What to use instead of Individual target application in Secure Store?

Copper Contributor

I am working on migrating a SharePoint 2016 on-prem solution to SharePoint Online.

In the on-prem solution we use Secure Store with a configured Individual target application to store individual users credentials for connecting to an external third-party API.

Now, since the Individual target application option is not available in Secure Store in SharePoint Online and the Secure Store doesn't seem accesible from CSOM, I need to find an alternative to this.

Has anyone got any suggestions on how to securely store and retrieve individual users credentials for connection from a provider-hosted add-in to a third-party API?


Thanks in advance,


2 Replies

Hey - great question!

I havent done anything like it, but I am guessing the answer would be to use an Azure service liek Key Vault (https://azure.microsoft.com/en-us/services/key-vault/) to store the encrypted credentials in.

I have only had the briefest of looks at it, but it does appear to have a REST API that you can call, and requires registering your client application etc in order to authenticate (https://docs.microsoft.com/en-gb/rest/api/index#register-your-client-application-with-azure-ad)


Would be very interested in hearing about what solution you come up with, and the pro's and con's as I am sure I will have to tackle this problem with some of the projects I have coming up




Thanks for the response!

I have also thought about Azure Key Vault but thought I would ask around first before digging into it.

A few things I have seen with Key Vault that is better handled when using individual target applications in Secure Store is (as far as I can tell right now with my limited experience with Key Vault):

  • We get no user mapping for the secrets, i.e. we have to create a secret for each user and handle the mapping ourselves so that our code would get the correct secret for the requesting user.
  • We can only store a name value pair. If we then think about the user mapping problem we would store the username in Name and the password in Value but what about when we have a different username in the third-party API. Maybe store a JSON object with the username and password for the API as the Value?
  • The Name of the secret can only contain alpha-numerics and dashes so we cannot set this to a standard SharePoint Online username to easily handle our own user mapping. Maybe we could do some encoding to get this in place.