Hello Bats,
Yes, it is a potential security issue if someone obtains the Application ID of a registered app with delegated permissions and uses it to create a new app with the same permissions. To avoid this scenario, you can use Azure Active Directory (Azure AD) Application Registration with a client secret instead of a public Application ID.
When using a client secret, the app needs to authenticate with Azure AD using a combination of its Application ID and a secret key. This secret key is known only to the app and the Azure AD tenant, and it is never shared or transmitted over the network. This provides an additional layer of security as an attacker would need to know the client secret to use the registered app's permissions, not just the Application ID.
To use client secrets, you will need to create an Azure AD Application Registration with a client secret and grant it the necessary permissions. Then, your app A will use the client secret to authenticate with Azure AD and access the required resources.
Overall, while public Application IDs themselves are not necessarily a security issue, it's important to implement strong security measures around your Azure AD applications to prevent unauthorized access and misuse.
If this answers your question, please be sure to let me know.
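
An added example, not part of the answer above and not Microsoft's code: a defender-side audit that separates app registrations usable as public clients (no secret required) from those relying on client secrets, and flags secrets that are expired or long-lived. It assumes input shaped like Microsoft Graph `application` objects; the sample apps, the finding labels and the 180-day limit are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample shaped like Microsoft Graph `application` objects.
# Names, appIds and dates are made up for this example.
SAMPLE_APPS = [
    {"displayName": "app-a-web", "appId": "00000000-0000-0000-0000-00000000000a",
     "isFallbackPublicClient": False, "publicClient": {"redirectUris": []},
     "passwordCredentials": [
         {"startDateTime": "2024-01-01T00:00:00Z", "endDateTime": "2024-04-01T00:00:00Z"}]},
    {"displayName": "legacy-desktop", "appId": "00000000-0000-0000-0000-00000000000b",
     "isFallbackPublicClient": True, "publicClient": {"redirectUris": []},
     "passwordCredentials": []},
    {"displayName": "batch-job", "appId": "00000000-0000-0000-0000-00000000000c",
     "isFallbackPublicClient": None, "publicClient": {"redirectUris": []},
     "passwordCredentials": [
         {"startDateTime": "2022-01-01T00:00:00Z", "endDateTime": "2024-01-01T00:00:00Z"},
         {"startDateTime": "2024-01-01T00:00:00Z", "endDateTime": "2026-01-01T00:00:00Z"}]},
]

def _ts(value):
    """Parse a Graph-style UTC timestamp such as 2024-01-01T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_app_registrations(apps, now, max_secret_days=180):
    """Return (displayName, finding) pairs. max_secret_days is an assumed policy."""
    findings = []
    for app in apps:
        name = app["displayName"]
        public_uris = (app.get("publicClient") or {}).get("redirectUris") or []
        # Public client flows need no secret: the Application ID alone identifies the app.
        if app.get("isFallbackPublicClient") or public_uris:
            findings.append((name, "public-client"))
        for cred in app.get("passwordCredentials") or []:
            start, end = _ts(cred["startDateTime"]), _ts(cred["endDateTime"])
            if end <= now:
                findings.append((name, "expired-secret"))
            elif (end - start).days > max_secret_days:
                findings.append((name, "long-lived-secret"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_app_registrations(SAMPLE_APPS, datetime.now(timezone.utc)):
        print(f"{name}: {finding}")
```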