This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 45%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENK%3C/text%3E%3C/svg%3E)
Hello,
Could anyone please tell me any valid way to secure an Azure AD application that is operated via client_credentials flow?
Is there any way to restrict access by IP?
I store my credentials in Azure Key Vault. But if the credentials were stolen, at least an IP restriction policy for the applicaion could help a bit.
Thanks in advance!
That's all on the roadmap. For the time being, pray :D Or use certificate instead, as you can restrict the use of the private key to specific machines only.
@Vasil Michev Hi! :) Do you know if any other method has appeared? (besides using the certificate) Or should I continue praying? :D
We do have Conditional access support for for workload identities now: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/workload-identity
@Vasil Michev Thank you! :)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 92%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAH%3C/text%3E%3C/svg%3E)
Hi Vasil, James and anyone else who cares to weigh in :)
I am trying to do the same thing as the OP. I found that application identities have been added to the identities that can be restricted by IP range, but only for single tenant apps... and mine is multitenant.
Can you please say a few words about how to restrict use of the private key to specific machines only? It sounds like this may be enough to satisfy my requirements but I am drawing a blank with google/ stack overflow alone.
Hi @Nikita Krivets , I can't speak on the roadmap but I concur with @Vasil Michev about using a certificate. Thanks for your help @Vasil Michev !