I have an Azure API Management, added a logic app as back end API. Now I want to enable basic authentication for the API Management so that when client will call the logic app url which is protected by API Management need to provide username and password. I am familiar with access restriction policy of API Management , now my question is where and how to set basic authentication credentials in the APIM?

Here is a code snippet to set up basic auth wuth username="someUser" and password="ThePassw0rd"

<policies>
    <inbound>
        <set-variable name="isAuthOk" 
value="@(context.Request.Headers.ContainsKey("Authorization") 
            && context.Request.Headers["Authorization"].Contains(
            "Basic " + Convert.ToBase64String(
                  Encoding.UTF8.GetBytes("someUser:ThePassw0rd")
                )
              )
              )" />
        <base />
        <choose>
            <when condition="@(context.Variables.GetValueOrDefault<bool>("isAuthOk"))">
            </when>
            <otherwise>
                <return-response>
                    <set-status code="401" reason="Unauthorized" />
                    <set-header name="WWW-Authenticate" exists-action="override">
                        <value>Basic realm="someRealm"</value>
                    </set-header>
                    <set-body>Wrong username or password</set-body>
                </return-response>
            </otherwise>
        </choose>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

If I understood your question, you can set the policy in: Apis -> All Apis or specifc -> Design -> Inbound processing -> Code View. Inside policies/inbound you can insert:

authentication-basic username="username" password="password"

See more in: https://docs.microsoft.com/en-us/azure/api-management/api-management-authentication-policies#Basic

I am able to solve this , I have added a access restriction policy for basic authentication and put a credentials in the policy.

Sample Policy

Basic B64Credentials

You can use below code snippet https://github.com/Azure/api-management-policy-snippets/blob/master/examples/Perform%20basic%20authentication.policy.xml

<policies>
<inbound>
    <base />
    <choose>
        <when condition="@(context.Request.Headers.GetValueOrDefault("Authorization")==null || context.Request.Headers.GetValueOrDefault("Authorization").Length<1 || context.Request.Headers.GetValueOrDefault("Authorization").AsBasic().UserId!="{{UserId}}" || context.Request.Headers.GetValueOrDefault("Authorization").AsBasic().Password!="{{Password}}")">
            <return-response>
                <set-status code="401" reason="Not authorized" />
            </return-response>
        </when>
    </choose>
    <set-header name="Authorization" exists-action="delete" />
</inbound>
<backend>
    <base />
</backend>
<outbound>
    <base />
</outbound>
<on-error>
    <base />
</on-error>

And incase you want to store password to keyvault you can use below policy instead of above

<inbound>
    <base />
    <send-request ignore-error="false" timeout="20" response-variable-name="passwordResponse" mode="new">
        <set-url>https://mykvname.vault.azure.net/secrets/MySecretValue/?api-version=7.0</set-url>
        <set-method>GET</set-method>
        <authentication-managed-identity resource="https://vault.azure.net" />
    </send-request>
    <rewrite-uri template="/" copy-unmatched-params="true" />
    <set-backend-service base-url="https://testservice/" />
    <authentication-basic username="myusername" password="@{ var secret = ((IResponse)context.Variables["passwordResponse"]).Body.As<JObject>(); return secret["value"].ToString(); }" />
</inbound>

Hope this helps