Skip to content
Kong Docs are moving soon! Our docs are migrating to a new home. You'll be automatically redirected to the new site in the future. In the meantime, view this page on the new site!
Kong Logo | Kong Docs Logo
  • Docs
    • Explore the API Specs
      View all API Specs View all API Specs View all API Specs arrow image
    • Documentation
      API Specs
      Kong Gateway
      Lightweight, fast, and flexible cloud-native API gateway
      Kong Konnect
      Single platform for SaaS end-to-end connectivity
      Kong AI Gateway
      Multi-LLM AI Gateway for GenAI infrastructure
      Kong Mesh
      Enterprise service mesh based on Kuma and Envoy
      decK
      Helps manage Kong’s configuration in a declarative fashion
      Kong Ingress Controller
      Works inside a Kubernetes cluster and configures Kong to proxy traffic
      Kong Gateway Operator
      Manage your Kong deployments on Kubernetes using YAML Manifests
      Insomnia
      Collaborative API development platform
  • Plugin Hub
    • Explore the Plugin Hub
      View all plugins View all plugins View all plugins arrow image
    • Functionality View all View all arrow image
      View all plugins
      AI's icon
      AI
      Govern, secure, and control AI traffic with multi-LLM AI Gateway plugins
      Authentication's icon
      Authentication
      Protect your services with an authentication layer
      Security's icon
      Security
      Protect your services with additional security layer
      Traffic Control's icon
      Traffic Control
      Manage, throttle and restrict inbound and outbound API traffic
      Serverless's icon
      Serverless
      Invoke serverless functions in combination with other plugins
      Analytics & Monitoring's icon
      Analytics & Monitoring
      Visualize, inspect and monitor APIs and microservices traffic
      Transformations's icon
      Transformations
      Transform request and responses on the fly on Kong
      Logging's icon
      Logging
      Log request and response data using the best transport for your infrastructure
  • Support
  • Community
  • Kong Academy
Get a Demo Start Free Trial
Kong Konnect
  • Home icon
  • Kong Konnect
  • Dev Portal
  • Applications
  • Dynamic Client Registration
  • Azure
github-edit-pageEdit this page
report-issueReport an issue
  • Kong Gateway
  • Kong Konnect
  • Kong Mesh
  • Kong AI Gateway
  • Plugin Hub
  • decK
  • Kong Ingress Controller
  • Kong Gateway Operator
  • Insomnia
  • Kuma

  • Docs contribution guidelines
  • Introduction
    • Overview of Konnect
    • Architecture
    • Network Resiliency and Availability
    • Port and Network Requirements
    • Private Connections to Other Cloud Providers
      • Create a private connection with AWS PrivateLink
    • Geographic Regions
    • Centralized consumer management
    • Compatibility
    • Stages of Software Availability
    • Release Notes
    • Support
      • Control Plane Upgrades FAQ
      • Supported Installation Options
  • Get Started
    • Overview
    • Add your API
    • Migrating a Self-Managed Kong Gateway into Konnect
  • Gateway Manager
    • Overview
    • Dedicated Cloud Gateways
      • Overview
      • Provision a Dedicated Cloud Gateway
      • Securing Backend Traffic
      • Transit Gateways
      • Azure VNET Peering
      • Custom Domains
      • Custom Plugins
      • Data plane logs
    • Serverless Gateways
      • Overview
      • Provision a serverless Gateway
      • Securing Backend Traffic
      • Custom Domains
    • Data Plane Nodes
      • Installation Options
      • Upgrade a Data Plane Node
      • Verify a Data Plane Node
      • Secure Control Plane/Data Plane Communications
      • Renew Data Plane Certificates
      • Parameter Reference
      • Using Custom DP Labels
    • Control Plane Groups
      • Overview
      • Working with Control Plane Groups
      • Migrate Configuration into Control Plane Groups
      • Conflicts in Control Planes
    • Kong Gateway Configuration in Konnect
      • Overview
      • Manage Plugins
        • Overview
        • Adding Custom Plugins
        • Updating Custom Plugins
        • How to Create Custom Plugins
      • Create Consumer Groups
      • Secrets Management
        • Overview
        • Konnect Config Store
        • Set Up and Use a Vault in Konnect
      • Manage Control Plane Configuration with decK
    • Active Tracing
      • Overview
    • KIC Association
    • Backup and Restore
    • Version Compatibility
    • Troubleshooting
  • Mesh Manager
    • Overview
    • Create a mesh with the Kubernetes demo app
    • Federate a zone control plane to Konnect
    • Migrate a self-managed zone control plane to Konnect
  • Service Catalog
    • Overview
    • Integrations
      • Overview
      • Datadog
      • GitHub
      • GitLab
      • PagerDuty
      • SwaggerHub
      • Traceable
      • Slack
    • Scorecards
  • API Products
    • Overview
    • Product Documentation
    • Productize a Service
  • Dev Portal
    • Overview
    • Dev Portal Configuration Preparation
    • Create a Dev Portal
    • Sign Up for a Dev Portal Account
    • Publish an API to Dev Portal
    • Access and Approval
      • Manage Developer Access
      • Manage Developer Team Access
      • Add Developer Teams from IdPs
      • Manage Application Registrations
      • Configure generic SSO for Dev Portal
      • Configure Okta SSO for Dev Portal
    • Application Lifecycle
    • Register and create an application as a developer
    • Enable and Disable App Registration for API Product Versions
    • Dynamic Client Registration
      • Overview
      • Okta
      • Curity
      • Auth0
      • Azure
      • Custom IdP
    • Portal Management API Automation Guide
    • Audit Logging
      • Overview
      • Set up an Audit Log Webhook
      • Set up an Audit Log Replay Job
    • Portal Customization
      • Overview
      • About Self-Hosted Dev Portal
      • Host your Dev Portal with Netlify
      • Custom Domains
    • Dev Portal SDK
    • Troubleshoot
  • Advanced Analytics
    • Overview
    • Dashboard
    • Explorer
    • Analyze API Usage and Performance with Reports
    • Requests
  • Org Management
    • Plans and Billing
    • Authentication and Authorization
      • Overview
      • Teams
        • Overview
        • Manage Teams
        • Teams Reference
        • Roles Reference
      • Manage Users
      • Manage System Accounts
      • Personal Access Tokens
      • Social Identity Login
      • Org Switcher
      • Configure Generic SSO
      • Configure Okta SSO
      • Login Sessions Reference
      • Troubleshoot
    • Audit Logging
      • Overview
      • Set up an Audit Log Webhook
      • Set up an Audit Log Replay Job
    • Account and Org Deactivation
  • API
    • Overview
    • API Request API (Beta)
      • API Spec
    • API Products API
      • API Spec
    • Audit Logs API
      • API Spec
      • Audit Log Webhooks
    • Control Plane API
      • API Spec
    • Control Plane Configuration API
      • API Spec
    • Cloud Gateways API
      • API Spec
    • Identity API
      • API Spec
      • Identity Integration Guide
      • SSO Customization
    • Konnect Search API (Beta)
      • API Spec
    • Mesh Manager API
      • API Spec
      • Kong Mesh API Reference
    • Portal Client API
      • API Spec
    • Portal Management API
      • API Spec
    • Reference
      • Filtering
      • API Errors
  • Reference
    • Labels
    • Plugin Ordering Reference
    • Konnect Search
    • Terraform Provider
    • Audit Logs
    • Verify audit log signatures
    • IdP SAML attribute mapping
enterprise-switcher-icon Switch to OSS
On this pageOn this page
  • Prerequisites
  • Configure Azure
  • Configure the Dev Portal
  • Create an application with DCR
  • Make a successful request
Looking for the new Developer Portal beta docs? Try the beta now.

Configuring Azure for Dynamic Client Registration

Prerequisites

  • Enterprise Konnect account.
  • An Azure AD account.

Note: Dynamic client registration supports Azure OAuth v1 token endpoints only. v2 is not supported.

Configure Azure

In Azure, create the main application:

  1. In Azure Active Directory, click App registrations and then click New registration.

  2. Enter a name for the application.
  3. Ensure Accounts in this organizational directory only is selected for Supported account types.

  4. Click Register.

  5. On the application view, go to API permissions, click Add permissions > Microsoft Graph and select the following:
    • Application.Read.All
    • Application.ReadWrite.All
    • Application.ReadWrite.OwnedBy
    • User.Read
  6. Once added, click Grant admin consent. An administrator with Global Admin rights is required for this step.

  7. Select Certificates & secrets and then create a client secret and save it in a secure location. You can only view the secret once.

  8. On the Overview view, note your Directory (tenant) ID and Application (client) ID.

Configure the Dev Portal

Konnect UI
API

Once you have Azure configured, you can set up the Dev Portal to use Azure for Dynamic Client Registration (DCR). This process involves two steps: creating the DCR provider and establishing the authentication strategy. DCR providers are designed to be reusable configurations. This means once you’ve configured the Azure DCR provider, it can be used across multiple authentication strategies without needing to be set up again.

  1. Log in to Konnect and select the Dev Portal dev-portal icon from the menu.

  2. Go to Application Auth to find the authentication settings for your API products.

  3. Open the DCR Providers to review existing DCR Providers.

  4. Select New DCR Provider button to create an Azure configuration. Enter a name for internal reference in Konnect. This name, along with the provider type, will remain internal and not be visible to developers on the Dev Portal.

  5. Provide the Issuer URL for your Azure tenant, using the format https://sts.windows.net/YOUR_TENANT_ID.

  6. For Provider Type, select AzureAD.

  7. Enter your Application (Client) ID from Azure into the Initial Client ID field and the Azure admin application’s client secret into the Initial Client Secret field. The Initial Client Secret will be stored in isolated, encrypted storage and will not be readable through any Konnect API.

  8. After saving, your new DCR Provider will appear in the list.

  9. Click the Auth Strategy tab, then select New Auth Strategy to create an auth strategy that uses the DCR Provider you just added.

  10. Name it for internal reference in Konnect and provide a display name for visibility in the Portal. Select DCR as the Auth Type and choose your newly created DCR provider from the dropdown. The Issuer URL entered earlier will be will be prepopulated.

  11. In the Credential Claims field, enter appid.

  12. Select the relevant Auth Methods you need (client_credentials, bearer, session), and save.

  1. Start by creating the DCR provider. Send a POST request to the dcr-providers endpoint with your DCR configuration details:
    curl --request POST \
    --url https://us.api.konghq.com/v2/dcr-providers \
    --header 'Authorization: $KPAT' \
    --header 'content-type: application/json' \
    --data '{
    "name": "Azure DCR Provider",
    "provider_type": "Azure",
    "issuer": "https://sts.windows.net/YOUR_TENANT_ID",
    "dcr_config": {
       "initial_client_id": "abc123",
       "initial_client_secret": "abc123xyz098!",
       "initial_client_audience": "https://my-custom-domain.com/api/v2/"
    }
    }'
    

    You will receive a response that includes a dcr_provider object similar to the following:

    {
       "created_at": "2024-02-29T23:38:00.861Z",
       "updated_at": "2024-02-29T23:38:00.861Z",
       "id": "93f8380e-7798-4566-99e3-2edf2b57d289",
       "name": "Azure DCR Provider",
       "provider_type": "Azure",
       "issuer": "https://sts.windows.net/YOUR_TENANT_ID",
       "dcr_config": {
          "initial_client_id": "abc123",
          "initial_client_audience": "https://my-custom-domain.com/api/v2/"
       },
       "active": false
    }
    
    

    Save the id value for creating the authentication strategy.

  2. With the dcr_id obtained from the first step, create an authentication strategy. Send a POST request to the create-auth-strategies endpoint describing an authentication strategy:

       curl --request POST \
       --url https://us.api.konghq.com/v2/application-auth-strategies \
       --header 'Authorization: $KPAT' \
       --header 'content-type: application/json' \
       --data '{
       "name": "Azure Auth",
       "display_name": "Azure Auth",
       "strategy_type": "openid_connect",
       "configs": {
          "openid-connect": {
             "issuer": "https://sts.windows.net/YOUR_TENANT_ID",
             "credential_claim": [
             "client_id"
             ],
             "scopes": [
             "openid",
             "email"
             ],
             "auth_methods": [
             "client_credentials",
             "bearer"
             ]
          }
       },
       "dcr_provider_id": "93f8380e-7798-4566-99e3-2edf2b57d289"
       }
    

Create an application with DCR

From the My Apps page in the Dev Portal, follow these instructions:

  1. Click the New App button.

  2. Fill out the Create New Application form with your application name, authentication strategy, and description.

  3. Click Create to save your application.

  4. After your application has been created, you will see the Client ID and Client Secret. Store these values, they will only be shown once.

  5. Click Proceed to continue to the application’s details page.

Once your application is created, you will see it in Azure. From your Azure homepage select App registrations > All applications. You will see your application that was created in the Dev Portal.

Make a successful request

In the previous steps, you obtained the Client ID and Client Secret. To authorize the request, you must attach this client secret pair in the header. You can do this by using any API product, such as Insomnia, or directly using the command line:

curl example.com/REGISTERED_ROUTE -H "Authorization: Basic CLIENT_ID:CLIENT_SECRET"

Where example.com is the address of the data plane node.

You can also request a bearer token from Azure using this command, using an OAuth2 v1 token endpoint:

curl --request GET \
  --url https://login.microsoftonline.com/TENANT_ID/oauth2/token \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data grant_type=client_credentials \
  --data client_id=CLIENT_ID \
  --data 'scope=https://graph.microsoft.com/.default' \
  --data 'client_secret=CLIENT_SECRET'
Thank you for your feedback.
Was this page useful?
Too much on your plate? close cta icon
More features, less infrastructure with Kong Konnect. 1M requests per month for free.
Try it for Free
  • Kong
    Powering the API world

    Increase developer productivity, security, and performance at scale with the unified platform for API management, service mesh, and ingress controller.

    • Products
      • Kong Konnect
      • Kong Gateway Enterprise
      • Kong Gateway
      • Kong Mesh
      • Kong Ingress Controller
      • Kong Insomnia
      • Product Updates
      • Get Started
    • Documentation
      • Kong Konnect Docs
      • Kong Gateway Docs
      • Kong Mesh Docs
      • Kong Insomnia Docs
      • Kong Konnect Plugin Hub
    • Open Source
      • Kong Gateway
      • Kuma
      • Insomnia
      • Kong Community
    • Company
      • About Kong
      • Customers
      • Careers
      • Press
      • Events
      • Contact
  • Terms• Privacy• Trust and Compliance
© Kong Inc. 2025