A Client Secret created in the Microsoft Entra admin center typically comes with an expiration date of up to two years. Renewing and managing this Client Secret every two years can be a hassle. It would be much easier if you could create a Client Secret that never expires. This article explains how to set up a perpetual Client Secret in Entra ID using PowerShell.
Client Secret in Entra ID
Credentials enable an application to authenticate independently, eliminating the need for user interaction during runtime. For simplicity, a Client Secret will be used as the credential type and integrated into the app registration.
You can create a client secret for an application by either generating it through the application’s settings in the Azure portal or using PowerShell for a more automated method.
- The maximum validity period for a Client Secret in Entra ID is limited to 24 months.
- It is possible to create a Client Secret with PowerShell for an unlimited duration. This can be done using a PowerShell script that sets the expiration date to an indefinite period, effectively bypassing the default 24-month limit imposed by the Microsoft Entra ID portal.
If you need to renew a Client Secret for an application in Entra ID, there’s no need to create a new one. You can use a PowerShell script to generate a Client Secret without any restrictions.
Register an application in Entra ID
How to register an app in the Microsoft Entra admin center.
1. Go to the Microsoft Entra admin center, then sign in to Microsoft Azure with your admin credentials.
2. Expand the Applications menu > Click App registrations > New registration.

3. Register an application
- Pick a name for your app that fits your requirements.
- Select accounts in this organizational directory only (single tenant).
- Click on Register.

After creating the app, go to the Overview page and copy the Object ID. Save this ID in Notepad, as you’ll need it later to create an unlimited Client Secret with PowerShell.

Create a Client Secret for application in Entra ID (Optional)
To create a Client Secret for your application in Entra ID, follow these steps:
1. Click on Certificates & secrets
2. Click Client secrets > New client secret
3. Type the description
4. Select an expiration date
5. Click Add
6. Make sure to copy the Client Secret value and store it securely.
Create a never-expired client secret with PowerShell
After registering an application, you can use PowerShell to create a Client Secret that doesn’t have an expiration date.
1. Open Windows PowerShell (Terminal) as an administrator and run the following command to install the required Microsoft Graph PowerShell module.
Install-Module Microsoft.Graph.Applications -Scope CurrentUser
2. Copy the script below and paste it into your preferred text editor. Make sure to replace the placeholder value of $AppObjectId with the Object ID you copied earlier during the app registration process.
# Connect to Microsoft Graph
Connect-MgGraph -Scopes 'Application.ReadWrite.All'
# Parameters
$AppObjectId = "xxxxxxxx-xxxxxx-xxxx-xxxx-xxxxxxxxx"
$AppSecretDescription = "Never expired client secret"
# Lifetime of the secret in years (integer, passed to AddYears below)
$AppYears = 50
$PasswordCred = @{
    displayName = $AppSecretDescription
    endDateTime = (Get-Date).AddYears($AppYears)
}
# Add App Client Secret - Valid for 50 years (change to 999 for unlimited years)
$Secret = Add-MgApplicationPassword -ApplicationId $AppObjectId -PasswordCredential $PasswordCred
# Write Client Secret value
$Secret | Format-List
3. The code is ready. Simply copy and paste it into the PowerShell window, then sign in using your global administrator credentials.
4. Select Consent on behalf of your organization, then click the Accept button.

5. The PowerShell output will display the SecretText (Client Secret Value). Be sure to copy the SecretText (Client Secret Value) and store it in a secure location.
PS C:\> $Secret | Format-List
CustomKeyIdentifier :
DisplayName : Never expired client secret
EndDateTime : 1/19/2074 3:00:18 AM
Hint : tFs
KeyId : 9fffb36d-788d-437f-b10b-f986e5fd0a47
SecretText : tFs8Q~VJBO8Yrgq6gFxexUfyLRWuIfAXin7jYbKl
StartDateTime : 1/19/2024 3:00:20 AM
AdditionalProperties : {[@odata.context,
https://graph.microsoft.com/v1.0/$metadata#microsoft.graph....]}
6. Head over to the Microsoft Entra admin center to confirm that the secret has been successfully created.
The new Client Secret has been created and is set to expire in 50 years. You’ve successfully set up a Client Secret for your Microsoft Azure application with no expiration date.
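To see which app registrations carry secrets created this way, the following added example (not part of the original article) flags client secrets whose lifetime exceeds the portal's 24-month limit. The function name Get-LongLivedSecret and the sample objects are assumptions constructed for illustration; real input comes from the Get-MgApplication cmdlet of the Microsoft Graph PowerShell module.

```powershell
# Added example (not from the article). Get-LongLivedSecret is a hypothetical helper.
function Get-LongLivedSecret {
    [CmdletBinding()]
    param(
        # Application objects shaped like Get-MgApplication output
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Application,
        # Portal maximum stated in the article: 24 months
        [int]$MaxMonths = 24
    )
    process {
        foreach ($cred in $Application.PasswordCredentials) {
            # Skip credentials that lack either date
            if (-not $cred.StartDateTime -or -not $cred.EndDateTime) { continue }
            $start = [datetime]$cred.StartDateTime
            $end   = [datetime]$cred.EndDateTime
            if ($end -gt $start.AddMonths($MaxMonths)) {
                [pscustomobject]@{
                    AppName       = $Application.DisplayName
                    AppObjectId   = $Application.Id
                    KeyId         = $cred.KeyId
                    Description   = $cred.DisplayName
                    EndDateTime   = $end
                    LifetimeYears = [math]::Round(($end - $start).TotalDays / 365.25, 1)
                }
            }
        }
    }
}

# Constructed sample input (placeholder IDs), so the function runs without a tenant
$sample = [pscustomobject]@{
    Id                  = '00000000-0000-0000-0000-000000000001'
    DisplayName         = 'demo-app'
    PasswordCredentials = @(
        [pscustomobject]@{ KeyId = '00000000-0000-0000-0000-0000000000aa'
            DisplayName = 'Never expired client secret'
            StartDateTime = [datetime]'2024-01-19'; EndDateTime = [datetime]'2074-01-19' }
        [pscustomobject]@{ KeyId = '00000000-0000-0000-0000-0000000000bb'
            DisplayName = 'Portal secret'
            StartDateTime = [datetime]'2024-01-19'; EndDateTime = [datetime]'2025-01-19' }
    )
}
$sample | Get-LongLivedSecret | Format-List

# Against a tenant, with a read-only scope:
# Connect-MgGraph -Scopes 'Application.Read.All'
# Get-MgApplication -All -Property Id,DisplayName,PasswordCredentials | Get-LongLivedSecret
```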
Conclusion
This guide explains how to create a non-expiring Client Secret in Entra ID using PowerShell, eliminating the need for periodic renewals.