
Renew Client Secret in Microsoft Entra ID

How do you renew the Client Secret of a Microsoft Entra ID application? There are two ways to do it: through the Microsoft Entra admin center, or with PowerShell. In this article, we show both ways to renew a Client Secret in Microsoft Entra ID.

Renew Client Secret in Microsoft Entra admin center

To renew the Client Secret in Microsoft Entra ID admin center, follow these steps:

  1. Sign in to the Microsoft Entra admin center
  2. Expand Identity > Applications > App registrations
  3. Click on Owned applications
  4. Select the application
  5. Click on Certificates & secrets > Client secrets > New client secret
  6. Give a description and an expiration for the Client Secret
  7. Click Add

Note: The maximum Client Secret expiration in the admin center is 24 months. Even if you select the Custom option, the maximum is 2 years. With PowerShell, there is no maximum, and you can set any date.

  8. Copy the value

Note: Client secret values cannot be viewed, except for immediately after creation. Be sure to save the Client Secret value when created before leaving the page.


Renew Client Secret in Microsoft Entra ID with PowerShell

To renew the Client Secret with PowerShell, follow the below steps:

  1. Go to the application overview
  2. Copy the Object ID and paste it into Notepad (you will need it later)
  3. Run PowerShell as administrator and install the Microsoft Graph PowerShell module
Install-Module Microsoft.Graph -Force
Install-Module Microsoft.Graph.Beta -AllowClobber -Force

Important: Always install the Microsoft Graph PowerShell and Microsoft Graph Beta PowerShell modules. That’s because some cmdlets are not yet available in the final version, and they will not work. Update both modules to the latest version before you run a cmdlet or script to prevent errors and incorrect results.

  4. Copy and paste the below script into PowerShell.

Note: The script creates a new Client Secret that is valid from the day you run the script plus the number of years you specify. You can set it to 999 years if you want it to never expire in practice.

  5. Paste the Object ID you copied from the previous step on line 5
  6. Fill in the Client Secret description on line 6
  7. Fill in the Client Secret expiration in years on line 7
  8. Run the PowerShell script and sign in with your global administrator credentials
# Connect to Microsoft Graph
Connect-MgGraph -Scopes "Application.ReadWrite.All"

# Parameters
$AppObjectId = "14cb53ee-d574-4d43-bbd6-421d51c699e0"
$AppSecretDescription = "PilotNewUnlimited"
$AppYears = 10

$PasswordCred = @{
    displayName = $AppSecretDescription
    endDateTime = (Get-Date).AddYears($AppYears)
}

# Add App Client Secret - Valid for 10 years (change to 999 for unlimited years)
$Secret = Add-MgApplicationPassword -ApplicationId $AppObjectId -PasswordCredential $PasswordCred

# Write Client Secret value
$Secret | Format-List
  9. After you run the script, it shows the SecretText value in the output
CustomKeyIdentifier  : 
DisplayName          : PilotNewUnlimited
EndDateTime          : 28/02/2034 16:19:26
Hint                 : at8
KeyId                : 9e978668-f554-49a9-88c3-6438ad151612
SecretText           : at88Q~L2d-pQ2_YyefjthuRGYN69_zdhGcdedccs
StartDateTime        : 28/02/2024 16:19:27
AdditionalProperties : {[@odata.context, https://graph.microsoft.com/v1.0/$metadata#microsoft.graph.passwordCredential]}
  10. Go to the Client secrets tab and verify that the new client secret appears
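The script above creates one secret and prints it. The following script is an added example, not the article's own code, that wraps the same Add-MgApplicationPassword call into a small rotation routine: it creates the replacement secret, lists every secret on the app registration with its remaining lifetime (so you can confirm the new one appears without opening the portal), and removes secrets that have already expired. It assumes the Microsoft.Graph.Applications module is installed; $AppObjectId is a placeholder you replace with your own application Object ID.

```powershell
# Added example (not from the original article): rotate an app registration's
# client secret with Microsoft Graph PowerShell, verify it, then remove expired ones.
# Assumes the Microsoft.Graph.Applications module is installed.

# Connect with the permission needed to change application credentials
Connect-MgGraph -Scopes "Application.ReadWrite.All" -NoWelcome

# Object ID of the app registration (placeholder, replace with your own)
$AppObjectId = "00000000-0000-0000-0000-000000000000"

# List all client secrets of the app with their remaining lifetime
function Get-AppSecretReport {
    param([Parameter(Mandatory)][string]$ApplicationId)

    $app = Get-MgApplication -ApplicationId $ApplicationId -Property "id,displayName,passwordCredentials"
    foreach ($cred in $app.PasswordCredentials) {
        [pscustomobject]@{
            App           = $app.DisplayName
            DisplayName   = $cred.DisplayName
            KeyId         = $cred.KeyId
            StartDateTime = $cred.StartDateTime
            EndDateTime   = $cred.EndDateTime
            DaysLeft      = [math]::Floor(($cred.EndDateTime - (Get-Date)).TotalDays)
            Expired       = $cred.EndDateTime -lt (Get-Date)
        }
    }
}

# Create a new client secret; the lifetime is capped at 24 months here to match
# what the admin center allows (the article's script shows that Graph accepts more)
function New-AppSecret {
    param(
        [Parameter(Mandatory)][string]$ApplicationId,
        [Parameter(Mandatory)][string]$Description,
        [ValidateRange(1, 24)][int]$Months = 12
    )

    $cred = @{
        displayName = $Description
        endDateTime = (Get-Date).AddMonths($Months)
    }
    Add-MgApplicationPassword -ApplicationId $ApplicationId -PasswordCredential $cred
}

# Remove every secret that has already expired, except the KeyIds passed in -KeepKeyId
function Remove-ExpiredAppSecrets {
    param(
        [Parameter(Mandatory)][string]$ApplicationId,
        [string[]]$KeepKeyId = @()
    )

    Get-AppSecretReport -ApplicationId $ApplicationId |
        Where-Object { $_.Expired -and $_.KeyId -notin $KeepKeyId } |
        ForEach-Object {
            Write-Host "Removing expired secret '$($_.DisplayName)' ($($_.KeyId))"
            Remove-MgApplicationPassword -ApplicationId $ApplicationId -KeyId $_.KeyId
        }
}

# 1. Create the replacement secret and capture the value right away
$new = New-AppSecret -ApplicationId $AppObjectId -Description "Rotated $(Get-Date -Format yyyy-MM-dd)" -Months 12
$new.SecretText   # shown only once by Graph; store it in your secret store immediately

# 2. Verify the new secret appears alongside the existing ones
Get-AppSecretReport -ApplicationId $AppObjectId | Format-Table -AutoSize

# 3. Once your scripts or applications use the new value, clean up expired secrets
Remove-ExpiredAppSecrets -ApplicationId $AppObjectId -KeepKeyId $new.KeyId
```

The SecretText property is only returned by the Add-MgApplicationPassword call, which is why the example captures it in $new before doing anything else; Get-MgApplication later returns the credential metadata (DisplayName, KeyId, dates) but never the value. The DaysLeft column in the report gives you the expiry status the article refers to, and Remove-ExpiredAppSecrets only touches credentials whose EndDateTime is already in the past, so a secret that is still in use by a script is never removed by accident.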

That’s it!

Note: If you want to know the expiry status of your Client Secrets, read the article Export Entra ID app registrations Certificates and Secrets expiry report.

Read more: Configure Exchange Online Certificate Based Authentication for unattended scripts »

Conclusion

You learned how to renew the Client Secret in Microsoft Entra ID. There is no renewal option, so you must create a new Client Secret. Once done, copy and use the new Client Secret value in your PowerShell scripts or applications. Remember to delete any Client Secret that has expired or is about to expire.

Did you enjoy this article? You may also like How to Restrict access to Microsoft Entra admin center. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has 7 Comments

  1. Hello,
    Thank you for sharing this amazing post. It seems that some commands are outdated; could you please update the PowerShell?

  2. I get the error “Updates to converged applications are not allowed in this version”. Anyone know why?

  3. Hi,

    I noticed that some owners are unable to generate a secret, and it gives the following error:

    Failed to add password. Error detail: Unsupported token. Unable to initialize the authorization context.

    I am able to generate a secret, but the end user who is the owner cannot. They were able to before. I created another app registration, and they are able to create a secret in that app.

    1. @Hasan, I had the same error. I just skipped the description and created a new secret, and then it worked. Seems bugged.
