Hi Rick, let's tackle your two questions clearly based on Azure AD and Microsoft Graph best practices:

Short answer: No, Microsoft Graph API doesn’t provide a way to get a unique, user-app combination secret for encryption purposes.

Here’s why:

• Microsoft Graph is built to access and manage Azure AD/M365 resources, not generate user-specific encryption secrets tied to your application.
• The "secrets" you might encounter in Graph API (like via POST /applications/{id}/addPassword) are application-level client secrets — these belong to your app itself, not individual users, and are used for app authentication, not user data encryption.
• There’s no built-in resource in Graph API that generates or exposes a unique encryption key per user-app pair.

If you’re generating your own encryption keys for users, here are actionable, secure ways to store them in accessible user profiles:

• Encrypt secrets before storing in Azure AD user extensions
  You can create custom user extension properties via Graph API (using extensionProperties on the application resource) to store encrypted secret blobs. Always encrypt the secret first with a master key stored in Azure Key Vault — never store plaintext. This ensures even if the extension data is accessed, the secret remains unreadable without the vault key.

• Leverage Azure Key Vault for user-specific key storage
  Instead of storing the secret in a user profile, create a key or secret in Azure Key Vault for each user, then store a reference (like the secret name) in the user’s profile. Use Azure AD RBAC or Key Vault access policies to restrict access: only allow the authenticated user (or your service acting on their behalf) to retrieve their specific secret/key. This keeps the actual secret out of user profile storage entirely.

• Encrypt secrets in your own user database
  If you maintain your own user database, encrypt each user’s secret with a master encryption key (secured in Azure Key Vault). Store only the encrypted blob in the user’s record. This separates the encryption key from the encrypted data, following the principle of least privilege.

• Critical best practices to follow

  • Never store plaintext secrets anywhere, whether in Graph API user attributes or your own storage.
  • Use authenticated encryption algorithms (like AES-GCM) to ensure both confidentiality and integrity of the secret.
  • Rotate your master encryption keys regularly (Azure Key Vault supports automatic key rotation).
  • If using Azure AD B2C, use its built-in custom user attributes (with encryption enabled) to store the encrypted secret blob.

Hope this helps you implement a secure solution for your user data encryption needs!

内容的提问来源于stack exchange，提问作者Rick Goud