Are Azure Subscription ID, AAD Tenant ID, and AAD App Client ID considered secret/PII?

南笙 2021-02-04 01:51

I would like to log the following in my telemetry for diagnostic and usage purposes:

  • Azure Subscription ID
  • AAD Tenant ID
  • AAD App Client ID
  • <
1 Answer
  • 2021-02-04 02:29

    Ultimately, you should determine what to log and how, from a compliance/privacy/security perspective, based on official and compliance/privacy/security reviews and certifications within your company or by 3rd parties.

    That disclaimer aside:

    • Tenant ID and App Client ID aren't generally considered PII nor secrets.
      • Not PII because, by themselves, they won't tell you who the user is.
      • Not secrets because they are very easy to obtain. Anyone attempting to log in to your application will be exposed to these as they are included in the authorization request.
    • Azure Subscription ID isn't generally considered PII, though depending on your sensitivity, it could be considered a secret.
      • Not PII because, by itself, it doesn't tell you who the user is.
      • Could be a secret because it's not easily available publicly to everyone. Could be considered NOT a secret because nothing can be done with it without also having a token from an authorized user or application.

    Do note that some companies and privacy reviews often consider these 3 data points as Organization Identifiable Information (OII) and sometimes have policies for handling those (less stringent than PII though).

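An added Python example, not part of the original question or answer: it shows that the tenant ID and client ID can be read straight out of a sign-in authorization request, and one way to filter a telemetry event so those two pass through, the subscription ID is logged as a keyed hash, and tokens are dropped. The GUIDs, field names, key, and handling policy are constructed assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Constructed sign-in redirect; both GUIDs are made-up placeholders.
AUTHORIZE_URL = (
    "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555"
    "/oauth2/v2.0/authorize?client_id=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    "&response_type=code&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback"
    "&scope=openid&state=constructed"
)

# Assumed handling policy for this example; your own review decides the real one.
PSEUDONYMIZE = {"subscription_id"}  # not publicly visible: log a keyed hash
NEVER_LOG = {"client_secret", "access_token", "refresh_token"}  # real secrets


def ids_visible_in_authorize_url(url):
    """Return the tenant and client ID exposed to anyone who starts a sign-in."""
    parsed = urlparse(url)
    tenant_id = parsed.path.strip("/").split("/")[0]
    client_id = parse_qs(parsed.query)["client_id"][0]
    return {"tenant_id": tenant_id, "client_id": client_id}


def telemetry_fields(event, hmac_key):
    """Filter an event dict (hypothetical field names) before it is logged."""
    out = {}
    for name, value in event.items():
        if name in NEVER_LOG:
            continue  # credentials and tokens never reach telemetry
        if name in PSEUDONYMIZE:
            # Keyed hash keeps events correlatable without storing the raw ID.
            mac = hmac.new(hmac_key, value.lower().encode(), hashlib.sha256)
            out[name + "_hmac"] = mac.hexdigest()
        else:
            out[name] = value  # tenant_id, client_id and other fields pass through
    return out


if __name__ == "__main__":
    event = dict(ids_visible_in_authorize_url(AUTHORIZE_URL),
                 subscription_id="99999999-8888-7777-6666-555555555555",
                 access_token="constructed-token-value")
    print(telemetry_fields(event, b"constructed-key"))
```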