You have this multi-tenant application that is protected with Azure AD, great! How about the certificate you’re using as a client credential? If you followed the Microsoft samples, it’s probably stored in the Azure Key Vault. This seems really secure, but there is one thing no one thought about: certificate extraction. | svrooij.io
Managed identities are a great way to improve the security of your application. Microsoft “manages” the rotation of secrets and makes sure they cannot be extracted or used anywhere outside their platform. That is the reason I’m a big fan of managed identities! You should use managed identities wherever possible. It’s possible to use managed identities for accessing (custom) APIs, and that is exactly what I’ll be explaining in this post. At the end you will be able to call any Azu... | svrooij.io
Keeping your secrets secure can be a huge challenge. And keeping secrets becomes a huge responsibility, especially if you’re in the business of building multi-tenant applications. Microsoft created managed identities to ease this responsibility, but according to the FAQ, you cannot use them to secure resources in other tenants. And that is exactly where we could use extra help in securing secrets. | svrooij.io