user910046

Reputation: 368

Interacting with Azure AD OAuth without storing the client secret

For Azure Active Directory, I created an app registration for my web app to enable SSO/OAuth 2.0 login for end users and to do AD lookups using the AD Graph APIs.

That requires me to use a client id and client secret and I have the requirement to not store the secret on the system when running inside of Azure VMs.

Is there a way using managed identities to either fetch the application secret or generate a token that can be used with the login.microsoftonline.com OAuth endpoints?

Upvotes: 0

Views: 1318

Answers (1)

Frank H

Reputation: 871

When you say "Web App" I'm making the assumption you are using something along the lines of an Azure App Service.

If the issue is with storing the client secret locally on the machine, the more secure way is to store the secrets in Azure KeyVault.

This Stack Overflow post goes over why KeyVault is secure: Why is Azure Key Vault secure?

And the official docs provide a good overview/quickstart on getting started with Azure Keyvault. https://learn.microsoft.com/en-us/azure/key-vault/quick-create-portal

And this is a tutorial on using KeyVault with an Azure Web App: https://learn.microsoft.com/en-us/azure/key-vault/tutorial-net-create-vault-azure-web-app

Essentially secrets stay in Azure so that they're never exposed in code or on the development machine. And by using MSI, you won't need to keep track of credentials to access the KeyVault, keeping all important information in Azure.


Upvotes: 1
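To make the answer concrete, here is an added example that is not from the question, the answer, or the linked tutorials: a Python backend running on an Azure VM asks the instance metadata service (IMDS) for a managed identity token, uses that token to read the app registration's client secret from Key Vault, and then performs the client-credentials grant against login.microsoftonline.com, so the secret only ever exists in process memory. The vault name, secret name, tenant id and client id are placeholders, and the `transport` parameter is an assumption of this example so the HTTP layer can be swapped for a fake when testing.

```python
import json
import urllib.parse
import urllib.request

# Constructed placeholder values; replace with the real vault, secret and app registration.
VAULT_NAME = "example-vault"                            # placeholder Key Vault name
SECRET_NAME = "aad-client-secret"                       # placeholder secret name
TENANT_ID = "00000000-0000-0000-0000-000000000000"      # placeholder tenant id
CLIENT_ID = "11111111-1111-1111-1111-111111111111"      # placeholder app (client) id
IMDS_URL = "http://169.254.169.254/metadata/identity/oauth2/token"


def http_json(method, url, headers=None, body=None):
    """Default transport: send the request and parse the JSON reply."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read().decode())


def managed_identity_token(resource, transport=http_json):
    """Get a token from the VM's IMDS endpoint; no credential is stored on disk.
    The 'Metadata: true' header is required or IMDS rejects the request."""
    query = urllib.parse.urlencode({"api-version": "2018-02-01", "resource": resource})
    reply = transport("GET", f"{IMDS_URL}?{query}", headers={"Metadata": "true"})
    return reply["access_token"]


def fetch_client_secret(transport=http_json):
    """Read the client secret from Key Vault using the managed identity token.
    The identity only needs the 'get' secret permission on this vault."""
    token = managed_identity_token("https://vault.azure.net", transport)
    url = f"https://{VAULT_NAME}.vault.azure.net/secrets/{SECRET_NAME}?api-version=7.4"
    reply = transport("GET", url, headers={"Authorization": f"Bearer {token}"})
    return reply["value"]


def app_token(scope, transport=http_json):
    """Client-credentials grant for the app registration; the secret never leaves memory."""
    secret = fetch_client_secret(transport)
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": CLIENT_ID,
        "client_secret": secret,
        "scope": scope,
    }).encode()
    url = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    reply = transport("POST", url, headers=headers, body=form)
    return reply["access_token"]
```

The same pattern applies on App Service, where the identity endpoint is published through environment variables instead of the fixed IMDS address; the Key Vault and token-endpoint calls are unchanged.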
