Azure AD msal key shielding python

B3K 1 Reputation point
2022-02-13T15:07:01.85+00:00

Can we please show that the Azure AD Microsoft Authentication Library (MSAL) is able employ a key shielding engine? (For example tpm 2.0.)

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
21,826 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Marilee Turscak-MSFT 36,846 Reputation points Microsoft Employee
    2022-02-16T23:56:04.063+00:00

    In what capacity do you want to use a TPM with MSAL? I don't believe that this is currently supported.

    It sounds like you would want to use the Premium SKU of Azure Key Vault if you have a requirement that the private key never leaves the HSM. MSAL requires the private key be provided as a variable when signing the client certificate.

    Azure Key Vault and Azure Dedicate HSM would be good options to investigate.

    This blog post goes over a scenario that seems similar to what you describe, using Python with Azure Key Vault and a private key stored in the HSM. Azure Key Vault, Certificates, and Python, oh my!

    If you provide more details about your scenario and ideal architecture I may be able to provide additional guidance.

    0 comments No comments

  2. B3K 1 Reputation point
    2022-02-28T13:15:28.017+00:00

    Hi Marilee.
    The scenario in question is an edge laptop communicating with Azure. Can you please show that MSAL is able to make use of a shielded x.509 cert.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.