services / Azure / APIM identity providers
Identity provider configurations for an Azure API Management service, defining the external/federated authentication sources (AAD, OAuth, social logins) used to authenticate to the developer portal.
These configurations govern who can authenticate to the API Management portal and management surface; their secrets are usable IdP credentials.
Microsoft.ApiManagement/service/identityProviders/listSecrets/action
Returns the IdP client secrets (OAuth/AAD app credentials), letting an attacker export usable credential material and impersonate the federated identity integration to pivot.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or lead to significant privilege escalation if exploited.
Contributed by P0 Security