Best practice for managing client Id and secret when developing Azure Web app

Hi all.

I don't know where the best place to ask this is, but I'm developing an integration with Azure for Sharepoint access via graph api and its not entirely clear to me what the best practice is on who holds the Enterprise App client ID and secret token used by the 3rd party application that an admin grants consent to.

If you've done a bunch of direct backend integrations you typically manually create the Enterprise App, and add a token, then hand the generated app ID, client ID and token to the integration application to direct you through the consent URI step. At the point its up to you to manage the app's token which can expire.

My understanding is when you seek to develop an official MS Gallery App, it's the developer/vendor that sets up their own Azure Entra and manages their application's access to Graph. When an admin that uses your application wants to integrate it with Azure for whatever it does, they would pick the Gallery App, and everything related to Graph access is handled by the vendor/developers.

I believe this is separate because the vendor/developer may want to manage their own SaaS service install separate from the customer/admin, and I believe Microsoft also can revoke the vendor/developer's account/tokens as well if they're being malicious.

The admin can control what the app accesses in their Azure via access permissions and of course removing the app.

Is this a best practice? Where can I find guidance on who and where the secret is managed? Please remember this is related to the developer of a Gallery App, not a direct integration. I understand the direct integration, it's not how I believe a Gallery App is supposed to work exactly.