Streamlining API Management with Workspaces: A Comprehensive Guide

This article was originally published on Microsoft Tech Community.

Workspace Overview

Azure API Management enables organizations to create, manage, and secure APIs at scale. The Workspace feature provides a logical container for grouping related APIs, policies, and configurations. Multiple Workspaces can exist within a single APIM instance, useful for organizing by department, project, or environment.

Workspaces enable a decentralized approach to API development. Individual teams can independently manage and market their own APIs, while a central platform team oversees the overall APIM infrastructure. Each workspace contains APIs, products, subscriptions, and related entities accessible only to workspace collaborators. Access is controlled via Azure's role-based access control (RBAC).

Reference: Workspaces in Azure API Management | Microsoft Learn

Create a Workspace

Sign in to the Azure portal and navigate to your API Management instance.
In the left-hand menu, click on the "Workspaces" tab.
Click on the "Add" button to create a new workspace.
In the "Add workspace" page, enter a name and optionally provide a description.

Key Features of Workspace

Managing APIs in the Workspace

Grouping related APIs in a workspace helps teams manage, govern, and deploy APIs in a streamlined manner. This improves cross-team collaboration, reduces deployment errors and downtime, and enhances scalability and reliability. Access within a workspace is governed through Azure RBAC.

Creating APIs in a Workspace follows the same process as creating them directly in API Management, except you do so inside the workspace.
For detailed steps on creating an API, see: Tutorial — Import and publish your first API in Azure API Management | Microsoft Learn

Managing Policy for All APIs in a Workspace

Workspace-level policies let teams enforce security, governance, and compliance requirements across all APIs in the workspace, improving consistency and reducing per-API management overhead.

Policy implementation at the Workspace scope mirrors implementation at the APIM level.
Use context.Api.Workspace and context.Product.Workspace objects in workspace-scoped policies and in the all-APIs policy at the service level.
Navigate to Workspace → APIs → All APIs, then click the editor tab.
Add the desired policy to apply it across all workspace APIs.
Pre-built policies are available: Azure API Management policy samples | Microsoft Learn

Product and Subscription in the Workspace

In a workspace, a product is scoped to that specific workspace and available only to its collaborators, enabling teams to manage and monetize APIs within their own development context.

A subscription grants access to a product or set of products for a developer or consumer. Subscriptions created within a workspace are only accessible to workspace collaborators.

Publish APIs with products — APIs can belong to a service-level or workspace-level product:
- Workspace-level product: Visibility configurable based on membership in workspace-level or service-level groups.
- Service-level product: Visibility configurable only for service-level groups.
Manage access via subscriptions — Subscriptions requested to an API or product within a workspace are created in that workspace.

Assigning Workspace Access to Users

Service-Scoped Roles

From the API Management instance, click Access Control (IAM) in the left blade.
Click Add → Add role assignment.
Assign one of these service-scoped roles:
- API Management Service Workspace API Developer: Read access to tags/products; write access to assign APIs to products and tags to products/APIs.
- API Management Service Workspace API Product Manager: Same as above, plus read access to users and write access to assign users to groups.

Workspace-Scoped Roles

From the APIM instance, click Workspaces (preview).
Enter the target workspace.
Click Access control (IAM) from the left blade.
Click Add → Add role assignment.
Assign one of these workspace-scoped roles:
- API Management Workspace Reader: Read-only access to workspace entities.
- API Management Workspace Contributor: Can manage the workspace and view (but not modify) its members.
- API Management Workspace API Developer: Read access to workspace entities; read/write access for editing APIs.
- API Management Workspace API Product Manager: Read access to workspace entities; read/write access for publishing APIs.

References

Workspace Overview

Key Features of Workspace

Managing APIs in the Workspace

Creating APIs in a Workspace follows the same process as creating them directly in API Management, except you do so inside the workspace.

For detailed steps on creating an API, see: Tutorial — Import and publish your first API in Azure API Management | Microsoft Learn

Managing Policy for All APIs in a Workspace

Workspace-level policies let teams enforce security, governance, and compliance requirements across all APIs in the workspace, improving consistency and reducing per-API management overhead.

Policy implementation at the Workspace scope mirrors implementation at the APIM level.

Use context.Api.Workspace and context.Product.Workspace objects in workspace-scoped policies and in the all-APIs policy at the service level.

Navigate to Workspace → APIs → All APIs, then click the editor tab.

Add the desired policy to apply it across all workspace APIs.

Pre-built policies are available: Azure API Management policy samples | Microsoft Learn

Product and Subscription in the Workspace

In a workspace, a product is scoped to that specific workspace and available only to its collaborators, enabling teams to manage and monetize APIs within their own development context.

A subscription grants access to a product or set of products for a developer or consumer. Subscriptions created within a workspace are only accessible to workspace collaborators.

Publish APIs with products — APIs can belong to a service-level or workspace-level product:

Workspace-level product: Visibility configurable based on membership in workspace-level or service-level groups.
Service-level product: Visibility configurable only for service-level groups.

Manage access via subscriptions — Subscriptions requested to an API or product within a workspace are created in that workspace.

Assigning Workspace Access to Users

Service-Scoped Roles

From the API Management instance, click Access Control (IAM) in the left blade.

Click Add → Add role assignment.

Assign one of these service-scoped roles:

API Management Service Workspace API Developer: Read access to tags/products; write access to assign APIs to products and tags to products/APIs.
API Management Service Workspace API Product Manager: Same as above, plus read access to users and write access to assign users to groups.

Workspace-Scoped Roles

From the APIM instance, click Workspaces (preview).

Enter the target workspace.

Click Access control (IAM) from the left blade.

Click Add → Add role assignment.

Assign one of these workspace-scoped roles:

API Management Workspace Reader: Read-only access to workspace entities.
API Management Workspace Contributor: Can manage the workspace and view (but not modify) its members.
API Management Workspace API Developer: Read access to workspace entities; read/write access for editing APIs.
API Management Workspace API Product Manager: Read access to workspace entities; read/write access for publishing APIs.

Streamlining API Management with Workspaces: A Comprehensive Guide

Workspace Overview

Create a Workspace

Key Features of Workspace

Managing APIs in the Workspace

Managing Policy for All APIs in a Workspace

Product and Subscription in the Workspace

Assigning Workspace Access to Users

Service-Scoped Roles

Workspace-Scoped Roles

References

Related Posts

Leveraging Azure's Voice Live API for Real-Time Voice Agents

Introduction to Microsoft Agent Framework: Building the Future of Autonomous AI Systems

How to Build a Monitoring System for Azure Workloads

Want to discuss this topic?

Streamlining API Management with Workspaces: A Comprehensive Guide

Workspace Overview

Create a Workspace

Key Features of Workspace

Managing APIs in the Workspace

Managing Policy for All APIs in a Workspace

Product and Subscription in the Workspace

Assigning Workspace Access to Users

Service-Scoped Roles

Workspace-Scoped Roles

References

Related Posts

Leveraging Azure's Voice Live API for Real-Time Voice Agents

Introduction to Microsoft Agent Framework: Building the Future of Autonomous AI Systems

How to Build a Monitoring System for Azure Workloads

Want to discuss this topic?