

Renewing SharePoint Client Secrets

Introduction

To register your add-in with Azure ACS, you specify the following information:

  • A GUID for the add-in, called a client ID.
  • A password for the add-in, called a client secret.

Normally, client secrets of SharePoint add-ins registered through the AppRegNew.aspx page expire after one year. Below we first find the client secrets that are about to expire, then look at how to renew them.

Identify Expiring Client Secrets

# Sign in to the tenant
$cred = Get-Credential
Connect-MsolService -Credential $cred

# Report every credential that ends within the next three months
$now = Get-Date
$cutoff = $now.AddMonths(3)
# -All avoids the default page limit so no service principal is skipped
$msolPrincipal = Get-MsolServicePrincipal -All
foreach ($p in $msolPrincipal) {
    Get-MsolServicePrincipalCredential -AppPrincipalId $p.AppPrincipalId -ReturnKeyValues $false |
        Where-Object { ($_.EndDate -le $cutoff) -and ($_.Type -ne "Other") } |
        ForEach-Object { Write-Host $p.AppPrincipalId $_.KeyId - $_.EndDate - $p.DisplayName - $p.ServicePrincipalNames }
}

Prerequisites for refreshing Client Secrets

  • Microsoft Online Services Sign-In Assistant is installed on the development computer.
  • Microsoft Online Services PowerShell Module (32-bit; 64-bit) is installed on the development computer.
  • You are a tenant administrator for the Microsoft Office 365 tenant (or a farm administrator on the farm) where the app was registered with the AppRegNew.aspx page.

Renew Client Secret

# Sign in to the tenant
$msolcred = Get-Credential
Connect-MsolService -Credential $msolcred

# Client ID (GUID) of the add-in whose secret is about to expire
$clientId = 'your client id that is about to expire'

# Generate 32 random bytes from the cryptographic RNG and base64-encode them
$bytes = New-Object Byte[] 32
$rand = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rand.GetBytes($bytes)
$rand.Dispose()
$newClientSecret = [System.Convert]::ToBase64String($bytes)

# Register the new secret in the three forms ACS expects
New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Password -Usage Verify -Value $newClientSecret
New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Symmetric -Usage Sign -Value $newClientSecret
New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Symmetric -Usage Verify -Value $newClientSecret

# Print the new secret
$newClientSecret

The above code prints the new client secret; note it down securely, because it cannot be read back from the service later.

Refresh Client Secret with 3-years validity

By default, the New-MsolServicePrincipalCredential command creates a secret that is valid for one year, but the -EndDate parameter lets you extend that up to a maximum of today + 3 years.

-EndDate <DateTime>
    The effective end date of the credential usage. The default end date value is one year from today. For an "asymmetric" type credential, this must be set to on or before the date that the X509 certificate is valid until, otherwise an OAuth token will not be issued for this application.

        Required?                    false
        Position?                    named
        Default value                Today + 1 year
        Accept pipeline input?       true (ByPropertyName)
        Accept wildcard characters?  false
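The following is an added example, not code from the original post, that wraps the renewal steps above into a function and passes an explicit -StartDate/-EndDate so the three-year maximum described in the help text can actually be used. It assumes the MSOnline module is loaded and Connect-MsolService has already been run as a tenant administrator; the function name, its parameters and the read-back check at the end are this example's own choices.

```powershell
# Added example: renew an add-in client secret with a chosen validity (max 3 years).
# Assumes Connect-MsolService has already succeeded in this session.
function New-SPAddinClientSecret {
    param(
        # Client ID (GUID) of the add-in whose secret is being renewed
        [Parameter(Mandatory = $true)][string]$ClientId,
        # Validity in whole years; the service caps this at three
        [ValidateRange(1, 3)][int]$ValidityYears = 3
    )

    # 32 bytes from the CSPRNG, base64-encoded: the same construction as the post
    $bytes = New-Object Byte[] 32
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    $secret = [System.Convert]::ToBase64String($bytes)

    $start = Get-Date
    $end   = $start.AddYears($ValidityYears)

    # The three credential entries the post creates, now with an explicit validity window
    $entries = @(
        @{ Type = 'Password';  Usage = 'Verify' },
        @{ Type = 'Symmetric'; Usage = 'Sign'   },
        @{ Type = 'Symmetric'; Usage = 'Verify' }
    )
    foreach ($e in $entries) {
        New-MsolServicePrincipalCredential -AppPrincipalId $ClientId `
            -Type $e.Type -Usage $e.Usage -Value $secret `
            -StartDate $start -EndDate $end
    }

    # Read back what the service recorded so the new end dates can be confirmed
    # (the secret value itself is never returned by the service)
    $recorded = Get-MsolServicePrincipalCredential -AppPrincipalId $ClientId -ReturnKeyValues $false |
        Where-Object { $_.Type -ne 'Other' } |
        Select-Object KeyId, Type, Usage, StartDate, EndDate

    [PSCustomObject]@{
        ClientId    = $ClientId
        NewSecret   = $secret      # copy this into the add-in configuration right away
        ExpiresOn   = $end
        Credentials = $recorded    # should now include three entries ending on ExpiresOn
    }
}

# Usage (placeholder GUID): renew for the full three years and review the result
# $result = New-SPAddinClientSecret -ClientId '00000000-0000-0000-0000-000000000000'
# $result.Credentials | Format-Table
# $result.NewSecret
```

The old credentials are deliberately left in place: they keep validating tokens issued under the previous secret until they expire, and the read-back table shows both generations side by side so you can confirm the new entries carry the intended end date.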

Update Configuration

For an ASP.NET-based SharePoint provider-hosted add-in, update the web.config.

<appSettings>
  <add key="ClientId" value="your client id here" />
  <add key="ClientSecret" value="your new secret here" />
  <add key="SecondaryClientSecret" value="your old secret here" />
</appSettings>

For other languages, update the corresponding configuration where the Client Secrets are stored.
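As an added example (not part of the original post), here is a PowerShell function that performs the web.config rollover shown above without hand-editing the file: the current ClientSecret is moved into SecondaryClientSecret and the freshly generated value becomes ClientSecret, so tokens still signed with the old secret keep validating during the changeover. The function name, the backup-file convention and the constructed sample web.config are assumptions of this example.

```powershell
# Added example: rotate ClientSecret -> SecondaryClientSecret in a web.config.
function Update-SPAddinSecretConfig {
    param(
        [Parameter(Mandatory = $true)][string]$WebConfigPath,
        [Parameter(Mandatory = $true)][string]$NewSecret
    )

    [xml]$config = Get-Content -Path $WebConfigPath -Raw
    $appSettings = $config.configuration.appSettings
    if (-not $appSettings) { throw "No <appSettings> element in $WebConfigPath" }

    $current   = @($appSettings.add | Where-Object { $_.key -eq 'ClientSecret' })[0]
    $secondary = @($appSettings.add | Where-Object { $_.key -eq 'SecondaryClientSecret' })[0]
    if (-not $current) { throw "No ClientSecret entry in $WebConfigPath" }

    # First rotation on this file: create the SecondaryClientSecret entry
    if (-not $secondary) {
        $secondary = $config.CreateElement('add')
        $secondary.SetAttribute('key', 'SecondaryClientSecret')
        [void]$appSettings.AppendChild($secondary)
    }

    # Rollover: old secret becomes secondary, new secret becomes primary
    $secondary.SetAttribute('value', $current.value)
    $current.SetAttribute('value', $NewSecret)

    # Keep a backup of the previous configuration before writing
    Copy-Item -Path $WebConfigPath -Destination "$WebConfigPath.bak" -Force
    $config.Save($WebConfigPath)

    # Return the resulting settings so the caller can confirm the swap
    [PSCustomObject]@{
        ClientSecret          = $current.value
        SecondaryClientSecret = $secondary.value
    }
}

# Usage with a constructed sample web.config in a temporary folder
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'sample-web.config'
@'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="ClientId" value="00000000-0000-0000-0000-000000000000" />
    <add key="ClientSecret" value="OLD-SECRET-PLACEHOLDER" />
  </appSettings>
</configuration>
'@ | Set-Content -Path $sample -Encoding UTF8

Update-SPAddinSecretConfig -WebConfigPath $sample -NewSecret 'NEW-SECRET-PLACEHOLDER'
# ClientSecret is now NEW-SECRET-PLACEHOLDER and SecondaryClientSecret is OLD-SECRET-PLACEHOLDER
```

After the old secret's credentials have expired in ACS, the SecondaryClientSecret entry can be cleared so the retired value no longer sits in the configuration.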