SharePoint Online: How to Register a Never Expiring App ID Secret with Azure AD?
Requirement: Register a never-expiring App for SharePoint Online using Azure AD.
Any App ID (or Client ID) registered through SharePoint Online has an expiry date of 1 year by default. How do I register an App ID client secret that never expires? Well, you have to register the App through Azure AD! Here are the steps:
Step 1: Register an App from Azure AD
To register a client app and client secret in Azure AD, follow these steps:
- Log in to Azure Portal https://aad.portal.azure.com as an administrator.
- Navigate to Azure Active Directory >> Click on “App registrations” from the left navigation menu.
- Register a new app by clicking on the “New registration” link.
- Provide a name for your app, choose the supported account types and click on “Register”.
- Once the app is created, open the app >> Click on the “Certificates & secrets” link in the left navigation menu.
- Create the client secret by clicking on “New client secret” >> Provide a description, set the Expires option to “Never” and click on “Add”.
- Copy the client secret generated and store it in a safe place.
Update: Things have changed a bit now. You can set the expiration date to two years from the web UI. Microsoft has removed the “Never” option to stop never-expiring app secrets. However, you can use PowerShell to add an app secret valid for 99 years!
#Parameters
$APPObjectID = "28ca09b5-7df2-4e2d-bc15-c4b27ea4af38"   #Object ID of the app registration (not the Application/Client ID)
$AppSecret = "Client Secret for Scripts"                 #Description shown for the secret in the portal (stored as CustomKeyIdentifier)
#Connect to Azure AD (requires the AzureAD module: Install-Module AzureAD)
Connect-AzureAD
#Add App Secret - Valid for 99 Years. No -Value is passed, so Azure AD generates the secret value itself
$StartDate = Get-Date
$EndDate = $StartDate.AddYears(99)
$AAdAppsecret = New-AzureADApplicationPasswordCredential -ObjectId $APPObjectID -StartDate $StartDate -EndDate $EndDate -CustomKeyIdentifier $AppSecret
#Get the Secret Set - the value is only returned at creation time, so copy it now
Write-Host $AAdAppsecret.Value
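Once secrets can be created with arbitrary lifetimes, the tenant needs a way to find out which app registrations actually carry them. The script below is an added example (not code from the original post): it uses the same AzureAD module to inventory every application's password credentials, compute each secret's lifetime and remaining days, and flag those whose lifetime exceeds a policy threshold. The threshold value and the CSV output path are assumptions; adjust them to your tenant standard.

```powershell
# Added example: audit app registration secrets for excessive lifetimes.
# Assumes the AzureAD module is installed and that you have rights to read all applications.
$MaxSecretLifetimeDays = 365          # assumed policy threshold; adjust as needed
$OutputPath = ".\AppSecretInventory.csv"   # assumed output location

Connect-AzureAD

$Report = foreach ($App in Get-AzureADApplication -All $true) {
    foreach ($Cred in Get-AzureADApplicationPasswordCredential -ObjectId $App.ObjectId) {
        # CustomKeyIdentifier comes back as a byte array; decode it for display when present
        $Description = ""
        if ($null -ne $Cred.CustomKeyIdentifier) {
            $Description = [System.Text.Encoding]::UTF8.GetString($Cred.CustomKeyIdentifier)
        }

        # A missing EndDate is treated as "no expiry" and reported as exceeding policy
        if ($null -ne $Cred.EndDate) {
            $LifetimeDays = [int]($Cred.EndDate - $Cred.StartDate).TotalDays
            $DaysLeft     = [int]($Cred.EndDate - (Get-Date)).TotalDays
        } else {
            $LifetimeDays = [int]::MaxValue
            $DaysLeft     = [int]::MaxValue
        }

        [PSCustomObject]@{
            AppName       = $App.DisplayName
            AppId         = $App.AppId
            KeyId         = $Cred.KeyId
            Description   = $Description
            StartDate     = $Cred.StartDate
            EndDate       = $Cred.EndDate
            LifetimeDays  = $LifetimeDays
            DaysLeft      = $DaysLeft
            ExceedsPolicy = ($LifetimeDays -gt $MaxSecretLifetimeDays)
        }
    }
}

# Show the offenders first (longest lifetime at the top), then keep the full inventory for review
$Report | Where-Object { $_.ExceedsPolicy } |
    Sort-Object LifetimeDays -Descending |
    Format-Table AppName, Description, StartDate, EndDate, LifetimeDays, DaysLeft -AutoSize

$Report | Export-Csv -Path $OutputPath -NoTypeInformation
```

Run it from an account that can read all app registrations; the CSV gives you a baseline to compare against on a schedule, so a newly created long-lived secret shows up as a diff rather than being discovered only when it is abused.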
Step 2: Grant Necessary Permissions to the App ID
Once we have the App ID registered, the next step is to grant permissions to the App ID.
- Navigate to the URL https://crescent-admin.sharepoint.com/_layouts/15/appinv.aspx as a SharePoint Online Administrator to grant tenant-level permissions. Since I’m granting tenant-level permissions here, I have to use the tenant admin URL!
- Enter the ID of the App you created in Step 1 and click on “Lookup”.
- Fill in other details on the page. I’ve entered the below Permission Request XML.
- Click on “Create” and then “Trust It” on the next page to complete the wizard. Permission XML:
<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl" />
</AppPermissionRequests>
Now, your Client ID and Client Secret are ready to use to authenticate with SharePoint Online!
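After the grant, it is worth confirming that the app-only credentials actually work before handing them to a script, and doing so without pasting the secret into the script body. The following is an added example (not from the original post) using PnP PowerShell: it reads the secret from an environment variable, connects with the client ID and secret, and performs a read-only probe. The site URL, the client ID placeholder and the environment variable name are assumptions.

```powershell
# Added example: verify the app-only grant from Step 2 with PnP.PowerShell.
# Assumes the PnP.PowerShell module is installed and the secret is stored in the
# environment variable SPO_APP_SECRET (assumed name) rather than in the script.
$SiteUrl  = "https://crescent.sharepoint.com/sites/Marketing"   # assumed site in the tenant
$ClientId = "<application-client-id-from-step-1>"              # placeholder: the App ID looked up on appinv.aspx

$ClientSecret = $env:SPO_APP_SECRET
if (-not $ClientSecret) {
    throw "Set the SPO_APP_SECRET environment variable before running this check."
}

# Client ID + client secret is the ACS app-only flow that the appinv.aspx grant enables
Connect-PnPOnline -Url $SiteUrl -ClientId $ClientId -ClientSecret $ClientSecret

$Web = Get-PnPWeb
Write-Host "App-only connection succeeded to '$($Web.Title)' ($($Web.Url))"

# Read-only probe: listing lists needs only Read rights, so success here confirms the
# grant applied but does not by itself prove FullControl was needed for the job
Get-PnPList | Select-Object Title, ItemCount | Format-Table -AutoSize

Disconnect-PnPOnline
```

If the connection fails with an access denied error, the usual causes are the grant being made on a site collection admin page instead of the tenant admin URL shown above, or a mismatch between the App (client) ID entered on appinv.aspx and the registration whose secret you are using.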
Never, ever do this. This is against all security best practices. Use a 3-month, or better a 1-month, expiration, or better still use managed identities instead of service principals.
This post should have a huge warning, because this should never be done in any production environment and can lead to big security risks.
Your `New-AzureADApplicationPasswordCredential` command is wrong. Should be the following:
$AAdAppsecret = New-AzureADApplicationPasswordCredential -ObjectId $APPObjectID -StartDate $StartDate -EndDate $EndDate -Value $AppSecret -CustomKeyIdentifier 'Whatever you want the name of the key to be'