services / Azure / API Management API operation policies
The policy configuration (XML) applied at the API operation level on an Azure API Management gateway, controlling inbound/outbound request processing such as authentication, authorization, rate limiting, IP filtering, and backend routing.
APIM operation policy XML acts as the gateway's enforcement layer and frequently references or embeds secret material (named-value references, authorization headers, backend credentials, tokens).
Microsoft.ApiManagement/service/apis/Operations/Policies/delete
Deleting an operation policy removes the enforced controls (auth validation, rate limiting, IP restrictions) protecting that endpoint, disabling defenses and altering how requests are processed.
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Contributed by P0 Security