We are integrating our application with a third party and the agreement is to use mTLS. From my understanding, we can configure our APIM to load the third party's certificates so then when they are calling our API, which is behind APIM, their request will be verified/authenticated (although I'm not sure about this one either and whether we can do that or not). But when we call the external API, we also need to do this.
Our call is initiated from Microsoft Power Automate, so the question is whether we can do mTLS in APIM, in an attempt to centralise it and also decouple this from the internal process? If the answer is yes, how can we achieve this? If the answer is no, what is the recommendation to do this?
I used Postman to send a request to the third party API using our PFX files and CA certs and it worked fine, but I do not know how to do this in our system.
For your information, we've never used APIM before and it's totally a new thing for us.
Yes, you can configure APIM to use mTLS to authenticate and verify requests from your third-party partner. You can also use APIM to initiate mTLS when calling the external API.
To configure mTLS in APIM, you will need to upload the third-party partner's certificate to APIM and configure the backend service to require client certificates. You can find more information on how to do this in the following documentation: https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates
To initiate mTLS when calling the external API from Power Automate, you will need to configure Power Automate to use a client certificate when making the request.
In this case, APIM will act as a gateway between Power Automate and the external API. When Power Automate sends a request to the external API, the request will be routed through APIM. APIM will then use the client certificate to authenticate and authorize the request, and to ensure that the request is secure.
If the request is authorized, APIM will forward the request to the external API on behalf of Power Automate. https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates-for-clients
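The two legs described in the answer, as an added illustration (not code from the answer or from Microsoft's documentation): an APIM policy for the API the partner calls, which requires and checks the partner's client certificate, and a policy for a proxy API that Power Automate calls, where APIM presents our own client certificate to the partner's backend. The thumbprint, certificate id and backend URL are placeholders that you replace with the values from your APIM instance.

```xml
<!-- Policy 1 (placeholder): API exposed to the partner. Requires a client
     certificate on the TLS handshake and validates it against the CA
     certificates uploaded to the APIM instance, pinning the accepted leaf to a
     thumbprint. Without this policy APIM accepts the connection even if the
     partner presents no certificate at all. -->
<policies>
    <inbound>
        <base />
        <validate-client-certificate
            validate-revocation="true"
            validate-trust="true"
            validate-not-before="true"
            validate-not-after="true"
            ignore-error="false">
            <identities>
                <!-- Placeholder: SHA-1 thumbprint of the partner's client certificate -->
                <identity thumbprint="PARTNER_CLIENT_CERT_THUMBPRINT_PLACEHOLDER" />
            </identities>
        </validate-client-certificate>
    </inbound>
    <backend><base /></backend>
    <outbound><base /></outbound>
    <on-error><base /></on-error>
</policies>

<!-- Policy 2 (placeholder): proxy API that Power Automate calls. Power Automate
     authenticates to APIM in the usual way (for example a subscription key);
     the PFX with our private key lives only in APIM, so the flow never handles
     it. APIM then opens the mTLS connection to the partner using that
     certificate. -->
<policies>
    <inbound>
        <base />
        <!-- Placeholder: the partner's mTLS endpoint -->
        <set-backend-service base-url="https://partner.example/api" />
        <!-- Placeholder: the name (id) given to our uploaded client certificate in APIM -->
        <authentication-certificate certificate-id="our-mtls-client-cert" />
    </inbound>
    <backend><base /></backend>
    <outbound><base /></outbound>
    <on-error><base /></on-error>
</policies>
```

For the first policy to see a certificate, APIM must actually negotiate one on the front end; on the Consumption tier this is the "Request client certificate" setting on the custom domain, and on other tiers it is negotiated by default.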