services / Azure / APIM developer portal config

Configuration of the API Management developer portal (a public-facing site), including sign-in/sign-up, delegation, CORS, and CSP settings.

The developer portal is an externally visible asset; its config controls public access and delegated-authentication behavior.


Microsoft.​ApiManagement/​service/​portalConfigs/​listDelegationSecrets/​action

Returns the portal delegation validation (signing) key, cryptographic credential material an attacker can use to forge valid delegation sign-in/subscription requests and impersonate portal users.

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https:​/​/​azure.​permissions.​cloud/​iam/​Microsoft.​ApiManagement
  • https:​/​/​learn.​microsoft.​com/​en-​us/​azure/​role-​based-​access-​control/​resource-​provider-​operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog