Hello, adding on to @mirba-msft's answer, please take into consideration the following:
- You can use a client certificate, which is more secure than a secret since you can remove the private key, protect it with a password or disable its exportation.
- Besides the risk of third-party cookies being blocked, implicit flow is not as secure as authorization flow with PKCE, which is currently supported by the latest MSAL for .NET and JavaScript libraries.
- Application ID URI is only required when you are exposing your own scopes (as an API). Also, it will be set when configuring SAML SSO (as enterprise application).
Please let me know if you need more help. If the answer was helpful to you, please accept it and, optionally, provide feedback so that other members in the community can benefit from it.
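
How PKCE ties an authorization code to the client that requested it, using the S256 method from RFC 7636. This is an added example, not part of the original answer and not MSAL's code; `ToyAuthorizationServer` and the other names are hypothetical stand-ins for the real client library and identity provider.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_verifier() -> str:
    """Client side: 32 random bytes become a 43-character code_verifier."""
    return b64url(secrets.token_bytes(32))


def s256_challenge(verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class ToyAuthorizationServer:
    """Hypothetical in-memory stand-in for the authorization server."""

    def __init__(self):
        self._pending = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge: str) -> str:
        """Authorization request: remember the challenge, issue a one-time code."""
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def redeem(self, code: str, code_verifier: str) -> bool:
        """Token request: the code is single-use and must match the verifier."""
        challenge = self._pending.pop(code, None)
        if challenge is None:
            return False  # unknown or already redeemed code
        return hmac.compare_digest(challenge, s256_challenge(code_verifier))


def demo() -> dict:
    server = ToyAuthorizationServer()
    verifier = new_verifier()  # stays on the client until the token request
    exposed = server.authorize(s256_challenge(verifier))  # code seen by another party
    code = server.authorize(s256_challenge(verifier))     # code delivered to the client
    return {
        "exposed_code_without_verifier": server.redeem(exposed, new_verifier()),
        "legitimate_client": server.redeem(code, verifier),
        "replayed_code": server.redeem(code, verifier),
    }
```

Only the client holding the original verifier can redeem the code, whereas in implicit flow the token itself is returned in the redirect with no such binding.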