Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Are Azure Subscription ID, AAD Tenant ID, and AAD App Client ID considered secret/PII?

Tags:

logging

azure

azure-active-directory

telemetry

pii

I would like to log the following in my telemetry for diagnostic and usage purposes:

  • Azure Subscription ID
  • AAD Tenant ID
  • AAD App Client ID

Should I treat them as secrets/PII and hash/encrypt them?

(it goes without saying I will not be retaining the client secret in any way shape or form)

like image 927
Ohad Schneider Avatar asked Aug 13 '17 13:08

Ohad Schneider

People also ask

What is tenant ID and Client ID in Azure?

Tenant Id - this is the unique identifier of the Azure Active Directory instance. Client Id - this identifier will be assigned when Seq is set up as an application in the directory instance (the new Azure portal calls this Application Id) Client Key - this is the secret key Seq will use when communicating with AAD.

Is tenant ID same as subscription ID in Azure?

a tenant is associated with a single identity (person, company, or organization) and can own one or several subscriptions. a subscription is linked to a payment setup and each subscription will result in a separate bill.

Video Answer

1 Answers

Ultimately, you should determine what to log and how, from a compliance/privacy/security perspective, based on official and compliance/privacy/security reviews and certifications within your company or by 3rd parties.

That disclaimer aside:

  • Tenant ID and App Client ID aren't generally considered PII nor secrets.
    • Not PII because, by themselves, they won't tell you who the user is.
    • Not secrets because they are very easy to obtain. Anyone attempting to log in to your application will be exposed to these as they are included in the authorization request.
  • Azure Subscription ID isn't generally considered PII though depending on your sensitivity, could be considered a secret
    • Not PII because, by itself, it doesn't tell you who the user is.
    • Could be a secret because it's not easily available publicly to everyone. Could be considered NOT a secret because nothing can be done with it without also having a token from an authorized user or application.

Do note that some companies and privacy reviews often consider these 3 data points as Organization Identifiable Information (OII) and sometimes have policies for handling those (less stringent that PII though).

like image 105
Saca Avatar answered Sep 21 '22 20:09

Saca
Sign in to Comment

Related questions

What is the azure table storage query equivalent of T-sql's LIKE command?
Azure Website slow to serve static JS/CSS but not binary
Azure Functions - Limiting parallel execution
How to get Redis running on Azure? [closed]
"Object reference not set to an instance of an object" when building my cloud project
Cosmos DB - Deleting a document
How to download a file to browser from Azure Blob Storage
Azure Blob Storage "Authorization Permission Mismatch" error for get request with AD token
with azure brokeredmessage get the body without knowing the type
Uploading blockblob and setting contenttype
Difference between Azure Container Service and Web App for Containers
How to Import project code from local machine to Azure Repos?
View content of an Azure Service Bus queue
How to validate Azure AD security token?
SQL Azure - copy table between databases
Forcing EventProcessorHost to re-deliver failed Azure Event Hub eventData's to IEventProcessor.ProcessEvents method
How to set Azure Max Spending Limit or Cost CAP $ amount?
Could not load file or assembly 'Microsoft.Data.Edm'
Why are Azure Resource Groups associated with a specific region?
How to configure ELMAH to work with Windows Azure? I get a 404 on Elmah.axd

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!