Peter_Holdridge I am reading the comments but didn't see anything addressing what I asked. The client secret is just a password, so I didn't really see it as a gain of any kind. I guess even with what you said, basic auth is only a concern if authenticating to EXO; I'm not so sure about that either. It seems like something that can hang in the wind and receive password sprays. It would be necessary, and I don't know if this is already the case, to expose failed client secret attempts by the app/SPN (maybe signIns already capture this), so you could know when one of the apps is being targeted for abuse.
There are other things that rely on apps/SPNs which refuse a client secret and instead insist on a certificate client credential, so again everything seems to suggest basic auth and client secrets are inferior security choices.
I guess I'll just leave it at that; it's more of a wonder than an actual concern. Again, a lot of time was spent on making basic auth known to be bad bad bad, and now we're back to using it for the latest and greatest new stuff, so I think it was a merited question.
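The check the comment above is asking about, as an added example that is not part of this thread: a small detector that groups failed client-secret sign-ins per app registration and flags any app whose failures burst within a short window, which is what a spray against a service principal looks like. The records are constructed and shaped like Microsoft Graph `auditLogs/signIns` entries for service principal sign-ins (`appId`, `servicePrincipalId`, `ipAddress`, `createdDateTime`, `status.errorCode`); those field names, the error codes treated as "bad secret", and the threshold are assumptions, not something the thread confirms.

```python
"""Flag app registrations whose client-secret sign-ins are failing in bursts.

Added example, not from the thread. Records are modeled on Microsoft Graph
auditLogs/signIns service principal entries; field names, error codes and
the sample data are assumptions/constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed mapping: AADSTS7000215 "Invalid client secret provided",
# AADSTS7000222 "client secret keys are expired". Both mean a secret was
# presented and rejected, which is what a spray against an SPN produces.
BAD_SECRET_CODES = {7000215, 7000222}

# Constructed sample app IDs (not real tenants or apps).
APP_A = "a1b2c3d4-0000-4000-8000-000000000001"
APP_B = "a1b2c3d4-0000-4000-8000-000000000002"


def _event(app_id, sp_id, ip, when, code):
    """Build one constructed sign-in record in the assumed Graph shape."""
    return {
        "appId": app_id,
        "servicePrincipalId": sp_id,
        "ipAddress": ip,
        "createdDateTime": when,
        "status": {"errorCode": code},
    }


# Constructed sample: APP_A gets six bad-secret attempts from two TEST-NET
# addresses inside ~2 minutes, then a legitimate success from an internal
# host; APP_B has a single expired-secret failure followed by a success.
SAMPLE_SIGNINS = [
    _event(APP_A, "sp-a", "203.0.113.5", "2024-05-01T09:00:00Z", 7000215),
    _event(APP_A, "sp-a", "203.0.113.5", "2024-05-01T09:00:07Z", 7000215),
    _event(APP_A, "sp-a", "198.51.100.9", "2024-05-01T09:00:15Z", 7000215),
    _event(APP_A, "sp-a", "203.0.113.5", "2024-05-01T09:01:02Z", 7000215),
    _event(APP_A, "sp-a", "198.51.100.9", "2024-05-01T09:01:40Z", 7000215),
    _event(APP_A, "sp-a", "203.0.113.5", "2024-05-01T09:02:11Z", 7000215),
    _event(APP_A, "sp-a", "10.0.0.4", "2024-05-01T09:30:00Z", 0),
    _event(APP_B, "sp-b", "10.0.0.7", "2024-05-01T08:50:00Z", 7000222),
    _event(APP_B, "sp-b", "10.0.0.7", "2024-05-01T08:52:00Z", 0),
]


def parse_time(value):
    """Parse the ISO-8601 UTC timestamp Graph emits (trailing 'Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def failed_secret_attempts(events):
    """Group rejected client-secret sign-ins by appId as sorted (time, ip) lists."""
    failures = defaultdict(list)
    for e in events:
        if e.get("status", {}).get("errorCode", 0) in BAD_SECRET_CODES:
            failures[e["appId"]].append((parse_time(e["createdDateTime"]), e.get("ipAddress")))
    for app in failures:
        failures[app].sort()
    return failures


def find_targeted_apps(events, window=timedelta(minutes=10), threshold=5):
    """Return {appId: summary} for apps with >= threshold bad-secret sign-ins
    inside any window-long span. Summary holds the count of the densest span,
    the distinct source IPs in it, and its first/last timestamps."""
    hits = {}
    for app, attempts in failed_secret_attempts(events).items():
        best = None
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until the span fits in `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best is not None:
            count, s, e = best
            span = attempts[s:e + 1]
            hits[app] = {
                "count": count,
                "ips": sorted({ip for _, ip in span if ip}),
                "first": span[0][0],
                "last": span[-1][0],
            }
    return hits


if __name__ == "__main__":
    for app, summary in find_targeted_apps(SAMPLE_SIGNINS).items():
        print(f"{app}: {summary['count']} bad-secret attempts from {summary['ips']} "
              f"between {summary['first']} and {summary['last']}")
```

A single expired-secret failure (APP_B) stays below the threshold and is not reported, which is the distinction you want between a stale secret on one box and something hammering the token endpoint; the threshold and window are starting points, not tuned values.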