This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 41%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKD%3C/text%3E%3C/svg%3E)
I recently created an Azure AD B"C application and noticed the property allowPublicClient default to null after creation by looking in the manifest. On the Authentication page for the application in Azure UI it shows as having the value "No" under Allow public client flows.
I was using it to log in to my application using MSal 2.0 (msal browser) using oauth PKCE and it worked, if I set it to true it also works but if I set it to false I get the error: AADB2C90058: The provided application is not configured to allow public clients.
My question is: Why can i log in with allowPublicClient = null when it shows as false in the ui? If null is false, I should get the error AADB2C90058 just like when its actually set to false.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 32%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJR%3C/text%3E%3C/svg%3E)
By default the setting is set to No (confidential client). Changing to ‘Yes’ converts the default client type to public client. In the application manifest file, this setting is “allowPublicClient” which can be set to true for public client and false or null for confidential client.
This setting is not about the Identity Provider (Azure AD)’s security feature. It is about the client application’s design flow and the environment the application is used in. Changing the type does not cause Azure AD to provide any more or less security protection for the application than the other setting. It only changes what Azure AD expects from the client application during authentication. A confidential client is expected to provide a secret (or assertion) when authenticating to Azure AD while a public client does not have to provide this parameter.
Please follow this document for more information:- https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-authentication-flows
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 32%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EET%3C/text%3E%3C/svg%3E)
This would mean that setting the value to null is the the same as setting it to false? As you say both would result in the default client type being set to confidential client. The question asks why setting the value to null results in a different behaviour than setting it to false.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(112.00000000000001, 90%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPW%3C/text%3E%3C/svg%3E)
Sorry but is a mess guys. I agree with @Erling Tømte . Who can explain why null and false is not equal? Why boolean has no just 2 states but 3?