Best practices for deploying passwords and other sensitive data to ASP.NET and Azure App Service

by Rick Anderson

Warning

  • Never store passwords or other sensitive data in source code, including configuration files.
  • Never use production secrets in development and test.

We recommend using the most secure authentication option. For Azure services, the most secure authentication is managed identities. For many apps, the most secure option is to use the Azure Key Vault.

Avoid Resource Owner Password Credentials Grant because it:

  • Exposes the user's password to the client.
  • Is a significant security risk.
  • Should only be used when other authentication flows are not possible.

Managed identities are a secure way to authenticate to services without needing to store credentials in code, environment variables, or configuration files. Managed identities are available for Azure services, and can be used with Azure SQL, Azure Storage, and other Azure services:

When the app is deployed to a test server, an environment variable can be used to set the connection string to a test database server. For more information, see Configuration. An environment variable should NEVER be used to store a production connection string.
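As an added example that is not part of this article, the following Program.cs applies these rules in an ASP.NET Core app: a test server supplies the connection string through an environment variable, production reads it from Key Vault through the App Service managed identity, and the app refuses to start if a production connection string turns up in an environment variable. It assumes the Azure.Identity and Azure.Extensions.AspNetCore.Configuration.Secrets NuGet packages and a KeyVaultUri setting in appsettings.json (both assumptions, not from the article).

```csharp
// Program.cs (added example). Assumes packages Azure.Identity and
// Azure.Extensions.AspNetCore.Configuration.Secrets, and a "KeyVaultUri" setting.
using Azure.Identity;

var builder = WebApplication.CreateBuilder(args);
// CreateBuilder already layers appsettings.json, environment variables and, in
// Development, the Secret Manager store (secrets live outside the project tree).

if (builder.Environment.IsProduction())
{
    // Added guard: a production connection string must never come from an
    // environment variable. Fail fast rather than silently accept one.
    if (Environment.GetEnvironmentVariable("ConnectionStrings__DefaultConnection") is not null)
    {
        throw new InvalidOperationException(
            "Production connection strings must come from Key Vault, not environment variables.");
    }

    // Production: pull secrets from Key Vault. DefaultAzureCredential uses the
    // App Service managed identity, so no credential is stored anywhere in the app.
    var keyVaultUri = new Uri(builder.Configuration["KeyVaultUri"]
        ?? throw new InvalidOperationException("KeyVaultUri setting is missing."));
    builder.Configuration.AddAzureKeyVault(keyVaultUri, new DefaultAzureCredential());
}
// Any other environment (for example a test server) needs no extra code: setting
// ConnectionStrings__DefaultConnection on the host is picked up by the default
// environment-variable provider.

var app = builder.Build();

app.MapGet("/", (IConfiguration config) =>
{
    // A Key Vault secret named "ConnectionStrings--DefaultConnection" surfaces here as
    // ConnectionStrings:DefaultConnection ("--" maps to ":"), the same key a test
    // server sets through its environment variable.
    var cs = config.GetConnectionString("DefaultConnection");
    return cs is null ? "No connection string configured." : "Connection string loaded.";
});

app.Run();
```

For Azure SQL, the secret itself can hold a connection string that authenticates with the managed identity (no password), so Key Vault then holds no credential either.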

For more information, see: