Should Implicit Flows Be Used When Registering An App In Azure AD?

Should Implicit Flows be used when registering an app in Azure AD ?

Issue/Query: Should Implicit flows be used when authenticating the app in Azure AD platform ?

Resolution: Note that scenarios that required implicit flow can now use Auth code flow to reduce the risk of compromise associated with implicit flow misuse. Under Authentication for the application in the Azure portal, a platform must be selected for the application and then the Access tokens (used for implicit flows) property can be set.

Consider the following guidance related to implicit flow:

  • Understand if implicit flow is required. Do not use implicit flow unless explicitly required.
  • If the application was configured to receive access tokens using implicit flow, but does not actively use them, turn off the setting to protect from misuse.
  • Use separate applications for valid implicit flow scenarios.