services / Azure / ExpressRoute circuit authorizations
An ExpressRoute circuit authorization is a grant (with an associated authorization key) that permits a virtual network gateway to link into a private ExpressRoute circuit, providing hybrid/private connectivity between Azure and on-premises or other networks.
Authorization keys are connection credentials: anyone holding one can link their own gateway to the private circuit, which makes them sensitive credential material for a single production network function.
Microsoft.Network/expressRouteCircuits/authorizations/addAuthorization/action
Creates a new authorization, generating a redeemable authorization key that lets an attacker link their own gateway/VNet into the private circuit and establish a durable connectivity grant.
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Contributed by P0 Security