That error means Azure AD is rejecting your request because it’s not receiving any credentials for the application (no client_secret or client_assertion) in the token request.

In OutSystems O11 this typically happens for one of these reasons:

1. Client secret not configured in Azure AD

   • In the Azure Portal, go to:
     • Azure Active Directory → App registrations → your app → Certificates & secrets → New client secret.
   • Copy the generated Value (this is your client_secret).
   • Then go to your OutSystems module (Azure AD Mobile Plugin / IDP / your custom connector) and:
     • Open Site Properties / Module configuration.
     • Paste:
       • ClientId = Application (client) ID from Azure.
       • ClientSecret = the secret value you just generated.
   • Publish and test again.

2. Secret exists but isn’t being sent in the request

   • In the action that calls Azure AD (e.g. ADALLogin, Custom REST “Get Token”, or IDP Login flow), open the REST / HTTP request and confirm:
     • HTTP Method = POST.
     • Request Body type = application/x-www-form-urlencoded.
     • The body includes the client_secret field along with the others, for example:
       • grant_type=authorization_code
       • client_id={ClientId}
       • client_secret={ClientSecret}
       • redirect_uri={RedirectURI}
       • code={AuthCode}
   • If you’re using client credentials flow, make sure the body includes (and is URL-encoded where needed) as described here: grant_type=client_credentials&client_id={ClientId}&client_secret={ClientSecret}&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default Consume Rest API.

3. Wrong flow / wrong app type

   • Ensure the app registration type matches the plugin/connector you’re using:
     • For mobile / SPA plugins using OAuth 2.0 code flow: app typically registered as “Web” or “SPA”, with the correct Redirect URI pointing to the OutSystems Callback page.
   • If you previously created the app without selecting Web/Native or used the wrong registration experience, recreate the registration and redo the configuration; similar issues were fixed this way in other cases "Unable to login" Azure AD Plugin.

4. Mismatched redirect URI

   • Even though your error is about client_secret, a mismatched redirect URI can also cause the token request to be rejected.
   • Double-check that the Redirect URI in Azure:
     • Exactly matches the one configured in your OutSystems plugin / IDP (including scheme, path, and trailing slash).
     • Is the same URI used by your login flow to obtain the authorization code.

Concrete steps to fix:

1. Generate a new client secret in Azure AD and copy its Value.
2. Update OutSystems configuration (Site Properties / Plugin config) with:
   • Client Id
   • Tenant Id (if applicable)
   • Client Secret
   • Redirect URI (matching Azure).
3. Open the REST / token request logic in OutSystems and confirm:
   • client_secret is being sent in the request body.
   • grant_type, client_id, redirect_uri, and code (or other required fields for your grant type) are present.

Once the secret is configured in both Azure and OutSystems and is being sent in the token request, the AADSTS7000218 error should disappear.