Services/Auth/AppRegistrationService.cs

@@ -47,7 +47,11 @@ public class AppRegistrationService : IAppRegistrationService
             displayName         = $"SP Toolbox — {tenantName}",
             signInAudience      = "AzureADMyOrg",
             isFallbackPublicClient = true,
-            web = new { redirectUris = new[] { redirectUri } },
+            // Register the redirect under the PUBLIC client platform so the connect
+            // flow can redeem the auth code with PKCE only (no client secret). A
+            // redirect under `web` makes Entra treat the app as confidential and the
+            // token exchange fails with AADSTS7000218 (secret required).
+            publicClient = new { redirectUris = new[] { redirectUri } },
             requiredResourceAccess = new[]
             {
                 new