SharePoint Online: How to Register a Never Expiring App ID Secret with Azure AD?

Requirement: Register a never-expiring App for SharePoint Online using Azure AD.

Any App ID (or Client ID) registered through SharePoint Online has an expiry date of 1 year by default. How do I register an App ID client secret that never expires? You have to register the App through Azure AD! Here are the steps:

Step 1: Register an App from Azure AD

To register a client app and client secret in Azure AD, follow these steps:

  1. Log in to Azure Portal https://aad.portal.azure.com as an administrator.
  2. Navigate to Azure Active Directory >> Click on “App registrations” from the left navigation menu.
  3. Register a new app by clicking on the “New registration” link.
  4. Provide a name to your app, choose the account types and click on “Register”
  5. Once the app is created, open the app >> Click on the “Certificates & secrets” link in the left navigation menu.
  6. Create the client secret by clicking on “New client secret” >> Provide a description, set the Expires option to “Never” and click on “Add”.
  7. Copy the client secret generated and store it in a safe place.

Update: Things have changed a bit now. From the web UI you can set the expiration to at most two years; Microsoft has removed the “Never” option to stop never-expiring app secrets. However, you can use PowerShell to add an app secret valid for 99 years!

#Parameters
#Object ID of the app registration (not the Application/Client ID) and a description for the new secret
$APPObjectID = "28ca09b5-7df2-4e2d-bc15-c4b27ea4af38"
$AppSecretDescription = "Client Secret for Scripts"

#Connect to Azure AD (AzureAD module, interactive sign-in)
Connect-AzureAD

#Add App Secret - Valid for 99 Years
$StartDate = Get-Date
$EndDate = $StartDate.AddYears(99)
#-CustomKeyIdentifier becomes the secret's description in the portal; the secret value itself is generated by Azure AD
$AAdAppsecret = New-AzureADApplicationPasswordCredential -ObjectId $APPObjectID -StartDate $StartDate -EndDate $EndDate -CustomKeyIdentifier $AppSecretDescription

#Get the Secret Set - this is the only time the value is returned, so store it securely
Write-Host $AAdAppsecret.Value
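Because secrets created this way outlive any rotation schedule, an administrator will usually want to find out which app registrations in the tenant already carry long-lived secrets. The script below is an added example, not part of the original post: it uses the same AzureAD module cmdlets (Get-AzureADApplication and Get-AzureADApplicationPasswordCredential) to list every client secret whose total lifetime exceeds a threshold. The $MaxLifetimeDays value is an assumed policy setting, the output file name is an assumption, and decoding CustomKeyIdentifier as UTF-8 text to recover the description is an assumption about how the module stores it.

```powershell
# Added example (not from the original post): audit app registrations for long-lived client secrets.
# Assumes the AzureAD PowerShell module and an account allowed to read app registrations.
param(
    [int]$MaxLifetimeDays = 180   # assumed policy: flag secrets valid for longer than this
)

# Connect to Azure AD (interactive sign-in)
Connect-AzureAD | Out-Null

$Now = Get-Date
$Findings = @()

# Enumerate all app registrations, not only the first page of results
$Apps = Get-AzureADApplication -All $true

foreach ($App in $Apps) {
    # Password credentials are the client secrets; only metadata is returned here, never the secret value
    $Secrets = Get-AzureADApplicationPasswordCredential -ObjectId $App.ObjectId

    foreach ($Secret in $Secrets) {
        # A missing EndDate is treated as a secret that never expires
        $NeverExpires = -not $Secret.EndDate
        if ($NeverExpires) {
            $TotalDays     = [double]::PositiveInfinity
            $RemainingDays = [double]::PositiveInfinity
        } else {
            $TotalDays     = ($Secret.EndDate - $Secret.StartDate).TotalDays
            $RemainingDays = ($Secret.EndDate - $Now).TotalDays
        }

        # CustomKeyIdentifier is returned as a byte array; assumed to hold the UTF-8 description text
        $Description = $null
        if ($Secret.CustomKeyIdentifier) {
            $Description = [System.Text.Encoding]::UTF8.GetString($Secret.CustomKeyIdentifier)
        }

        if ($TotalDays -gt $MaxLifetimeDays) {
            $Findings += [PSCustomObject]@{
                AppName       = $App.DisplayName
                AppId         = $App.AppId
                KeyId         = $Secret.KeyId
                Description   = $Description
                StartDate     = $Secret.StartDate
                EndDate       = $Secret.EndDate
                LifetimeDays  = [math]::Round($TotalDays)
                RemainingDays = [math]::Round($RemainingDays)
            }
        }
    }
}

# Report the longest-lived secrets first and keep a CSV for follow-up (file name is an assumption)
$Findings | Sort-Object LifetimeDays -Descending | Format-Table -AutoSize
$Findings | Export-Csv -Path ".\LongLivedAppSecrets.csv" -NoTypeInformation
```

Run it as .\Find-LongLivedAppSecrets.ps1 -MaxLifetimeDays 90 to tighten the threshold. Each finding carries the KeyId, which is the identifier you pass to Remove-AzureADApplicationPasswordCredential when a flagged secret is replaced by a shorter-lived one.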

Step 2: Grant Necessary Permissions to the App ID

Once we have the App ID registered, the next step is to grant permissions to the App ID.

  1. Navigate to the URL https://crescent-admin.sharepoint.com/_layouts/15/appinv.aspx as a SharePoint Online Administrator to grant tenant-level permissions. Because I’m granting tenant-level permissions here, the tenant admin URL has to be used!
  2. Enter the ID of the App you created in Step 1 and click on “Lookup”.
  3. Fill in other details on the page. I’ve entered the below Permission Request XML.
  4. Click on “Create” and then “Trust It” on the next page presented to complete the wizard.

Permission XML:

<AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>

Now, your Client ID and Client Secret are ready to use to authenticate with SharePoint Online!

Salaudeen Rajack

Salaudeen Rajack - SharePoint Expert with Two decades of SharePoint Experience. Love to Share my knowledge and experience with the SharePoint community, through real-time articles!

2 thoughts on “SharePoint Online: How to Register a Never Expiring App ID Secret with Azure AD?”

  • Never, ever do this. This is against all security best practices. Use a 3 month, better a 1 month expiration or better use managed identities instead of service principals.
    This post should have a huge warning, because this should never be done in any production environment and can lead to big security risks.

  • Your `New-AzureADApplicationPasswordCredential` command is wrong. Should be the following:

    $AAdAppsecret = New-AzureADApplicationPasswordCredential -ObjectId $APPObjectID -StartDate $StartDate -EndDate $EndDate -Value $AppSecret -CustomKeyIdentifier 'Whatever you want the name of the key to be'
