How to Extend 3 years expiration period for Azure App-Secret - Netwoven

How to Extend 3 years expiration period for Azure App-Secret

By Subhendu Das  •  January 15, 2019  •  11357 Views

How to Extend 3 years expiration period for Azure App-Secret

Your Azure applications were working fine till yesterday, but suddenly you are unable to login to the hosted application and drilling down you found errors like “Invalid client secret is provided” or “Invalid issuer or signature” in error logs. This means the App-secret key has expired and you want to create and extend the expired App-Secret. Further you want to extend it say; for 3 years, before or after expiration, and this is the tricky part.

This article will guide you through the steps to perform Azure App-Secret Replacement, extending 3 years expiration period, where default is 1 year.

Get expiration dates of the SharePoint Add-ins installed to the Office 365

  • Connect to Office 365 Tenant with PowerShell ISE
Connect-MsolService
How to Extend 3 years expiration period for Azure App
  • When prompted Login with Global Admin Credential
How to Extend 3 years expiration period for Azure App
How to Extend 3 years expiration period for Azure App
  • Once logged in to Office 365 tenant Keep the PS windows open for upcoming step
  • Now create a PS1 script which will filter out MS own applications and add-ins under development. Also, exclude non-SharePoint add-ins and add-ins that use asymmetric keys and save the rest in a text file, Say for instance appsec.txt

Syntax :

$applist = Get-MsolServicePrincipal -all | Where-Object -FilterScript { ($_.DisplayName -notlike "*Microsoft*") -and ($_.DisplayName -notlike "autohost*") -and  ($_.ServicePrincipalNames -notlike "*localhost*") }
foreach ($appentry in $applist)
{
   $principalId = $appentry.AppPrincipalId
   $principalName = $appentry.DisplayName

   Get-MsolServicePrincipalCredential -AppPrincipalId $principalId -ReturnKeyValues $false | Where-Object { ($_.Type -ne "Other") -and ($_.Type -ne "Asymmetric") }

   $date = get-date
   Write-Host "$principalName;$principalId;$appentry.KeyId;$appentry.type;$date;$appentry.Usage"

} 
  • Go to Script Path Say c:\temp and run the script followed by > c:\temp\appsec.txt to save the result in text file
    How to Extend 3 years expiration period for Azure App-Secret
  • Once the script is executed, collect the txt file and look if any of the secrets are near expiration or already expired. Or simple copy the result from PowerShell Screen.
    How to Extend 3 years expiration period for Azure App-Secret
  • Now we got the APP ID (e.g. DemoApp For App Secret Replacement; fe897d22-cebd-4ea7-8d36-9ff257ab848d
  • Keep the information safe for next step

Verify the application

  • Open your O365 tenant URL with < Your Tenant URL>/_layouts/15/AppInv.aspx
    For example : https://XXXXXXXXXXXXXXX.sharepoint.com/_layouts/15/AppInv.aspx
How to Extend 3 years expiration period for Azure App
How to Extend 3 years expiration period for Azure App

Generate a New App Secret for Three Years

  • Open the PowerShell ISE console and create client ID variable with the following line,
  • Import PowerShell module for O365
import-module MSOnline
 $msolcred = get-credential
 connect-msolservice -credential $msolcred
  • Below script, returns three records. Replace each KeyIdin KeyId1KeyId2, and KeyId3. You also see the EndDate of each key. Confirm whether your expired key appears there.
$clientId = fe897d22-cebd-4ea7-8d36-9ff257ab848d
 $keys = Get-MsolServicePrincipalCredential -AppPrincipalId $clientId
 Remove-MsolServicePrincipalCredential -KeyIds @("KeyId1"," KeyId2"," KeyId3") -AppPrincipalId $clientId

Note: Only valid for already expired App Secret

  • Create and then run below PS script “PS1” to generate a new client Secret

Syntax:

$clientId = fe897d22-cebd-4ea7-8d36-9ff257ab848d
$bytes = New-Object Byte[] 32
 $rand = [System.Security.Cryptography.RandomNumberGenerator]::Create()
 $rand.GetBytes($bytes)
 $rand.Dispose()
 $newClientSecret = [System.Convert]::ToBase64String($bytes)
 $dtStart = [System.DateTime]::Now
 $dtEnd = $dtStart.AddYears(3)
 New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Symmetric -Usage Sign -Value $newClientSecret -StartDate $dtStart  -EndDate $dtEnd
 New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Symmetric -Usage Verify -Value $newClientSecret   -StartDate $dtStart  -EndDate $dtEnd
 New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Password -Usage Verify -Value $newClientSecret   -StartDate $dtStart  -EndDate $dtEnd
 $newClientSecret

Note: In demo app shown here, throws some exception as the App-secret is not yet expired. Please ignore if you want to simply extend the App-Secret expiration period from (default) 1 year to number of years you want.

How to Extend 3 years expiration period for Azure App
  • Tested by comparing pre-captured old with new app secret for our demo app

New App Secret:   Q3UchZSmHGpZnVJCnGIpsKLTRSQtlS6QuMlYYhV8xzI=

Old App secret:   eWBG4M0CaaQhloPQ/OGg8zQhieTURZTVNMA4jqCFiMs=

Make change in Web.Config

  • Go to your application system and locate config file
  • Open with Admin privilege in notepad
  • Search for “appsettings” and replace the configwith this ClientId and ClientSecret. You don’t need SecondaryClientSecret app settings.

Example:

<appSettings>
   <add key="ClientId" value="your client id here" />
        ... other settings may be here ...
</appSettings>

Ensure the App ID have full permission

  • Go to URL < Your Tenant URL>/_layouts/15/AppInv.aspx
    E.g. https://XXXXXXXXXXXXX.sharepoint.com/_layouts/15/AppInv.aspx
  • Verify below XML fragment in the text box “App’s Permission Request XML
  • Your URL would differ from demo URL
<AppPermissionRequests AllowAppOnlyPolicy="true"><AppPermissionRequest Scope="https://XXXXXXXXX.com" Right="FullControl"/></AppPermissionRequests>

Note : If XML entry not, present or FullControl not mentioned, then you need to enter and click on create again to update permission

How to Extend 3 years expiration period for Azure App

Hope, this will help you on the context. Please keep on visiting our Blog for more interesting contents.

Subhendu Das

Subhendu Das

Subhendu Das is a technically competent IT Professional offering a distinguished career donning leadership roles for over 18 years primarily in IT Infrastructure Services along with a 12 years’ experience in IT Education Industry as a lead Educationalist. Subhendu has been working as a Senior Manager – IT Infrastructure with Netwoven and he is driving a team of IT Administrators and building sound IT Infrastructure for developers and remote servers in US. He is also actively involved with various client infrastructure migration, SharePoint, Exchange and Office 365 projects. Subhendu holds a Bachelor of Science from Calcutta University and also is a graduate from National Institute of Information Technology. He is a Microsoft Certified professional with certifications in MCSE, MCITP, MOS, MCTS, MCSA.

2 comments

Leave a comment

Your email address will not be published. Required fields are marked *

Dublin Chamber of Commerce
Microsoft Partner
Microsoft Partner
Microsoft Partner
Microsoft Partner
Microsoft Partner
Microsoft Partner
Microsoft Fast Track
Microsoft Partner
Microsoft Fabric
MISA
MISA
Unravel The Complex
Stay Connected

Subscribe and receive the latest insights

Netwoven Inc. - Microsoft Solutions Partner

Get involved by tagging Netwoven experiences using our official hashtag #UnravelTheComplex