Renew Client Secret in Microsoft Entra ID
How to renew the Client Secret for the Microsoft Entra ID application? There are two ways to renew a Client Secret in Microsoft Entra ID. One way is to use the Microsoft Entra admin center, and the other is PowerShell. In this article, we will show how to renew the Client Secret in Microsoft Entra ID in both ways.
Renew Client Secret in Microsoft Entra admin center
To renew the Client Secret in the Microsoft Entra admin center, follow these steps:
- Sign in to the Microsoft Entra admin center
- Expand Identity > Applications > App registrations
- Click on Owned applications
- Select the application
- Click on Certificates & secrets > Client secrets > New client secret
- Give a description and an expiration for the Client Secret
- Click Add
Note: The maximum Client Secret expiration date is 24 months. Even if you select the Custom option, the maximum is 2 years. But with PowerShell, there is no maximum, and you can set any date.
- Copy the value
Note: Client secret values cannot be viewed, except for immediately after creation. Be sure to save the Client Secret value when created before leaving the page.
Renew Client Secret in Microsoft Entra ID with PowerShell
To renew the Client Secret with PowerShell, follow the steps below:
- Go to the application overview
- Copy the Object ID and paste it into Notepad (you will need it later)
- Run PowerShell as administrator and install the Microsoft Graph PowerShell modules
Install-Module Microsoft.Graph -Force
Install-Module Microsoft.Graph.Beta -AllowClobber -Force
Important: Always install the Microsoft Graph PowerShell and Microsoft Graph Beta PowerShell modules. That’s because some cmdlets are not yet available in the final version, and they will not work. Update both modules to the latest version before you run a cmdlet or script to prevent errors and incorrect results.
- Copy and paste the below script into PowerShell.
Note: The script creates a new Client Secret that is valid from the day you run the script for the number of years you specify. You can adjust the years to 999 for unlimited validity.
- Paste the Object ID you copied from the previous step on line 5
- Fill in the Client Secret description on line 6
- Fill in the Client Secret expiration years on line 7
- Run the PowerShell script and sign in with your global administrator credentials
# Connect to Microsoft Graph
Connect-MgGraph -Scopes "Application.ReadWrite.All"

# Parameters
$AppObjectId = "14cb53ee-d574-4d43-bbd6-421d51c699e0"
$AppSecretDescription = "PilotNewUnlimited"
$AppYears = 10

# Password credential: description and expiration date (today + $AppYears)
$PasswordCred = @{
    displayName = $AppSecretDescription
    endDateTime = (Get-Date).AddYears($AppYears)
}

# Add App Client Secret - Valid for 10 years (change to 999 for unlimited years)
$Secret = Add-MgApplicationPassword -ApplicationId $AppObjectId -PasswordCredential $PasswordCred

# Write Client Secret value (SecretText is only shown at creation)
$Secret | Format-List
- After you run the script, it will show the SecretText value as output
CustomKeyIdentifier :
DisplayName : PilotNewUnlimited
EndDateTime : 28/02/2034 16:19:26
Hint : at8
KeyId : 9e978668-f554-49a9-88c3-6438ad151612
SecretText : at88Q~L2d-pQ2_YyefjthuRGYN69_zdhGcdedccs
StartDateTime : 28/02/2024 16:19:27
AdditionalProperties : {[@odata.context, https://graph.microsoft.com/v1.0/$metadata#microsoft.graph.passwordCredential]}
- Go to the Client Secrets tab and verify that the new client secret appears
That’s it!
Note: If you want to know the expiry status of your Client Secrets, read the article Export Entra ID app registrations Certificates and Secrets expiry report.
Read more: Configure Exchange Online Certificate Based Authentication for unattended scripts
Conclusion
You learned how to renew the Client Secret in Microsoft Entra ID. There is no renewal option, and you must create a new Client Secret. Once done, copy and use the Client Secret value in your PowerShell scripts or applications. Remember to delete the Client Secret that is expired or going to expire.
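To act on the advice above about deleting secrets that are expired or about to expire, this added example (not part of the original article) classifies an application's client secrets by expiry. The helper name Get-SecretExpiryStatus, the 30-day warning window and the sample credentials are assumptions constructed for illustration; the commented lines at the end show the live Microsoft Graph calls with -WhatIf so nothing is removed until you drop that switch.

```powershell
# Added example (not from the original article). Get-SecretExpiryStatus is a
# hypothetical helper name; the 30-day warning window is an assumption.
function Get-SecretExpiryStatus {
    param(
        [Parameter(Mandatory)] [object[]] $PasswordCredentials,
        [int] $WarnDays = 30,
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    foreach ($cred in $PasswordCredentials) {
        # Graph returns EndDateTime in UTC; a negative DaysLeft means already expired
        $daysLeft = [int][math]::Floor(($cred.EndDateTime - $Now).TotalDays)
        if ($daysLeft -lt 0) { $status = 'Expired' }
        elseif ($daysLeft -le $WarnDays) { $status = 'ExpiringSoon' }
        else { $status = 'Valid' }

        [pscustomobject]@{
            DisplayName = $cred.DisplayName
            KeyId       = $cred.KeyId
            EndDateTime = $cred.EndDateTime
            DaysLeft    = $daysLeft
            Status      = $status
        }
    }
}

# Constructed sample credentials (placeholder KeyIds) so the function runs offline
$now = (Get-Date).ToUniversalTime()
$sample = @(
    [pscustomobject]@{ DisplayName = 'OldSecret';   KeyId = '00000000-0000-0000-0000-000000000001'; EndDateTime = $now.AddDays(-12) }
    [pscustomobject]@{ DisplayName = 'PilotSecret'; KeyId = '00000000-0000-0000-0000-000000000002'; EndDateTime = $now.AddDays(20) }
    [pscustomobject]@{ DisplayName = 'NewSecret';   KeyId = '00000000-0000-0000-0000-000000000003'; EndDateTime = $now.AddYears(2) }
)
Get-SecretExpiryStatus -PasswordCredentials $sample -Now $now | Format-Table

# Live use after Connect-MgGraph -Scopes "Application.ReadWrite.All":
# $AppObjectId = "<application Object ID>"
# $app = Get-MgApplication -ApplicationId $AppObjectId
# Get-SecretExpiryStatus -PasswordCredentials $app.PasswordCredentials |
#     Where-Object Status -eq 'Expired' |
#     ForEach-Object { Remove-MgApplicationPassword -ApplicationId $AppObjectId -KeyId $_.KeyId -WhatIf }
```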
Hello,
Thank you for sharing this amazing post. It seems that some commands are outdated. Could you please re-update the PowerShell?
The commands are the newest, and I just tried them; they work perfectly.
Ensure you follow the step in the article to install the latest Microsoft Graph PowerShell module.
Can I change an existing secret expiration date so programs do not need to be updated?
No, that’s not possible.
I get the error “Updates to converged applications are not allowed in this version”. Anyone know why?
Hi,
I noticed that some owners are unable to generate a secret, and it is giving the following error:
Failed to add password. Error detail: Unsupported token. Unable to initialize the authorization context.
I am able to generate a secret, but an end user who is an owner cannot generate one. They were able to before. I created another app registration, and they are able to create a secret in another app.
@Hasan, I had the same error. I just skipped the description and created a new secret, then it worked. Seems bugged.