Allow public client flows

Spkn 41 Reputation points
2023-10-09T14:02:09.99+00:00

Hey,

I am reaching out regarding an adjustment I intend to make to our application, which currently utilizes the Graph API to import mail from our users.

Specifically, I am interested in modifying the "Allow public client flows" setting to 'Yes.' Before proceeding with this change, I wanted to seek clarification on its potential impact, particularly in relation to already granted authorizations.

Could you kindly advise if changing this setting could potentially disrupt or affect the functionality for clients that are currently using this application? It is crucial for us to ensure a seamless transition and minimal disruption for our users.


Accepted answer
    Shweta Mathur 29,776 Reputation points Microsoft Employee
    2023-10-10T12:41:37.1066667+00:00

    Hi @Spkn

    Thank you for reaching out.

    The "Allow public client flows" setting is related to the OAuth 2.0 client credentials flow, which is used by confidential client applications to authenticate and obtain access tokens from the Microsoft identity platform.

    When this setting is enabled, public client applications (such as mobile or desktop applications) can also use this flow to obtain access tokens. This can be useful in scenarios where the client application cannot keep a client secret confidential, such as in a native mobile application.

    If you change the default value to "Yes" for the "Allow public client flows" option in the advanced setting, the application registration is a public client application and a certificate or secret isn't required. The "Yes" value is useful when you want to use the client application in your mobile app or a JavaScript app where you don't want to store any secrets.

    Regarding your question, changing this setting to "Yes" should not affect the functionality of clients that are currently using your application, as long as they are using confidential client applications. However, if any of your clients are using public client applications, they will need to update their application to use the client credentials flow to obtain access tokens.

    It is important to note that enabling public client flows can increase the risk of unauthorized access to your application's resources. Therefore, it is recommended to only enable this setting if it is necessary for your scenario and if you have implemented appropriate security measures to mitigate the increased risk.

    Hope this will help.

    Thanks,

    Shweta


    Please remember to "Accept Answer" if answer helped you.
