The cloud solution I am working with requires a multi-tenant app registration to be created and used for service-to-service authentication in a SaaS-like pattern. The security team expressed concerns that a multi-tenant identity could be assigned resources by another tenant (or external entity) without the security team's visibility or control. Assuming the App Registration is only used to configure the solution, is not used in the organization for any other purpose, is fully protected in Azure Key Vault and is not shared with any external entity, is this a legitimate concern? Could there be a way, just because it's a multi-tenant App Registration, for it to be discovered and used in a harmful fashion?

If the client secret of this multi-tenant app registration is not leaked to any other external tenants, they will not be able to access your tenant's information. Is this something you worry about?
Allen Wu

1 Answer


As long as you use Key Vault to store the client secrets properly, malicious entities won't have access to the tenant. In fact, an even better mechanism would be to use a certificate in place of a secret.
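The certificate-instead-of-secret advice above, carried through as an added PowerShell example (not code from the original answer). It assumes the Az.KeyVault and Microsoft.Graph PowerShell modules are installed, that the caller has already run Connect-AzAccount and Connect-MgGraph with rights to write to the vault and to the app registration (Application.ReadWrite.All), and that the vault name, certificate name and application ID are placeholders to be replaced. It creates the certificate inside Key Vault so the private key is born there, registers only the public half on the multi-tenant app registration, optionally removes any remaining client secrets, and reports which credential types the app ends up with.

```powershell
# Added example, not from the original answer. Placeholders: replace all three.
$vaultName     = 'kv-saas-placeholder'                      # hypothetical Key Vault name
$certName      = 'saas-multitenant-client'                  # hypothetical certificate name
$appId         = '00000000-0000-0000-0000-000000000000'     # Application (client) ID of the multi-tenant app
$removeSecrets = $false                                     # set to $true to delete existing client secrets

# 1. Generate the certificate inside Key Vault. The private key is created by the
#    vault; the workload later fetches the PFX with its own identity at run time.
$policy = New-AzKeyVaultCertificatePolicy `
    -SubjectName "CN=$certName" `
    -IssuerName Self `
    -KeyType RSA -KeySize 2048 `
    -ValidityInMonths 12 `
    -RenewAtNumberOfDaysBeforeExpiry 30 `
    -SecretContentType 'application/x-pkcs12'
Add-AzKeyVaultCertificate -VaultName $vaultName -Name $certName -CertificatePolicy $policy | Out-Null

# Creation is asynchronous; poll until the public certificate is available.
do {
    Start-Sleep -Seconds 5
    $kvCert = Get-AzKeyVaultCertificate -VaultName $vaultName -Name $certName
} until ($kvCert.Certificate)

# 2. Attach only the public certificate (DER bytes) to the app registration.
#    Update-MgApplication replaces the whole keyCredentials list, so the existing
#    entries are re-sent by keyId alongside the new one.
$app = Get-MgApplication -Filter "appId eq '$appId'"
Write-Host "App '$($app.DisplayName)' signInAudience: $($app.SignInAudience)"

$newKey = @{
    Type        = 'AsymmetricX509Cert'
    Usage       = 'Verify'
    Key         = $kvCert.Certificate.RawData   # public certificate only, no private key
    DisplayName = "$vaultName/$certName"
}
$existingKeys = @($app.KeyCredentials | ForEach-Object {
    @{
        KeyId               = $_.KeyId
        Type                = $_.Type
        Usage               = $_.Usage
        DisplayName         = $_.DisplayName
        CustomKeyIdentifier = $_.CustomKeyIdentifier
        StartDateTime       = $_.StartDateTime
        EndDateTime         = $_.EndDateTime
    }
})
Update-MgApplication -ApplicationId $app.Id -KeyCredentials ($existingKeys + $newKey)

# 3. Report (and optionally remove) client secrets so only the certificate remains.
foreach ($pw in $app.PasswordCredentials) {
    Write-Warning "Client secret present: $($pw.DisplayName) (keyId $($pw.KeyId)), expires $($pw.EndDateTime)"
    if ($removeSecrets) {
        Remove-MgApplicationPassword -ApplicationId $app.Id -KeyId $pw.KeyId
    }
}

# 4. Re-read the registration and summarise the credential posture.
$app = Get-MgApplication -ApplicationId $app.Id `
    -Property Id,AppId,DisplayName,SignInAudience,KeyCredentials,PasswordCredentials
[pscustomobject]@{
    App              = $app.DisplayName
    SignInAudience   = $app.SignInAudience
    Certificates     = @($app.KeyCredentials).Count
    ClientSecrets    = @($app.PasswordCredentials).Count
    EarliestExpiry   = (@($app.KeyCredentials) | Sort-Object EndDateTime | Select-Object -First 1).EndDateTime
}
```

At run time the solution retrieves the PFX from the vault with its own identity (for example Get-AzKeyVaultSecret -VaultName $vaultName -Name $certName -AsPlainText, which returns the base64 PKCS#12) and authenticates with that certificate, so nothing long-lived sits outside Key Vault. If the key must never leave the vault at all, add -KeyNotExportable to the policy and have the application build its client assertion with Key Vault's sign operation instead of loading the private key locally.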