services / Azure / API Management credential-manager authorization provider
An AuthorizationProvider (credential manager) defines an OAuth 2.0 credential-provider connection configuration (identity provider, client id, scopes, grant type) used by APIM to broker tokens to backend SaaS/OAuth APIs.
Provider configuration may reference a client secret, but read operations do not return secret material; the stored access/refresh tokens live in child Authorization records and are write-only (usable only at runtime via the get-authorization-context policy).
Microsoft.ApiManagement/service/authorizationProviders/write
Creating or updating an authorization provider lets an attacker wire an attacker-controlled OAuth credential-provider configuration (client id/secret, identity provider) into APIM, as a foothold for brokering token access to backends and altering integration configuration.
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Contributed by P0 Security