Refresh a Client Secret of a SharePoint (Online) Addin

Yesterday I wrote a recipe on how to [Retrieve data from SharePoint Online without user interaction] and this morning I noticed that I had not saved the app identifier. So I navigated to https://your-tenant.sharepoint.com/sites/my-site-collection/_layouts/15/apprincipals.aspx to look up the Client Id. But I was still missing the Client Secret. Since (I believe) there is no way to unveil the existing Client Secret, I was lucky to find the following blog post [https://medium.com/@cecildt/renewing-sharepoint-online-provider-add-ins-client-secret-ba2828a49e7], which I blatantly repeat here for the sake of completeness of my own Office 365 cookbook.

Connect to Office 365

The cmdlets below come from the MSOnline module (Install-Module MSOnline), which Microsoft has since deprecated in favour of the Microsoft Graph PowerShell SDK, so check that it is still supported in your tenant before relying on this recipe.

Import-Module MSOnline
Connect-MsolService   # prompts for credentials; managing app credentials needs an admin role
$clientID = "your Client Id goes here"
Get-MsolServicePrincipal -AppPrincipalId $clientID   # fails if the Client Id is unknown in this tenant

This will show the Service Principal properties, similar to the example below:

ExtensionData         : System.Runtime.Serialization.ExtensionDataObject
AccountEnabled        : True
Addresses             : {Microsoft.Online.Administration.RedirectUri}
AppPrincipalId        : 164aa109-...
DisplayName           : my-sharepoint-addin-title
ObjectId              : 72973037-...
ServicePrincipalNames : {https://your-tenant.onmicrosoft.com/73bad0ce-...,
                        164aa109-...}
TrustedForDelegation  : False

Now let's first delete the previous Client Secret.

Get-MsolServicePrincipalCredential -AppPrincipalId $clientID -ReturnKeyValues $true

This may or may not show you a list of up to three application keys. However, in my case nothing showed. I guess this could be related to the fact that I had registered my app locally (to a Site Collection). However, if in your case keys are listed, you should delete them. Simply replace the placeholders "KeyID1" … "KeyID3" with the KeyIds listed on your screen.

Remove-MsolServicePrincipalCredential -KeyIds @("KeyID1","KeyID2","KeyID3") -AppPrincipalId $clientID

Now you can generate the new Client Secret.

# 32 bytes (256 bits) from the OS cryptographic random number generator
$bytes = New-Object Byte[] 32
$rand = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rand.GetBytes($bytes)
$rand.Dispose()

# Base64-encoded so it can be pasted into the add-in configuration as the client secret
$newClientSecret = [System.Convert]::ToBase64String($bytes)
$dtStart = [System.DateTime]::Now
$dtEnd = $dtStart.AddYears(3)   # 3 years is the maximum lifetime

# The same secret is registered three times: symmetric key for signing, symmetric key for verifying, and password for verifying
New-MsolServicePrincipalCredential -AppPrincipalId $clientID -Type Symmetric -Usage Sign -Value $newClientSecret -StartDate $dtStart -EndDate $dtEnd

New-MsolServicePrincipalCredential -AppPrincipalId $clientID -Type Symmetric -Usage Verify -Value $newClientSecret -StartDate $dtStart -EndDate $dtEnd

New-MsolServicePrincipalCredential -AppPrincipalId $clientID -Type Password -Usage Verify -Value $newClientSecret -StartDate $dtStart -EndDate $dtEnd

# Prints the new secret; copy it into your add-in configuration and your secret store now
$newClientSecret

The last line prints the new Client Secret. Treat that output as a credential: it ends up in PowerShell transcripts and any console logging you have enabled, so copy it into your add-in configuration and secret store straight away and clear the variable rather than leaving it on screen.
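The same procedure as one function, as an added example that is not code from the original post or from the blog it reproduces: it refuses to touch an unknown Client Id, removes either every existing key (as in the recipe) or only the expired ones, verifies that exactly three new entries appeared, and hands the secret back as a SecureString instead of printing it. It assumes the MSOnline module is loaded and Connect-MsolService has already succeeded; the optional Key Vault step assumes Az.KeyVault is installed and Connect-AzAccount has been run, and the secret name "spaddin-<ClientId>" is a made-up convention.

```powershell
# Added example (not from the original post): wraps the recipe above in one function.
# Assumes: MSOnline loaded and Connect-MsolService done; Az.KeyVault + Connect-AzAccount only if -KeyVaultName is used.
function Update-SpAddinClientSecret {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$ClientId,
        [ValidateRange(1, 3)][int]$ValidYears = 3,   # the recipe notes 3 years as the maximum lifetime
        [switch]$KeepValidKeys,                       # remove only expired keys instead of every key
        [string]$KeyVaultName                         # optional: also store the secret in Azure Key Vault
    )

    # Fail early if the Client Id does not resolve to a service principal in this tenant
    $sp = Get-MsolServicePrincipal -AppPrincipalId $ClientId -ErrorAction Stop
    Write-Verbose "Rotating secret for '$($sp.DisplayName)' ($ClientId)"

    # Decide which existing keys go: all of them (as in the recipe) or only the expired ones
    $now      = Get-Date
    $existing = @(Get-MsolServicePrincipalCredential -AppPrincipalId $ClientId -ReturnKeyValues $false)
    $toRemove = if ($KeepValidKeys) { @($existing | Where-Object { $_.EndDate -lt $now }) } else { $existing }
    if ($toRemove.Count -gt 0) {
        Write-Verbose "Removing $($toRemove.Count) credential(s): $($toRemove.KeyId -join ', ')"
        Remove-MsolServicePrincipalCredential -AppPrincipalId $ClientId -KeyIds ($toRemove | ForEach-Object { $_.KeyId })
    }
    # KeyIds that legitimately survive; anything else seen afterwards must be ours
    $kept = @($existing | Where-Object { $toRemove.KeyId -notcontains $_.KeyId } | ForEach-Object { $_.KeyId })

    # 256 bits from the OS CSPRNG, base64-encoded, exactly as the recipe does
    $bytes = New-Object byte[] 32
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    $secret = [System.Convert]::ToBase64String($bytes)
    [Array]::Clear($bytes, 0, $bytes.Length)

    $start = $now
    $end   = $start.AddYears($ValidYears)

    # Same value registered three ways, as the recipe requires for an add-in secret
    $common = @{ AppPrincipalId = $ClientId; Value = $secret; StartDate = $start; EndDate = $end; ErrorAction = 'Stop' }
    New-MsolServicePrincipalCredential @common -Type Symmetric -Usage Sign   | Out-Null
    New-MsolServicePrincipalCredential @common -Type Symmetric -Usage Verify | Out-Null
    New-MsolServicePrincipalCredential @common -Type Password  -Usage Verify | Out-Null

    # Verify by KeyId rather than by date, so server-side UTC conversion cannot fool the check
    $fresh = @(Get-MsolServicePrincipalCredential -AppPrincipalId $ClientId -ReturnKeyValues $false |
               Where-Object { $kept -notcontains $_.KeyId })
    if ($fresh.Count -ne 3) {
        throw "Expected 3 new credentials on $ClientId, found $($fresh.Count); do not hand out this secret."
    }

    # Convert before the plain-text copy goes out of scope; nothing is written to the console
    $secure = ConvertTo-SecureString -String $secret -AsPlainText -Force
    $secret = $null

    if ($KeyVaultName) {
        # Expires is Key Vault metadata only; it enforces nothing on the add-in side
        Set-AzKeyVaultSecret -VaultName $KeyVaultName -Name "spaddin-$ClientId" -SecretValue $secure -Expires $end | Out-Null
    }

    return $secure
}

# Usage: rotate, keep still-valid keys, and store the result without echoing it
# $s = Update-SpAddinClientSecret -ClientId "164aa109-..." -KeepValidKeys -KeyVaultName "my-vault" -Verbose
```

Run it with -Verbose to see which KeyIds were removed; the returned SecureString is the only place the new value lives in the session, so pass it on to whatever configures the add-in (or rely on the Key Vault copy) instead of converting it back to text at the prompt.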

Final thoughts

  1. Client Secrets have a limited lifetime of at most 3 years, so sooner or later we will all need to come back to this recipe and refresh them
  2. In my case I needed to re-grant permissions previously granted via https://my-tenant.sharepoint.com/sites/my-site-collection/_layouts/15/appinv.aspx
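Because of the 3-year limit in point 1, the thing you actually want is to know before a secret expires. The following is an added example, not code from the original post: it walks the tenant's service principals and reports every credential that has expired or ends within a given window. It assumes Connect-MsolService has been run with an account allowed to read service principals; the DisplayName wildcard is a hypothetical convention for picking out your own add-ins.

```powershell
# Added example (not from the original post): find add-in credentials that are expired or about to expire.
# Assumes Connect-MsolService has been run; the -DisplayNameLike filter is only a convenience.
function Get-ExpiringMsolCredential {
    [CmdletBinding()]
    param(
        [int]$WithinDays = 90,          # report anything ending inside this window
        [string]$DisplayNameLike = '*'  # e.g. 'my-sharepoint-*' to skip first-party principals
    )
    $now    = Get-Date
    $cutoff = $now.AddDays($WithinDays)

    # -All is slow on a large tenant; the name filter is applied client-side afterwards
    $principals = Get-MsolServicePrincipal -All | Where-Object { $_.DisplayName -like $DisplayNameLike }

    foreach ($sp in $principals) {
        # Some first-party principals refuse credential reads; skip them rather than abort the sweep
        $creds = Get-MsolServicePrincipalCredential -ObjectId $sp.ObjectId -ReturnKeyValues $false -ErrorAction SilentlyContinue
        foreach ($c in $creds) {
            if ($c.EndDate -le $cutoff) {
                [pscustomobject]@{
                    DisplayName    = $sp.DisplayName
                    AppPrincipalId = $sp.AppPrincipalId
                    KeyId          = $c.KeyId
                    Type           = $c.Type
                    Usage          = $c.Usage
                    EndDate        = $c.EndDate
                    DaysLeft       = [math]::Floor(($c.EndDate - $now).TotalDays)   # negative = already expired
                }
            }
        }
    }
}

# Usage: everything ending in the next 90 days, soonest first
# Get-ExpiringMsolCredential -DisplayNameLike 'my-sharepoint-*' | Sort-Object EndDate | Format-Table -AutoSize
```

An add-in that is still working shows up here three times (the symmetric sign, symmetric verify and password verify entries share one EndDate); a negative DaysLeft on any of the three means the refresh recipe above is already overdue.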
