Microsoft Graph - All Azure AD SPA Registrations With Passwords

It is discouraged to associate Azure AD SPA Application Registrations with Passwords or Certificate credentials.

Client-side frameworks deliver all of their source code to the end user. Where defined, exposed secrets can allow malicious actors to sign in and act as the application.

This code reveals potentially misconfigured SPA applications. Those that have a client password defined with at least one SPA redirection not to localhost (implying that the source code appears deployed) and may contain a secret key.

PowerShell Code

Note: This code requires the Microsoft Graph SDK for PowerShell.