Cannot retrieve the grant type(s) used by an OIDC app integrated with Azure AD

Etienne Duhamel 71 Reputation points
2021-04-30T08:36:32.317+00:00

I'm trying to retrieve the configuration of the apps integrated with Azure AD.

I used the Microsoft Graph API to try to get that piece of information, and also the Azure AD PowerShell cmdlets, but all I can deduce is whether the application uses the Implicit Flow, and whether ROPC or Device Code Flow has been enabled.

The application type can also be retrieved, so we can deduce the grant type used. But I noticed that any application may use the Client Credentials flow; how can we identify the applications that are actually using it (and that should be categorized as Services)?
I tried to identify them by checking if the application has an Identifier Uri and OAuth2 Permissions, but this does not seem to get all the applications that are services. Furthermore, with this method, I have to sort between those truly using Client Credentials flow and those using On-Behalf Flow.

Then I tried with the sign-in logs, but there is no information about the URL called, nor the grant type used.

Is there any way to retrieve that information? Am I missing something?

Microsoft Entra ID

Accepted answer
  1. Saurabh Sharma 23,751 Reputation points Microsoft Employee
    2021-05-11T15:07:04.547+00:00

    Hi @Etienne Duhamel ,

    You could try to use implicitGrantSettings, as these settings are unique to Client Credentials Flow, to distinguish between OBO and Client Credentials Flow. Both enableAccessTokenIssuance and enableIdTokenIssuance have to be set to true for an app which will work as Client Credential Flow.

    You can use the Get Application Graph API, GET https://graph.microsoft.com/v1.0/applications/{id}.

    "implicitGrantSettings": {
        "enableAccessTokenIssuance": true,
        "enableIdTokenIssuance": true
    }

    Please refer to the documentation - implicitGrantSettings resource type

    Thanks
    Saurabh
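
An added example, not part of the original thread and not Microsoft's code: it reads application objects shaped like the output of `GET /applications` and lists the flow-related settings each registration permits. The sample objects and the signal labels are constructed for illustration; the property names are those of the Graph v1.0 application resource, and a listed setting shows what the registration allows, not which grant the app actually used.

```python
import json

# Constructed sample: two objects shaped like the Graph v1.0 "application"
# resource, reduced to the properties inspected below.
SAMPLE = json.loads("""
[{"displayName": "legacy-portal",
  "web": {"implicitGrantSettings": {"enableAccessTokenIssuance": true,
                                    "enableIdTokenIssuance": true}},
  "isFallbackPublicClient": false, "passwordCredentials": [], "keyCredentials": [],
  "requiredResourceAccess": [{"resourceAccess": [
      {"id": "00000000-0000-0000-0000-000000000001", "type": "Scope"}]}]},
 {"displayName": "nightly-sync",
  "web": {"implicitGrantSettings": {"enableAccessTokenIssuance": false,
                                    "enableIdTokenIssuance": false}},
  "isFallbackPublicClient": null, "keyCredentials": [],
  "passwordCredentials": [{"keyId": "00000000-0000-0000-0000-000000000002"}],
  "requiredResourceAccess": [{"resourceAccess": [
      {"id": "00000000-0000-0000-0000-000000000003", "type": "Role"}]}]}]
""")


def flow_signals(app):
    """Return labels for the flow-related settings a registration permits."""
    implicit = (app.get("web") or {}).get("implicitGrantSettings") or {}
    types = {ra.get("type")
             for rra in app.get("requiredResourceAccess") or []
             for ra in rra.get("resourceAccess") or []}
    has_cred = bool(app.get("passwordCredentials") or app.get("keyCredentials"))
    signals = []
    if implicit.get("enableAccessTokenIssuance") or implicit.get("enableIdTokenIssuance"):
        signals.append("implicit-enabled")
    if app.get("isFallbackPublicClient"):  # "Allow public client flows"
        signals.append("public-client-flows-enabled")  # ROPC, device code
    if has_cred:  # a secret or certificate exists on the registration
        signals.append("has-credential")
    if has_cred and "Role" in types:  # application permissions requested
        signals.append("app-permissions-requested")
    if "Scope" in types:  # delegated permissions requested
        signals.append("delegated-permissions-requested")
    return signals


def inventory(apps):
    return {a.get("displayName", "<unnamed>"): flow_signals(a) for a in apps}


if __name__ == "__main__":
    for name, sig in inventory(SAMPLE).items():
        print(f"{name}: {', '.join(sig) or 'none'}")
```
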


0 additional answers