Your organization is deploying a new line-of-business application on Azure App Service. The app must authenticate users from Microsoft Entra ID and also access a downstream API that requires a client secret. You need to recommend the most secure method for managing the client secret. What should you use?
Trap 1: Store the secret in the Azure AD app registration manifest.
The manifest does not store secrets; it defines app configuration.
Trap 2: Store the secret in an App Service application setting.
App Service settings are encrypted at rest but can be viewed by anyone with contributor access.
Trap 3: Store the secret in the application code as a constant.
Storing secrets in code is insecure and can be exposed in source control.
- A
Store the secret in the Azure AD app registration manifest.
Why wrong: The manifest does not store secrets; it defines app configuration.
- B
Store the secret in an App Service application setting.
Why wrong: App Service settings are encrypted at rest but can be viewed by anyone with contributor access.
- C
Store the secret in Azure Key Vault and use a Key Vault reference in App Service.
Key Vault provides centralized secret management with access policies and auditing.
- D
Store the secret in the application code as a constant.
Why wrong: Storing secrets in code is insecure and can be exposed in source control.