Forum Discussion
Best practice for managing client Id and secret when developing Azure Web app
Hi all. I don't know where the best place to ask this is, but I'm developing an integration with Azure for Sharepoint access via graph api and its not entirely clear to me what the best practice ...
I believed you are in the right track:
- Use Azure Key Vault: Store your client secrets securely in Azure Key Vault. This ensures that sensitive information is encrypted and managed centrally. You can then access these secrets from your application without hardcoding them into your code.
- Rotate Secrets Regularly: Regularly rotate your secrets to minimize the risk of exposure. Azure Key Vault supports automated secret rotation, which can help you manage this process efficiently.
- Least Privilege Access: Ensure that only the necessary applications and services have access to the secrets. Use Azure role-based access control (RBAC) to grant minimal permissions required for the application to function.
- Monitor and Audit: Enable monitoring and auditing for access to secrets. This helps in detecting any unauthorized access and maintaining a secure environment.
- Centralize Identity Management: Integrate your on-premises and cloud directories for centralized identity management. This simplifies the management of credentials and access controls.
Best practices for secrets management - Azure Key Vault | Microsoft Learn