Find Entra Apps With Implicit Flow

In Microsoft Entra ID, implicit flow is an OAuth 2.0 authentication mechanism traditionally used by browser-based single-page applications (SPAs). It is now considered a legacy authentication flow and is less secure than modern OAuth flows (Authorization Code flow with PKCE). Because implicit flow returns tokens directly to the browser, it increases the risk of token leakage and misuse.

This makes it important for administrators to identify applications where implicit flow is still enabled and take corrective action. The script below detects Entra applications with implicit flow enabled and exports the findings to a structured CSV report.

Download this script from our M365Corner GitHub Repo: https://github.com/m365corner/M365Corner-Scripts/tree/main/Entra-Apps-Related-Scripts/Find-Entra-Apps-With-Implicit-Flow

The Script

# Connect to Microsoft Graph
Connect-MgGraph -Scopes Application.Read.All

Write-Host "Scanning applications with Implicit Flow enabled..." -ForegroundColor Cyan

# Get applications with Web settings
$Applications = Get-MgApplication -All -Property Id,DisplayName,AppId,CreatedDateTime,Description,Web

$Results = @()

foreach ($App in $Applications) {

    $ImplicitIdToken     = $App.Web.ImplicitGrantSettings.EnableIdTokenIssuance
    $ImplicitAccessToken = $App.Web.ImplicitGrantSettings.EnableAccessTokenIssuance

    if ($ImplicitIdToken -eq $true -or $ImplicitAccessToken -eq $true) {

        # Console output (minimal)
        Write-Host "$($App.DisplayName) | $($App.AppId)" -ForegroundColor Yellow

        # Export object (detailed)
        $Results += [PSCustomObject]@{
            ApplicationName            = $App.DisplayName
            ApplicationId              = $App.Id
            ClientId                   = $App.AppId
            CreatedDate                = $App.CreatedDateTime
            Description                = $App.Description
            ImplicitIdTokenEnabled     = $ImplicitIdToken
            ImplicitAccessTokenEnabled = $ImplicitAccessToken
            ImplicitFlowStatus         = "Enabled"
        }
    }
}

# Export results
$ExportPath = "C:\Path\Apps_ImplicitFlow_Enabled_Report.csv"

$Results | Export-Csv $ExportPath -NoTypeInformation

Write-Host "Report exported to $ExportPath" -ForegroundColor Cyan

How the Script Works

Step                      | Description
--------------------------|------------------------------------------------------------
Connect to Graph          | Authenticates using the Application.Read.All permission
Retrieve Applications     | Fetches all applications, including their Web configuration
Extract Implicit Settings | Reads ImplicitGrantSettings from each app
Check ID Token            | Checks whether ID token issuance is enabled
Check Access Token        | Checks whether access token issuance is enabled
Identify Implicit Flow    | Flags apps where either setting is enabled
Build Report              | Creates structured output with the implicit flow details
Export Results            | Saves the report to a CSV file

Further Enhancements

Enhancement         | Description
--------------------|------------------------------------------------------------
Add Redirect URIs   | Include Web.RedirectUris for deeper analysis
Combine With Owners | Identify apps with implicit flow enabled and no owners
Risk Tagging        | Mark implicit flow apps as "Legacy Risk"
Filter by App Type  | Focus only on SPA or web applications
Auto-Remediation    | Disable implicit flow via script (with caution)
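The following script is an added example that implements the enhancements in the table above; it is not part of the original post or the M365Corner repository. It assumes the Microsoft.Graph.Applications module is installed and uses the real Get-MgApplication, Get-MgApplicationOwner and Update-MgApplication cmdlets. The -Remediate switch and the risk tag labels are names chosen for this example. Without -Remediate the script only reports and connects with the read-only Application.Read.All scope; with -Remediate it requests Application.ReadWrite.All and honours -WhatIf, so a dry run can be reviewed before any application is changed.

```powershell
# Added example, not the original script. Extends the implicit flow report with
# redirect URIs, owners, app type, a risk tag and optional remediation.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical switch for this example: off = report only, on = disable implicit flow
    [switch]$Remediate,
    [string]$ExportPath = "C:\Path\Apps_ImplicitFlow_Enhanced_Report.csv"
)

# Request write permission only when remediation was explicitly asked for
$Scopes = if ($Remediate) { 'Application.ReadWrite.All' } else { 'Application.Read.All' }
Connect-MgGraph -Scopes $Scopes -NoWelcome

# Spa is requested as well as Web so SPA-platform redirect URIs can be inspected
$Apps = Get-MgApplication -All -Property Id,DisplayName,AppId,CreatedDateTime,Web,Spa

$Results = foreach ($App in $Apps) {
    # Null check: apps with no web platform have no ImplicitGrantSettings object
    $Settings = $App.Web.ImplicitGrantSettings
    if ($null -eq $Settings) { continue }

    $IdToken     = [bool]$Settings.EnableIdTokenIssuance
    $AccessToken = [bool]$Settings.EnableAccessTokenIssuance
    if (-not ($IdToken -or $AccessToken)) { continue }

    # App type, derived from which platforms carry redirect URIs
    $WebUris = @($App.Web.RedirectUris)
    $SpaUris = @($App.Spa.RedirectUris)
    $AppType = if ($SpaUris.Count -gt 0 -and $WebUris.Count -eq 0) { 'SPA' }
               elseif ($SpaUris.Count -gt 0)                       { 'Web+SPA' }
               else                                                 { 'Web' }

    # Owners: users expose userPrincipalName, other directory objects a displayName
    $Owners = @(Get-MgApplicationOwner -ApplicationId $App.Id -All | ForEach-Object {
        $p = $_.AdditionalProperties
        if ($p['userPrincipalName'])  { $p['userPrincipalName'] }
        elseif ($p['displayName'])    { $p['displayName'] }
        else                          { $_.Id }
    })

    # Risk tag (labels chosen for this example): ownerless apps are hardest to remediate,
    # and access-token issuance is riskier than ID-token issuance alone
    $RiskTag = if ($Owners.Count -eq 0) { 'Legacy Risk - No Owner' }
               elseif ($AccessToken)    { 'Legacy Risk - Access Token' }
               else                     { 'Legacy Risk' }

    $Action = 'Reported'
    if ($Remediate -and $PSCmdlet.ShouldProcess($App.DisplayName, 'Disable implicit flow')) {
        # Reuse the existing Web object so redirect URIs and other settings are preserved
        $Web = $App.Web
        $Web.ImplicitGrantSettings.EnableIdTokenIssuance     = $false
        $Web.ImplicitGrantSettings.EnableAccessTokenIssuance = $false
        Update-MgApplication -ApplicationId $App.Id -Web $Web
        $Action = 'Implicit flow disabled'
    }

    Write-Host "$($App.DisplayName) | $($App.AppId) | $AppType | $RiskTag | $Action" -ForegroundColor Yellow

    [PSCustomObject]@{
        ApplicationName            = $App.DisplayName
        ApplicationId              = $App.Id
        ClientId                   = $App.AppId
        CreatedDate                = $App.CreatedDateTime
        AppType                    = $AppType
        WebRedirectUris            = $WebUris -join '; '
        SpaRedirectUris            = $SpaUris -join '; '
        Owners                     = $Owners -join '; '
        OwnerCount                 = $Owners.Count
        ImplicitIdTokenEnabled     = $IdToken
        ImplicitAccessTokenEnabled = $AccessToken
        RiskTag                    = $RiskTag
        Action                     = $Action
    }
}

$Results | Export-Csv $ExportPath -NoTypeInformation
Write-Host "$(@($Results).Count) app(s) with implicit flow enabled. Report exported to $ExportPath" -ForegroundColor Cyan
```

Run it as `.\Find-ImplicitFlow-Enhanced.ps1` for the report only, and as `.\Find-ImplicitFlow-Enhanced.ps1 -Remediate -WhatIf` to list the applications that would be changed without touching them; drop -WhatIf only after the owners listed in the report have confirmed the app no longer depends on implicit flow. To focus on a single app type, filter the exported objects, for example `$Results | Where-Object AppType -eq 'SPA'`.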

Frequently Asked Questions

Question                                  | Answer
------------------------------------------|------------------------------------------------------------------
What is implicit flow?                    | A legacy OAuth flow where tokens are returned directly to the browser
Why is implicit flow insecure?            | Tokens are returned in the browser URL, where they can be exposed or intercepted
Is implicit flow deprecated?              | Yes, Microsoft recommends the Authorization Code flow with PKCE
Should all implicit flow apps be removed? | Not always—evaluate usage before disabling
Is this report useful?                    | Yes, it helps identify legacy authentication risks

Admin Use Cases

Use Case             | Description
---------------------|----------------------------------------------------
Security Audit       | Identify apps using legacy authentication
Modernization Effort | Migrate apps to secure OAuth flows
Compliance Checks    | Ensure adherence to security standards
Risk Identification  | Detect apps exposing tokens in the browser
Governance Reporting | Maintain visibility over authentication methods

Possible Errors & Solutions

Error                   | Cause                          | Solution
------------------------|--------------------------------|------------------------------------------------
Insufficient privileges | Missing Graph permission       | Connect with the Application.Read.All scope
Null Web property       | App has no web configuration   | Add null checks before reading ImplicitGrantSettings
Cmdlet not recognized   | Graph module missing           | Install it with Install-Module Microsoft.Graph
Access token expired    | Session timeout                | Reconnect using Connect-MgGraph
Empty results           | No apps using implicit flow    | Verify the tenant configuration

Conclusion

Implicit flow is a legacy and less secure authentication mechanism that should be carefully monitored and gradually phased out in modern Entra environments.

This Microsoft Graph PowerShell script provides a simple and effective way to identify applications with implicit flow enabled, helping administrators take proactive steps toward:

  • Improving security posture
  • Reducing token exposure risks
  • Migrating to modern authentication methods

By incorporating this script into regular audits, organizations can ensure they stay aligned with modern authentication best practices and maintain a secure Entra ID environment.


© Created and Maintained by LEARNIT WELL SOLUTIONS. All Rights Reserved.