Renewing SharePoint Online Provider add-ins client secret

Figure 1 — Renewing SharePoint Add-ins client secret article mind map.


When you create a provider add-in you need to create a client ID and client secret in SharePoint. In SharePoint, you will access the page appregnew.aspx in a site.

By default, the client secret that is generated for you is valid for one year only. The client secret must be renewed otherwise the application will stop working. I will describe the steps required to renew the client secret and make the client secret valid for three years.


To create a new client secret, you must delete the old keys before generating a new client secret. The best approach is to perform these actions using PowerShell. For this reason, you will need the following components on your local machine:

  1. PowerShell (Latest Version)
  2. Microsoft Online Services Sign-In Assistant
  3. Microsoft Online Services PowerShell Module

When is the end date?

To get the end date of when the client secret will expire you have to query the application keys using the client ID.

We use a command Connect-MsolService which will authenticate you to your Office 365 tenant. At the login prompt, enter tenant administrator credentials for the Office 365 tenancy where the add-in is registered.

To query the end date open Windows PowerShell and run the following cmdlet:

$clientID = “d65cdd2b-9e19–4076–901f-9f9031080339”
Get-MsolServicePrincipal -AppPrincipalId $clientID
Get-MsolServicePrincipalCredential -AppPrincipalId $clientID -ReturnKeyValues $false | Where-Object { ($_.Type -ne “Other”) -and ($_.Type -ne “Asymmetric”) }

You will see the result as similar as below:

Figure 2 — Results of querying SharePoint Online add-in keys expiration end date.

Creating a new secret

The following steps will guide you how to generate a new client secret. It is broken down into four steps:

  1. Query the add-in keys to confirm the right client ID is being used.
  2. Remove current keys used for client secret.
  3. Create a new client secret.
  4. Confirm the new end date of the client secret.

Connect to your tenant using the tenant admin user with the below markup using SharePoint Windows PowerShell. Get the ServicePrincipals and keys. Printing $keys return three records. You will also see the EndDate of each key. Confirm whether your expired key appears there.

## Step 1
# Get keys
$clientID = “9825a06f-61de-461d-9efa-a28a9c3b1917” # Update to application client ID
Get-MsolServicePrincipal -AppPrincipalId $clientID
$keys = Get-MsolServicePrincipalCredential -AppPrincipalId $clientID -ReturnKeyValues $true

Remove the existing keys by replacing each KeyID in KeyID1, KeyID2, and KeyID3.

## Step 2
# Remove keys
Remove-MsolServicePrincipalCredential -KeyIds @(“KeyID1”,”KeyID2",”KeyID3") -AppPrincipalId $clientID

Generate a new ClientSecret for this clientID. It uses the same clientID as set in the above step. The new ClientSecret is valid for 3 years.

## Step 3 — Recommended to wait 24 hours before creating new keys
# Create new keys for three years
$bytes = New-Object Byte[] 32
$rand = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$newClientSecret = [System.Convert]::ToBase64String($bytes)
$dtStart = [System.DateTime]::Now
$dtEnd = $dtStart.AddYears(3)
New-MsolServicePrincipalCredential -AppPrincipalId $clientID -Type Symmetric -Usage Sign -Value $newClientSecret -StartDate $dtStart -EndDate $dtEnd
New-MsolServicePrincipalCredential -AppPrincipalId $clientID -Type Symmetric -Usage Verify -Value $newClientSecret -StartDate $dtStart -EndDate $dtEnd
New-MsolServicePrincipalCredential -AppPrincipalId $clientID -Type Password -Usage Verify -Value $newClientSecret -StartDate $dtStart -EndDate $dtEnd

Copy the output of $newClientSecret and update the respective Web.config of the add-in with the new ClientSecret. Wait at least 24 hours for the ClientSecret to propagate in SharePoint Office (SPO).

To confirm the new end dates execute the following commands:

## Step 4
# Confirm new end dates
Get-MsolServicePrincipal -AppPrincipalId $clientID
$keys = Get-MsolServicePrincipalCredential -AppPrincipalId $clientID -ReturnKeyValues $true


The steps are straight forward. I recommend that you perform these steps immediately when you deploy your SharePoint provider add-in. This will ensure the client secret is valid for three years rather than the default one year.

If you find that this will be too much of a hassle. I would then suggest to stop developing SharePoint Provider add-ins. Rather develop an application that you register in Azure Active Directory which you can manage through the Azure Portal. In a future article post, I will compare SharePoint Provider add-ins versus Azure Active Directory Applications.

If you enjoyed this article, please let me know and share the article. If you have questions or need more information, please let me know.

Extra resources