Azure AD msal key shielding python

B3K 1 Reputation point

Can we please show that the Azure AD Microsoft Authentication Library (MSAL) is able employ a key shielding engine? (For example tpm 2.0.)

Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
16,628 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Marilee Turscak-MSFT 27,571 Reputation points Microsoft Employee

    In what capacity do you want to use a TPM with MSAL? I don't believe that this is currently supported.

    It sounds like you would want to use the Premium SKU of Azure Key Vault if you have a requirement that the private key never leaves the HSM. MSAL requires the private key be provided as a variable when signing the client certificate.

    Azure Key Vault and Azure Dedicate HSM would be good options to investigate.

    This blog post goes over a scenario that seems similar to what you describe, using Python with Azure Key Vault and a private key stored in the HSM. Azure Key Vault, Certificates, and Python, oh my!

    If you provide more details about your scenario and ideal architecture I may be able to provide additional guidance.

    0 comments No comments

  2. B3K 1 Reputation point

    Hi Marilee.
    The scenario in question is an edge laptop communicating with Azure. Can you please show that MSAL is able to make use of a shielded x.509 cert.

    0 comments No comments