Azure Resource Graph APIM With Basic Auth Enabled
Query
//https://github.com/bountyyfi/Azure-APIM-Cross-Tenant-Signup-Bypass
//Remove Basic authentication from APIM developer portals ASAP, insecure default!
resources
| where type == "microsoft.apimanagement/service/identityproviders"
| where name endswith "/basic"
| project apimInstance=tostring(split(id, "/providers/Microsoft.ApiManagement/service/")[1]), resourceGroup, subscriptionIdExplanation
This query is designed to identify Azure API Management (APIM) instances that are using Basic authentication in their developer portals, which is considered insecure. Here's a simple breakdown of what the query does:
-
Target Resource Type: It looks at resources of the type
microsoft.apimanagement/service/identityproviders. These are related to identity providers configured for API Management services. -
Filter for Basic Authentication: It filters these resources to find those whose names end with "/basic", indicating they are using Basic authentication.
-
Extract Information: For each of these resources, it extracts and displays:
- The name of the APIM instance (
apimInstance). - The resource group it belongs to (
resourceGroup). - The subscription ID associated with it (
subscriptionId).
- The name of the APIM instance (
The overall goal is to quickly identify and address any APIM instances that are using Basic authentication, which should be removed or replaced with a more secure method.
Details

Jay Kerai
Released: December 2, 2025
Tables
Keywords
Operators