Renewing SharePoint Online Provider add-ins client secret

Figure 1 — Renewing SharePoint Add-ins client secret article mind map.


When you create a provider add-in, you need to create a client ID and client secret in SharePoint. You do this from the appregnew.aspx page of a site.


By default, the client secret that is generated for you is valid for one year only. The client secret must be renewed otherwise the application will stop working. I will describe the steps required to renew the client secret and make the client secret valid for three years.


To create a new client secret, you must delete the old keys before generating a new client secret. The best approach is to perform these actions using PowerShell. For this reason, you will need the following components on your local machine:

  1. PowerShell (Latest Version)

When is the end date?

To get the end date of when the client secret will expire you have to query the application keys using the client ID.

The Connect-MsolService cmdlet authenticates you to your Office 365 tenant. At the login prompt, enter tenant administrator credentials for the Office 365 tenancy where the add-in is registered.

To query the end date open Windows PowerShell and run the following cmdlet:

Connect-MsolService
$clientID = "d65cdd2b-9e19-4076-901f-9f9031080339"
Get-MsolServicePrincipal -AppPrincipalId $clientID
Get-MsolServicePrincipalCredential -AppPrincipalId $clientID -ReturnKeyValues $false | Where-Object { ($_.Type -ne "Other") -and ($_.Type -ne "Asymmetric") }

You will see a result similar to the one below:

Figure 2 — Results of querying SharePoint Online add-in keys expiration end date.
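As an added example that is not part of the original article, the same Get-MsolServicePrincipalCredential query can be wrapped in a small function that reports how many days each key has left and flags the ones inside a warning window, which is handy to schedule before the one-year expiry bites. The function name, the 30-day threshold and the all-zero client ID are assumptions; it expects Connect-MsolService to have been run already.

```powershell
# Added example (not from the original article): report the remaining lifetime of
# each add-in key and flag keys that are expired or about to expire.
# Assumes the MSOnline module is loaded and Connect-MsolService has already run.
function Get-AddinSecretStatus {
    param(
        [Parameter(Mandatory = $true)][string] $ClientId,
        [int] $WarnDays = 30   # assumed threshold; set it to your rotation lead time
    )

    # Only the Symmetric/Password entries carry the client secret; the article
    # excludes the "Other" and "Asymmetric" entries in the same way.
    $keys = Get-MsolServicePrincipalCredential -AppPrincipalId $ClientId -ReturnKeyValues $false |
        Where-Object { ($_.Type -ne 'Other') -and ($_.Type -ne 'Asymmetric') }

    foreach ($key in $keys) {
        $daysLeft = [math]::Floor(([DateTime]$key.EndDate - [DateTime]::UtcNow).TotalDays)
        $state = if ($daysLeft -lt 0) { 'EXPIRED' }
                 elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
                 else { 'OK' }
        [pscustomobject]@{
            KeyId    = $key.KeyId
            Type     = $key.Type
            Usage    = $key.Usage
            EndDate  = $key.EndDate
            DaysLeft = $daysLeft
            State    = $state
        }
    }
}

# Placeholder client ID; replace it with the add-in's own.
$clientID = '00000000-0000-0000-0000-000000000000'
$status = Get-AddinSecretStatus -ClientId $clientID -WarnDays 30
$status | Format-Table -AutoSize

if ($status | Where-Object { $_.State -ne 'OK' }) {
    Write-Warning "One or more keys for $clientID are expired or expiring; renew the client secret."
}
```

Run it from a scheduled task or a monitoring job so the add-in does not stop working unnoticed when the secret lapses.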

Creating a new secret

The following steps guide you through generating a new client secret. The procedure is broken down into four steps:

  1. Query the add-in keys to confirm the right client ID is being used.

Connect to your tenant as the tenant admin user using the commands below in SharePoint Windows PowerShell. Get the service principal and its keys. Printing $keys returns three records, each showing the EndDate of the key. Confirm that your expired key appears there.

## Step 1
# Get keys
Connect-MsolService
$clientID = "9825a06f-61de-461d-9efa-a28a9c3b1917" # Update to application client ID
Get-MsolServicePrincipal -AppPrincipalId $clientID
$keys = Get-MsolServicePrincipalCredential -AppPrincipalId $clientID -ReturnKeyValues $true
$keys

Remove the existing keys by replacing each KeyID in KeyID1, KeyID2, and KeyID3.

## Step 2
# Remove keys
Remove-MsolServicePrincipalCredential -KeyIds @("KeyID1","KeyID2","KeyID3") -AppPrincipalId $clientID

Generate a new ClientSecret for this clientID. It uses the same $clientID as set in the step above. The new ClientSecret is valid for three years.

## Step 3 — Recommended to wait 24 hours before creating new keys
# Create new keys for three years
$bytes = New-Object Byte[] 32
$rand = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rand.GetBytes($bytes)   # fill the buffer with random bytes; without this the secret would be 32 zero bytes
$newClientSecret = [System.Convert]::ToBase64String($bytes)
$dtStart = [System.DateTime]::Now
$dtEnd = $dtStart.AddYears(3)
# The same secret value is registered three times: Symmetric/Sign, Symmetric/Verify and Password/Verify
New-MsolServicePrincipalCredential -AppPrincipalId $clientID -Type Symmetric -Usage Sign -Value $newClientSecret -StartDate $dtStart -EndDate $dtEnd
New-MsolServicePrincipalCredential -AppPrincipalId $clientID -Type Symmetric -Usage Verify -Value $newClientSecret -StartDate $dtStart -EndDate $dtEnd
New-MsolServicePrincipalCredential -AppPrincipalId $clientID -Type Password -Usage Verify -Value $newClientSecret -StartDate $dtStart -EndDate $dtEnd
$newClientSecret

Copy the output of $newClientSecret and update the add-in's Web.config with the new ClientSecret. Wait at least 24 hours for the ClientSecret to propagate in SharePoint Online (SPO).

To confirm the new end dates execute the following commands:

## Step 4
# Confirm new end dates
Get-MsolServicePrincipal -AppPrincipalId $clientID
$keys = Get-MsolServicePrincipalCredential -AppPrincipalId $clientID -ReturnKeyValues $true
$keys


The steps are straightforward. I recommend that you perform them immediately when you deploy your SharePoint provider add-in. This ensures the client secret is valid for three years rather than the default one year.

If you find this too much of a hassle, I would suggest you stop developing SharePoint Provider add-ins and instead develop an application that you register in Azure Active Directory, which you can manage through the Azure Portal. In a future article, I will compare SharePoint Provider add-ins with Azure Active Directory applications.

If you enjoyed this article, please let me know and share the article. If you have questions or need more information, please let me know.
