I'm getting up to speed with Azure and trying to follow best practices for securing my WPF and Xamarin.Forms apps.

I'm using Azure AD for authentication and Key Vault for my secrets.

What about my Client Id and Tenant settings? These are required to make the initial connection to Azure to log in.

The endpoint URI is also required to make a call to the Key Vault.

Are the Client Id, Tenant, Key Vault endpoint considered secrets or am I over thinking this. I understand without authenticating, no one can access or make use of these.

What about checking these into Source Control? Is this Ok?

Greatly appreciate your thoughts and insights.

Karl

TenantId is hardly a secret. You can get the tenant metadata of any Azure AD tenant using the following Url

https://login.microsoftonline.com/{tenantID/domain}/.well-known/openid-configuration

For example https://login.microsoftonline.com/microsoft.onmicrosoft.com/.well-known/openid-configuration

ClientId also travels in http Urls and thus is not that hard to find out. That's why the focus should be to effectively protect access to the app using either token validation or user assignment.

Managed identities for Azure resources is available to help avoid checking in any credentials in source control and is specially useful with KeyVault.