@Muhammad Izzuan Ariffin I would recommend creating a new thread for different issues so that more community members can provide their views.
State could be any random string that you can generate, it will be returned in the token response so you can use it to check for cross-site request forgery attacks.
You can include it in the request as shown below.
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&scope=https%3A%2F%2Fgraph.microsoft.com%2Fmail.read%20api%3A%2F%2F
&state=12345
&code_challenge=YTFjNjI1OWYzMzA3MTI4ZDY2Njg5M2RkNmVjNDE5YmEyZGRhOGYyM2IzNjdmZWFhMTQ1ODg3NDcxY2Nl
&code_challenge_method=S256
----------
If an answer or comment is helpful, please "Accept answer" or "Up-Vote" which might help other community members reading this thread.