Azure API Management: credential-manager authorization (connection)
An Authorization (connection) is a stored credential-manager record holding the OAuth access and refresh tokens (or the client-credential secret) that APIM uses to call an OAuth-protected backend as a given identity, on the caller's behalf.
The stored tokens are encrypted and write-only: they are never returned by read/list APIs and are usable only at runtime through the get-authorization-context policy. Read operations expose only connection metadata/status.
Microsoft.ApiManagement/service/authorizationProviders/authorizations/write
Creating an authorization establishes a stored OAuth credential (connection) bound to a backend identity. An attacker holding this permission can therefore provision a durable credential connection of their own that APIM policies can use to act as that identity, enabling lateral movement to the backend.
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Contributed by P0 Security