Azure / API Management credential-manager authorization provider

An AuthorizationProvider (credential manager) defines an OAuth 2.0 credential-provider connection configuration (identity provider, client id, scopes, grant type) used by APIM to broker tokens to backend SaaS/OAuth APIs.

Provider configuration may reference a client secret, but read operations do not return secret material; the stored access/refresh tokens live in child Authorization records and are write-only (usable only at runtime via the get-authorization-context policy).


Microsoft.ApiManagement/service/authorizationProviders/write

Creating or updating an authorization provider lets an attacker register an attacker-controlled OAuth credential-provider configuration (client id/secret, identity provider), gaining a foothold for brokering token access to backends and altering integration configuration.

Risks

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https://azure.permissions.cloud/iam/Microsoft.ApiManagement
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog