API Management – Disable Trusted Connectivity by March 2026


If you are using Azure API Management, you may be notified of, or see, an Azure Advisor recommendation titled “Disable trusted service connectivity in API Management”.

While reviewing Azure Advisor recommendations across multiple subscriptions, I noticed something interesting: only a subset of our API Management (APIM) services appeared in the advisor alerts. This prompted me to dig deeper and find a reliable way to identify all APIM instances that still have this deprecated feature enabled.

I used Azure Resource Graph Explorer, which shows all API Management service instances that do not have the recommended value set. I went with this approach over Azure Advisor because all our APIM instances are deployed via the same Terraform module and I want to ensure the configuration settings match across all deployments (no drift between environments).

Recommendation details from Azure

Microsoft is retiring trusted service connectivity for Azure API Management in March 2026. If your APIM instance relies on this feature to access other Azure services and you don’t update the configuration, you’re setting yourself up for service disruption later.

Microsoft’s guidance is pretty clear:

Your API Management service may rely on trusted service connectivity to access other Azure services. To prevent service disruption following the retirement of this feature in March 2026 (effective 15th March), update your networking configuration and disable trusted connectivity in API Management.

Have a quick look at the recommended approach from Azure regarding the trusted service connectivity retirement.

In short:
If you don’t explicitly disable it, you’re at risk.

Azure Resource Graph Query

Azure Resource Graph is your KQL-powered superpower for querying ALL Azure resources across subscriptions, management groups etc.

Resources
| where type =~ "microsoft.apimanagement/service"
| extend customProps = properties.customProperties
| extend disableOverPrivilegedAccess =
    tostring(customProps["Microsoft.WindowsAzure.ApiManagement.Gateway.ManagedIdentity.DisableOverPrivilegedAccess"])
| where disableOverPrivilegedAccess !~ "True"

What does this query do?

  • Finds all API Management services
  • Pulls out their custom properties
  • Checks whether the required setting is present and set correctly
  • Shows you only the APIM instances that still need fixing

Running the above query shows all APIM instances that do not have “Disable trusted service connectivity in API Management gateway” set.

Recommended Approach To Fix

Awesome, I now have a list of affected APIM resources. Now what?

I still recommend following the Microsoft documentation and its step 2 approach: eliminate any dependencies, then make the change (preferably testing in a lower environment first).

Finally, once all checks are done and dependencies remediated, disable trusted service connectivity in your APIM instance.

Let's break it down into steps:

  1. Identify and eliminate dependencies on trusted service connectivity
    • Review which Azure services your APIM instances access
    • Update networking configurations to use alternative methods
  2. Test in lower environments first (dev/staging etc) before production
  3. Disable trusted service connectivity once dependencies are resolved
  4. Re-run the Resource Graph query. Confirm your estate is clean
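
For step 4, a variant of the query above that lists every APIM instance with the state of the setting, instead of only the ones that need fixing, makes drift between environments visible. This is an added example, not part of the original post; the state labels and projected columns are illustrative choices, and the join to ResourceContainers is there only to show the subscription name.

```kusto
Resources
| where type =~ "microsoft.apimanagement/service"
// Same custom property as the query above; a missing key becomes an empty string
| extend setting = tostring(properties.customProperties["Microsoft.WindowsAzure.ApiManagement.Gateway.ManagedIdentity.DisableOverPrivilegedAccess"])
// Separate "never configured" from "explicitly set to something other than True"
| extend state = case(
    isempty(setting), "not set",
    setting =~ "True", "trusted connectivity disabled",
    "trusted connectivity still enabled")
// Resolve the subscription name so each row can be tied back to an environment
| join kind=leftouter (
    ResourceContainers
    | where type =~ "microsoft.resources/subscriptions"
    | project subscriptionId, subscriptionName = name
  ) on subscriptionId
| project subscriptionName, resourceGroup, name, location, skuName = tostring(sku.name), state
| order by state asc, subscriptionName asc, name asc
```

When every instance comes from the same Terraform module, any row that is not in the "trusted connectivity disabled" state after the rollout points to a deployment that has drifted or has not been re-applied.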

Yes, it takes a bit more time – but it’s far better than discovering broken integrations in production in March 2026.

Wrapping Up

This is one of those changes that’s easy to ignore until it’s suddenly urgent.

Running a simple Resource Graph query now gives you:

  • Full visibility
  • Time to plan
  • Control over the rollout

If you’re responsible for Azure API Management at any scale, I’d recommend adding this check to your regular platform hygiene.

Future-you will thank you for it!

Discover more from Thomas Thornton Blog
