Authorization groups provide a different level of access to APIs to developers. The following are the built-in authorization groups in Azure APIM:

• Administrators: The members of this group have access to manage APIM service instances, will be able to create APIs, manage operations, create products, and define SLAs for each product. They have the highest level of authority over the APIM service instance. 
• Developers: Client application developers who have subscribed to the product and have got access to use the APIs in their application fall under the developers group. They will have full access to the developer portal, control the operations of the APIs, know the usage of the APIs, and call them in their client applications. 
• Guests: These are the users who are not yet authenticated by the developer portal but are exploring and trying to understand the APIs for their client applications. Though these users have access to test the APIs in the developer portal, they will not be able to use them in their applications. These users could be potential clients for the organizations. 

Azure APIM also provides an option to create custom user groups in order to provide access to a group of products or APIs to specific organizations or groups of users.