Replace an Expiring Client Secret

Introduction

The Client Secret for an app in Office 365 is typically valid for a year. After this, the Client Secret expires and the app can no longer be used. You can only extend your Wizdom/Enterprise app before it expires.

In this article, we’ll walk you through how to extend a Client Secret for your app before the it expires.

 

Before you start, you’ll need the following:

1) You have installed Microsoft Graph Powershell SDK: Install the Microsoft Graph PowerShell SDK

2) A global administrator user for the Office 365 tenant (or a farm administrator on the farm) where the add-in was registered.
App registration page: '/_layouts/15/AppRegNew.aspx'

 

Generate a new secret

1) Create a Client ID variable with the following line, using the Client ID of the SharePoint Add-in as the parameter:

$clientId = 'client id of the add-in'

The Client ID can be found in the Azure Web App hosting the Enterprise application:

2) Connect to Microsoft Graph with Application.ReadWrite.All, Directory.ReadWrite.All scope.

Connect-MgGraph -Scopes "Application.ReadWrite.All,Directory.ReadWrite.All" # Login with corresponding scope. Should the tenant admin or anyone else have the permission.

3) Generate a new client secret with the following lines:

$appPrincipal = Get-MgServicePrincipal -Filter "AppId eq '$clientId'" # Get principal id by AppId
$params = @{
  PasswordCredential = @{
    DisplayName = "NewSecret" # Replace with a friendly name.
  }
}
$result = Add-MgServicePrincipalPassword -ServicePrincipalId $appPrincipal.Id -BodyParameter $params # Update the secret
$base64Secret = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($result.SecretText)) # Convert to base64 string.
$app = Get-MgServicePrincipal -ServicePrincipalId $appPrincipal.Id # get existing app information
$existingKeyCredentials = $app.KeyCredentials # read existing credentials
$dtStart = [System.DateTime]::Now # Start date
$dtEnd = $dtStart.AddYears(2) # End date (equals to secret end date)
$keyCredentials = @( # construct keys
  @{
    Type = "Symmetric"
    Usage = "Verify"
    Key = [System.Text.Encoding]::ASCII.GetBytes($result.SecretText)
    StartDateTime = $dtStart
    EndDateTIme = $dtEnd
  },
  @{
    type = "Symmetric"
    usage = "Sign"
    key = [System.Text.Encoding]::ASCII.GetBytes($result.SecretText)
    StartDateTime = $dtStart
    EndDateTIme = $dtEnd
  }
) + $existingKeyCredentials # combine with existing
Update-MgServicePrincipal -ServicePrincipalId $appPrincipal.Id -KeyCredentials $keyCredentials # Update keys
$base64Secret # Print base64 secret
$result.EndDateTime # Print the end date.

The new client secret appears on the Windows PowerShell console. Copy it to a text file.

 

 

1) Go back to the ‘Application settings’ of the Wizdom Azure website.

2) You have 1 entry for a Client Secret key, like this:

3) Rename this setting to 'SecondaryClientSecret':

Your setup will look like this:

5) Click ‘Save’.

6) Restart the App Service for the new changes to take effect.

 

 

1) Delete the 'SecondaryClientSecret' key

2) Change the name of the ClientSecret key to ‘SecondaryClientSecret’ as shown in the following screen shot:

Now you have extended your Client Secret for another 2 years.

Remember to replace your Client Secret again before it expires. A good practice is to note the date of expiration and plan for replacing the Client Secret already now.

 

See also

https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/replace-an-expiring-client-secret-in-a-sharepoint-add-in