services / Azure / APIM user accounts
Registered developer-portal user accounts within an API Management service instance, identifying developers who consume the published APIs.
User records include identifying attributes (name, email, state) and gate developer-portal access. They are identities, but they are scoped to the APIM developer portal rather than to Azure RBAC.
Microsoft.ApiManagement/service/users/token/action
Returns a Shared Access Authorization Token for the user. This exports credential material that authenticates as that identity, enabling impersonation or account takeover.
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Contributed by P0 Security
© 2023–present P0 Security and contributors to the IAM Privilege Catalog