I would like to deploy Azure OpenAI as a web app, and use APIM to enforce quota limits for users based on their UPNs. How should this be implemented?

Additionally, is it possible to set token quotas for Azure OpenAI usage under a specific Azure account? When deploying Azure OpenAI as part of an application, besides custom code development, can I directly configure certain parameters in Azure to achieve user token quota restrictions?
Azure API Management
-
Jerald Felix • 4,450 Reputation points
2025-07-30T03:39:08.3566667+00:00
Hi 凯旋 李,
Great question! Here’s how you can deploy Azure OpenAI as a web app and enforce user-based quota limits using Azure API Management (APIM):
1. Expose the Web App through APIM: Publish your Azure OpenAI web app endpoint as an API in Azure API Management.
2. User Identification via UPN: Require authentication (such as Azure AD) so each user’s UPN (User Principal Name) becomes available in headers or as a claim.
3. Apply Quota Policies: In your API Management policy, use the `<quota>` policy within the `<inbound>` section. You can key quotas by UPN for personalized limits, for example:
```xml
<quota-by-key calls="1000" renewal-period="3600" counter-key="@(context.Principal.Identity.Name)" />
```
This limits each user (by UPN) to a set number of calls per period.
4. Token Quotas in Azure OpenAI: Azure OpenAI does not natively support per-user token quota settings, but you can enforce token limits at the API layer with custom policies or code (by tracking token usage per user and rejecting requests that exceed limits).
5. Automation and Monitoring: Use Azure Monitor and APIM analytics to track quota consumption and alert users.
In summary, leverage APIM for request-based quotas by UPN, and track token usage with custom code in your app or via API policies.
Best regards,
Jerald Felix
-
凯旋 李 • 0 Reputation points
2025-07-30T07:30:38.94+00:00
If I want to target specific users, how should I set it up? For example, I want A to use 1000 and B to use 2000.
-
Jerald Felix • 4,450 Reputation points
2025-07-30T07:35:38.58+00:00
Hello 凯旋 李,
To set up different quota limits for specific users (for example, user A can use 1000 calls and user B can use 2000 calls), you should use Azure API Management (APIM) policies with a combination of conditional logic and the `<quota>` policy. Here’s a practical approach:
1. Expose the Azure OpenAI web app through APIM as an API.
2. Authenticate users—typically with Azure AD. This ensures you have the user's UPN available in the incoming request.
3. Apply user-specific quotas with policy logic. In the APIM policy for the API, you can add conditional logic in the `<inbound>` section to check the user's UPN and assign different quota limits. Here’s an example in policy XML:
```xml
<inbound>
    <choose>
        <when condition="@(context.Principal.Identity.Name == "******@yourdomain.com")">
            <quota-by-key calls="1000" renewal-period="3600" counter-key="@(context.Principal.Identity.Name)" />
        </when>
        <when condition="@(context.Principal.Identity.Name == "******@yourdomain.com")">
            <quota-by-key calls="2000" renewal-period="3600" counter-key="@(context.Principal.Identity.Name)" />
        </when>
        <otherwise>
            <quota-by-key calls="500" renewal-period="3600" counter-key="@(context.Principal.Identity.Name)" />
        </otherwise>
    </choose>
</inbound>
```
Replace "******@yourdomain.com" and "******@yourdomain.com" with the actual UPNs.
Token quotas: Azure OpenAI does not natively support per-user token quotas, so if you need to track and enforce token-based limits (rather than just request counts), you’ll need to implement this logic yourself—either in your web app’s code or with a combination of APIM usage logging, Azure Monitor, and custom business rules.
Best Regards,
Jerald Felix
-
凯旋 李 • 0 Reputation points
2025-07-30T08:46:38.12+00:00
Error in element 'choose' on line 5, column 6: 'IProxyRequestContext' does not contain a definition for 'Principal' and no extension method 'Principal' accepting a first argument of type 'IProxyRequestContext' could be found (are you missing a using directive or an assembly reference?)
-
Krishna Chowdary Paricharla • 2,080 Reputation points • Microsoft External Staff • Moderator
2025-07-31T05:46:55.4133333+00:00
Hello 凯旋 李,
The error you are seeing means that `context.Principal` is not available in that APIM context — most likely because authentication is not properly configured, or the policy is being applied before the user is authenticated.
- `context.Principal` is not supported — use `context.Request.Claims` instead.
- The JWT token must include the `upn` claim, which is only accessible after successful validation with `<validate-jwt>`.
- Without validating the token, user identity info is not available in APIM.
- Enable Azure AD authentication using the `<validate-jwt>` policy in the APIM inbound section.
- Extract the UPN from the JWT token using:
```xml
<set-variable name="userUpn" value="@(context.Request.Claims.GetValueOrDefault("upn"))" />
```
- Apply conditional quotas using the `<choose>` block and match `userUpn` against specific users:
```xml
<when condition="@(context.Variables["userUpn"] == "******@domain.com")">
```
-
凯旋 李 • 0 Reputation points
2025-07-31T08:13:25.45+00:00
Could you please send me the complete strategy, thanks
-
Krishna Chowdary Paricharla • 2,080 Reputation points • Microsoft External Staff • Moderator
2025-07-31T09:23:58.89+00:00
Hello 凯旋 李,
1. Enable Authentication in APIM
Use Azure AD to authenticate users and get their UPN in JWT claims:
- Go to your Azure API Management instance.
- Under APIs > Settings, configure OAuth 2.0 / Azure Active Directory for inbound requests.
- Register an app in Azure AD:
  1. Assign a client ID.
  2. Set redirect URI and audience.
  3. Give required API permissions.
2. Add Policy in APIM to Validate JWT and Extract UPN
Use this full `<inbound>` policy in your API Management to validate the user and enforce quotas:
```xml
<inbound
```
Replace:
- `{your-tenant-id}` with your Azure AD tenant ID
- `{your-client-id}` with the client ID of your registered Azure AD app
- `******@yourdomain.com`, etc., with actual users’ UPNs
3. Monitor Usage
Use Azure Monitor and APIM Analytics to:
- Track usage per user (via UPN)
- Set alerts when usage is near limits
- Export data to Log Analytics
4. Enforce Token Quotas (Advanced)
If you want to limit tokens instead of requests:
- Parse prompt/response sizes in a custom backend or Azure Function
- Track token usage in Cosmos DB or Redis
- Deny requests that exceed per-user token limits
APIM doesn’t support token counting natively, so this requires custom logic.
For your reference, please follow the below documentation:
API in Azure API Management using OAuth 2.0 authorization with Microsoft Entra ID
JWT Authentication and authorization
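The following policy document is an added, worked example of steps 1 and 2 above (validate the token, extract the UPN, apply per-user quotas); it is not code posted in this thread and not a Microsoft sample. `{tenant-id}` and `{client-id}` are placeholders for your tenant and app registration, `user-a@yourdomain.com` and `user-b@yourdomain.com` stand in for the real UPNs, and the variable names `jwt` and `userUpn` are arbitrary choices. It reads the claim from the token object that `validate-jwt` stores via `output-token-variable-name`, so the counter key can only ever come from a token that already passed signature, audience and issuer checks.

```xml
<policies>
    <inbound>
        <base />
        <!-- Reject any request that does not carry a valid Entra ID (Azure AD) bearer token.
             {tenant-id} / {client-id} are placeholders for your tenant and app registration. -->
        <validate-jwt header-name="Authorization"
                      require-scheme="Bearer"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized: a valid bearer token is required."
                      output-token-variable-name="jwt">
            <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
            <audiences>
                <audience>{client-id}</audience>
            </audiences>
            <issuers>
                <issuer>https://login.microsoftonline.com/{tenant-id}/v2.0</issuer>
            </issuers>
        </validate-jwt>
        <!-- Take the identity from the validated token only, never from a client-supplied header:
             otherwise a caller could name another user's UPN and drain that user's quota.
             v2.0 tokens carry preferred_username by default and upn only as an optional claim,
             so both are tried; the value is lower-cased so the match below is case-insensitive. -->
        <set-variable name="userUpn" value="@{
            var jwt = (Jwt)context.Variables["jwt"];
            var upn = jwt.Claims.GetValueOrDefault("upn", "");
            if (string.IsNullOrEmpty(upn)) { upn = jwt.Claims.GetValueOrDefault("preferred_username", ""); }
            return upn.ToLowerInvariant();
        }" />
        <choose>
            <!-- No usable identity claim: refuse instead of silently sharing one counter. -->
            <when condition="@(string.IsNullOrEmpty((string)context.Variables["userUpn"]))">
                <return-response>
                    <set-status code="403" reason="Forbidden" />
                    <set-body>Token carries neither a upn nor a preferred_username claim.</set-body>
                </return-response>
            </when>
            <!-- Per-user call quotas per 3600 s window; user-a / user-b are placeholder UPNs. -->
            <when condition="@((string)context.Variables["userUpn"] == "user-a@yourdomain.com")">
                <quota-by-key calls="1000" renewal-period="3600" counter-key="@((string)context.Variables["userUpn"])" />
            </when>
            <when condition="@((string)context.Variables["userUpn"] == "user-b@yourdomain.com")">
                <quota-by-key calls="2000" renewal-period="3600" counter-key="@((string)context.Variables["userUpn"])" />
            </when>
            <!-- Everyone else who authenticates gets the default allowance. -->
            <otherwise>
                <quota-by-key calls="500" renewal-period="3600" counter-key="@((string)context.Variables["userUpn"])" />
            </otherwise>
        </choose>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Two checks worth doing before blaming the policy for a 401: decode the token at jwt.ms and confirm that `aud` equals the `<audience>` value and that `iss` equals the `<issuer>` value exactly (an app registration that issues v1.0 tokens reports `https://sts.windows.net/{tenant-id}/` as the issuer, which this v2.0 configuration would reject), and confirm the request really sends `Authorization: Bearer <token>` rather than a subscription key alone. Note that `quota-by-key` counts calls, not tokens, so step 4 above still needs its own logic.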
-
凯旋 李 • 0 Reputation points
2025-08-01T06:22:33.93+00:00
-
Krishna Chowdary Paricharla • 2,080 Reputation points • Microsoft External Staff • Moderator
2025-08-04T18:03:12.56+00:00
Hello 凯旋 李,
The 401 Invalid JWT error likely comes from a misconfigured `validate-jwt` policy or OAuth setup.
Troubleshooting Steps
1. Check `validate-jwt` Policy:
- Use the correct tenant ID and client ID (audience).
- Ensure the policy includes:
```xml
<openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
<audiences><audience>{client-id}</audience></audiences>
```
2. Verify Token Contents:
Use https://jwt.ms to decode the token. Make sure it contains:
- Correct `aud` claim (must match client ID)
- `upn` claim (for user identification)
3. Review OAuth 2.0 Settings in APIM (`contoso`):
- Ensure authorization/token endpoints and client credentials match your Azure AD app.
- Use the correct
-
Krishna Chowdary Paricharla • 2,080 Reputation points • Microsoft External Staff • Moderator
2025-08-05T18:25:39.78+00:00
Hello 凯旋 李,
Just checking in to see if you've had a chance to review my previous response. Let me know if you have any additional questions
-
凯旋 李 • 0 Reputation points
2025-08-06T01:33:54.8233333+00:00
It's still 401
-
Krishna Chowdary Paricharla • 2,080 Reputation points • Microsoft External Staff • Moderator
2025-08-06T17:05:59.2966667+00:00
Hello 凯旋 李,
Could you please follow the below steps to resolve the 401 error:
1. Decode the Token at jwt.ms. Ensure the token has:
- `aud` claim that matches the `validate-jwt` audience
- `upn` claim, needed for the user quota logic
- Not expired
2. Verify `validate-jwt` Policy:
- Use the correct tenant ID and client ID
- URL must be: https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration
3. Ensure OAuth Is Attached to the Product:
- Go to Products > [Your Product] > Settings
- Set OAuth 2.0 = `contoso`
4. Check Authorization Header in Requests:
- Must include `Authorization: Bearer <token>`
5. Optional: Test in Postman or curl
- Use the token manually to verify the API call works
-
Krishna Chowdary Paricharla • 2,080 Reputation points • Microsoft External Staff • Moderator
2025-08-09T02:42:43.51+00:00
Hello 凯旋 李,
Just checking in to see if you've had a chance to review my previous response. Let me know if you have any additional questions
-
Krishna Chowdary Paricharla • 2,080 Reputation points • Microsoft External Staff • Moderator
2025-08-11T22:22:54.5333333+00:00
Hello 凯旋 李,
I wanted to follow up to see if you’ve had an opportunity to look over my earlier response. Please let me know if you have any further questions.