Extend expiry date of SharePoint Online Client ID and Secret Key (Powershell)

When we connect external applications to SharePoint via API, a client ID and client secret are normally generated and used to obtain access tokens that authorize API calls. In case you do not know how to generate these credentials, you can read my previous blog post here to learn how to do that.

After one year of use, the client ID and secret key expire, and your application is no longer authorized to access SharePoint. This causes a 401 error like the one below:

The remote server returned an error: (401) Unauthorized. — {“error”:”invalid_client”,”error_description”:”AADSTS7000222: The provided client secret keys are expired. Visit the Azure Portal to create new keys for your app, or consider using certificate credentials for added security: https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials\r\nTrace

This is because by default SPO’s client secret key expires in 1 year from the day it was generated.

So what do we do when this occurs?

Check the expiration date of Client Id

I advise you to do this so you can confirm the date before and after you extend the expiration time for your Client ID.

Open PowerShell, PowerShell ISE or the SharePoint Management Shell and choose 'Run as administrator' (for this tutorial I am using PowerShell ISE on Windows 10).

1. Install Microsoft Online Service

Install-Module MSOnline

2. Import MS Online service

Import-Module MSOnline

3. Connect to Tenant (using an account with Global administrator access is always preferable for me)

Connect-MSOLService

4. You can check the expiry date for a client ID using the command below (in this text b5189445-61e6-4008-af4f-78f0306f0200 is my client/app ID; you should replace it with yours):

(Get-MsolServicePrincipalCredential -AppPrincipalId b5189445-61e6-4008-af4f-78f0306f0200 -ReturnKeyValues $true).EndDate.ToShortDateString()| select -first 1

This command shows you the current one-year expiry date.

Renew or extend the expiration date of Client Id

Once you have confirmed the expiry date, run the script below to extend it.

Note: The maximum period you can extend a client secret to is three (3) years, at the time of writing this blog post. (I stand to be corrected 😀)

# Import MS Online service
Import-Module MSOnline
# (provide the tenant administrator username and password)
Connect-MsolService
# Store the client id in a variable
$clientId = "b5189445-61e6-4008-af4f-78f0306f0200"

# Generate a key with default expiration (one year).
$bytes = New-Object Byte[] 32
$rand = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rand.GetBytes($bytes)
$rand.Dispose()
$newClientSecret = [System.Convert]::ToBase64String($bytes)
New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Symmetric -Usage Sign -Value $newClientSecret
New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Symmetric -Usage Verify -Value $newClientSecret
New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Password -Usage Verify -Value $newClientSecret
# Output the new client secret
$newClientSecret

# Generate the client secret with three years expiration
# Including the -EndDate parameter on the three calls of the New-MsolServicePrincipalCredential cmdlet
$bytes = New-Object Byte[] 32
$rand = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rand.GetBytes($bytes)
$rand.Dispose()
$newClientSecret = [System.Convert]::ToBase64String($bytes)
$dtStart = [System.DateTime]::Now
$dtEnd = $dtStart.AddYears(3)
New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Symmetric -Usage Sign -Value $newClientSecret -StartDate $dtStart -EndDate $dtEnd
New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Symmetric -Usage Verify -Value $newClientSecret -StartDate $dtStart -EndDate $dtEnd
New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Password -Usage Verify -Value $newClientSecret -StartDate $dtStart -EndDate $dtEnd
# Output the new client secret
$newClientSecret

Then run this command to confirm your expiration date again:

(Get-MsolServicePrincipalCredential -AppPrincipalId b5189445-61e6-4008-af4f-78f0306f0200 -ReturnKeyValues $true).EndDate.ToShortDateString()| select -first 1
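
The check above prints only the first credential's end date, while the renewal script adds several credential entries to the same app. As an added example (not part of the original post), the hypothetical helper Get-CredentialExpiryStatus below lists every credential with its days remaining; the sample objects, the fixed reference date and the 30-day warning threshold are constructed for illustration.

```powershell
# Added example. Get-CredentialExpiryStatus is a hypothetical helper name,
# not an MSOnline cmdlet. It reads the KeyId, Type, Usage and EndDate
# properties of the objects returned by Get-MsolServicePrincipalCredential.
function Get-CredentialExpiryStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Credential,
        [int]$WarnDays = 30,              # assumed warning window
        [datetime]$Now = (Get-Date)
    )
    process {
        # Whole days until expiry; negative means already expired.
        $daysLeft = [int][math]::Floor(($Credential.EndDate - $Now).TotalDays)
        if ($daysLeft -lt 0) { $status = 'Expired' }
        elseif ($daysLeft -le $WarnDays) { $status = 'ExpiringSoon' }
        else { $status = 'OK' }

        [pscustomobject]@{
            KeyId    = $Credential.KeyId
            Type     = $Credential.Type
            Usage    = $Credential.Usage
            EndDate  = $Credential.EndDate.ToString('yyyy-MM-dd')
            DaysLeft = $daysLeft
            Status   = $status
        }
    }
}

# Constructed sample objects (not real tenant data) so the function runs offline.
$now = [datetime]'2022-04-27'
$sample = @(
    [pscustomobject]@{ KeyId = '00000000-0000-0000-0000-000000000001'; Type = 'Symmetric'; Usage = 'Sign';   EndDate = [datetime]'2022-04-01' }
    [pscustomobject]@{ KeyId = '00000000-0000-0000-0000-000000000002'; Type = 'Password';  Usage = 'Verify'; EndDate = [datetime]'2022-05-15' }
    [pscustomobject]@{ KeyId = '00000000-0000-0000-0000-000000000003'; Type = 'Symmetric'; Usage = 'Verify'; EndDate = [datetime]'2025-04-27' }
)
$sample | Get-CredentialExpiryStatus -Now $now | Sort-Object DaysLeft | Format-Table -AutoSize

# Against a live tenant, after Connect-MsolService. Passing $false to
# -ReturnKeyValues keeps the secret values out of the output:
# Get-MsolServicePrincipalCredential -AppPrincipalId $clientId -ReturnKeyValues $false |
#     Get-CredentialExpiryStatus
```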

Conclusion

In this article, I have discussed the SharePoint client ID/secret expiration error, and how to check and extend the expiration date.

I hope you find it useful!!

This blog is part of SharePoint Week. Find more here.

About the Author:

SharePoint Developer | Javascript | Frontend Dev

Reference:

E, Adegor. (2022). Extend expiry date of SharePoint Online Client ID and Secret Key (Powershell). Available at: https://emmanueladegor.medium.com/extend-expiry-date-of-sharepoint-online-client-id-and-secret-key-powershell-ca7b02d338b7 [Accessed: 27th April 2022].