Azure AD SPA application registrations should not be associated with password or certificate credentials. Client-side frameworks deliver all of their source code to the end user, so any secret defined for such an app is exposed, and an exposed secret allows malicious actors to sign in and act as the application.

This code reveals potentially misconfigured SPA applications: those that have a client password defined and at least one redirect URI that does not point to localhost (implying that the source code has been deployed somewhere).

PowerShell Code

Note: This code requires the Microsoft Graph SDK for PowerShell.
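As an added example (not the page's own script), the following PowerShell uses the Microsoft Graph SDK to list SPA registrations that have a password credential and at least one SPA-platform redirect URI not pointing at localhost. It assumes the caller can sign in with the Application.Read.All scope; the function names are mine.

```powershell
# Added example, not the original page's code. Requires the Microsoft.Graph
# PowerShell SDK and a sign-in that can be granted Application.Read.All.
Connect-MgGraph -Scopes "Application.Read.All"

function Test-IsLocalhostUri {
    # True when the redirect URI targets the local machine (dev-only usage).
    param([string]$Uri)
    try {
        $parsed = [System.Uri]$Uri
        return ($parsed.Host -in @('localhost', '127.0.0.1', '[::1]', '::1'))
    } catch {
        return $false   # unparsable URI: treat as not-localhost so it is reviewed
    }
}

function Get-RiskySpaApplication {
    # -All pages through every application registration in the tenant.
    $apps = Get-MgApplication -All -Property Id, AppId, DisplayName, PasswordCredentials, KeyCredentials, Spa

    foreach ($app in $apps) {
        $spaUris = @($app.Spa.RedirectUris)
        if ($spaUris.Count -eq 0) { continue }                # no SPA platform configured

        $secretCount = @($app.PasswordCredentials).Count
        if ($secretCount -eq 0) { continue }                  # no client password defined

        $deployedUris = @($spaUris | Where-Object { -not (Test-IsLocalhostUri $_) })
        if ($deployedUris.Count -eq 0) { continue }           # only localhost redirects

        [pscustomobject]@{
            DisplayName       = $app.DisplayName
            AppId             = $app.AppId
            ObjectId          = $app.Id
            SecretCount       = $secretCount
            CertificateCount  = @($app.KeyCredentials).Count
            NonLocalRedirects = ($deployedUris -join '; ')
        }
    }
}

# Report the findings; an empty table means no SPA registration matched the pattern.
Get-RiskySpaApplication | Sort-Object DisplayName | Format-Table -AutoSize
```

Each row is a registration whose secret should be removed (or the app re-registered as a confidential client) once the owning team confirms how the secret is used.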

Updated: