
Commit f79d6a3

nimakamoosi and Copilot committed
[APIM] Add security note about managed identity policy and Contributor role
Add IMPORTANT admonitions to the managed identity how-to guide and the authentication-managed-identity policy reference page. The notes clarify that users with API Management policy editing permissions (e.g., the API Management Service Contributor role) can use the managed identity policy to authenticate as the service's managed identity, and recommend following the principle of least privilege for both managed identity role assignments and policy editing access.

Co-authored-by: Copilot <[email protected]>
1 parent 4bcd54d commit f79d6a3

2 files changed

Lines changed: 9 additions & 0 deletions

File tree

articles/api-management/api-management-howto-use-managed-service-identity.md

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -26,6 +26,12 @@ You can grant two types of identities to an API Management instance:
2626
- A *system-assigned identity* is tied to your service and is deleted if your service is deleted. The service can have only one system-assigned identity.
2727
- A *user-assigned identity* is a standalone Azure resource that you can assign to your service. The service can have multiple user-assigned identities.
2828

29+
> [!IMPORTANT]
30+
> **Security consideration:** Users with permissions to edit API Management policies (for example, users assigned the [API Management Service Contributor](/azure/role-based-access-control/built-in-roles#api-management-service-contributor) role) can use the [`authentication-managed-identity`](authentication-managed-identity-policy.md) policy to authenticate as the service's managed identity. When you assign roles or permissions to the managed identity, be aware that any user who can edit policies may be able to access those same resources through the managed identity. To mitigate risk:
31+
> - Follow the [principle of least privilege](/entra/identity-platform/secure-least-privileged-access) when assigning roles to managed identities.
32+
> - Only grant the API Management Contributor role or policy editing permissions to trusted users.
33+
> - Regularly review and audit managed identity role assignments and who has access to edit API Management policies.
34+
2935
> [!NOTE]
3036
> - Managed identities are specific to the Microsoft Entra tenant in which your Azure subscription is hosted. They don't get updated if you move a subscription to a different directory. If you move a subscription, you need to recreate and reconfigure the identities.
3137
> - API Management managed identities are also specific to the Azure subscription in which the service is hosted. If you move the service to a different subscription in the same tenant, you need to recreate and reconfigure the identities.
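Review bot: The role name is inconsistent within the new admonition: the opening sentence (line 30 of the new text) links the built-in role as "API Management Service Contributor", but the second mitigation bullet (line 32) says "Only grant the API Management Contributor role or policy editing permissions to trusted users." Readers searching the built-in roles page will not find a role named "API Management Contributor"; use the full name from the link, e.g. "Only grant the API Management Service Contributor role or other policy editing permissions to trusted users." Also consider aligning the risk wording with the policy reference page in the same commit: this note says a policy editor "may be able to access those same resources", while the policy page states the policy "effectively grants that user access"; pick one formulation so the two pages do not read as disagreeing about the severity.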

articles/api-management/authentication-managed-identity-policy.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -20,6 +20,9 @@ Both system-assigned identity and any of the multiple user-assigned identities c
2020

2121
[!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)]
2222

23+
> [!IMPORTANT]
24+
> **Security consideration:** Any user with permissions to edit API Management policies (for example, users assigned the [API Management Service Contributor](/azure/role-based-access-control/built-in-roles#api-management-service-contributor) role) can use this policy to authenticate as the service's managed identity. This effectively grants that user access to any resource for which the managed identity has permissions. Ensure that you follow the [principle of least privilege](/entra/identity-platform/secure-least-privileged-access) both when assigning permissions to the managed identity and when granting users the ability to edit API Management policies. For more information, see [How to use managed identities in Azure API Management](api-management-howto-use-managed-service-identity.md).
25+
2326

2427
## Policy statement
2528
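Review bot: This admonition restates the full security consideration from the how-to guide rather than pointing to it, which invites drift between the two pages (the role name already differs between them in this commit). Since the new text ends with "For more information, see [How to use managed identities in Azure API Management](api-management-howto-use-managed-service-identity.md)", consider keeping the one-sentence statement of the risk here ("Any user with permissions to edit API Management policies ... can use this policy to authenticate as the service's managed identity") and leaving the mitigation guidance and least-privilege link to the how-to guide, which already carries the bulleted mitigation list. If both pages are meant to stand alone, at least use identical wording for the risk statement in both.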
