The Risk of “User_impersonation” Permission in Azure Service Management API

Fabien Soulis
2 min read · Jul 10, 2024


This is a short article to warn you about the risk of clicking “Accept” on a consent prompt asking to “Access Azure Service Management as you”, like this one:

(Cloudability is secure. They only needed this permission to configure the Reader role on an Enterprise application. In the end, it was decided to perform this step manually and to ignore this prompt entirely.)

Behind this prompt, the application is requesting the “user_impersonation” permission:

When you accept such a prompt, you grant the application the delegated permission to request an OAuth access token and use it to access Azure on your behalf.

For more details, see the official documentation:

With this token, the app can do in Azure whatever its developer has programmed it to do, using the rights of your own Azure account.

This means that if the app developer is malicious, or if the application itself is compromised, malicious actions could be performed inside Azure with your account without your knowledge.

Before accepting this kind of prompt, it is recommended to:

  1. Ask the vendor what the app will do with your OAuth token inside Azure, and whether you can perform those actions manually yourself. Most of the time, the answer is yes.
  2. If the solution really requires this permission to work, make sure you understand exactly what it will do in Azure on behalf of the signed-in users, and ensure the application is secure. To reduce the risk, you can create a service account with just enough permissions in Azure for the app to complete its installation, and delete that account afterwards. If the application always needs to access Azure as the user, remove the permissions that are no longer necessary after installation and keep only those needed at run time.
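Reviewing which applications already hold this permission is part of the same exercise. The following is an added example, not the author's code: it takes delegated grants and service principals shaped like the Microsoft Graph `oauth2PermissionGrants` and `servicePrincipals` objects and lists every app granted `user_impersonation` on the Azure Service Management resource, distinguishing tenant-wide admin consent from a single user's consent. The object IDs, app IDs, display names and the match on the resource's display name are constructed assumptions; in a real tenant you would match on the resource service principal's well-known appId.

```python
import json

# Constructed sample shaped like Microsoft Graph responses (not real tenant data):
# GET /servicePrincipals      -> id, appId, displayName
# GET /oauth2PermissionGrants -> clientId, resourceId, consentType, principalId, scope
SERVICE_PRINCIPALS = json.loads("""[
 {"id": "sp-arm-0001",   "appId": "00000000-0000-0000-0000-00000000aaaa", "displayName": "Windows Azure Service Management API"},
 {"id": "sp-graph-0001", "appId": "00000000-0000-0000-0000-00000000bbbb", "displayName": "Microsoft Graph"},
 {"id": "sp-cost-0001",  "appId": "00000000-0000-0000-0000-00000000cccc", "displayName": "Example Cost Tool"},
 {"id": "sp-mail-0001",  "appId": "00000000-0000-0000-0000-00000000dddd", "displayName": "Example Mail Add-in"}
]""")

GRANTS = json.loads("""[
 {"clientId": "sp-cost-0001", "resourceId": "sp-arm-0001",   "consentType": "AllPrincipals", "principalId": null,      "scope": "user_impersonation"},
 {"clientId": "sp-mail-0001", "resourceId": "sp-graph-0001", "consentType": "Principal",     "principalId": "user-42", "scope": "User.Read Mail.Read"},
 {"clientId": "sp-mail-0001", "resourceId": "sp-arm-0001",   "consentType": "Principal",     "principalId": "user-42", "scope": "user_impersonation"}
]""")

# Assumption: the ARM resource is identified by display name here; in a real tenant,
# match on the resource service principal's appId instead.
ARM_DISPLAY_NAME = "Windows Azure Service Management API"


def find_arm_impersonation_grants(service_principals, grants):
    """Return one record per delegated grant of user_impersonation on the ARM resource."""
    by_id = {sp["id"]: sp for sp in service_principals}
    arm_ids = {sp["id"] for sp in service_principals if sp["displayName"] == ARM_DISPLAY_NAME}
    findings = []
    for g in grants:
        scopes = (g.get("scope") or "").split()  # scope is a space-separated list
        if g["resourceId"] in arm_ids and "user_impersonation" in scopes:
            client = by_id.get(g["clientId"], {})
            findings.append({
                "client": client.get("displayName", g["clientId"]),
                "client_app_id": client.get("appId"),
                # AllPrincipals = an admin consented for every user; Principal = one user consented
                "tenant_wide": g["consentType"] == "AllPrincipals",
                "principal": g.get("principalId"),
            })
    return findings


if __name__ == "__main__":
    for f in find_arm_impersonation_grants(SERVICE_PRINCIPALS, GRANTS):
        who = "all users (admin consent)" if f["tenant_wide"] else f"user {f['principal']}"
        print(f"{f['client']} can call Azure Service Management as {who}")
```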

I’m a Security Architect / CTO and part-time Web security teacher at Panthéon-Sorbonne University, Paris.

I write about IT security and business. If you find this article compelling, please do not hesitate to express your appreciation by clapping, sharing, and following me here or on LinkedIn. Should you have any questions or wish to contribute to improving the content, feel free to leave a comment :)

If you want to secure your e-mails from spoofing attacks and easily troubleshoot e-mail delivery issues, feel free to visit my company’s website and book a call with me and my team: https://www.dmarc-expert.com/offers
