This has been discussed enough in the past!
It’s not its primary responsibility to decide and to enforce whether a user has access to a client or not. The PEP (policy enforcement point) is still the client/application!
Additionally: Depending on the implementation of the clients and the whole environment, there are ways around this. So, this is not a complete security feature, but more a convenience feature.
And before you come up with something like “but MS Entra ID can do this”…
- MS and Entra ID are not what the world calls standard
- Just because MS does something, it’s not necessarily the proper solution
- It’s not Entra ID, it’s the whole integrated Azure platform. Keycloak is an IdP, not a platform!
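The point above, that the application itself is the policy enforcement point, as an added example that is not part of the original post. It shows a client application checking the access token it received rather than relying on the IdP to keep users away from it. The client id `billing-app`, the role name and the sample token claims are constructed for illustration; the claim layout (`aud`, `azp`, `exp`, `resource_access`) follows the shape Keycloak access tokens commonly use, and signature verification is assumed to have happened before these checks (not shown).

```python
"""Application-side access enforcement over decoded access-token claims.

Added example, not code from the original post or from Keycloak.
Assumes the token signature and issuer were already verified upstream.
"""
import time

CLIENT_ID = "billing-app"          # hypothetical client id
REQUIRED_ROLE = "invoice-reader"   # hypothetical client role


def enforce_access(claims, client_id=CLIENT_ID, required_role=REQUIRED_ROLE, now=None):
    """Decide whether the caller may use this client.

    Returns (allowed, reason). Every check happens in the application,
    because the IdP issuing a token does not by itself prove the user is
    permitted to use this particular client.
    """
    now = time.time() if now is None else now

    # 1. Reject expired tokens regardless of what else they claim.
    if claims.get("exp", 0) <= now:
        return False, "token expired"

    # 2. The token must be intended for this client (audience restriction).
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if client_id not in aud:
        return False, "token not issued for this client (aud)"

    # 3. The authorized party should be a client we trust to obtain tokens for us.
    #    Here we only accept tokens obtained by this client itself.
    if claims.get("azp") != client_id:
        return False, "unexpected authorized party (azp)"

    # 4. Authorization proper: require a client-scoped role on the token.
    roles = (
        claims.get("resource_access", {})
        .get(client_id, {})
        .get("roles", [])
    )
    if required_role not in roles:
        return False, f"missing client role {required_role!r}"

    return True, "ok"


# Constructed sample claims (not real tokens).
NOW = 1_700_000_000

GOOD_CLAIMS = {
    "sub": "user-1",
    "aud": ["billing-app", "account"],
    "azp": "billing-app",
    "exp": NOW + 300,
    "resource_access": {"billing-app": {"roles": ["invoice-reader"]}},
}

# Valid token for the user, but issued to a different client: the IdP did its
# job, yet this application must still refuse it.
WRONG_CLIENT_CLAIMS = {
    "sub": "user-1",
    "aud": ["other-app"],
    "azp": "other-app",
    "exp": NOW + 300,
    "resource_access": {"other-app": {"roles": ["invoice-reader"]}},
}

# Right client, but the user never got the role on this client.
NO_ROLE_CLAIMS = {
    "sub": "user-2",
    "aud": "billing-app",
    "azp": "billing-app",
    "exp": NOW + 300,
    "resource_access": {},
}


if __name__ == "__main__":
    for name, claims in [("good", GOOD_CLAIMS), ("wrong-client", WRONG_CLIENT_CLAIMS), ("no-role", NO_ROLE_CLAIMS)]:
        print(name, enforce_access(claims, now=NOW))
```

Each branch returns a reason so the application can log the denial; that log line, not anything in the IdP, is where "user X tried to use client Y" becomes visible.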