How to renew a Client Secret in SharePoint Online using PowerShell?

Requirement: Renew a client secret in SharePoint Online.

How to Extend the Validity of a Client Secret in SharePoint Online?

A client secret is an important part of the authentication process for a SharePoint Online app. It is used to grant the app access to SharePoint resources and verify its identity. In this tutorial, we will show you how to renew a client secret in SharePoint Online using PowerShell. You will learn how to connect to your tenant using PowerShell and update the client secret for your app.

Any Client ID (or App ID) and client secret registered through SharePoint Online’s /_layouts/15/AppRegNew.aspx has a validity of 1 year, and there are no ways to renew the client secret from the web user interface (as of today!). You may start to see 401 unauthorized errors if the given client secret is expired, and applications/add-ins that use the specific expired client secret will stop working!

how to renew client secret in sharepoint online

PowerShell to renew client secret SharePoint Online

Assuming you have the AzureAD PowerShell module installed, Here is the PowerShell script to extend the validity of a given App’s client secret by ten years. Few notes:

  • Login as a Tenant Administrator when prompted
  • Make sure you set the $AppName according to your requirement.
  • Set the $EndDate parameter to set when the client secret expires.
$AppName = "File Server Sync Utility"

#Connect to AzureAD
Connect-AzureAD -Credential (Get-Credential)

#Get the Client ID
$App = Get-AzureADServicePrincipal -All $true |  Where-Object {$_.DisplayName -eq $AppName} # Or {$_.AppID -eq '4562ff5a-568c-45a1-a4da-18d64c359ec2'}

#Get the Current Expiry Date
$CurrentExpiryDate = (Get-AzureADServicePrincipalPasswordCredential -ObjectId $App.ObjectId).EndDate
Write-host "Current Expiry Date:"$CurrentExpiryDate

#Extend the validity of the App by 10 years
$StartDate = Get-Date
$EndDate = $StartDate.AddYears(10)
New-AzureADServicePrincipalPasswordCredential -ObjectId $App.ObjectId -StartDate $StartDate -EndDate $EndDate

The above PowerShell extends the validity of the existing client secret! In other words, the same client secret will be generated with a new expiration date. What If you want to replace the current client secret (or Password) with a new one?

New-AzureADServicePrincipalPasswordCredential -ObjectId $App.ObjectId -StartDate $StartDate -EndDate $EndDate -Value "MyNewClientSecretGoesHere"

Now, You can validate the Client ID and Client Secret by connecting to SharePoint Online:

#Connect to PnP using Client ID and Client Secret
$SiteURL = ""
Connect-PnPOnline -ClientId "4562ff5a-568c-45a1-a4da-18d64c359ec2" -ClientSecret "h9+rJfADo72e3w6uW5qfgeVRO98vzDc0LrSbGemm=" -Url $SiteURL

#Get All Lists from the site

It’s important to keep your client secret secure, as it is used to authenticate your app and grant it access to SharePoint resources.


To conclude, renewing a client secret in SharePoint Online using PowerShell is a straightforward process that can be accomplished by following a few simple steps. First, connect to your Azure AD using the PowerShell Connect-AzureAD cmdlet. Next, use the Get-AzureADServicePrincipal cmdlet to get the app, specifying the app’s client ID and a new client secret. Finally, renew the app secret by using the New-AzureADServicePrincipalPasswordCredential cmdlet. By following these steps, you can easily renew the client secret for your SharePoint Online app, and ensure that it continues to have secure access to your tenant’s resources.

Salaudeen Rajack

Salaudeen Rajack - SharePoint Expert with Two decades of SharePoint Experience. Love to Share my knowledge and experience with the SharePoint community, through real-time articles!

3 thoughts on “How to renew a Client Secret in SharePoint Online using PowerShell?

  • ***NOTE*** by default, the New-AzureADServicePrincipalPasswordCredential generates a new password (client secret) if one is not supplied. If you don’t want your client secret to change, use this command instead:

    New-AzureADServicePrincipalPasswordCredential -ObjectId $App.ObjectId -EndDate $EndDate -Value “CurrentClientSecret”

    (if StartDate paramter is not supplied, the current date will be used)

    • This still creates a new credential, it just happens to be same secret as the other. If you run Get-AzureADServicePrincipalPasswordCredential -ObjectId $App.ObjectId You’ll see an additional credential is indeed created with a new KeyID.

  • Can you run a report on each site to know which service principals in Azure map to credentials granting access to SPO sites?


Leave a Reply

Your email address will not be published. Required fields are marked *