services / Azure / API Management credential-manager authorization (connection)
An Authorization (connection) is a stored credential-manager record holding the OAuth access/refresh tokens (or client-credential secret) that APIM uses to call an OAuth-protected backend identity on the caller's behalf.
The stored tokens are encrypted and write-only: they are never returned by read/list APIs and are usable only at runtime through the get-authorization-context policy. Read operations expose only connection metadata/status.
Microsoft.ApiManagement/service/authorizationProviders/authorizations/confirmConsentCode/action
Confirming the consent code completes the OAuth flow and persists the access/refresh tokens into the connection, binding a backend identity's credentials that APIM can subsequently use, granting durable lateral access to that backend.
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Links
Contributed by P0 Security