Requirement: Register a never-expiring App for SharePoint Online using Azure AD.
Any App ID (or Client ID) registered through SharePoint Online has an expiry date of 1 year by default. How do you register an App ID with a client secret that never expires? You have to register the app through Azure AD. Here are the steps:
Step 1: Register an App from Azure AD
To register a client app and client secret in Azure AD, follow these steps:
Navigate to Azure Active Directory >> Click on “App registrations” from the left navigation menu.
Register a new app by clicking on the “New registration” link.
Provide a name for your app, choose the account types, and click on “Register”.
Once the app is created, open the app >> Click on the “Certificates & secrets” link in the left navigation menu.
Create the client secret by clicking on “New client secret” >> Provide a description, set the Expires option to “Never”, and click on “Add”.
Copy the client secret generated and store it in a safe place.
Update: Things have changed a bit now. The web UI lets you set the expiration date to two years; Microsoft has removed the “Never” option to stop never-expiring app secrets. However, you can use PowerShell to add an app secret valid for 99 years!
#Parameters
#Object ID of the app registration
$APPObjectID = "28ca09b5-7df2-4e2d-bc15-c4b27ea4af38"
#Description (key identifier) of the secret, not the secret value itself
$AppSecret = "Client Secret for Scripts"
#Connect to Azure AD
Connect-AzureAD
#Add App Secret - Valid for 99 Years
$StartDate = Get-Date
$EndDate = $StartDate.AddYears(99)
$AAdAppsecret = New-AzureADApplicationPasswordCredential -ObjectId $APPObjectID -StartDate $StartDate -EndDate $EndDate -CustomKeyIdentifier $AppSecret
#Get the generated secret value (it is only returned at creation time)
Write-Host $AAdAppsecret.Value
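To keep track of secrets like the one created by the script above, the following added example (not part of the original article) lists the client secrets of every app registration with their total and remaining lifetime, using the same AzureAD module. The `$MaxLifetimeDays` threshold of 730 days is an assumption that mirrors the two-year limit of the web UI; adjust it to your own policy.

```powershell
# Added example, not from the original article.
# Assumption: $MaxLifetimeDays is a hypothetical policy threshold (two years here).
$MaxLifetimeDays = 730

Connect-AzureAD | Out-Null
$Now = (Get-Date).ToUniversalTime()

$Report = foreach ($App in Get-AzureADApplication -All $true) {
    foreach ($Cred in $App.PasswordCredentials) {
        # Skip entries that carry no validity dates
        if (-not $Cred.StartDate -or -not $Cred.EndDate) { continue }

        $LifetimeDays  = [int]($Cred.EndDate - $Cred.StartDate).TotalDays
        $RemainingDays = [int]($Cred.EndDate - $Now).TotalDays

        # Classify: already expired, issued for longer than policy allows, or fine
        $Status = if ($RemainingDays -lt 0) { "Expired" } elseif ($LifetimeDays -gt $MaxLifetimeDays) { "LongLived" } else { "OK" }

        [PSCustomObject]@{
            DisplayName   = $App.DisplayName
            AppId         = $App.AppId
            ObjectId      = $App.ObjectId
            KeyId         = $Cred.KeyId
            EndDate       = $Cred.EndDate
            LifetimeDays  = $LifetimeDays
            RemainingDays = $RemainingDays
            Status        = $Status
        }
    }
}

# Show only secrets that need attention, longest remaining lifetime first
$Report | Where-Object Status -ne "OK" |
    Sort-Object RemainingDays -Descending |
    Format-Table -AutoSize
```

Once a replacement secret is in place, a flagged one can be removed with `Remove-AzureADApplicationPasswordCredential`, passing the `ObjectId` and `KeyId` from the report.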
Step 2: Grant Necessary Permissions to the App ID
Once we have the App ID registered, the next step is to grant permissions to the App ID.
Navigate to the URL https://crescent-admin.sharepoint.com/_layouts/15/appinv.aspx as a SharePoint Online Administrator. This example grants tenant-level permissions, so the tenant admin URL must be used.
Enter the ID of the App you created in Step 1 and click on “Lookup”.
Fill in other details on the page. I’ve entered the below Permission Request XML.
Click on “Create” and then “Trust It” on the next page presented to complete the wizard. Permission XML:
Salaudeen Rajack - SharePoint Expert with Two decades of SharePoint Experience. Love to Share my knowledge and experience with the SharePoint community, through real-time articles!
2 thoughts on “SharePoint Online: How to Register a Never Expiring App ID Secret with Azure AD?”
Never, ever do this. This is against all security best practices. Use a 3 month, better a 1 month expiration or better use managed identities instead of service principals.
This post should have a huge warning, because this should never be done in any production environment and can lead to big security risks.
Your `New-AzureADApplicationPasswordCredential` command is wrong. Should be the following:
$AAdAppsecret = New-AzureADApplicationPasswordCredential -ObjectId $APPObjectID -StartDate $StartDate -EndDate $EndDate -Value $AppSecret -CustomKeyIdentifier 'Whatever you want the name of the key to be'