What causes AADSTS700025?

App registration has 'Allow public client flows' enabled, but the calling code still passes a client_secret. Same app registration is reused for both a desktop/CLI tool (public) and a service (confidential) — the public setting wins and breaks the service. MSAL/ADAL code uses ConfidentialClientApplication while the app type in Entra ID is set to public/native. Authority or redirect URI of type native (e.g. urn:ietf:wg:oauth:2.0:oob, http://localhost) combined with a client_secret in the body. Copy-pasted token request from a confidential client sample into a device-code or ROPC flow that should not carry credentials

How do I fix AADSTS700025?

In the Entra ID portal → App registrations → your app → Authentication, check the 'Allow public client flows' toggle. If the app is a backend/service, set it to No; if it's a desktop/CLI, leave it Yes and remove the credential from the request.. Inspect the token request body: remove the client_secret and client_assertion parameters when calling as a public client (device code, auth code without PKCE secret, ROPC for public apps).. If you need confidential client behavior (client credentials, on-behalf-of, secret-based auth code), switch your code to MSAL ConfidentialClientApplication and ensure the app registration is not marked as public client.. Split the app registration: use one registration for the public/native client and a separate one for the confidential/service client — never mix both flows on the same appId.. Re-test with the Microsoft authentication libraries (MSAL) instead of hand-rolled HTTP calls; MSAL picks the correct parameters per client type and avoids this mismatch.

Low severityauthentication

Power BI Refresh Error:
AADSTS700025

What does this error mean?

A public client app sent a client_secret or client_assertion to the token endpoint, which is only allowed for confidential clients.

Common causes

1App registration has 'Allow public client flows' enabled, but the calling code still passes a client_secret
2Same app registration is reused for both a desktop/CLI tool (public) and a service (confidential) — the public setting wins and breaks the service
3MSAL/ADAL code uses ConfidentialClientApplication while the app type in Entra ID is set to public/native
4Authority or redirect URI of type native (e.g. urn:ietf:wg:oauth:2.0:oob, http://localhost) combined with a client_secret in the body
5Copy-pasted token request from a confidential client sample into a device-code or ROPC flow that should not carry credentials

How to fix it

1In the Entra ID portal → App registrations → your app → Authentication, check the 'Allow public client flows' toggle. If the app is a backend/service, set it to No; if it's a desktop/CLI, leave it Yes and remove the credential from the request.
2Inspect the token request body: remove the client_secret and client_assertion parameters when calling as a public client (device code, auth code without PKCE secret, ROPC for public apps).
3If you need confidential client behavior (client credentials, on-behalf-of, secret-based auth code), switch your code to MSAL ConfidentialClientApplication and ensure the app registration is not marked as public client.
4Split the app registration: use one registration for the public/native client and a separate one for the confidential/service client — never mix both flows on the same appId.
5Re-test with the Microsoft authentication libraries (MSAL) instead of hand-rolled HTTP calls; MSAL picks the correct parameters per client type and avoids this mismatch.

Frequently asked questions

What does AADSTS700025 mean?

Client is public so neither 'client_

How do I fix this error?

Check your application registration, token configuration, and user permissions in the Azure portal. Review Conditional Access policies if the error is policy-related.

Source · learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes