Hi Guys,
I'm currently using an Azure AD app registration with a generated secret, provided to a third-party application for the client credentials flow, when they try to access my .NET API application. I need to restrict access to only this third-party application.
I've found a hacky way to do this by deleting Graph API from the entries under "API Permissions", and making sure there are no entries here. Now whenever someone tries to initiate the authorization code flow, they get an error saying "AADSTS650057: Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client's application registration.".
However, when someone tries the client_credentials flow, they can still successfully obtain an access token.
Are there any holes in using this trick? Or have I successfully restricted to only client_credentials?
Thanks.
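An added example, not the poster's code, showing the check that is usually combined with the app-registration approach above on the API side: an ASP.NET Core authorization policy that accepts a token only when its calling-application claim (`appid` in v1 tokens, `azp` in v2 tokens) matches the one allowed client ID. It assumes a minimal API using `Microsoft.AspNetCore.Authentication.JwtBearer`; the tenant, audience and client ID values are placeholders.

```csharp
// Added example, not the original poster's code. Assumes an ASP.NET Core
// minimal API with the Microsoft.AspNetCore.Authentication.JwtBearer package.
// All IDs below are placeholders, not real registrations.
using System;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Application (client) ID of the single third-party registration allowed to call this API.
const string AllowedClientId = "00000000-0000-0000-0000-000000000000"; // placeholder

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Signature, issuer, expiry and audience are validated by the handler.
        options.Authority = "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0";
        options.Audience = "api://API-APP-ID-PLACEHOLDER";
    });

builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("SingleTrustedClient", policy =>
        policy.RequireAuthenticatedUser()
              .RequireAssertion(ctx =>
              {
                  // The caller's app ID is in "appid" for v1 tokens and "azp" for v2 tokens.
                  var callerAppId = ctx.User.FindFirst("appid")?.Value
                                 ?? ctx.User.FindFirst("azp")?.Value;
                  // Any other registration in the tenant that obtains a token for
                  // this audience is rejected here, whatever flow it used.
                  return string.Equals(callerAppId, AllowedClientId,
                                       StringComparison.OrdinalIgnoreCase);
              }));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Every protected endpoint opts into the policy.
app.MapGet("/data", () => "ok").RequireAuthorization("SingleTrustedClient");

app.Run();
```

A request with a valid token from any other client ID gets a 403 from the policy; a request with no token or a token for a different audience is already rejected by the JwtBearer handler with a 401.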