Pass client secret more securely
At the moment the client secret gets passed to az login on the commandline, which is insecure. az login doesn't yet support putting it in environment variables (based on the discussion in https://github.com/Azure/azure-cli/issues/10241 . Other sources say that we can set AZURE_CLIENT_SECRET, AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_SUBSCRIPTION_ID - but that certainly doesn't work for me.)