Study Azure AZ-204 API Management: key concepts, common traps, and exam decision cues.
This lesson covers the API gateway lane Microsoft expects developers to know: how APIs are published, grouped, protected, and transformed through Azure API Management. On the exam, the hardest part is usually not naming API Management. It is separating gateway concerns from backend concerns, and separating products, subscriptions, policies, and authentication without mixing them together.
API product: Grouping in API Management that bundles APIs, policies, and subscription behavior for consumers.
Policy: Rule that changes or validates API traffic behavior at the gateway layer.
Microsoft is usually testing whether you can tell which problem belongs at the API gateway and which one belongs in the app or identity layer.
| If the stem is really about… | Strongest first |
|---|---|
| exposing APIs through one managed gateway with throttling, validation, or transformations | Azure API Management |
| grouping one or more APIs for a consumer offering | Product |
| request limits, header changes, token checks, response rewriting, caching, or backend routing rules | Policy |
| granting access to a product, API, or APIM scope by key | Subscription |
| authenticating users or apps with Microsoft Entra ID end to end | Entra ID and app auth flow, often with APIM in front |
| Concept | What it mainly does | What the exam tries to make you confuse it with |
|---|---|---|
| API Management instance | The managed gateway service and control plane | A single API or a single product |
| Product | Packages APIs for consumers and can require subscription approval or keys | A policy |
| Subscription | Grants access by key to a product, API, or all APIs scope | User authentication |
| Policy | Changes or validates traffic behavior at the gateway | Backend code changes |
| Backend | The real service that processes business logic | The gateway itself |
flowchart LR
A["Client app"] --> B["API Management gateway"]
B --> C{"What does the stem want?"}
C -->|Package APIs for consumers| D["Product"]
C -->|Grant keyed access| E["Subscription"]
C -->|Transform, validate, throttle, cache, route| F["Policy"]
C -->|Run business logic| G["Backend service"]
| Trap | Better reading |
|---|---|
| “Need to limit calls and rewrite headers, so change the API code.” | This is usually an API Management policy problem. |
| “Need separate partner offerings, so create separate policies only.” | Product structure is usually the first decision; policies can then apply at the right scope. |
| “Subscription key means the user is authenticated and authorized.” | Subscription keys control API access scope, but they are not the same thing as full user identity. |
| “If APIM is in front, all security logic moves there.” | APIM can enforce gateway rules, but backend authorization still matters. |
A team exposes the same backend through one public partner API and one internal mobile API. Partners need quota limits and approval-based access. Internal apps need different transformations and no partner-facing onboarding experience. The strongest first design is to publish the APIs through API Management, separate them with the right products or API scopes, and apply policies at the scope that matches the traffic behavior you need.