Microsoft provides the capability to protect Azure API Management using OAuth 2.0 with Azure Active Directory. Unfortunately, Microsoft states that Azure AD integration is only available in the Developer, Standard and Premium tiers of API Management (see "Protect an API by using OAuth 2.0 with Azure Active Directory and API Management").
This makes OAuth protection significantly more expensive: at the moment a Basic API Management instance costs $0.26/hour, whereas Standard is almost 5 times higher at $1.21/hour.
But the "validate-jwt" policy in Azure API Management delivers OAuth protection in the Basic pricing tier as well.
Simply:
Create an App registration in Azure Active Directory to represent your API Management instance.
Add "validate-jwt" to the <inbound> section of the API policy (providing your Azure tenant ID and the client ID of the app registration you created).
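As an added illustration (not a policy from the original post), this is the shape of the validate-jwt fragment the steps above describe; {tenant-id} and {client-id} are placeholders for your own values, and the audience check is what restricts accepted tokens to this app registration rather than any token the tenant issues.

```xml
<policies>
    <inbound>
        <base />
        <!-- Reject any request whose Authorization header lacks a valid Azure AD bearer token.
             {tenant-id} and {client-id} are placeholders for your tenant and app registration. -->
        <validate-jwt header-name="Authorization"
                      require-scheme="Bearer"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
            <!-- Signing keys are fetched from the tenant's OpenID Connect metadata, so the
                 token signature and expiry are checked against live key material. -->
            <openid-config url="https://login.microsoftonline.com/{tenant-id}/.well-known/openid-configuration" />
            <!-- Only tokens minted for this app registration are accepted. Which form the
                 aud claim takes depends on how the token was requested (client ID or App ID URI). -->
            <audiences>
                <audience>{client-id}</audience>
                <audience>api://{client-id}</audience>
            </audiences>
            <!-- v1.0 tokens carry the sts.windows.net issuer, v2.0 tokens the login.microsoftonline.com one. -->
            <issuers>
                <issuer>https://sts.windows.net/{tenant-id}/</issuer>
                <issuer>https://login.microsoftonline.com/{tenant-id}/v2.0</issuer>
            </issuers>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

A useful check after deploying the policy is to decode a token that was rejected and compare its aud and iss claims with the values above, since a mismatch there is the most common reason a valid-looking token still gets a 401.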
Now, when accessing the API from the Azure API test page, Postman or your application:
Without a proper bearer token in the "Authorization" header we receive a 401 (Unauthorized) response.
With a proper bearer token we get a successful response.
We have protected an Azure API Management Basic tier instance using OAuth, with significant cost savings compared to the Standard or Premium tiers.
Will do more testing before we put it into production and discuss with Microsoft, but it seems a definite option to consider. :)
Will publish more details soon.