Should we store ClientID (ApplicationID) as Secret name in azure key vault?

Question

Should we store ClientID (ApplicationID) as Secret name in azure key vault?

Subhash Kumar Mahato 265

Hi,

We want to store the app registration secret value in Azure Key Vault and I’m looking for best practices regarding this. In addition, I have the following question:

Should we store the app registration client ID as the secret name in Azure Key Vault?

Additionally, we can use the client ID (Application ID) as the secret name, so is that advisable? What are the recommended practices for naming conventions and structuring secrets in Azure Key Vault?

Thank you for your assistance

Accepted answer

0 additional answers

Your answer

Answer 1

Deepanshu katara 17,025 MVP Moderator

Hello Subash , Welcome to MS Q&A

Answer to 1st question -->Storing the app registration client ID as the secret name in Azure Key Vault is not recommended. Instead, you should use Azure Key Vault to store sensitive information such as client application secrets, connection strings, and passwords. The client ID itself is not a secret and is typically used to identify the application rather than to secure it.

For best practices, it's advisable to store secrets in a secure manner and avoid exposing sensitive information unnecessarily.

Answer to 2nd question -->Using the client ID (Application ID) as the secret name in Azure Key Vault is not advisable. It's important to avoid using easily identifiable information as secret names, as this can expose sensitive data and increase the risk of unauthorized access. Instead, consider using more generic or non-identifiable names for secrets to enhance security.

Answer to 3rd question-->

Storing app registration secret values in Azure Key Vault involves several best practices:

Use Key Vault for Secrets: Store all sensitive information like app registration secrets in Azure Key Vault instead of hardcoding them in your application. This enhances security by centralizing secret management.

Naming Conventions: Adopt a consistent naming convention for your secrets. This can include the application name, environment (e.g., dev, test, prod), and the type of secret. For example, MyApp_Prod_AppSecret helps in identifying the secret's purpose and context easily.

Structuring Secrets: For complex secrets, such as those containing multiple values (e.g., username and password), consider storing them as a JSON object or a connection string. This allows for easier management and retrieval.

Tags for Management: Use tags to store additional metadata about your secrets, such as rotation schedules or the purpose of the secret, to facilitate management.

By following these practices, you can effectively secure and manage your app registration secrets in Azure Key Vault.

please go through this for detailed steps https://stackoverflow.com/questions/47245232/storing-azure-vault-client-id-and-client-secret

References:

Please let us know if you have further question

kindly accept answer if it helps

Thanks

Deepanshu

sumit rodge 0 Reputation points

2024-10-22T10:04:53.79+00:00

Hi Deepanshu

I'm using a Client ID and Client Secret to obtain a bearer token for authorization to retrieve secrets from the Key Vault. How can I securely store this Client ID and Client Secret?

I'm using REST calls because .NET 4.5 does not have an SDK available for Key Vault integration.
Deepanshu katara 17,025 Reputation points MVP Moderator

2024-10-22T11:32:25.1833333+00:00
Hi Sumit,

Then you can Use managed identities to simplify deployment and security – Managed identities provide an automatically managed identity in Microsoft Entra ID for applications to use when connecting to resources that support Microsoft Entra authentication. Applications can use managed identities to obtain Microsoft Entra ID app-only tokens without having to manage credentials. This can remove many of the complexities associated with secret management, while increasing your security and resiliency. If you’re using managed identities, most, if not all of the following best practices are already taken care of for you.

Use Azure Managed Identities (Preferred if Applicable)

If you are running your .NET 4.5 application on an Azure resource (e.g., Azure VMs, App Services), you can use Managed Identities. This approach eliminates the need for storing secrets in your code. Managed identities allow Azure resources to authenticate to Key Vault without needing a client ID and secret.

Steps: Enable a Managed Identity for your Azure resource.
Assign the necessary Key Vault access policies to the managed identity. When making REST calls, obtain a token from the managed identity endpoint using the `MSI_ENDPOINT` and `MSI_SECRET` environment variables. > Example: `http://169.254.169.254/metadata/identity/oauth2/token`

This method securely handles the authentication process.

Ref doc --> https://learn.microsoft.com/en-us/entra/identity-platform/msal-client-applications?wt.mc_id=knwlserapi_inproduct_azportal#confidential-clients-best-practices-for-managing-secrets

the exposure of sensitive credentials such as the Client ID and Client Secret, enhancing the overall security of your application
Subhash Kumar Mahato 265 Reputation points

2024-10-23T06:41:15.6066667+00:00

Hi Deepanshukatara-6769,

Thank you for your response!

Can you please suggest how can we store the client ID and Client secret value in the same secret inside a key vault?

Thanks.
Deepanshu katara 17,025 Reputation points MVP Moderator

2024-10-23T06:49:50.9066667+00:00

Hi Subash ,

No , I mean we should have two secrets each for client ID and client secret , please go through this for detailed steps https://stackoverflow.com/questions/47245232/storing-azure-vault-client-id-and-client-secret
sumit rodge 0 Reputation points

2024-10-23T09:41:48.3266667+00:00

Hi Deepanshu,

I really appreciate your response; I wasn't aware that this endpoint existed to obtain the access token.

Thank you for your help.
Deepanshu katara 17,025 Reputation points MVP Moderator

2024-10-23T09:47:24.2333333+00:00

Sumit , can you please accept answer, I have included that in answer Thanks

Share via

Should we store ClientID (ApplicationID) as Secret name in azure key vault?

0 additional answers

Your answer