services / Azure / API Management tenant access keys
The API Management tenant access keys (primary/secondary) authenticate direct access to the service's legacy Management REST endpoint and the Git configuration repository, which control the entire APIM service configuration (APIs, policies, named values).
These keys grant broad management-plane access to a single APIM service instance; possession is equivalent to administrative control of the gateway. The /read action exposes the listSecrets path, which returns the live key values.
Microsoft.ApiManagement/service/Tenants/keys/regeneratePrimaryKey/action
Regenerating the primary key invalidates the existing credential, denying access to legitimate key holders and tooling, while replacing it with a fresh value the attacker controls for persistent management access. The REST operation returns 204 No Content, so it does not itself disclose the new key (separate listSecrets call required).
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Links
Contributed by P0 Security