![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 51%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
Microsoft Authenticator
A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation.
5,486 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 86%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EH%3C/text%3E%3C/svg%3E)
Hello tfs,
Thanks for reaching out!
As per my understanding, the use of client secrets in MSAL authentication for Graph API depends on authentication scenario and the permissions requested.
When your application needs to access graph APIs without user context (Client Credentials flow), then you need client secrets to authenticate your application to Azure AD and obtain an access token.
If your application requests Graph API permissions that requires high level access or admin consent, then you need to use Client credentials flow with a client secret. This is because admin consent requires a higher level of security to prevent unauthorized access to sensitive data. In other authentication scenarios like auth code flow or implicit flow, you don't need a client secret. Instead, you can authenticate your app using Client ID and by configuring redirect URIs to receive tokens after user signs in.
Hope this helps.
If the answer is helpful, please click Accept Answer and kindly upvote. If you have any further questions about this answer, please click Comment.