The problem was: I entered the SECRET ID instead of the VALUE from Microsoft. Better naming matching can help here. Please copy the exact same labels from Microsoft.
Fluent-Name: “Application Client Secret” == Microsoft-Name: “Value” … worse
Fluent-Name: “Application Client ID” == Microsoft-Name: Application-ID (Client) … ok