Archive Manager Autodiscover Fails with Error AADSTS7000218: The request body must contain ‘client_assertion’ or ‘client_secret’ (4381257)

Archive Manager fails to authenticate to Exchange Online during Autodiscover or EWS connection attempts.

The AM log shows:

Microsoft.Identity.Client.MsalServiceException: A configuration issue is preventing authentication.

AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.

Correlation ID: <ID>

Timestamp: <Date Time>

Symptoms include:

• Autodiscover test fails
• EWS login test fails
• Indexing job cannot retrieve mailbox items
• Authentication attempts fail immediately at MSAL level

The Azure App Registration used by Archive Manager is configured as a Public Client, but the setting Allow Public Client Flows is disabled.

Archive Manager uses the ROPC (Resource Owner Password Credentials) authentication flow, which only works if Azure permits public client flows.
When this setting is disabled, Azure requires a client_secret, which AM does not provide, resulting in error AADSTS7000218.

Step 1 — Enable Public Client Flows in Azure

1. Open Azure Portal

Link: https://entra.microsoft.com/

2. Go to App registrations > All application > ArchiveManager > Authentication
3. Under Advanced settings, enable:

Allow public client flows

Enable the following mobile and desktop flows: →YES

4. Click Save

Step 2 — Retry Autodiscover / EWS in Archive Manager

1. Open Archive Manager Configuration
2. Go to Autodiscover / Modern Authentication settings
3. Click Test
4. Ensure the authentication completes successfully

Step 3 — Restart Archive Manager Services (if needed)

If indexing or search is already running, restart:

• AM Indexing Service
• AM Search Service

• 

Result:

After enabling public client flows, Archive Manager successfully authenticates using modern auth, resolving error AADSTS7000218, and mailbox processing resumes normally.