Teams tab on Azure Static Web Apps. Should the Entra app registration's platform stay "Web" or move to "Mobile and Desktop Applications" to lock down browser access?
Our IT/security team wants to lock it down so it only works inside Teams. They asked if we should:
Delete the redirect URI from the Entra app registration
Change the platform type from "Web" to "Mobile and Desktop Applications"
When I went to research this, I got a bit lost. I get that Teams SSO is brokered through Teams itself and doesn't really need a redirect URI in the normal sense, so that part makes sense. But switching the whole registration to "Mobile and Desktop Applications" feels wrong to me, mostly because we're using a client secret in the SWA config. Pretty sure "Mobile and Desktop" can't use a client secret? It's the public client type as far as I understand. The actual content of our tab is just HTML/JS running in a webview, not a native app. Even when Teams is running on a phone or as the desktop client, the tab content itself is still a browser context. The MS docs I found for Teams tab SSO seem to assume the Web platform. Same with the SWA custom auth docs: they say to use "Web". Nobody mentions Mobile and Desktop.
If we did want to go public client for some reason, isn't "Single-page application" the right pick for browser JS? That's how I read the docs but I'm not 100% sure.
Has anyone actually shipped a Teams-only Static Web App and what does your Entra registration look like? Want to make sure I'm pushing back for the right reasons before I go back to them with this.
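For reference, this is the shape of the Static Web Apps custom-auth configuration the post refers to (an added illustration, not the poster's own config). The setting names and the tenant ID are placeholders; the point is that `clientSecretSettingName` makes SWA the confidential client, which is why the Entra registration needs the "Web" platform with the SWA callback redirect URI (`https://<YOUR_SITE>/.auth/login/aad/callback`) rather than a public-client platform type.

```json
{
  "auth": {
    "identityProviders": {
      "azureActiveDirectory": {
        "registration": {
          "openIdIssuer": "https://login.microsoftonline.com/<TENANT_ID_PLACEHOLDER>/v2.0",
          "clientIdSettingName": "AZURE_CLIENT_ID",
          "clientSecretSettingName": "AZURE_CLIENT_SECRET"
        }
      }
    }
  },
  "routes": [
    {
      "route": "/*",
      "allowedRoles": ["authenticated"]
    }
  ],
  "responseOverrides": {
    "401": {
      "redirect": "/.auth/login/aad",
      "statusCode": 302
    }
  }
}
```

The secret itself lives in the SWA application settings named above, never in the repo; the `routes` and `responseOverrides` blocks force sign-in for every path so unauthenticated browser hits are redirected to the provider rather than served.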