APPLIES TO: All API Management tiers
Effective 15 March 2026, Azure API Management is retiring trusted service connectivity to supported Azure services - Azure Storage, Key Vault, Key Vault Managed HSM, Service Bus, Event Hubs, and Container Registry. If your API Management resource relies on this feature to communicate with these services after 15 March 2026, the communication will fail. Use alternative networking options to securely connect to those services.
API Management services created on or after 1 December 2025 no longer support trusted service connectivity. Contact Azure support if you need to enable trusted service connectivity in those services until the retirement date.
Is my service affected by this change?
First, check for an Azure Advisor recommendation:
- In the Azure portal, go to Advisor.
- Select the Recommendations > Operational excellence category.
- Search for "Disable trusted service connectivity in API Management".
If you don't see a recommendation, your API Management resource isn't affected by the change.
If you see a recommendation, your API Management resource is affected by the breaking change and you need to take action:
- Determine if your API Management resource relies on trusted service connectivity to Azure services.
- If it does, update the networking configuration to eliminate the dependency on trusted service connectivity. If it doesn’t, proceed to the next step.
- Disable trusted service connectivity in API Management.
Step 1: Does my API Management resource rely on trusted service connectivity?
API Management should no longer rely on trusted service connectivity to Azure services. Instead, it should establish a networking line of sight.
To verify if API Management relies on trusted connectivity to Azure services, check the networking configuration of all Azure Storage, Key Vault, Key Vault Managed HSM, Service Bus, Event Hub, and Container Registry resources that API Management connects to:
For Storage accounts
- Go to Networking under Security + networking.
- Select Manage in the Public network access tab.
- API Management may rely on trusted service connectivity if Allow trusted Microsoft services to access this resource is selected and either:
  - Public network access is set to Disable, or
  - Public network access is set to Enable and Public network access scope is set to Enable from selected networks.
- API Management may also rely on trusted service connectivity if API Management is configured under Resource instances while Public network access is set to Enable and Public network access scope is set to Enable from selected networks.
For Event Hubs and Key Vault Managed HSM
- Go to Networking under Settings.
- Select Manage in the Public access tab.
- API Management may rely on trusted service connectivity if Allow trusted Microsoft service to access this resource is selected and either:
  - Public network access is set to Disable, or
  - Public network access is set to Enable and Default action is set to Enable from selected networks.
For Service Bus (Premium only) and Key Vault
- Go to Networking under Settings.
- API Management may rely on trusted service connectivity if Allow trusted Microsoft services to bypass this firewall is selected and you're using either the Allow public access from specific virtual networks and IP addresses option or the Disable public access option.
For Container Registry (Premium pricing plan only)
- Go to Networking under Settings.
- API Management may rely on trusted service connectivity if Allow trusted Microsoft services to access this container registry is checked under Firewall exception and Public network access is set to Selected networks or Disabled.
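The Step 1 checks for Storage, Key Vault, and Container Registry can also be applied to JSON exported with `az storage account show`, `az keyvault show`, and `az acr show`. The following is an added example, not part of the original article; the field names are assumed to match the CLI output for your version, and the sample resources are constructed.

```python
# Added example: Step 1 rules applied to JSON from `az ... show -o json`.
# Field names are assumed to match the CLI output; confirm for your version.
APIM = "/providers/microsoft.apimanagement/service/"

def restricted(public_access, default_action):
    # Public access disabled, or enabled from selected networks only (Deny).
    return public_access == "Disabled" or default_action == "Deny"

def storage_may_rely(acct):
    rules = acct.get("networkRuleSet") or {}
    pna, action = acct.get("publicNetworkAccess"), rules.get("defaultAction")
    trusted = "AzureServices" in (rules.get("bypass") or "")
    # Resource instances: an API Management resource ID allowed on the account.
    instance = any(APIM in (r.get("resourceId") or "").lower()
                   for r in rules.get("resourceAccessRules") or [])
    return (trusted and restricted(pna, action)) or (
        instance and pna != "Disabled" and action == "Deny")

def key_vault_may_rely(vault):
    props = vault.get("properties") or {}
    acls = props.get("networkAcls") or {}  # null when no firewall is configured
    return acls.get("bypass") == "AzureServices" and restricted(
        props.get("publicNetworkAccess"), acls.get("defaultAction"))

def registry_may_rely(reg):
    rules = reg.get("networkRuleSet") or {}
    return reg.get("networkRuleBypassOptions") == "AzureServices" and restricted(
        reg.get("publicNetworkAccess"), rules.get("defaultAction"))

CHECKS = {"storage": storage_may_rely, "keyvault": key_vault_may_rely,
          "acr": registry_may_rely}

# Constructed sample exports, trimmed to the fields the checks read.
SAMPLES = [
    ("st-firewalled", "storage", {"publicNetworkAccess": "Enabled", "networkRuleSet": {
        "bypass": "Logging, AzureServices", "defaultAction": "Deny"}}),
    ("st-open", "storage", {"publicNetworkAccess": "Enabled", "networkRuleSet": {
        "bypass": "AzureServices", "defaultAction": "Allow"}}),
    ("kv-private", "keyvault", {"properties": {"publicNetworkAccess": "Disabled",
        "networkAcls": {"bypass": "AzureServices", "defaultAction": "Allow"}}}),
    ("acr-nobypass", "acr", {"publicNetworkAccess": "Disabled",
        "networkRuleBypassOptions": "None"}),
]

def audit(samples):
    return [name for name, kind, doc in samples if CHECKS[kind](doc)]

if __name__ == "__main__":
    print(audit(SAMPLES))
```

A flagged resource only means the trusted-services exception is in effect on it; whether API Management actually uses that path still has to be confirmed against the services it connects to.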
Step 2: Eliminate dependency on trusted service connectivity
If you verified that API Management relies on trusted connectivity to Azure resources, you need to eliminate this dependency by establishing a networking line of sight for communication from API Management to the listed services.
You can configure the networking of target resources to one of the following options:
- Enable public connectivity from all networks.
- Set a network security rule to allow API Management traffic based on the IP address or virtual network connectivity.
- Secure traffic from API Management with Private Link connectivity.
- Use Network Security Perimeter to secure your Azure backends and allow traffic from API Management, if supported (for example, for Azure Storage).
Step 3: Disable trusted service connectivity in API Management
After ensuring that API Management doesn’t access other Azure services using trusted service connectivity, you must explicitly disable trusted connectivity in your API Management service to acknowledge you have verified that the service no longer depends on trusted connectivity.
To do so, set a custom property Microsoft.WindowsAzure.ApiManagement.Gateway.ManagedIdentity.DisableOverPrivilegedAccess to "True" on the API Management resource. For example:
```json
{
    "type": "Microsoft.ApiManagement/service",
    "apiVersion": "2025-03-01-preview",
    "name": "string",
    "identity": {
        "type": "SystemAssigned"
    },
    "location": "string",
    "properties": {
        "customProperties": {
            "Microsoft.WindowsAzure.ApiManagement.Gateway.ManagedIdentity.DisableOverPrivilegedAccess": "True"
        }
    },
    "sku": {
        "capacity": "1",
        "name": "Developer"
    }
}
```
The Azure Advisor recommendation should disappear within a day or two of disabling the trusted connectivity on the API Management service.
What is the deadline for the change?
After 15 March 2026, the trusted connectivity from API Management to supported Azure services - Azure Storage, Key Vault, Key Vault Managed HSM, Service Bus, Event Hubs, and Container Registry - is retired. If your API Management resource relies on this feature to establish communication with these services, the communication will start failing after that date.
Help and support
If you have questions, get answers from community experts in Microsoft Q&A. If you have a support plan and you need technical help, create a support request.
- Under Issue type, select Technical.
- Under Subscription, select your subscription.
- Under Service, select My services, then select API Management Service.
- Under Resource, select the Azure resource that you're creating a support request for.
- For Summary, type a description of your issue, for example, "Trusted service connectivity".