How to Disable Trusted Service Connectivity in Azure API Management (CLI & PowerShell)

Azure is retiring trusted service connectivity in API Management, and this change directly affects how your gateway communicates with Azure services. Starting March 15, 2026, API Management will no longer allow implicit trusted access to services like Azure Storage, Key Vault, Service Bus, Event Hubs, and Container Registry. If your setup still depends on this, your API calls can fail without warning.


If you use Managed Identity with the gateway, you must disable over-privileged access before the deadline. This ensures your API Management instance continues to communicate securely with Azure services after the change.

This guide shows you exactly how to disable trusted service connectivity using Azure CLI and PowerShell without breaking your existing setup.

What Happens When You Disable Trusted Connectivity in APIM

Azure added a custom property that controls this behavior:

Microsoft.WindowsAzure.ApiManagement.Gateway.ManagedIdentity.DisableOverPrivilegedAccess

When you set it to "True", your API Management gateway stops using trusted service connectivity and switches to a more secure model.

Important Before You Start

You must follow this carefully to avoid issues:

  • Always fetch existing customProperties first
  • Always send all existing properties in the update
  • Never update only one key directly
  • Use "True" as a string value (not boolean)

If you skip existing properties, Azure may remove them during the update.

Method 1: Disable Using Azure CLI (Recommended)

Avoid az apim update --set because it fails with dotted property names. Use az rest instead.

Step 1: Get Current APIM Configuration

SUBSCRIPTION_ID="<your-subscription-id>"
RESOURCE_GROUP="rg-x-01"
APIM_NAME="apim-x"

RESOURCE_ID="/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.ApiManagement/service/$APIM_NAME"

az rest \
  --method get \
  --uri "https://management.azure.com$RESOURCE_ID?api-version=2025-03-01-preview"

Copy the existing customProperties from the response.

Step 2: Update the Property

az rest \
  --method patch \
  --uri "https://management.azure.com$RESOURCE_ID?api-version=2025-03-01-preview" \
  --body '{
    "properties": {
      "customProperties": {
        "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10": "False",
        "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11": "False",
        "Microsoft.WindowsAzure.ApiManagement.Gateway.ManagedIdentity.DisableOverPrivilegedAccess": "True"
      }
    }
  }'

Replace the TLS entries with your actual existing properties.

Method 2: Disable Using PowerShell

PowerShell gives you better control when handling JSON objects.

Step 1: Fetch Current Configuration

$subscriptionId = "<your-subscription-id>"
$resourceGroup = "rg-x-01"
$apimName = "apim-x"

$resourceId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.ApiManagement/service/$apimName"
$apiVersion = "2025-03-01-preview"

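# Use ${resourceId}: in "$resourceId?api..." PowerShell treats "?" as part of the variable name
$current = Invoke-AzRestMethod -Method GET -Path "${resourceId}?api-version=$apiVersion"
# -Depth on ConvertFrom-Json requires PowerShell 6.2 or later
$apim = $current.Content | ConvertFrom-Json -Depth 100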

Step 2: Update the Property

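# ConvertFrom-Json returns PSCustomObject, so a key that does not exist yet must be added with Add-Member
if (-not $apim.properties.customProperties) {
    $apim.properties | Add-Member -NotePropertyName customProperties -NotePropertyValue ([pscustomobject]@{}) -Force
}

$flag = 'Microsoft.WindowsAzure.ApiManagement.Gateway.ManagedIdentity.DisableOverPrivilegedAccess'
# -Force overwrites the value if the key is already present; "True" stays a string
$apim.properties.customProperties | Add-Member -NotePropertyName $flag -NotePropertyValue "True" -Force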

Step 3: Send PATCH Request

$body = @{
    properties = @{
        customProperties = $apim.properties.customProperties
    }
} | ConvertTo-Json -Depth 100

# ${resourceId} keeps "?" out of the variable name (see Step 1)
Invoke-AzRestMethod -Method PATCH -Path "${resourceId}?api-version=$apiVersion" -Payload $body

Why Azure CLI Fails When Updating APIM Custom Properties

This command fails:

--set customProperties.Microsoft.WindowsAzure.ApiManagement...

Because:

  • CLI treats dots (.) as nested objects
  • Your property is actually a single key string
  • CLI tries to find customProperties.Microsoft as a path, not a key

That’s why you see:

Couldn't find 'Microsoft' in 'customProperties'

How to Verify It Worked

Run this command:

az rest \
  --method get \
  --uri "https://management.azure.com$RESOURCE_ID?api-version=2025-03-01-preview"

Check:

"Microsoft.WindowsAzure.ApiManagement.Gateway.ManagedIdentity.DisableOverPrivilegedAccess": "True"

Common Mistakes to Avoid

Before applying this change, review these pitfalls:

  • Do not use az apim update --set
  • Do not send partial customProperties
  • Do not use boolean true instead of "True"
  • Do not skip verification
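
The CLI method leaves the merge and the verification to manual copying, which is where partial customProperties and skipped checks come from. The following is an added example, not part of the original guide or of any Azure tooling: it builds the PATCH body from a saved GET response and compares GET responses taken before and after the update. The names build_patch_body, verify and SAMPLE_GET are assumptions made for this example, and the sample response is constructed.

```python
import json
import sys

FLAG = ("Microsoft.WindowsAzure.ApiManagement.Gateway."
        "ManagedIdentity.DisableOverPrivilegedAccess")

# Constructed sample of a GET response, trimmed to the relevant fields.
SAMPLE_GET = {"properties": {"customProperties": {
    "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls10": "False",
    "Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Protocols.Tls11": "False",
}}}


def custom_properties(response: dict) -> dict:
    """Return customProperties from a GET response, or {} when absent or null."""
    return (response.get("properties") or {}).get("customProperties") or {}


def build_patch_body(get_response: dict) -> dict:
    """PATCH body carrying every existing custom property plus the flag as a string."""
    merged = dict(custom_properties(get_response))
    merged[FLAG] = "True"
    return {"properties": {"customProperties": merged}}


def verify(before: dict, after: dict) -> list:
    """Compare GET responses from before and after the PATCH; list any problems."""
    old, new = custom_properties(before), custom_properties(after)
    problems = []
    if new.get(FLAG) != "True":
        problems.append(f"flag is {new.get(FLAG)!r}, expected the string 'True'")
    for key, value in old.items():
        if key == FLAG:
            continue
        if key not in new:
            problems.append(f"dropped by the update: {key}")
        elif new[key] != value:
            problems.append(f"changed by the update: {key}")
    return problems


if __name__ == "__main__":
    # Reads the saved GET response on stdin, writes the PATCH body to stdout.
    json.dump(build_patch_body(json.load(sys.stdin)), sys.stdout, indent=2)
```

Pipe the Step 1 az rest output into the script, save the result as body.json, and pass it to the Step 2 PATCH with --body @body.json. Keep the original GET response so verify can compare it with the one fetched after the update.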

What Happens After Disabling

Once you disable trusted connectivity:

  • API Management no longer uses implicit Azure trust
  • You must rely on proper network configuration (Private Endpoints, VNet, firewall rules)
  • Security improves, but misconfiguration can break access

Follow this guide step by step, preserve your existing settings, and verify the update after applying it. That ensures a smooth transition without downtime.
