api-management-developer-portal
Support disabling developer portal
Please consider adding an option to completely disable the developer portal. For example, customers who have their own custom portal will not want to have a platform-provided portal accessible.
Currently there are some workarounds (see below), but it would be even better to have the option to not have the developer portal made available by the platform.
Workarounds
- For new API Management instances, the developer portal is not published by default. If a customer does not publish it themselves then it is effectively disabled. However, if a customer publishes it (intentionally or accidentally) there is no supported way to unpublish it.
- Customers can avoid mapping a DNS name to the developer portal hostname provided by the platform. This does not prevent someone from figuring it out, but it makes it much less likely they will do so.
- Customers can configure the developer portal with the following two settings, which together have the effect of making the developer portal unusable:
  - Disable sign-up by removing all identity types (this can be done in the Azure portal - choose the API Management instance, then click Identities and remove each identity type).
  - Force anonymous users to be directed to the sign-up page (this is done in the same part of the Azure portal).
We would like an easy way to un-publish/disable the Developer portal. This was flagged via a security audit.
Any updates?
No updates at the moment, but you can ask MS Support to turn it off.
@azaslonov Thanks for the MS support idea.
Is there any REST endpoint which will tell me whether Administrative Portal has been turned on? If there is one, then it would be very helpful to us in creating security Alerts.
@sdg002, unfortunately no, that's why we still rely on MS Support.
This seems to be dragging on for some time. We have also had a security audit done which has highlighted issues with the dev portal, so we just want to switch it off.
It doesn't seem like it's something that should be that difficult to implement?
@DavidDBD, it's not difficult to implement, it's just a matter of priorities. If this is urgent, feel free to either contact MS support or send your service name to [email protected], we'll disable it from our end.
I understand that it's a matter of priorities, but people have been asking for this since 2019. Quite a few of us are asking for it to be disabled because pen tests have flagged issues with it. I'd hope that would bump it up the list a bit :)
I've passed the email address on to my client, who will be requesting that it's disabled. Thanks for the help.