API Mgmt
api-mgmt is the API Management triage command for gateway posture, secret-handling cues, and
backend linkage.
Use it when you need to know which APIM service deserves review before you dive into deeper portal, backend, or service-specific detail.
- Which APIM service should you inspect first?
- Which one combines gateway reachability, secret dependency, and backend consequence in a way that matters now?
- Which service most changes what an attacker or operator could reach next?
```
azurefox api-mgmt --output table
```

For saved structured output:

```
azurefox api-mgmt --output json
```

| service | gateway | identity | inventory | exposure | posture |
|---|---|---|---|---|---|
| apim-edge-01 | apim-edge-01.azure-api.net; api.contoso.com | SystemAssigned | apis=2; subs=3; backends=1; named-values=2 | gateway=2; management=1; portal=1; public=Enabled | Developer; vnet=External; gateway=yes; devportal=Enabled; kv-backed=1 |
- when APIM may be acting as the public edge or control point for internal APIs
- when gateway posture and secret handling matter more than generic resource counts
- when you need to rank APIM instances before looking at backend systems
- public gateway, management, or portal hostnames
- named-value and Key Vault dependency cues
- managed identity presence
- subscription and backend complexity that makes one APIM service much more central than the rest
APIM can combine exposure, secret handling, and trust to downstream services in one place.
A publicly reachable gateway with many named values, Key Vault linkage, and interesting backend
relationships can matter much more than a quieter internal service. api-mgmt helps you spot the
APIM service that changes the trust story fastest.
- visible gateway reachability or public network relevance
- richer named-value or Key Vault dependency cues
- broader subscription and backend complexity
- identity context that makes the gateway more operationally important
- If you see public gateway, management, or portal hostnames, go next to Endpoints because it surfaces the externally visible ingress points around the APIM service.
- If you see `named_value_key_vault_count` or `named_value_secret_count` above zero, go next to Keyvault because it shows the secret-management boundary behind that APIM configuration.
- If the APIM service uses managed identity, go next to Permissions because it confirms whether that gateway identity already holds meaningful Azure roles.
- Start with the APIM service that is both externally relevant and internally consequential.
- Pair gateway posture with secret and identity posture instead of treating them as separate issues.
- Use the backend and secret cues to choose whether your next step belongs in ingress, secrets, or identity review.
api-mgmt is an APIM service triage command.
It should rank the APIM services that most deserve follow-up first. It is not a full APIM export, subscription-key workflow, or backend-content dump.
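The follow-up rules above can be applied mechanically to table rows. The sketch below is an added example, not AzureFox code: it parses the `key=value; key=value` cell syntax from the sample row on this page and returns the next commands to run. The second row, the helper names, and the meaning assigned to `gateway`/`management`/`portal`, `public` and `kv-backed` are assumptions.

```python
# Added example, not AzureFox code. Cell syntax follows the sample row on this
# page; the meaning assigned to each key is an assumption noted where it is used.
ROWS = [
    {"service": "apim-edge-01", "identity": "SystemAssigned",  # row from this page
     "inventory": "apis=2; subs=3; backends=1; named-values=2",
     "exposure": "gateway=2; management=1; portal=1; public=Enabled",
     "posture": "Developer; vnet=External; gateway=yes; devportal=Enabled; kv-backed=1"},
    {"service": "apim-int-02", "identity": "None",  # constructed contrast row
     "inventory": "apis=5; subs=1; backends=2; named-values=0",
     "exposure": "gateway=1; management=1; portal=0; public=Disabled",
     "posture": "Premium; vnet=Internal; gateway=yes; devportal=Disabled; kv-backed=0"},
]

def parse_cell(cell):
    """Split 'k=v; k=v; bare' into a dict; bare tokens such as the SKU map to True."""
    out = {}
    for token in filter(None, (t.strip() for t in cell.split(";"))):
        key, sep, value = token.partition("=")
        value = value.strip()
        out[key.strip()] = (int(value) if value.isdigit() else value) if sep else True
    return out

def num(cell, key):
    """Integer value of key, or 0 when it is missing or not a plain count."""
    value = cell.get(key)
    return value if type(value) is int else 0

def next_steps(row):
    """Map one table row to the follow-up commands this guide names."""
    exposure, posture = parse_cell(row["exposure"]), parse_cell(row["posture"])
    steps = []
    # Assumption: gateway/management/portal are hostname counts; public is network access.
    hosts = sum(num(exposure, k) for k in ("gateway", "management", "portal"))
    if hosts and exposure.get("public") == "Enabled":
        steps.append("Endpoints")
    if num(posture, "kv-backed"):  # assumption: count of Key Vault-backed named values
        steps.append("Keyvault")
    if row["identity"].strip() not in ("", "-", "None"):  # assumption: empty markers
        steps.append("Permissions")
    return steps

def rank(rows):
    """Most follow-up pivots first; ties broken by subscription + backend volume."""
    def weight(row):
        inv = parse_cell(row["inventory"])
        return len(next_steps(row)), num(inv, "subs") + num(inv, "backends")
    return sorted(rows, key=weight, reverse=True)

if __name__ == "__main__":
    for row in rank(ROWS):
        print(row["service"], "->", ", ".join(next_steps(row)) or "no pivot")
```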