services / Azure / API Management credential-manager authorization (connection)

An Authorization (connection) is a stored credential-manager record holding the OAuth access/refresh tokens (or client-credential secret) that APIM uses to call an OAuth-protected backend identity on the caller's behalf.

The stored tokens are encrypted and write-only: they are never returned by read/list APIs and are usable only at runtime through the get-authorization-context policy. Read operations expose only connection metadata/status.


Microsoft.ApiManagement/service/authorizationProviders/authorizations/delete

Deleting an authorization destroys the stored OAuth token/credential connection and breaks the backend access that dependent APIs rely on, denying authorized operation.

Risks

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https://azure.permissions.cloud/iam/Microsoft.ApiManagement
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog