EtienneDuhamel-2769 asked SaurabhSharma-msft commented

Cannot retrieve the grant type(s) used by an OIDC app integrated with Azure AD

I'm trying to retrieve the configuration of the apps integrated with Azure AD.

I used the Microsoft Graph API to try to get that piece of information, and also the Azure AD PowerShell cmdlet, but all I can deduce is whether the application uses the Implicit Flow, and whether ROPC or Device Code Flow have been enabled.

The application type can also be retrieved, so we can deduce the grant type used. But I noticed that any application may use the Client Credentials flow. How can we identify the applications that are actually using it (and that should be categorized as Services)?
I tried to identify them by checking if the application has an Identifier Uri and OAuth2 Permissions, but this does not seem to get all the applications that are services. Furthermore, with this method, I have to sort between those truly using Client Credentials flow and those using On-Behalf Flow.

Then I tried with the sign-in logs, but there is no information about the URL called, nor the grant type used.

Is there any way to retrieve that information? Am I missing something?

azure-ad-openid-connect azure-ad-app-management

@etienneduhamel-2769 Thanks for using Microsoft Q&A !!

To my knowledge, you cannot identify if the application is using a client credentials flow with any application properties. However, I am checking internally with the team and will get back to you on the same.

Thanks
Saurabh


1 Answer

SaurabhSharma-msft answered SaurabhSharma-msft commented

Hi @etienneduhamel-2769,

You could try to use implicitGrantSettings, as these settings are unique to Client Credentials Flow, to distinguish between OBO and Client Credentials Flow. Both enableAccessTokenIssuance and enableIdTokenIssuance have to be set to true for an app which will work as Client Credential Flow.

You can use the Get Application Graph API, GET https://graph.microsoft.com/v1.0/applications/{id}.



"implicitGrantSettings": {
    "enableAccessTokenIssuance": true,
    "enableIdTokenIssuance": true
}

Please refer to the documentation - implicitGrantSettings resource type

Thanks
Saurabh
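
As an added illustration (not code from this thread or from Microsoft), the sketch below reads application objects as returned by GET /v1.0/applications and collects the grant-related properties discussed above: implicit grant settings, public client flows, and an identifier URI with OAuth2 permission scopes. It also assumes that a credential combined with an application ("Role") permission marks an app configured for client credentials; that is a configuration signal only and does not show the flow is actually used. The sample data and function names are constructed.

```python
import json

# Constructed sample, shaped like the "value" array of GET /v1.0/applications.
SAMPLE_APPS = json.loads("""[
 {"displayName": "spa-portal", "identifierUris": [], "isFallbackPublicClient": null,
  "web": {"implicitGrantSettings": {"enableAccessTokenIssuance": true, "enableIdTokenIssuance": true}},
  "api": {"oauth2PermissionScopes": []}, "passwordCredentials": [], "keyCredentials": [],
  "requiredResourceAccess": [{"resourceAccess": [{"id": "constructed-1", "type": "Scope"}]}]},
 {"displayName": "nightly-sync-daemon", "identifierUris": [], "isFallbackPublicClient": false,
  "web": {"implicitGrantSettings": {"enableAccessTokenIssuance": false, "enableIdTokenIssuance": false}},
  "api": {"oauth2PermissionScopes": []}, "passwordCredentials": [{"keyId": "constructed-2"}],
  "keyCredentials": [],
  "requiredResourceAccess": [{"resourceAccess": [{"id": "constructed-3", "type": "Role"}]}]},
 {"displayName": "orders-api", "identifierUris": ["api://constructed-orders"],
  "isFallbackPublicClient": false, "web": {"implicitGrantSettings": {}},
  "api": {"oauth2PermissionScopes": [{"value": "Orders.Read"}]},
  "passwordCredentials": [], "keyCredentials": [{"keyId": "constructed-4"}],
  "requiredResourceAccess": [{"resourceAccess": [{"id": "constructed-5", "type": "Scope"}]}]},
 {"displayName": "cli-tool", "identifierUris": [], "isFallbackPublicClient": true,
  "passwordCredentials": [], "keyCredentials": [], "requiredResourceAccess": []}
]""")

def flow_signals(app):
    """Grant-related configuration signals for one application object."""
    igs = (app.get("web") or {}).get("implicitGrantSettings") or {}
    scopes = (app.get("api") or {}).get("oauth2PermissionScopes") or []
    access = [ra for rra in app.get("requiredResourceAccess") or []
              for ra in rra.get("resourceAccess") or []]
    return {
        "implicit_access_token": bool(igs.get("enableAccessTokenIssuance")),
        "implicit_id_token": bool(igs.get("enableIdTokenIssuance")),
        "public_client_flows": bool(app.get("isFallbackPublicClient")),  # ROPC / device code
        "exposes_api": bool(app.get("identifierUris")) and bool(scopes),
        "has_credentials": bool(app.get("passwordCredentials") or app.get("keyCredentials")),
        "app_permissions": any(ra.get("type") == "Role" for ra in access),
        "delegated_permissions": any(ra.get("type") == "Scope" for ra in access),
    }

def client_credentials_candidates(apps):
    """Assumption: a secret or certificate plus a 'Role' permission = configured for app-only use."""
    names = []
    for app in apps:
        s = flow_signals(app)
        if s["has_credentials"] and s["app_permissions"]:
            names.append(app["displayName"])
    return names
```

In the sample, orders-api holds a credential but only delegated permissions and exposes its own scopes, so it is not listed as a candidate; that is the On-Behalf case the question had to sort out by hand.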


Hi @etienneduhamel-2769,

I have not heard back from you. Did my answer solve your issue? If so, please mark as accepted answer. If not, please let me know how I may better assist.

Thanks
Saurabh
