I have followed Microsoft's instructions on setting up a Microsoft external login for ASP.Net Core, but I have directly pasted my Client Id and Client Secret in my code's Startup.cs. All works fine, but I am concerned about security. Is this bad practice / not recommended? Or should I definitely use Secret Manager and reference them from there?
I have researched and found the answer here: source
No, it is not mandatory but rather strongly recommended for security purposes.
Microsoft suggests to "Never store passwords or other sensitive data in source code", which is common sense, but this resource as a whole incorporates client IDs and secrets.
Also, the resource mentions Secret Manager is to be used for Development purposes only. Storage of the Microsoft App ID (Client ID) and secrets for Production use can be done in Azure Key Vault (development too if you wish).
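The following is an added example, not code from the question or from the linked Microsoft resource, showing how the Microsoft external-login credentials can be read from configuration instead of being pasted into Startup.cs: Secret Manager supplies them in Development, Azure Key Vault in Production. It assumes ASP.NET Core 3.x or later with the NuGet packages Microsoft.AspNetCore.Authentication.MicrosoftAccount, Azure.Extensions.AspNetCore.Configuration.Secrets and Azure.Identity; the vault name "my-app-kv" and the configuration keys under "Authentication:Microsoft" are illustrative choices, not values from the original post.

```csharp
// Added example (not the question's code): Microsoft external login with the
// ClientId/ClientSecret resolved from configuration rather than hardcoded.
// Assumed packages: Microsoft.AspNetCore.Authentication.MicrosoftAccount,
// Azure.Extensions.AspNetCore.Configuration.Secrets, Azure.Identity.
// The vault name "my-app-kv" and the key names below are illustrative.
using System;
using Azure.Identity;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Program
{
    public static void Main(string[] args) => CreateHostBuilder(args).Build().Run();

    public static IHostBuilder CreateHostBuilder(string[] args) =>
        // CreateDefaultBuilder already adds the Secret Manager (user secrets)
        // provider when the environment is Development.
        Host.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration((context, config) =>
            {
                if (context.HostingEnvironment.IsProduction())
                {
                    // In Production, pull secrets from Azure Key Vault using the
                    // app's managed identity (or a developer login) via
                    // DefaultAzureCredential. Key Vault secret names use "--" as the
                    // section separator, so a secret named
                    // "Authentication--Microsoft--ClientSecret" becomes the
                    // "Authentication:Microsoft:ClientSecret" configuration key.
                    var vaultUri = new Uri("https://my-app-kv.vault.azure.net/");
                    config.AddAzureKeyVault(vaultUri, new DefaultAzureCredential());
                }
            })
            .ConfigureWebHostDefaults(web => web.UseStartup<Startup>());
}

public class Startup
{
    private readonly IConfiguration _configuration;

    public Startup(IConfiguration configuration) => _configuration = configuration;

    public void ConfigureServices(IServiceCollection services)
    {
        // BAD (the situation described in the question): credentials committed
        // to source control along with the code.
        // services.AddAuthentication().AddMicrosoftAccount(o =>
        // {
        //     o.ClientId = "00000000-0000-0000-0000-000000000000";
        //     o.ClientSecret = "secret-pasted-into-source";
        // });

        // GOOD: resolve the values from configuration. Neither the user-secrets
        // store nor Key Vault is part of the repository.
        var clientId = _configuration["Authentication:Microsoft:ClientId"];
        var clientSecret = _configuration["Authentication:Microsoft:ClientSecret"];
        if (string.IsNullOrEmpty(clientId) || string.IsNullOrEmpty(clientSecret))
        {
            // Fail fast at startup instead of running with a half-configured
            // login provider that only breaks when a user tries to sign in.
            throw new InvalidOperationException(
                "Authentication:Microsoft:ClientId and ClientSecret must be configured " +
                "(Secret Manager in Development, Azure Key Vault in Production).");
        }

        services.AddAuthentication()
            .AddMicrosoftAccount(options =>
            {
                options.ClientId = clientId;
                options.ClientSecret = clientSecret;
            });

        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```

For Development, the values are loaded with `dotnet user-secrets init` followed by `dotnet user-secrets set "Authentication:Microsoft:ClientId" "<id>"` and `dotnet user-secrets set "Authentication:Microsoft:ClientSecret" "<secret>"` from the project directory; they are stored in the user profile, outside the source tree. For Production, create the two secrets in the vault with the `--` names shown in the comments and grant the app's managed identity read access to secrets; no code change is needed between the two environments because both feed the same configuration keys.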