High

Applications using implicit grant flow

Identifies app registrations using the deprecated implicit grant OAuth flow.

Category: Application Security
Default severity: High
Rule key: CHECK_APP_IMPLICIT_GRANT

How to fix it

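Migrate applications from the implicit grant to the authorization code flow with PKCE. The implicit grant is deprecated and less secure: tokens are returned to the browser directly in the redirect URL fragment, instead of being redeemed from a short-lived authorization code.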
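
To build the migration list, the check below flags app registrations that still have implicit grant enabled. It is an added example, not EntraAnalyzer's own code. It assumes the Microsoft Graph application properties `web.implicitGrantSettings` and `spa.redirectUris`, and runs over constructed sample data with a hypothetical function name.

```python
import json

# Constructed sample, shaped like the "value" array returned by
# GET /applications?$select=id,appId,displayName,web,spa in Microsoft Graph.
SAMPLE_APPS = json.loads("""
[
  {"appId": "00000000-0000-0000-0000-000000000001", "displayName": "Legacy SPA",
   "web": {"implicitGrantSettings": {"enableAccessTokenIssuance": true,
                                     "enableIdTokenIssuance": true}},
   "spa": {"redirectUris": []}},
  {"appId": "00000000-0000-0000-0000-000000000002", "displayName": "Half-migrated",
   "web": {"implicitGrantSettings": {"enableAccessTokenIssuance": false,
                                     "enableIdTokenIssuance": true}},
   "spa": {"redirectUris": ["https://app.example/callback"]}},
  {"appId": "00000000-0000-0000-0000-000000000003", "displayName": "PKCE SPA",
   "web": {"implicitGrantSettings": {"enableAccessTokenIssuance": false,
                                     "enableIdTokenIssuance": false}},
   "spa": {"redirectUris": ["https://new.example/callback"]}},
  {"appId": "00000000-0000-0000-0000-000000000004", "displayName": "Daemon",
   "web": null}
]
""")


def find_implicit_grant_apps(apps):
    """Return one finding per app registration with implicit grant enabled."""
    findings = []
    for app in apps:
        # "web" or its settings may be null or absent on non-web registrations.
        settings = (app.get("web") or {}).get("implicitGrantSettings") or {}
        tokens = [name for flag, name in (
            ("enableAccessTokenIssuance", "access_token"),
            ("enableIdTokenIssuance", "id_token"),
        ) if settings.get(flag) is True]
        if not tokens:
            continue
        spa_uris = (app.get("spa") or {}).get("redirectUris") or []
        findings.append({
            "appId": app["appId"],
            "displayName": app.get("displayName"),
            "implicit_tokens": tokens,
            # A SPA-type redirect URI is already registered for code flow + PKCE.
            "has_spa_redirect": bool(spa_uris),
        })
    return findings


if __name__ == "__main__":
    for finding in find_implicit_grant_apps(SAMPLE_APPS):
        print(finding)
```

Apps reported with `has_spa_redirect` set already have a SPA redirect URI registered, so the remaining work is confirming the client uses the code flow and then clearing the two issuance flags.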

Required Microsoft Graph permissions

EntraAnalyzer needs the following read-only Graph permissions to evaluate this rule:

  • Application.Read.All

Further reading

Microsoft documentation →

Run this check on your tenant

EntraAnalyzer evaluates this rule automatically on every scan and emails you the results.
