This blog post shows how a user with Reader-level access to an Azure API Management (APIM) resource actually had the equivalent of Contributor-level access, allowing the user to read, modify and even delete the resource's configuration via the Direct Management API. This was possible because a regular user with read access to the Azure APIM resource was allowed to read the keys of any APIM user via the Azure Resource Manager REST API. Those keys can be used to generate shared access signatures (SAS) that authenticate to the Direct Management API, which in turn permits any management operation on the API Management resource.