I am developing an application that runs on kubernetes in production and needs to access the Graph API with application permissions (i.e. not delegated). As such it needs to use some form of ClientCredential.

For production I have set up AKS Workload Identity and configured the app to use the injected assertion-file by setting "AzureAd:ClientCredentials:0:SourceType: "SignedAssertionFilePath". This works perfectly fine.

Now I want to improve the developer experience by providing some other form of ClientCredential for local development. Is there any way to avoid having to create and manage a ClientSecret just for that?

I have scoured both Microsoft Learn as well as this repository and its Wiki, but have not been able to find any information on this.

From the source and other issues here I have been able to glean that while Microsoft.Identity.Web uses DefaultAzureCredential under the hood for some scenarios, the developer specific credential sources like VisualStudio have been intentionally disabled.

I have posted this question on stackoverflow before asking here, but did not receive any answer as of now. Any help or recommendation or example would be appreciated.