Is it OK to use single app registration for both end user log in and backend resource access? (as both public & confidential app)

Lili Xu 21 Reputation points Microsoft Employee
2020-07-02T17:05:27.023+00:00

I have an app registration X and I want users to log in through X to my service with the implicit grant flow (X as a public application), and also have the backend server use a certificate to authenticate as X and do the client credentials flow to access internal storage (X as a confidential app). X's service principal in each tenant is granted a storage account RBAC role.

In this case I am reusing the same app X for both purposes. Is this good practice, or is there any security concern in doing it?


1 answer

  1. Marilee Turscak-MSFT 36,336 Reputation points Microsoft Employee
    2020-07-08T21:48:57.347+00:00

    Are you just hoping to give them access to your storage account? The recommended approach for this is to use Shared Access Signatures. A shared access signature (SAS) provides you with a way to grant limited access to objects in your storage account to other clients, without exposing your account key.

    https://stackoverflow.com/questions/55250113/application-registered-in-aad-is-denied-azure-storage-account-access

    If you follow that approach then there shouldn't be an issue with the single app registration.

    This is more of a Storage question than an Azure AD question so please let me know if I'm misunderstanding anything.

    1 person found this answer helpful.
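One concrete concern when a single registration serves both a browser client and a backend identity is that the backend must not treat a delegated token a user obtained in the browser as if it were the service's own app-only identity. The following claim-policy check is an added illustration written for this thread, not code from the question, the answer, or Microsoft. It assumes the token's signature, issuer and expiry have already been verified upstream by a JWT library, and only applies the claim policy; the claim names (`aud`, `appid`, `azp`, `scp`, `roles`, `idtyp`, `oid`) are the ones Microsoft Entra ID issues, while the client id, endpoint kinds and sample claims are constructed placeholders.

```python
"""
Claim policy for a backend that shares one app registration (X) between a
public browser client (delegated, user tokens) and its own confidential
client (app-only, client-credentials tokens).

Assumption: signature, issuer and expiry were already validated upstream.
The client id below is a constructed placeholder, not a real registration.
"""
from dataclasses import dataclass
from typing import Optional

# Placeholder client id for app registration X (constructed for the example).
CLIENT_ID_X = "11111111-2222-3333-4444-555555555555"

# v2 tokens carry the client id as 'aud'; v1 tokens may carry the App ID URI.
EXPECTED_AUDIENCES = {CLIENT_ID_X, f"api://{CLIENT_ID_X}"}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def caller_app(claims: dict) -> Optional[str]:
    """Client id of the application that requested the token.

    v1 tokens use 'appid', v2 tokens use 'azp'.
    """
    return claims.get("appid") or claims.get("azp")


def is_app_only(claims: dict) -> bool:
    """True when the token represents an application, not a signed-in user.

    The optional 'idtyp' claim is authoritative when present. Without it,
    delegated tokens carry 'scp' (scopes) while app-only tokens carry only
    'roles' (application permissions).
    """
    if "idtyp" in claims:
        return claims["idtyp"] == "app"
    return "scp" not in claims and "roles" in claims


def authorize(claims: dict, endpoint_kind: str) -> Decision:
    """Apply the separation policy for a 'user' or 'service' endpoint."""
    if claims.get("aud") not in EXPECTED_AUDIENCES:
        return Decision(False, "token was not issued for app X")

    if endpoint_kind == "user":
        # Browser-originated sign-in: require a delegated token with a user.
        if is_app_only(claims):
            return Decision(False, "app-only token rejected on a user endpoint")
        if "scp" not in claims or "oid" not in claims:
            return Decision(False, "delegated token missing scp or oid")
        return Decision(True, "delegated user token accepted")

    if endpoint_kind == "service":
        # Backend-to-backend path: only X's own client-credentials token,
        # obtained with the certificate, is acceptable here.
        if not is_app_only(claims):
            return Decision(False, "delegated user token rejected on a service endpoint")
        if caller_app(claims) != CLIENT_ID_X:
            return Decision(False, "app-only token from a different client")
        return Decision(True, "app-only token for X accepted")

    return Decision(False, f"unknown endpoint kind: {endpoint_kind}")


# Constructed sample claim sets (already signature-verified by assumption).
USER_TOKEN = {
    "aud": CLIENT_ID_X,
    "appid": CLIENT_ID_X,
    "scp": "access_as_user",
    "oid": "aaaaaaaa-0000-0000-0000-000000000001",
    "tid": "tenant-placeholder",
}
APP_TOKEN = {
    "aud": CLIENT_ID_X,
    "appid": CLIENT_ID_X,
    "roles": ["Storage.Sync"],
    "idtyp": "app",
    "tid": "tenant-placeholder",
}

if __name__ == "__main__":
    for name, tok in (("user token", USER_TOKEN), ("app token", APP_TOKEN)):
        for kind in ("user", "service"):
            d = authorize(tok, kind)
            print(f"{name} on {kind} endpoint: {'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
```

The point of the check is that sharing one registration is workable only if the backend keeps the two identities apart by claims: a token that reached the browser through the implicit flow has `scp` and a user `oid`, while the certificate-backed client credentials token has `roles` (or `idtyp: app`) and no user. An endpoint that acts with X's storage RBAC rights should accept only the latter.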