Is it OK to use single app registration for both end user log in and backend resource access? (as both public & confidential app)

Lili Xu 21 Reputation points Microsoft Employee

I have an app registration X and I want users to log in through X to my service with the implicit grant flow (X as a public application), and also have a backend server use a cert to auth with X and do the client credentials flow to access internal storage (X as a confidential app). X's SP in each tenant is granted a storage account RBAC role.

In this case I am reusing the same app X for both purposes. Is it good practice, or is there any concern in terms of security in doing it?


1 answer

  1. Marilee Turscak-MSFT 36,336 Reputation points Microsoft Employee

    Are you just hoping to give them access to your storage account? The recommended approach for this is to use Shared Access Signatures. A shared access signature (SAS) provides you with a way to grant limited access to objects in your storage account to other clients, without exposing your account key.

    If you follow that approach then there shouldn't be an issue with the single app registration.

    This is more of a Storage question than an Azure AD question so please let me know if I'm misunderstanding anything.

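The question describes one registration X acting as both a public client (implicit grant, so a browser ends up holding tokens that carry X's app id) and a confidential client (certificate plus client credentials). Any resource you own that accepts tokens issued to X therefore sees the same `appid`/`azp` value on a user's delegated token and on the backend's app-only token, so an authorization check that keys on the app id alone cannot tell the two apart. The block below is an added example, not code from the post or from Microsoft: it decodes a token payload and classifies it as delegated (has `scp`) or app-only (no `scp`, `idtyp` is `app`), rejecting anything ambiguous. It assumes the `idtyp` optional claim is enabled on the registration, and that signature validation has already been done by a real library. The two sample tokens, the audience value, the app id GUID and the fixed clock are constructed for the example.

```python
import base64
import json
import time

# Constructed sample values for the example (not real identifiers).
STORAGE_AUD = "https://storage.azure.com"
APP_X = "11111111-2222-3333-4444-555555555555"   # hypothetical app id of registration X
NOW = 1_700_000_000                               # fixed clock so the example is deterministic


def _b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build an unsigned compact JWT for the example; the signature part is a placeholder."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([_b64url_encode(header), _b64url_encode(claims), "sig"])


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    Signature verification is out of scope here: in a real service validate
    the signature against the tenant's signing keys first (MSAL, PyJWT, etc.)
    and only then apply the checks below.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(claims: dict, expected_aud: str, backend_app_id: str, now=None) -> str:
    """Return "delegated" or "app-only" for an acceptable token; raise PermissionError otherwise."""
    now = time.time() if now is None else now
    if claims.get("aud") != expected_aud:
        raise PermissionError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    # v1.0 tokens carry the calling client in `appid`, v2.0 tokens in `azp`.
    client = claims.get("appid") or claims.get("azp")
    if client != backend_app_id:
        raise PermissionError("unexpected client application")
    # The same app id appears on both flows, so the flow must be read from
    # the claim set: delegated tokens carry `scp`; app-only tokens carry no
    # `scp` and, with the optional claim enabled, `idtyp == "app"`.
    if "scp" in claims:
        return "delegated"
    if claims.get("idtyp") == "app":
        return "app-only"
    raise PermissionError("cannot tell delegated from app-only; rejecting")


def authorize_backend_call(token: str, expected_aud: str, backend_app_id: str, now=None) -> bool:
    """True only for an app-only token from the backend; a user's delegated token is refused."""
    try:
        return classify_token(decode_claims(token), expected_aud, backend_app_id, now) == "app-only"
    except (PermissionError, ValueError):
        return False


# Constructed tokens: one from the backend's client-credentials flow, one from a user's sign-in.
APP_ONLY_TOKEN = make_sample_token({
    "aud": STORAGE_AUD, "exp": NOW + 3600, "appid": APP_X, "idtyp": "app",
    "oid": "aaaaaaaa-0000-0000-0000-000000000001", "sub": "aaaaaaaa-0000-0000-0000-000000000001",
})
DELEGATED_TOKEN = make_sample_token({
    "aud": STORAGE_AUD, "exp": NOW + 3600, "appid": APP_X, "idtyp": "user",
    "scp": "user_impersonation", "upn": "user@example.com",
})

if __name__ == "__main__":
    print("backend token accepted:", authorize_backend_call(APP_ONLY_TOKEN, STORAGE_AUD, APP_X, NOW))
    print("user token accepted:   ", authorize_backend_call(DELEGATED_TOKEN, STORAGE_AUD, APP_X, NOW))
```

The point of the ambiguity branch is that a token with neither `scp` nor `idtyp` is refused rather than guessed at; if you cannot enable the `idtyp` claim, the alternative is to give the backend its own registration so that `appid` alone is a sufficient discriminator.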