Low severity | authentication
Power BI Error:
AADSTS700025
What does this error mean?
The token endpoint received a client_secret or client_assertion from an app it classifies as a public client. Only confidential clients may present a credential, so the request is rejected. The accompanying message reads: "Client is public so neither 'client_assertion' nor 'client_secret' should be presented."
Common causes
1. The app registration has 'Allow public client flows' enabled, but the calling code still passes a client_secret.
2. The same app registration is reused for a desktop/CLI tool (public) and a service (confidential). For requests without a redirect URI, such as client credentials, the public-client fallback applies, so the service's secret is rejected.
3. MSAL/ADAL code uses ConfidentialClientApplication while the app type in Entra ID is public/native.
4. A redirect URI registered under a public platform (Mobile and desktop applications, e.g. urn:ietf:wg:oauth:2.0:oob or http://localhost) combined with a client_secret in the request body.
5. A token request copy-pasted from a confidential-client sample into a device code or ROPC flow that, for a public app, must not carry a credential.
How to fix it
1. In the Entra ID portal → App registrations → your app → Authentication, check the 'Allow public client flows' toggle. If the app is a backend/service, set it to No; if it is a desktop/CLI tool, leave it at Yes and remove the credential from the request.
2. Inspect the token request body: remove the client_secret and client_assertion parameters when calling as a public client (device code, authorization code with PKCE, ROPC from a public app).
3. If you need confidential-client behavior (client credentials, on-behalf-of, authorization code with a secret), switch your code to MSAL ConfidentialClientApplication and make sure the app registration is not treated as a public client.
4. Split the app registration: one registration for the public/native client and a separate one for the confidential/service client. Never mix both flows on the same appId.
5. Re-test with the Microsoft Authentication Library (MSAL) instead of hand-rolled HTTP calls; MSAL picks the correct parameters for each client type and avoids this mismatch.
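The causes and fixes above come down to one rule: the credential parameters in the token request body must agree with how Entra ID classifies the caller. The following pre-flight check makes that rule executable for hand-rolled HTTP calls. It is an added example, not code from the page, from Microsoft or from MSAL; it performs no network calls, and the client IDs, device codes and secrets in it are constructed placeholders. The classification rule in is_public_client() is an assumption about Entra ID behaviour (the redirect URI's platform type decides when one is present, the 'Allow public client flows' toggle decides when there is none).

```python
"""Pre-flight check for the AADSTS700025 mismatch (added example, not from MSAL)."""
from urllib.parse import urlencode

# Parameters only a confidential client may present to the token endpoint.
CREDENTIAL_PARAMS = ("client_secret", "client_assertion", "client_assertion_type")

# Constructed sample values for the example; not real identifiers.
POWERBI_SCOPE = "https://analysis.windows.net/powerbi/api/.default"
DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


def build_token_request(flow, client_id, scope, client_secret=None, **params):
    """Return the form body of a v2.0 token request for one of the flows on this page.

    A client_secret is copied into the body whenever it is given, which is exactly the
    copy-paste mistake the page describes; check_token_request() is what catches it.
    """
    body = {"client_id": client_id, "scope": scope}
    if flow == "client_credentials":
        body["grant_type"] = "client_credentials"
    elif flow == "authorization_code":
        body.update(grant_type="authorization_code", code=params["code"],
                    redirect_uri=params["redirect_uri"])
        if "code_verifier" in params:  # PKCE: the public client's substitute for a secret
            body["code_verifier"] = params["code_verifier"]
    elif flow == "device_code":
        body.update(grant_type=DEVICE_CODE_GRANT, device_code=params["device_code"])
    elif flow == "ropc":
        body.update(grant_type="password", username=params["username"],
                    password=params["password"])
    else:
        raise ValueError(f"unknown flow {flow!r}")
    if client_secret is not None:
        body["client_secret"] = client_secret
    return body


def is_public_client(redirect_uri_platform, allow_public_client_flows):
    """How Entra ID will classify the caller (assumption, see lead-in).

    redirect_uri_platform: 'web', 'public' (Mobile and desktop), 'spa', or None when
    the flow carries no redirect URI (client credentials, device code, ROPC).
    allow_public_client_flows: the portal toggle, i.e. isFallbackPublicClient.
    """
    if redirect_uri_platform is None:
        return allow_public_client_flows
    return redirect_uri_platform != "web"


def check_token_request(body, redirect_uri_platform, allow_public_client_flows):
    """Return the mismatches that would make the token endpoint reject this body."""
    public = is_public_client(redirect_uri_platform, allow_public_client_flows)
    creds = [p for p in CREDENTIAL_PARAMS if p in body]
    grant = body.get("grant_type")
    problems = []
    if public and creds:
        problems.append(f"AADSTS700025: public client must not send {', '.join(creds)}")
    if public and grant == "client_credentials":
        problems.append("client_credentials needs a confidential client: set "
                        "'Allow public client flows' to No, or split the registration")
    if not public and grant == DEVICE_CODE_GRANT:
        problems.append("device code needs a public client: set 'Allow public client "
                        "flows' to Yes and drop the credential")
    if not public and not creds:
        problems.append("confidential client must present client_secret or client_assertion")
    return problems


def strip_credentials(body):
    """Fix for a public client: drop every credential parameter before sending."""
    return {k: v for k, v in body.items() if k not in CREDENTIAL_PARAMS}


def as_form_body(body):
    """Encode the dict the way it goes on the wire (application/x-www-form-urlencoded)."""
    return urlencode(body)


if __name__ == "__main__":
    # A CLI tool (public client) that pasted a secret into its device code request.
    req = build_token_request("device_code", "00000000-0000-0000-0000-000000000001",
                              POWERBI_SCOPE, client_secret="s3cret", device_code="ABCD1234")
    for p in check_token_request(req, None, allow_public_client_flows=True):
        print("before fix:", p)
    print("after fix:", check_token_request(strip_credentials(req), None, True))
```

Run the check against every token request your code builds, with the redirect URI platform and toggle value taken from the app registration (Authentication blade, or the isFallbackPublicClient property in Microsoft Graph), and fail fast on a non-empty result instead of discovering the mismatch as an AADSTS700025 in the service's logs.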