Commit 7d48f27

Merge pull request #677 from Ugonnaak1/akaliugonna/deprecateRopcFlow
Update docs to reflect deprecation of ROPC flow
2 parents 9b5cf42 + fea187c commit 7d48f27

1 file changed

Lines changed: 1 addition & 1 deletion

msal-dotnet-articles/acquiring-tokens/desktop-mobile/username-password-authentication.md

@@ -18,7 +18,7 @@ ms.custom: sfi-image-nochange
1818
In your desktop applications you can use the username and password flow (also known as Resource Owner Password Credentials, or ROPC) to acquire a token silently. No UI is required when using the application.
1919

2020
>[!WARNING]
21-
> The ROPC flow is **not recommended** as the application will be asking a user for their password directly, which is an insecure pattern. For more information about the risks and challenges the ROPC flow poses, refer to ["What’s the solution to the growing problem of passwords? You, says Microsoft"](https://news.microsoft.com/features/whats-solution-growing-problem-passwords-says-microsoft/). The preferred flow for acquiring a token silently on Windows is using the [Windows authentication broker](wam.md). Alternatively, developers can also use the [Device code flow](../desktop-mobile/device-code-flow.md) on devices without access to the web browser.
21+
> The ROPC flow has been deprecated due to security risks, use a more secure flow. Follow [this guide](https://aka.ms/msal-ropc-migration) for migration guidance. For more information about the risks and challenges the ROPC flow poses, refer to ["What’s the solution to the growing problem of passwords? You, says Microsoft"](https://news.microsoft.com/features/whats-solution-growing-problem-passwords-says-microsoft/). The preferred flow for acquiring a token silently on Windows is using the [Windows authentication broker](wam.md). Alternatively, developers can also use the [Device code flow](../desktop-mobile/device-code-flow.md) on devices without access to the web browser.
2222
2323
Although the ROPC flow is useful in limited cases where developers want to provide their own UI for credential acquisition, there are a number of important trade-offs. By using the flow, developers are giving up a number of things:
2424
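Review bot: The new warning text on line 21 drops the one concrete reason the old text gave, that the application asks the user for their password directly, and replaces it with the unspecific "due to security risks". Keep that clause so readers can see why the flow is deprecated. The sentence is also a comma splice ("...security risks, use a more secure flow"), and "[this guide]" is non-descriptive link text. Suggested wording: "The ROPC flow has been deprecated because the application asks the user for their password directly. Use a more secure flow; see the [ROPC migration guide](https://aka.ms/msal-ropc-migration)." Separately, the unchanged context on lines 18 and 23 still presents the flow as something you "can use" and as "useful in limited cases", which now reads at odds with a deprecation notice and likely needs a follow-up edit.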
