Hi Felix,
thank you for your reply and for your insights!

I have just checked, the client_credentials method is still working — and it should! Have you followed all the required steps? I have not detailed them in this post, as they can be found in many other documentation already:
— register the web app in Azure AD
— grant permissions in Azure AD and generate key
— register an “application user” in Dynamics 365 for this app
— provide a security role for this new user in D365, best if it has it’s own security role, but for test Sys Admin (or any existing) can be used

As for the resource owner way: have you changed the “grant_type” parameter in the request as in my code snippet? I have just run a quick test and it is not asking — as it should not — for any client secret in that way, as it is impersonating a user signing in, not a client. Just as a quick reminder: this way your registered app in Azure should be a “native app”, which does not have any secrets at all.