. Compare the delegation settings across environments via REST or CLI: 
         az rest --method GET \
     --url "https://management.azure.com/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.ApiManagement/service/{apim}/portalsettings/delegation?api-version=2024-05-01"
      You're looking for: 
         {
     "properties": {
       "userRegistration": { "enabled": false },
       "subscriptions": { "enabled": false },
       "url": null
     }
   }
      If UAT has userRegistration.enabled: true and/or a stale URL, that's your issue. Set it to false (or fix the delegation endpoint) and republish the portal.
    2. Verify the Entra ID identity provider is actually saved and active in UAT
      Even though credentials are valid, confirm the identity provider is in a healthy state in UAT specifically: 
         az rest --method GET \
     --url "https://management.azure.com/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.ApiManagement/service/{apim}/identityProviders/aad?api-version=2024-05-01"
      Cross-check the response with a working environment. Pay attention to the clientId, signinTenant, and allowedTenants fields - a mismatched tenant domain (e.g., an unverified domain vs. the .onmicrosoft.com canonical name) can break user creation even if authentication succeeds.
    3. Confirm MSAL migration was applied to UAT
      If you use Microsoft Entra ID identity providers, you need to update the identity provider configuration to use the Microsoft Authentication Library (MSAL), following the September 2025 breaking change. If your pipeline deployed the UAT identity provider config before that migration was applied, UAT may still be on the old ADAL client library while your other environments were updated. In the portal, go to Developer portal → Identities → your Entra ID provider and check that the Client library field is set to MSAL, not ADAL.
    4. Republish the developer portal after any configuration change
      After you configure an identity provider (for example, Microsoft Entra ID), you need to republish the portal for the changes to take effect. Most configuration changes (for example, VNet, sign-in, product terms) require republishing the portal. This applies even to pipeline-deployed config - if the portal content was last published before the identity provider config was pushed, the portal is still serving stale behavior.
    5. Verify the Redirect URI in the shared app registration
      Since UAT shares an app registration with another APIM instance, confirm that the UAT developer portal's callback URL is registered under Authentication → Redirect URIs in the Entra app:
      https://{uat-apim-name}.developer.azure-api.net/signin-aad
      If it's missing (and only the other instance's URL is registered), authentication will succeed but the subsequent user-creation call can fail depending on how the token is validated server-side.

    Please check above and let me know in comments if it works or any other issues.

    Note: This response was drafted with the help of AI system.

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.