How to Create an Unlimited Client Secret in Microsoft Entra ID

Creating a Client Secret in the Microsoft Entra admin center usually comes with an expiration date of up to two years. Managing and renewing this Client Secret biennially can be a tedious task. It would be convenient if one could create a Client Secret that does not expire. This article will walk you through the steps to create a perpetual Client Secret in Entra ID using PowerShell.

Client Secret in Entra ID

Credentials allow an application to authenticate on its own, removing the necessity for user interaction during runtime. For its simplicity, a Client Secret will be integrated into the app registration as the form of credentials.

To create a client secret for an application, you can either generate it through the application’s settings in the Azure portal or use PowerShell for a more automated approach.

The validity period for a Client Secret in Entra ID is capped at a maximum of 24 months.
Creating a Client Secret with PowerShell for an unlimited duration is possible. To achieve this, you must use a PowerShell script that sets the expiration date to an indefinite period, bypassing the standard 24-month limitation set by the Microsoft Entra ID portal.

If you have a Client Secret for an application in Entra ID and need to renew it, there is no need to create a new one. A PowerShell script can be used to generate a Client Secret without any limitations.

Register an application in Entra ID

How to register an application in the Microsoft Entra admin center.

1. Go to the Microsoft Entra admin center then Sign in to Microsoft Azure with your admin credentials

2. Expand the Applications menu > Click App registrations > New registration.

3. Register an application

Choose a name for your application that meets your criteria.
Select Accounts in this organizational directory only – (Single tenant)
Click Register

Once the app is created, navigate to the Overview page and copy the Object ID. Then, paste this ID into Notepad; you will need it later for creating an unlimited Client Secret using PowerShell.

Create a Client Secret for application in Entra ID (Optional)

Note Note: The expiration date for a Client Secret is capped at 24 months (2 years). In Entra ID, it's not possible to select an expiration period beyond this when creating or renewing a Client Secret. However, using PowerShell allows for the setting of an expiration date without any limit..

To generate a Client Secret for your application in Entra ID, you should perform the following steps:

Click on Certificates & secrets
Click Client secrets > New client secret
Type the description
Select an expiration date
Click Add

6. Copy the Client Secret value and ensure it is securely stored.

Note Note: Client secret values cannot be viewed except immediately after creation. Remember to save the secret when created before leaving the page.

Create a never-expired client secret with PowerShell

Once you have registered an application, it is possible to generate a Client Secret that has no expiration date by utilizing PowerShell.

1. Launch Windows PowerShell (Terminal) with administrative privileges and execute the following command to install the necessary Microsoft Graph PowerShell module.

Install-Module Microsoft.Graph.Applications -Scope CurrentUser

2. Copy the script below and paste it into your preferred text editor. Remember to replace the Object ID you copied previously during the app registration process.

# Connect to Microsoft Graph
Connect-MgGraph -Scopes 'Application.ReadWrite.All'

# Parameters
$AppObjectId = "xxxxxxxx-xxxxxx-xxxx-xxxx-xxxxxxxxx"
$AppSecretDescription = "Never expired client secret"
$AppYears = "50"

$PasswordCred = @{
    displayName = $AppSecretDescription
    endDateTime = (Get-Date).AddYears($AppYears)
}

# Add App Client Secret - Valid for 50 years (change to 999 for unlimited years)
$Secret = Add-MgApplicationPassword -ApplicationId $AppObjectId -PasswordCredential $PasswordCred

# Write Client Secret value
$Secret | Format-List

3. Your code is ready, copy and paste your code into the PowerShell windows then sign in with your global administrator credentials.

4. Select Consent on behalf of your organization then Click the Accept button.

5. The PowerShell output will show the SecretText (Client Secret Value). Make sure to copy the SecretText (Client Secret Value) and save it in a secure location.

PS C:\> $Secret | Format-List

CustomKeyIdentifier  :
DisplayName          : Never expired client secret
EndDateTime          : 1/19/2074 3:00:18 AM
Hint                 : tFs
KeyId                : 9fffb36d-788d-437f-b10b-f986e5fd0a47
SecretText           : tFs8Q~VJBO8Yrgq6gFxexUfyLRWuIfAXin7jYbKl
StartDateTime        : 1/19/2024 3:00:20 AM
AdditionalProperties : {[@odata.context,
                       https://graph.microsoft.com/v1.0/$metadata#microsoft.graph....]}

Note Note: Client secret values are only visible immediately after their creation. Ensure you save the secret before closing the PowerShell window.

6. Go to the Microsoft Enter admin center to verify the secret has been created.

The new Client Secret has been created and will expire after 50 years. You have successfully configured a Client Secret for your Microsoft Azure application that does not have an expiration date.

Conclusion

This guide will walk you through the process of creating a non-expiring Client Secret in Entra ID using PowerShell, thus removing the necessity to renew the Client Secret periodically.