Storing Secrets in AAD Profile that are Only Accessible to that User

Peter N. Moore 0 Reputation points
2023-01-25T21:54:48.7466667+00:00

In the context of an application using AAD for SSO, I want to be able to store a user-specific secret in each user's AAD profile that only they (or perhaps an admin, but certainly not a standard user) can access via the Graph API after logging in through SSO. The secret will be used by the application as an additional layer of security.

The problem with extension attributes is that any directory user can read the values for any user using the Graph API.

What I basically need is the equivalent of the Windows Data Protection API, except for AAD instead of on-prem AD.

Is there any way to do this? Thanks.

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
10,468 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,311 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Vasil Michev 94,206 Reputation points MVP
    2023-01-26T07:59:28.6433333+00:00

    The best you can currently do in Azure AD is leverage custom security attributes. You can granularity control who can see and modify them, and they are supported in both the portal UI and the API.

    0 comments No comments