services / Azure / Function App authentication token

The Functions runtime/admin authentication token for a Function App, a bearer credential used to authenticate to and invoke the function host and key-management endpoints.

Returns usable credential material that grants control of the function runtime and can pivot to the app's identity.


Microsoft.Web/Sites/functions/token/read

Returns the Functions bearer token, which an attacker who holds it can replay to authenticate to and act as the function app, exfiltrating credential material and enabling lateral movement into the function's identity and key store.

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.

Links

  • https://azure.permissions.cloud/iam/microsoft.web
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog