In the context of an application using AAD for SSO, I want to be able to store a user-specific secret in each user's AAD profile that only they (or perhaps an admin, but certainly not a standard user) can access via the Graph API after logging in through SSO. The secret will be used by the application as an additional layer of security.
The problem with extension attributes is that any directory user can read the values for any user using the Graph API.
What I basically need is the equivalent of the Windows Data Protection API, except for AAD instead of on-prem AD.
Is there any way to do this? Thanks.