services / Azure / API Management API operation policies

The policy configuration (XML) applied at the API operation level on an Azure API Management gateway, controlling inbound/outbound request processing such as authentication, authorization, rate limiting, IP filtering, and backend routing.

APIM operation policy XML acts as the gateway's enforcement layer and frequently references or embeds secret material (named-value references, authorization headers, backend credentials, tokens).


Microsoft.ApiManagement/service/apis/operations/policies/delete

Deleting an operation policy removes the controls enforced at that scope (for example JWT validation, rate limiting, IP restrictions) protecting that endpoint. The operation keeps serving traffic, but requests then pass through only the policies inherited from the API, product and global scopes, so any control that existed solely in the operation policy is silently gone. This disables defenses and alters how requests are processed.
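As an added example (not part of the catalog entry and not P0 Security's code), the following Python flags completed deletions of operation-scope APIM policies in Azure Activity Log records, the events this privilege produces when exercised. It assumes a simplified slice of the Activity Log field layout (`operationName.value`, `resourceId`, `status.value`, `caller`, `eventTimestamp`) and runs over constructed sample events; the subscription, service, API and operation names are placeholders.

```python
"""Detect successful deletions of operation-scope APIM policies in Azure
Activity Log records.

Added example for this catalog entry, not P0 Security's code. The field layout
(operationName.value, resourceId, status.value, caller, eventTimestamp) is a
simplified slice of the Activity Log event schema, and SAMPLE_EVENTS below are
constructed, not captured from a real tenant."""
import re
from typing import Dict, Iterable, List, Optional

# The privilege this entry describes. Azure action names are matched
# case-insensitively; Log Analytics exports them upper-cased.
OPERATION_POLICY_DELETE = "Microsoft.ApiManagement/service/apis/operations/policies/delete"

# Resource ID shape of an operation-scope policy (trailing segment is the
# policy id). API-scope policies lack the /operations/<op> segment, so this
# pattern deliberately does not match them.
_OPERATION_POLICY_ID = re.compile(
    r"/providers/Microsoft\.ApiManagement/service/(?P<service>[^/]+)"
    r"/apis/(?P<api>[^/]+)/operations/(?P<operation>[^/]+)/policies/[^/]+$",
    re.IGNORECASE,
)


def parse_operation_policy_id(resource_id: str) -> Optional[Dict[str, str]]:
    """Return {service, api, operation} for an operation-policy resource ID, else None."""
    m = _OPERATION_POLICY_ID.search(resource_id)
    return m.groupdict() if m else None


def find_operation_policy_deletions(events: Iterable[dict]) -> List[dict]:
    """Return one finding per completed operation-policy deletion."""
    findings = []
    for ev in events:
        action = ev.get("operationName", {}).get("value", "")
        if action.lower() != OPERATION_POLICY_DELETE.lower():
            continue
        # The Activity Log writes a Started record and then a Succeeded or
        # Failed one for the same request; only Succeeded means the policy
        # (and the controls it enforced) is actually gone.
        if ev.get("status", {}).get("value", "").lower() != "succeeded":
            continue
        scope = parse_operation_policy_id(ev.get("resourceId", ""))
        if scope is None:
            continue
        findings.append({"time": ev.get("eventTimestamp"), "caller": ev.get("caller"), **scope})
    return findings


def _event(action, resource_id, status, caller, ts):
    """Build one constructed Activity Log record in the simplified layout."""
    return {"operationName": {"value": action}, "resourceId": resource_id,
            "status": {"value": status}, "caller": caller, "eventTimestamp": ts}


# Placeholder subscription, resource group and service names (constructed).
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-apis"
_SVC = _SUB + "/providers/Microsoft.ApiManagement/service/contoso-apim"

# Constructed events: one real deletion (Started + Succeeded pair, the latter
# upper-cased as Log Analytics emits it), one failed attempt, and two records
# for other actions that must not be flagged.
SAMPLE_EVENTS = [
    _event(OPERATION_POLICY_DELETE, _SVC + "/apis/orders/operations/get-order/policies/policy",
           "Started", "alice@contoso.example", "2024-05-01T10:00:00Z"),
    _event(OPERATION_POLICY_DELETE.upper(), _SVC + "/apis/orders/operations/get-order/policies/policy",
           "Succeeded", "alice@contoso.example", "2024-05-01T10:00:02Z"),
    _event(OPERATION_POLICY_DELETE, _SVC + "/apis/orders/operations/cancel-order/policies/policy",
           "Failed", "bob@contoso.example", "2024-05-01T10:05:00Z"),
    _event("Microsoft.ApiManagement/service/apis/policies/delete", _SVC + "/apis/orders/policies/policy",
           "Succeeded", "carol@contoso.example", "2024-05-01T10:06:00Z"),
    _event("Microsoft.ApiManagement/service/apis/operations/policies/read",
           _SVC + "/apis/orders/operations/get-order/policies/policy",
           "Succeeded", "dave@contoso.example", "2024-05-01T10:07:00Z"),
]

if __name__ == "__main__":
    for f in find_operation_policy_deletions(SAMPLE_EVENTS):
        print(f"{f['time']} {f['caller']} deleted operation policy "
              f"{f['service']}/{f['api']}/{f['operation']}")
```

Run as a script it reports the single completed deletion by alice on `contoso-apim/orders/get-order`. The API-scope deletion (`.../apis/policies/delete`) is a different privilege and is intentionally not matched here; add that action and a second resource-ID pattern if one rule should cover both scopes.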

Risks

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https://azure.permissions.cloud/iam/Microsoft.ApiManagement
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog