The best you can currently do in Azure AD is leverage custom security attributes. You can granularly control who can see and modify them, and they are supported in both the portal UI and the API.
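As an added example (not code from the question or the answer), here are the Microsoft Graph v1.0 calls behind that suggestion: assigning a custom security attribute to a user and reading it back with the required `$select`. It assumes a placeholder attribute set `AppSecrets` containing a string attribute `recoveryToken` already defined in the tenant, an access token obtained out of band, and uses `FakeGraph`, a constructed in-memory stand-in, so the example runs offline.

```python
GRAPH = "https://graph.microsoft.com/v1.0"
ODATA_TYPE = "#Microsoft.DirectoryServices.CustomSecurityAttributeValue"
# send(method, url, headers, json_body_or_None) -> (status, json_body_or_None) is an
# injected transport so the example runs offline; wrap requests/httpx for a real tenant.

def assignment_body(attribute_set: str, name: str, value) -> dict:
    """PATCH body for one attribute. Graph rejects the attribute-set object without the
    @odata.type marker; a value of None removes that single attribute value."""
    return {"customSecurityAttributes": {attribute_set: {"@odata.type": ODATA_TYPE, name: value}}}

def assign_attribute(send, token: str, user_id: str, attribute_set: str, name: str, value) -> bool:
    """PATCH /users/{id}: needs CustomSecAttributeAssignment.ReadWrite.All and the
    Attribute Assignment Administrator role on the caller; 204 No Content means success."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    status, _ = send("PATCH", f"{GRAPH}/users/{user_id}", headers,
                     assignment_body(attribute_set, name, value))
    return status == 204

def read_attribute(send, token: str, user_id: str, attribute_set: str, name: str):
    """GET must $select customSecurityAttributes (not returned by default); the caller needs
    CustomSecAttributeAssignment.Read.All plus the Attribute Assignment Reader role.
    Treat a missing value as 'not set or not permitted to read'."""
    status, body = send("GET", f"{GRAPH}/users/{user_id}?$select=id,customSecurityAttributes",
                        {"Authorization": f"Bearer {token}"}, None)
    if status != 200 or not body:
        return None
    return ((body.get("customSecurityAttributes") or {}).get(attribute_set) or {}).get(name)

class FakeGraph:
    """Constructed in-memory stand-in for the two Graph calls above, not a real tenant."""
    def __init__(self) -> None:
        self.users: dict = {}

    def __call__(self, method: str, url: str, headers: dict, body) -> tuple:
        if headers.get("Authorization", "Bearer ") == "Bearer ":
            return 401, None  # missing or empty bearer token
        user_id = url.split("/users/", 1)[1].split("?", 1)[0]
        if method == "GET":
            return 200, {"id": user_id, "customSecurityAttributes": self.users.get(user_id, {})}
        if method != "PATCH":
            return 405, None
        for aset, attrs in body["customSecurityAttributes"].items():
            store = self.users.setdefault(user_id, {}).setdefault(aset, {})
            store.update({k: v for k, v in attrs.items() if k != "@odata.type"})
            self.users[user_id][aset] = {k: v for k, v in store.items() if v is not None}
        return 204, None
```

Whoever holds the Attribute Assignment Reader role (and the Graph permission) can read every value, so the attribute set's role assignments are the access boundary here.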
Storing Secrets in AAD Profile that are Only Accessible to that User
In the context of an application using AAD for SSO, I want to be able to store a user-specific secret in each user's AAD profile that only they (or perhaps an admin, but certainly not a standard user) can access via the Graph API after logging in through SSO. The secret will be used by the application as an additional layer of security.
The problem with extension attributes is that any directory user can read the values for any user using the Graph API.
What I basically need is the equivalent of the Windows Data Protection API, except for AAD instead of on-prem AD.
Is there any way to do this? Thanks.