Storing Secrets in AAD Profile that are Only Accessible to that User

Peter N. Moore 0 Reputation points
2023-01-25T21:54:48.7466667+00:00

In the context of an application using AAD for SSO, I want to be able to store a user-specific secret in each user's AAD profile that only they (or perhaps an admin, but certainly not a standard user) can access via the Graph API after logging in through SSO. The secret will be used by the application as an additional layer of security.

The problem with extension attributes is that any directory user can read the values for any user using the Graph API.

What I basically need is the equivalent of the Windows Data Protection API, except for AAD instead of on-prem AD.

Is there any way to do this? Thanks.


1 answer

Vasil Michev 61,906 Reputation points Microsoft MVP
2023-01-26T07:59:28.6433333+00:00

The best you can currently do in Azure AD is leverage custom security attributes. You can granularly control who can see and modify them, and they are supported in both the portal UI and the API.

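As an added illustration of the approach in the answer (this is not code from the answer or from Microsoft), the assignment and read-back of a custom security attribute with the Microsoft Graph PowerShell SDK. It assumes an attribute set named `AppSecurity` with a string attribute `UserSecret` has already been defined by an Attribute Definition Administrator; both names and the user principal name are hypothetical, and the read-back relies on the SDK exposing attribute sets through `AdditionalProperties`.

```powershell
# Added example, not from the answer above. The attribute set "AppSecurity"
# and attribute "UserSecret" are assumed to exist already (hypothetical names).
# Cmdlets come from the Microsoft Graph PowerShell SDK (Microsoft.Graph.Users).

# Custom security attribute values are visible only to principals holding
# Attribute Assignment Administrator (read/write) or Attribute Assignment
# Reader (read), or an app granted the matching application permission.
# A standard user cannot read them, even on their own user object, which is
# what keeps the value out of reach of other directory users.
Connect-MgGraph -Scopes "CustomSecAttributeAssignment.ReadWrite.All"

$userId = "user@contoso.example"   # placeholder UPN or object id

# Assign the per-user value. Each attribute set is a nested hashtable and
# must carry the @odata.type marker or Graph rejects the request.
$attributes = @{
    AppSecurity = @{
        "@odata.type" = "#Microsoft.DirectoryServices.CustomSecurityAttributeValue"
        UserSecret    = "opaque-value-generated-by-the-app"   # constructed sample
    }
}
Update-MgUser -UserId $userId -CustomSecurityAttributes $attributes

# Read it back. customSecurityAttributes is only returned when selected
# explicitly, and it comes back empty when the caller lacks the reader role,
# so treat "nothing returned" as a permission or assignment problem.
$user  = Get-MgUser -UserId $userId -Property "id,customSecurityAttributes"
$value = $user.CustomSecurityAttributes.AdditionalProperties["AppSecurity"]["UserSecret"]
if (-not $value) {
    throw "No value returned: check the attribute assignment and the caller's role."
}
$value
```

Because the user cannot read the attribute themselves, the application reads it with its own identity after the user has signed in, which is the access pattern the question describes.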