Azure Api Management – User Migration Tooling – Internal User

In Azure API Management users are managed in the Publisher Portal which will one day be deprecated. Till then we have the Azure Portal which is slowly being ported to allow us to manage groups, users and permissions. One element that is not as easy at it may seem. Is the migration of said users from one instance to another. Some API programs have up to 6 instances of API management, migrating test users and onboarded users to various boxes is tedious and doing so manually is not a consideration. 

Here are some things that are to be considered for our scenario:

a) Users are stored in an internal database and not in AAD. 

b) We will not use ARM templates to move the users over

c) We wish to use the underlying API from APIM to access users/groups and more in order to migrate new users and update certain elements as part of the CI/CD pipeline.

Let’s take a look at a solution.
  1. Get all users in the current zone
    1. API Call to : https://management.azure.com/subscriptions/{SubscriptionIDTarget}/resourceGroups/{RessourceGroupNameTarget}/providers/Microsoft.ApiManagement/service/{APIMInstanceNameTarget}/users?api-version=2017-03-01
  2. Get all users in the target zone
    1. API Call to : https://management.azure.com/subscriptions/{SubscriptionIDTarget}/resourceGroups/{RessourceGroupNameTarget}/providers/Microsoft.ApiManagement/service/{APIMInstanceNameTarget}/users?api-version=2017-03-01
  3. Compare and determine if the user is to be moved
    1. Use the Lists returned with 
      Intersect and Except to find out what is in both lists and what is not included
  4. Assign user to a group
    1. Get the users groups with https://management.azure.com/subscriptions/{SubscriptionID}/resourceGroups/{RessourceGroupName}/providers/Microsoft.ApiManagement/service/{APIMInstanceName}/users/{userID}/groups?api-version=2017-03-01
  5. Assign user to a subscription
    1. Use https://management.azure.com/subscriptions/{SubscriptionID}/resourceGroups/{RessourceGroupName}/providers/Microsoft.ApiManagement/service/{APIMInstanceName}/users/{userID}/subscriptions?api-version=2017-03-01
  6. Report on the interaction.
    1. Prepare a report.

This technique has demonstrated at many talks that I do and I have a full project for you if you wish. Let me know and I can send you the source if you would like to use it.

For the CI/CD Pipeline I use the release constructs to fire a unit test which contains the migration tooling. Great for test and dev zones.

Happy coding!