Is this a valid way to restrict Azure AD to only use client credentials flow?

Iammra 1 Reputation point

Hi Guys,

I'm currently using an Azure AD app registration with a generated secret provided to a third party application for client credentials flow when they try to access my .NET API application. I need to restrict access to only this third party application.

I've found a hacky way to do this by deleting Graph API from the entries under "API Permissions", and making sure there are no entries here. Now whenever someone tries to initiate the authorization code flow, they get an error saying "AADSTS650057: Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client's application registration.".

However, when someone tries the client_credentials flow, they can still successfully obtain an access token.

Are there any holes in using this trick? Or have I successfully restricted to only client_credentials?


Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. soumi-MSFT 11,776 Reputation points Microsoft Employee

    @Iammra, thank you for reaching out. Based on the details shared above, what I understand is that you have a .NET web API published in your AAD tenant and some third party application is trying to access this Web API using the client_credentials flow.

    The other 3rd party application is not registered in your AAD tenant, and it makes a call to your Web API using the client_credentials flow because you have provided the clientId and clientSecret to that 3rd party application. Only applications that have access to your Web API's clientID and clientSecret would be able to fetch an access-token for your app from AAD by submitting your web API's credentials. AAD doesn't have a way to check who is making this call, and it only checks if the provided clientID and clientSecret are valid or not; if they are valid, an access-token is issued to the app that made the request.

    I did quite understand the hack way you mentioned above, it would be great if you can share some more details on that along with screenshots for us to understand that better and guide you accordingly.

    But the summary is, whoever has your web API's clientID and clientSecret can obtain an access-token from AAD for your web API.

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.
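
An added example, not part of the original thread: because the token endpoint only checks the clientID and clientSecret, the API itself can refuse anything that is not an app-only (client_credentials) token from the expected client by inspecting the claims of an already validated token. It assumes signature, issuer and audience were verified beforehand; the function names and the client ID are constructed placeholders, and `idtyp` is an optional claim that has to be enabled on the app registration.

```python
# Constructed placeholder: client ID of the app registration shared with the third party.
ALLOWED_CLIENT_IDS = {"11111111-1111-1111-1111-111111111111"}


def caller_client_id(claims):
    """v2.0 access tokens carry the client in 'azp', v1.0 tokens in 'appid'."""
    return claims.get("azp") or claims.get("appid")


def is_app_only(claims):
    """True when the token came from the client credentials flow (no signed-in user)."""
    if "scp" in claims:          # delegated scopes appear only when a user is present
        return False
    idtyp = claims.get("idtyp")  # optional claim; may be absent
    if idtyp is not None:
        return idtyp == "app"
    # Fallback without idtyp: in app-only tokens the subject is the service
    # principal itself, so 'oid' and 'sub' are identical.
    oid, sub = claims.get("oid"), claims.get("sub")
    return oid is not None and oid == sub


def authorize(claims, required_role=None):
    """Return (allowed, reason) for the claims of an already validated token."""
    if not is_app_only(claims):
        return False, "delegated (user) token rejected"
    if caller_client_id(claims) not in ALLOWED_CLIENT_IDS:
        return False, "client not on allow list"
    if required_role is not None and required_role not in claims.get("roles", []):
        return False, "required app role missing"
    return True, "ok"


# Constructed sample claim sets (not real tokens).
APP_TOKEN = {"ver": "2.0", "azp": "11111111-1111-1111-1111-111111111111",
             "oid": "aaaa", "sub": "aaaa"}
USER_TOKEN = {"ver": "2.0", "azp": "11111111-1111-1111-1111-111111111111",
              "oid": "bbbb", "sub": "cccc", "scp": "access_as_user"}
OTHER_APP_TOKEN = {"ver": "1.0", "appid": "22222222-2222-2222-2222-222222222222",
                   "oid": "dddd", "sub": "dddd", "idtyp": "app"}

if __name__ == "__main__":
    for name, token in [("app", APP_TOKEN), ("user", USER_TOKEN),
                        ("other app", OTHER_APP_TOKEN)]:
        print(name, authorize(token))
```

This check does not tell two holders of the same secret apart; it only ensures that delegated tokens and tokens from other clients are refused by the API.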