services / Azure / Automation DSC agent registration information
DSC agent registration information for an Azure Automation account contains the registration endpoint URL and the primary/secondary registration keys that machines use to enroll as DSC pull-mode managed nodes.
The registration keys are credential material: holding them lets an attacker onboard arbitrary/rogue nodes and pull or push desired-state configurations to managed machines, so this resource is treated as CRITICAL.
Microsoft.Automation/automationAccounts/agentRegistrationInformation/read
The GET returns the registration endpoint and primary/secondary registration keys (credentials), exporting secret material that lets an attacker register nodes and pivot onto managed machines.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploitation could lead to significant privilege escalation.
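To find which role definitions grant this permission, the following added example (not part of the original catalog entry or of any Microsoft or P0 Security tooling) checks each role's actions and notActions against the permission string, including wildcard grants. It assumes role definitions in the JSON shape that `az role definition list` emits (`roleName`, `permissions[].actions`, `permissions[].notActions`); the sample roles and the function names are constructed for illustration.

```python
import re

TARGET = "Microsoft.Automation/automationAccounts/agentRegistrationInformation/read"

def _matches(pattern, action):
    # Azure RBAC action strings use '*' as the only wildcard and compare
    # case-insensitively, so translate the pattern to an anchored regex.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def grants(permission_block, action=TARGET):
    # Within one permissions block: effective = actions minus notActions.
    allowed = any(_matches(p, action) for p in permission_block.get("actions", []))
    excluded = any(_matches(p, action) for p in permission_block.get("notActions", []))
    return allowed and not excluded

def roles_granting(role_definitions, action=TARGET):
    # A role grants the action if any of its permissions blocks does.
    return [
        role["roleName"]
        for role in role_definitions
        if any(grants(block, action) for block in role.get("permissions", []))
    ]

# Constructed sample input (hypothetical role names, not real built-in roles).
SAMPLE_ROLES = [
    {"roleName": "Constructed DSC Onboarder",
     "permissions": [{"actions": [TARGET], "notActions": []}]},
    {"roleName": "Constructed Automation Wildcard",
     "permissions": [{"actions": ["Microsoft.Automation/automationAccounts/*"],
                      "notActions": []}]},
    {"roleName": "Constructed Read Everything",
     "permissions": [{"actions": ["*/read"], "notActions": []}]},
    {"roleName": "Constructed Automation Minus Keys",
     "permissions": [{"actions": ["Microsoft.Automation/*"],
                      "notActions": ["Microsoft.Automation/automationAccounts/"
                                     "agentRegistrationInformation/*"]}]},
    {"roleName": "Constructed Runbook Reader",
     "permissions": [{"actions": ["Microsoft.Automation/automationAccounts/runbooks/read"],
                      "notActions": []}]},
]

if __name__ == "__main__":
    for name in roles_granting(SAMPLE_ROLES):
        print("grants registration key read:", name)
```

Roles that reach the permission only through a wildcard are the ones most easily missed in a review, which is why the check matches patterns rather than comparing strings.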
Contributed by P0 Security