Critical APIM Developer Portal Flaw Enables Unauthorized Account Creation

A design flaw in Azure’s API Management Developer Portal enables unauthorized account creation across tenants.


Key Takeaways:

  • Azure APIM flaw allows unauthorized account creation across tenants.
  • Attackers can bypass disabled signup to access sensitive portal data.
  • Microsoft labels the risky behavior “by design,” urging alternative mitigations.

A security issue in the Azure API Management (APIM) Developer Portal allows attackers to create user accounts on any tenant. Microsoft has classified the behavior as “by design” despite its high-risk implications.

Azure API Management (APIM) is a cloud-based service that enables organizations to publish, secure, monitor, and manage APIs at scale. It acts as a gateway between backend services and API consumers, and provides features like authentication, rate limiting, analytics, and developer portals for onboarding. APIM centralizes API governance to help businesses maintain consistent security policies, improve performance, and streamline integration across multiple applications and platforms.

How does the unauthorized signup bypass work?

This vulnerability, classified as CWE-284 (Improper Access Control), occurs because disabling signup in the Developer Portal interface does not block registration requests at the backend. Even when administrators believe registration is blocked, the service still processes signup requests as long as Basic Authentication is enabled, leaving portals exposed to unauthorized account creation. The flaw is rated high severity with a CVSS score of 6.5. It affects all APIM tiers, including Developer, Basic, Standard, and Premium, whenever Basic Authentication is enabled.

To exploit this, an attacker first registers on a portal where sign-up is allowed and intercepts the request using a proxy tool, such as Burp Suite. They then modify the Host header to target a different tenant where signup is disabled. The altered request is accepted because the backend /signup endpoint does not validate tenant restrictions. This allows the attacker to gain access to sensitive resources, such as API documentation and subscription keys, without requiring administrator approval.
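The root cause described above is a signup handler that selects the tenant from the Host header but never checks that tenant's registration policy. The following added example (not Microsoft's code, and not a model of APIM internals) contrasts that flawed pattern with a handler that enforces the policy server-side. Tenant names, hostnames, and the request shape are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Tenant:
    name: str
    signup_enabled: bool              # server-side registration policy
    users: set = field(default_factory=set)


@dataclass
class SignupRequest:
    host: str                         # value of the HTTP Host header
    email: str


def make_tenants():
    """Constructed tenant table keyed by portal hostname (assumed layout)."""
    return {
        "open.example.test": Tenant("open", signup_enabled=True),
        "locked.example.test": Tenant("locked", signup_enabled=False),
    }


def signup_vulnerable(req, tenants):
    """Flawed pattern: Host selects the tenant, but that tenant's signup policy
    is never consulted. Hiding the form in the UI is the only 'control', so a
    request sent straight to the backend is accepted."""
    tenant = tenants.get(req.host)
    if tenant is None:
        return 404, "unknown tenant"
    tenant.users.add(req.email)
    return 201, f"account created in tenant {tenant.name}"


def signup_hardened(req, tenants):
    """Policy enforced on the backend: the tenant resolved from Host must allow
    signup, regardless of what the portal UI shows."""
    tenant = tenants.get(req.host)
    if tenant is None:
        return 404, "unknown tenant"
    if not tenant.signup_enabled:
        return 403, f"signup disabled for tenant {tenant.name}"
    tenant.users.add(req.email)
    return 201, f"account created in tenant {tenant.name}"


if __name__ == "__main__":
    # Same request against a tenant with signup disabled, through each handler.
    for handler in (signup_vulnerable, signup_hardened):
        tenants = make_tenants()
        req = SignupRequest(host="locked.example.test", email="new.user@example.test")
        status, msg = handler(req, tenants)
        users = sorted(tenants["locked.example.test"].users)
        print(f"{handler.__name__}: {status} {msg}; users now {users}")
```

The point of the hardened variant is that the decision is made from the tenant's own stored policy, so a UI toggle and the backend can never disagree.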

Mitigation steps for affected organizations

Microsoft has not released a patch for this issue and stated that the behavior is “by design.” To mitigate the risk, organizations should disable Basic Authentication and switch to a secure identity provider such as Azure Active Directory. This prevents attackers from exploiting the exposed /signup endpoint and bypassing tenant restrictions.

Additionally, administrators should regularly audit user accounts in the Developer Portal to identify and remove any unauthorized entries created after signup was disabled in the interface. They should also implement strict monitoring and logging of API calls and enforce least-privilege access policies to further reduce exposure.
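The audit and monitoring steps above, as an added example that is not part of the original article: one function flags accounts registered through the username/password ("basic") provider after the date signup was switched off, and another scans request logs for signup calls to a portal hostname after that date. The user records, log format, and field names are constructed assumptions; adapt them to what your user export and diagnostic logs actually contain.

```python
import re
from datetime import datetime, timezone

# Constructed developer-portal user export (field names assumed).
USERS = [
    {"email": "alice@example.test", "created": "2024-05-01T09:12:00Z", "provider": "aad",   "state": "active"},
    {"email": "bob@example.test",   "created": "2024-05-20T14:03:00Z", "provider": "basic", "state": "active"},
    {"email": "eve@example.test",   "created": "2024-06-11T02:41:00Z", "provider": "basic", "state": "active"},
    {"email": "mal@example.test",   "created": "2024-06-12T22:05:00Z", "provider": "basic", "state": "pending"},
]

# Constructed request-log lines in an assumed one-line-per-request format.
LOG = """\
2024-05-20T14:03:00Z 203.0.113.5 POST /signup host=locked.example.test status=201
2024-06-11T02:41:00Z 198.51.100.9 POST /signup host=locked.example.test status=201
2024-06-11T03:00:00Z 198.51.100.9 GET /apis host=locked.example.test status=200
this line is deliberately malformed and must be skipped
2024-06-12T22:05:00Z 198.51.100.9 POST /signup host=locked.example.test status=201
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"host=(?P<host>\S+) status=(?P<status>\d+)$"
)


def parse_ts(value):
    """Parse the UTC timestamps used in both the export and the log."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def suspect_accounts(users, signup_disabled_at):
    """Emails of accounts created via the basic provider after signup was disabled.
    Any such account could only exist if the backend accepted a signup the UI
    was supposed to prevent, so each one needs review."""
    cutoff = parse_ts(signup_disabled_at)
    return sorted(
        u["email"] for u in users
        if u["provider"] == "basic" and parse_ts(u["created"]) > cutoff
    )


def signup_attempts_after(log_text, host, signup_disabled_at):
    """(timestamp, client ip, status) for POST /signup calls to `host` after the
    cutoff; malformed log lines are skipped rather than aborting the scan."""
    cutoff = parse_ts(signup_disabled_at)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if (m["method"] == "POST" and m["path"] == "/signup"
                and m["host"] == host and parse_ts(m["ts"]) > cutoff):
            hits.append((m["ts"], m["ip"], int(m["status"])))
    return hits


if __name__ == "__main__":
    disabled_at = "2024-06-01T00:00:00Z"   # constructed: when signup was turned off
    print("accounts to review:", suspect_accounts(USERS, disabled_at))
    for ts, ip, status in signup_attempts_after(LOG, "locked.example.test", disabled_at):
        print(f"signup after cutoff: {ts} from {ip} -> HTTP {status}")
```

Run both checks on a schedule; a non-empty result from either is a signal to review the account and to confirm Basic Authentication is actually off for that portal.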