az apim list --resource-group <resource-group>API Management operation
An API Management operation is one callable action inside an API, such as GET /orders or POST /claims. It tells Azure API Management which HTTP method, URL template, parameters, and display name should be exposed to consumers. The operation can map to a backend route, return a mock response, accept.
Source: Microsoft Learn - Manually add an API Reviewed 2026-05-10
- Exam trap
- Changing API Management operation in production before proving the exact scope, owner, and dependency chain that will be affected.
- Production check
- Can you identify the exact Azure resource, API, app, cluster, or tenant object that owns API Management operation?
Article details and learning context
- Aliases
- APIM operation, API operation in API Management
- Difficulty
- intermediate
- CLI mappings
- 4
- Last verified
- 2026-05-10
- Review level
- top250-pre130-priority-upgraded
- Article depth
- field-manual
Understand the concept
In plain English
An API Management operation is one callable action inside an API, such as GET /orders or POST /claims. It tells Azure API Management which HTTP method, URL template, parameters, and display name should be exposed to consumers. The operation can map to a backend route, return a mock response, accept parameters, and inherit or apply policies. In plain terms, it is the gateway’s contract for one request shape, not the whole API or the backend service itself.
Why it matters
API Management operations matter because consumers call operations, not vague services. A missing operation can produce gateway 404 responses even when the backend endpoint exists. A loose wildcard operation can expose more backend behavior than intended. A poorly named or undocumented operation makes developer onboarding and incident triage harder. Operations also give architects a place to attach narrow policies, examples, tests, metrics, and documentation. When teams treat each operation as a managed contract, they can change backends, publish products, test revisions, and protect individual routes without rebuilding every client integration. Clear ownership, evidence, and rollback notes turn the concept into something teams can operate safely.
Official wording and source
An API Management operation is a method-and-path entry exposed by an API, mapped to a backend operation and optionally shaped by policies.
Technical context
Technically, an API Management operation sits under an API inside an API Management service. It belongs to the data-plane request path but is configured through control-plane resources, portal design screens, ARM, REST, or CLI. Each operation defines method, URL template, template parameters, query/header metadata, and policy scope. Imported OpenAPI, SOAP, GraphQL, Function, Logic App, or manually added APIs create operations that the gateway can match before routing traffic to the configured backend. It should be documented with scope, dependencies, and the control plane that manages it.
Exam context
Compare with
Where it is used
Where you see it
- You see it on an API Management API design page where each method and URL template becomes a callable route, testable from the portal or developer portal.
- You see it in gateway metrics and logs when latency, failures, subscription use, or policy errors are grouped by operation instead of only by whole API.
- You see it in OpenAPI imports when paths and methods become API Management operations that can receive policies, documentation, examples, and product exposure. with approved ownership
Common situations
- Define the exact method, route, parameters, and response contract that API consumers call through API Management.
- Apply operation-level policies for validation, transformation, throttling, caching, authentication, or backend routing without changing the whole API.
- Troubleshoot a single failing route by comparing operation matching, inbound policy, backend forwarding, response handling, and test console evidence.
- Document developer portal behavior so teams understand which operation represents each business capability and support contact.
- Automate repeatable checks that prevent method, URL template, display name, and policy drift between environments.
Illustrative Azure scenarios
These examples show how the concept can affect design and operations. They are illustrative scenarios, not customer claims.
Scenario 01 Claims route isolation Scenario, objectives, solution, measured impact, and takeaway.
Harbor Mutual, an insurance carrier, needed to expose a new claims-status route without opening unrelated policy-administration endpoints.
- publish one GET operation for claims status
- keep legacy backend routes hidden from partners
- reduce failed partner onboarding calls by 40 percent
- capture operation-level diagnostics for support
The integration team created a dedicated API Management operation for GET /claims/{claimId}/status and mapped it to the internal claims service. The operation defined template parameters, examples, response descriptions, and inherited JWT validation from the API scope. A small operation-level policy normalized partner headers, rejected missing claim identifiers, and added correlation IDs before forwarding to the backend. Product exposure was limited to approved partner subscriptions. The team used CLI inventory and policy export before launch, then tested the operation from the developer portal and a synthetic monitor. Backend owners kept their existing internal routes, while API Management published only the approved contract. The runbook named API Management operation ownership, rollback evidence, expected monitoring signals, and the first support checks after rollout.
- partner setup defects dropped 46 percent in the first month
- support isolated route errors without reviewing unrelated API calls
- no legacy administrative endpoints were exposed through the gateway
- synthetic checks detected two bad partner tokens before production traffic
An API Management operation is valuable because it turns one backend action into a controlled, documented, observable contract.
Scenario 02 Retail inventory lookup Scenario, objectives, solution, measured impact, and takeaway.
Fabrikam Market, a national retailer, wanted stores to query inventory by SKU while preventing direct access to warehouse service paths.
- launch a store-safe inventory lookup route
- hide internal warehouse URLs from store devices
- keep p95 lookup latency below 250 milliseconds
- prove usage by operation for seasonal planning
Architects added a GET /inventory/{sku} operation to the store API in API Management and mapped it to a warehouse backend endpoint. They configured required path parameters, response examples, and a cache policy for low-risk availability data. A rate-limit policy protected the backend from scanner bursts during stock counts. Diagnostics sent operation name, subscription, response code, and latency to monitoring. Store applications used the developer portal documentation instead of backend tribal knowledge. The operations team compared the operation configuration across test and production with CLI before each release and documented rollback to the previous operation definition. The runbook named API Management operation ownership, rollback evidence, expected monitoring signals, and the first support checks after rollout.
- p95 inventory lookup latency stayed under 190 milliseconds
- backend request volume fell 31 percent because safe responses were cached
- seasonal planning used operation-level metrics by store subscription
- warehouse engineers retired three direct-access integration exceptions
Well-designed operations let teams expose exactly the request a client needs while shielding backend complexity.
Scenario 03 Clinic appointment check-in Scenario, objectives, solution, measured impact, and takeaway.
Northwind Clinics, a healthcare network, needed a mobile check-in request that could be monitored separately from billing and records APIs.
- separate appointment check-in traffic from other clinical calls
- validate required identifiers before backend routing
- meet audit evidence requirements for API changes
- reduce mobile release rollback time below 15 minutes
The platform team created a POST /appointments/{id}/checkin operation in API Management and assigned it to a patient-mobile product. The operation required appointment identifiers, documented expected request fields, and applied a policy that rejected missing correlation IDs before the request reached the scheduling backend. Monitoring dashboards filtered by operation, so support teams could see mobile check-in errors without noise from billing APIs. The release playbook exported the operation and policy JSON before deployment, tested a sample request, and stored the current revision reference for rollback. Clinical system owners approved the backend mapping and reviewed diagnostics retention. The runbook named API Management operation ownership, rollback evidence, expected monitoring signals, and the first support checks after rollout.
- mobile check-in failures were isolated within 8 minutes during launch
- audit reviewers accepted exported operation and policy records
- rollback rehearsal completed in 11 minutes
- backend validation errors fell 38 percent after gateway checks
Operation-level control is practical because it makes one customer journey observable, testable, and safe to change.
Azure CLI
Azure CLI is useful for API Management operation because it gives operators repeatable evidence instead of one-off portal screenshots. Teams can inspect configuration, compare environments, export review data, and automate safe changes before production behavior changes.
Useful for
- Inventory API Management operation across resource groups and subscriptions before a release, migration, audit, or incident review.
- Show the current API Management operation configuration and capture IDs, scopes, names, status fields, or route settings for change evidence.
- Update nonproduction API Management operation settings through a scripted path, then compare the result with the approved production baseline.
- Export command output as JSON so platform, security, and application teams can review the same facts during troubleshooting.
Before you run a command
- Confirm tenant, subscription, resource group, service name, and environment because similarly named resources often exist in several stages.
- Use an identity with the least privileges required to read or change the resource, and record whether the command is read-only.
- Check whether the operation affects production traffic, security boundaries, authentication, routing, throttling, or customer-visible behavior.
- Choose JSON output for evidence, and save the previous configuration before running commands that create, update, or delete settings.
What the output tells you
- Resource IDs and names prove which Azure boundary was inspected, preventing mistakes caused by the wrong subscription or instance.
- Status, version, route, identity, or policy fields show whether the live configuration matches the intended design or release record.
- Missing values, empty arrays, or unexpected defaults often reveal incomplete deployment, portal-only drift, or permissions hiding part of the result.
- Timestamps, provisioning states, and nested properties help separate a failed change from a working configuration that simply needs propagation time.
Mapped commands
Apim operations
directaz apim show --name <apim-name> --resource-group <resource-group>az apim api list --service-name <apim-name> --resource-group <resource-group>az apim api import --service-name <apim-name> --resource-group <resource-group> --path <path> --specification-url <url> --specification-format OpenApiArchitecture context
Security: Security for an API Management operation starts with deciding exactly what the gateway should expose. Each operation can inherit API, product, or global policies, but sensitive routes often need operation-specific validation, throttling, header checks, or subscription behavior. Wildcard operations should be used carefully because they can pass unexpected paths through the gateway. Operators should confirm that authentication, authorization, request-size limits, schema validation, and backend routing match the risk of the route. Logs should capture enough context for investigation without exposing secrets, tokens, or protected payload fields. Security reviewers should confirm the approved scope, identity path, and logging behavior before production release. Reliability: Reliability depends on matching the operation definition to the backend behavior clients expect. Incorrect URL templates, missing parameters, route conflicts, or policy errors can break only one operation while the rest of the API appears healthy. Revisions help test operation changes before making them current. Monitoring should track operation-level response codes, latency, backend failures, and subscription traffic so incidents are not hidden inside aggregate API metrics. Rollback plans should include the previous operation definition and policy, not only the backend deployment that implements the route. Reliable teams test the setting in nonproduction, document rollback values, and monitor the first production signals after change. Operations: Operations teams inspect API Management operations during onboarding, release reviews, and incidents. Useful work includes listing operations for an API, checking method and URL templates, confirming backend mappings, reviewing operation-level policies, testing sample requests, and comparing nonproduction definitions with production. Documentation should name the backend owner, expected response pattern, authentication expectations, and product exposure. During incidents, operation-level metrics help isolate whether a single route is failing because of policy, parameter matching, backend health, subscription keys, or a client using an outdated path. Runbooks should include owners, commands, expected outputs, review cadence, and the first checks to perform during incidents. That makes support work repeatable instead of dependent on memory. Cost: An API Management operation has no separate standalone charge, but it can influence costs through traffic volume, logging, caching, policy work, and backend usage. A chatty operation can drive gateway capacity, Application Insights ingestion, backend compute, and data transfer. Operation-level rate limits, caching, and pagination can reduce unnecessary calls. Poorly designed wildcard or bulk routes can create unexpected backend load. FinOps reviews should examine high-volume operations, expensive diagnostics, repeated retries, and whether operation-specific policies are doing heavy transformations better handled by the backend or a cache. Cost owners should review usage, diagnostics, and duplicated environments whenever the setting changes or traffic grows. Performance: Performance is shaped by how the operation matches, validates, transforms, and routes requests. Operation-level policies can add latency when they parse large payloads, call external services, perform complex expressions, or disable caching opportunities. Clean URL templates, narrow parameter rules, backend proximity, response caching, and consistent timeout behavior improve responsiveness. Operators should review latency by operation instead of relying only on whole-API averages. A single slow operation can dominate customer experience, trigger retry storms, and make the gateway look slow when the issue is backend route design. Performance reviews should compare before-and-after telemetry and separate gateway, identity, network, and backend effects.
- Security
- Security for an API Management operation starts with deciding exactly what the gateway should expose. Each operation can inherit API, product, or global policies, but sensitive routes often need operation-specific validation, throttling, header checks, or subscription behavior. Wildcard operations should be used carefully because they can pass unexpected paths through the gateway. Operators should confirm that authentication, authorization, request-size limits, schema validation, and backend routing match the risk of the route. Logs should capture enough context for investigation without exposing secrets, tokens, or protected payload fields. Security reviewers should confirm the approved scope, identity path, and logging behavior before production release.
- Cost
- An API Management operation has no separate standalone charge, but it can influence costs through traffic volume, logging, caching, policy work, and backend usage. A chatty operation can drive gateway capacity, Application Insights ingestion, backend compute, and data transfer. Operation-level rate limits, caching, and pagination can reduce unnecessary calls. Poorly designed wildcard or bulk routes can create unexpected backend load. FinOps reviews should examine high-volume operations, expensive diagnostics, repeated retries, and whether operation-specific policies are doing heavy transformations better handled by the backend or a cache. Cost owners should review usage, diagnostics, and duplicated environments whenever the setting changes or traffic grows.
- Reliability
- Reliability depends on matching the operation definition to the backend behavior clients expect. Incorrect URL templates, missing parameters, route conflicts, or policy errors can break only one operation while the rest of the API appears healthy. Revisions help test operation changes before making them current. Monitoring should track operation-level response codes, latency, backend failures, and subscription traffic so incidents are not hidden inside aggregate API metrics. Rollback plans should include the previous operation definition and policy, not only the backend deployment that implements the route. Reliable teams test the setting in nonproduction, document rollback values, and monitor the first production signals after change.
- Performance
- Performance is shaped by how the operation matches, validates, transforms, and routes requests. Operation-level policies can add latency when they parse large payloads, call external services, perform complex expressions, or disable caching opportunities. Clean URL templates, narrow parameter rules, backend proximity, response caching, and consistent timeout behavior improve responsiveness. Operators should review latency by operation instead of relying only on whole-API averages. A single slow operation can dominate customer experience, trigger retry storms, and make the gateway look slow when the issue is backend route design. Performance reviews should compare before-and-after telemetry and separate gateway, identity, network, and backend effects.
- Operations
- Operations teams inspect API Management operations during onboarding, release reviews, and incidents. Useful work includes listing operations for an API, checking method and URL templates, confirming backend mappings, reviewing operation-level policies, testing sample requests, and comparing nonproduction definitions with production. Documentation should name the backend owner, expected response pattern, authentication expectations, and product exposure. During incidents, operation-level metrics help isolate whether a single route is failing because of policy, parameter matching, backend health, subscription keys, or a client using an outdated path. Runbooks should include owners, commands, expected outputs, review cadence, and the first checks to perform during incidents. That makes support work repeatable instead of dependent on memory.
Common mistakes
- Changing API Management operation in production before proving the exact scope, owner, and dependency chain that will be affected.
- Trusting a portal label without exporting the underlying JSON, especially when workspaces, revisions, identities, or environments are involved.
- Assuming a successful command means the application path works; many Azure settings still require client, network, or policy validation.
- Ignoring rollback evidence, which turns a small configuration error into a long outage or audit dispute.