Azure: API policies configuration
The API-level policy configuration (XML) in Azure API Management defines the gateway's request/response processing for an API: authentication (validate-jwt), authorization, IP filtering, rate limiting, caching, and backend routing/transformation.
Policy XML is the gateway's security and routing enforcement layer. It may reference named values and secrets, but read access returns those only as references, not as decrypted secret material.
Microsoft.ApiManagement/service/apis/Policies/delete
Deleting the API policy strips whatever protections it enforced (authentication, authorization, IP filtering, rate limiting), weakening the gateway's defenses and reverting or altering how requests to that API are processed.
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Contributed by P0 Security