This message was deleted.

there's an "additionalSecretOutputs" or something property you can apply to each resource, that should do it

I was using the default Azure provider "pulumiprovidersazure::default_3_19_0". As I understand I have to create a custom Azure provider and specify the values as Pulumi secret:

import { clientId, clientSecret, environment, subscriptionId, tenantId } from "@pulumi/azure/config";
import { interpolate, secret } from "@pulumi/pulumi";
import { Provider } from "@pulumi/azure";

export const azProvider = new Provider("az-provider", {
  clientId: secret(interpolate`${clientId}`),
  clientSecret: secret(interpolate`${clientSecret}`),
  environment: secret(interpolate`${environment}`),
  subscriptionId: secret(interpolate`${subscriptionId}`),
  tenantId: secret(interpolate`${tenantId}`),
});