services / Azure / APIM developer portal config
Configuration of the API Management developer portal (a public-facing site), including sign-in/sign-up, delegation, CORS, and CSP settings.
The developer portal is an externally visible asset; its config controls public access and delegated-authentication behavior.
Microsoft.ApiManagement/service/portalConfigs/listDelegationSecrets/action
Returns the portal delegation validation (signing) key, cryptographic credential material an attacker can use to forge valid delegation sign-in/subscription requests and impersonate portal users.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Links
Contributed by P0 Security
© 2023–present P0 Security and contributors to the IAM Privilege Catalog