Are Azure Subscription ID, AAD Tenant ID, and AAD App Client ID considered secret/PII?

Question

I would like to log the following in my telemetry for diagnostic and usage purposes:

• Azure Subscription ID
• AAD Tenant ID
• AAD App Client ID

Should I treat them as secrets/PII and hash/encrypt them?

(it goes without saying I will not be retaining the client secret in any way shape or form)

Answer 1

Ultimately, you should determine what to log and how, from a compliance/privacy/security perspective, based on official and compliance/privacy/security reviews and certifications within your company or by 3rd parties.

That disclaimer aside:

• Tenant ID and App Client ID aren't generally considered PII nor secrets.
  • Not PII because, by themselves, they won't tell you who the user is.
  • Not secrets because they are very easy to obtain. Anyone attempting to log in to your application will be exposed to these as they are included in the authorization request.
• Azure Subscription ID isn't generally considered PII though depending on your sensitivity, could be considered a secret
  • Not PII because, by itself, it doesn't tell you who the user is.
  • Could be a secret because it's not easily available publicly to everyone. Could be considered NOT a secret because nothing can be done with it without also having a token from an authorized user or application.

Do note that some companies and privacy reviews often consider these 3 data points as Organization Identifiable Information (OII) and sometimes have policies for handling those (less stringent that PII though).