Local Credentials Without Client Secret or Certificate

[acrow59]

We're using the GraphServiceClient to authenticate our Blazor UX application and call downstream APIs, however our company has restricted the use of certificates and secrets with Entra Apps, so we are only able to authenticate using Managed Identity/Federate Identity Credentials. This works fine for our deployed services since our App Services have an assigned managed identity that's connected to our Entra App, so everything runs normally in the cloud.

However, we are unable to run our app locally. Since Visual Studio does not support managed identities, our only options for authenticating on our local machine is either certificate or client secret, both of which are blocked by company policy. It seems this is an outstanding issue, but there has not been any update since it's creation in June 2024.

Is there any way to authenticate locally without a secret or somehow use DefaultCredentials? Since we can no longer run our app locally, it has made development extremely difficult since we have to deploy to our Azure Dev environment just to test.

Any help is greatly appreciated!

[jmprieur]

If your app registration allows neither certificates nor client secret, the only option is to have another app registration in another test tenant to test your code.

Would it be possible that the app registration allows for certificates generated by KeyVault from a certification authority?
This way in your appsettings.json you could have two CredentialDescription:

1. FIC+MSI for the production (when deployed)
2. your certificate (that you would get from KeyVault using DefaultCredentials, or that you would have locally). This would be only for the tests.