Extend expiry date of SharePoint Online Client ID and Secret Key (Powershell)

Emmanuel Adegor
4 min read · Jan 11, 2022

When we connect external applications to SharePoint via the API, a client ID and client secret are normally generated; they are used to obtain the access tokens that authorize API calls. If you do not know how to generate these credentials, you can read my previous blog post here to learn how.

After one year, the client ID and secret key expire, and your application is no longer authorized to access SharePoint. This causes a 401 error like the one below:

The remote server returned an error: (401) Unauthorized. — {“error”:”invalid_client”,”error_description”:”AADSTS7000222: The provided client secret keys are expired. Visit the Azure Portal to create new keys for your app, or consider using certificate credentials for added security: https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials\r\nTrace

This is because, by default, an SPO client secret key expires one year from the day it was generated.

So what do we do when this occurs?

Check the expiration date of Client Id

I advise you to do this so you can confirm the date before and after you extend the expiration time for your Client ID.

Open PowerShell, PowerShell ISE or the SharePoint Management Shell with 'Run as administrator' (for this tutorial I am using PowerShell ISE on Windows 10).

1. Install Microsoft Online Service

Install-Module MSOnline

2. Import MS Online service

Import-Module MSOnline

3. Connect to Tenant (using an account with Global administrator access is always preferable for me)

Connect-MSOLService

4. You can check the expiry date for a client ID using the following command (in this text b5189445-61e6-4008-af4f-78f0306f0200 is my client/app ID; replace it with yours):

(Get-MsolServicePrincipalCredential -AppPrincipalId b5189445-61e6-4008-af4f-78f0306f0200 -ReturnKeyValues $true).EndDate.ToShortDateString()| select -first 1

This command would show you your one-year expiry date as found here:

Renew or extend the expiration date of Client Id

Once you confirm the expiry date, run the script below to extend it.

Note: The maximum period you can extend a client secret to is three (3) years, at the time of writing this blog post. (I stand to be corrected 😀)

# Import the MS Online service module
Import-Module MSOnline
# (provide the tenant administrator username and password)
Connect-MsolService

# Store the client id in a variable
$clientId = "b5189445-61e6-4008-af4f-78f0306f0200"

# Generate a key with default expiration (one year).
$bytes = New-Object Byte[] 32
$rand = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rand.GetBytes($bytes)
$rand.Dispose()
$newClientSecret = [System.Convert]::ToBase64String($bytes)
New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Symmetric -Usage Sign -Value $newClientSecret
New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Symmetric -Usage Verify -Value $newClientSecret
New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Password -Usage Verify -Value $newClientSecret
$newClientSecret

# Generate the client secret with three years expiration,
# including the -EndDate parameter on the three calls of the New-MsolServicePrincipalCredential cmdlet
$bytes = New-Object Byte[] 32
$rand = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rand.GetBytes($bytes)
$rand.Dispose()
$newClientSecret = [System.Convert]::ToBase64String($bytes)
$dtStart = [System.DateTime]::Now
$dtEnd = $dtStart.AddYears(3)
New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Symmetric -Usage Sign -Value $newClientSecret -StartDate $dtStart -EndDate $dtEnd
New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Symmetric -Usage Verify -Value $newClientSecret -StartDate $dtStart -EndDate $dtEnd
New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Password -Usage Verify -Value $newClientSecret -StartDate $dtStart -EndDate $dtEnd
$newClientSecret

Then run this command to confirm your expiration date again:

(Get-MsolServicePrincipalCredential -AppPrincipalId b5189445-61e6-4008-af4f-78f0306f0200 -ReturnKeyValues $true).EndDate.ToShortDateString()| select -first 1
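
The one-line check above prints only the first credential's date, while the renewal script adds three entries (Symmetric/Sign, Symmetric/Verify, Password/Verify) per secret. The following is an added example, not part of the original post: a hypothetical helper, Get-CredentialExpiryReport, that lists every entry with its KeyId and days remaining. The 60-day threshold and the sample rows are constructed for illustration.

```powershell
# Added example (not from the original post): report every credential on an
# app principal with its KeyId and days remaining, without reading key values.
function Get-CredentialExpiryReport {
    [CmdletBinding()]
    param(
        # Objects exposing KeyId, Type, Usage and EndDate, the properties
        # returned by Get-MsolServicePrincipalCredential.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Credential,
        # Assumed threshold: flag credentials expiring within this many days.
        [int]$WarnDays = 60,
        # Reference time, injectable so the constructed sample is reproducible.
        [datetime]$Now = (Get-Date)
    )
    process {
        $daysLeft = [math]::Floor(($Credential.EndDate - $Now).TotalDays)
        $state = 'Valid'
        if ($daysLeft -le $WarnDays)      { $state = 'ExpiringSoon' }
        if ($Credential.EndDate -le $Now) { $state = 'Expired' }
        [pscustomobject]@{
            KeyId    = $Credential.KeyId
            Type     = $Credential.Type
            Usage    = $Credential.Usage
            EndDate  = $Credential.EndDate
            DaysLeft = $daysLeft
            State    = $state
        }
    }
}

# Constructed sample: an old one-year secret and its three-year replacement,
# each stored as the three entries the renewal script creates.
$now = Get-Date '2022-01-11'
$n = 0
$rows = foreach ($end in @($now.AddDays(10), $now.AddYears(3))) {
    foreach ($tu in 'Symmetric/Sign', 'Symmetric/Verify', 'Password/Verify') {
        $n++
        $type, $usage = $tu.Split('/')
        [pscustomobject]@{
            KeyId = [guid]('00000000-0000-0000-0000-{0:d12}' -f $n)
            Type  = $type; Usage = $usage; EndDate = $end
        }
    }
}
$rows | Get-CredentialExpiryReport -Now $now | Format-Table -AutoSize

# Against a live tenant (after Connect-MsolService), feed the real objects:
# Get-MsolServicePrincipalCredential -AppPrincipalId $clientId -ReturnKeyValues $false |
#     Get-CredentialExpiryReport | Sort-Object EndDate | Format-Table -AutoSize
```

Leaving -ReturnKeyValues at $false keeps the secret values out of the console and any transcript. The KeyId column identifies old entries that can be retired with Remove-MsolServicePrincipalCredential once the application uses the new secret.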

Possible Errors (Import-Module MSOnline or Import-Module AzureAD)

This error might be displayed for a couple of reasons. Before testing many resolutions that might not work, confirm that you are running “Windows PowerShell (x64)”. On Windows (I use Windows 11), you usually have three (3) PowerShell versions installed:

Windows Powershell

Windows Powershell (x64) and

Windows Powershell (x86)

DO NOT assume that Windows Powershell is the same thing as Windows Powershell (x64).

Conclusion

In this article, I have discussed the SharePoint client ID/secret expiration error, and how to check and extend the expiration date.

I hope you find it useful!!

Written by Emmanuel Adegor

Principal Software Engineer/Architect ( M365 SharePoint | Teams | SPFX ) | Collaboration Platforms | Workflow Automation Expert