A Client Secret created in the Microsoft Entra admin center usually has an expiration date of up to two years. Managing and renewing this Client Secret every two years can be inconvenient. Setting up a Client Secret that never expires would make things much simpler. This article walks you through how to create a perpetual Client Secret in Entra ID using PowerShell.
Client Secret in Entra ID
Credentials allow an application to authenticate on its own, removing the need for user interaction during runtime. To keep things simple, a Client Secret will be used as the credential type and incorporated into the app registration.
You can create a client secret for an application by generating it in the application’s settings through the Azure portal or by using PowerShell for a more streamlined and automated approach.
- In Entra ID, a Client Secret can have a maximum validity period of up to 24 months.
- You can create a Client Secret with PowerShell for an unlimited duration by using a script that sets the expiration date to indefinite. This effectively bypasses the default 24-month limit set by the Microsoft Entra ID portal.
If you need to renew a Client Secret for an application in Entra ID, there's no need to create a new app registration. You can easily generate a new Client Secret for the existing application using a PowerShell script without any limitations.
Register an application in Entra ID
How to register an app in the Microsoft Entra admin center:
1. Go to the Microsoft Entra admin center, then sign in to Microsoft Azure using your admin credentials.
2. Expand the Applications menu > Click App registrations > New registration.

3. Register an application
- Choose a name for your app that aligns with your needs.
- Choose accounts exclusively within this organizational directory (single tenant).
- Click on Register.

Once you’ve created the app, navigate to the Overview page and copy the Object ID. Save this ID in Notepad, as it will be needed later to generate an unlimited Client Secret using PowerShell.

Create a Client Secret for an application in Entra ID (Optional)
Follow these steps to create a Client Secret for your application in Entra ID:
1. Click on Certificates & secrets
2. Click Client secrets > New client secret
3. Type the description
4. Select an expiration date
5. Click Add
6. Be sure to copy the Client Secret value and keep it stored safely.
Create a never-expired client secret with PowerShell
Once you’ve registered an application, you can use PowerShell to generate a Client Secret with no expiration date.
1. Launch Windows PowerShell (Terminal) with administrative privileges, and execute the following command to install the necessary Microsoft Graph PowerShell module.
```powershell
Install-Module Microsoft.Graph.Applications -Scope CurrentUser
```

2. Copy the script below and paste it into your favorite text editor. Don't forget to replace the Object ID with the one you copied earlier during the app registration process.

```powershell
# Connect to Microsoft Graph
Connect-MgGraph -Scopes 'Application.ReadWrite.All'

# Parameters
$AppObjectId = "xxxxxxxx-xxxxxx-xxxx-xxxx-xxxxxxxxx"   # Object ID of the app registration
$AppSecretDescription = "Never expired client secret"
$AppYears = 50   # secret lifetime in years

$PasswordCred = @{
    displayName = $AppSecretDescription
    endDateTime = (Get-Date).AddYears($AppYears)
}

# Add App Client Secret - Valid for 50 years (change to 999 for unlimited years)
$Secret = Add-MgApplicationPassword -ApplicationId $AppObjectId -PasswordCredential $PasswordCred

# Write Client Secret value
$Secret | Format-List
```

3. The code is prepared. Just copy and paste it into the PowerShell window, then log in using your global administrator credentials.
4. Select Consent on behalf of your organization, then click the Accept button.

5. The PowerShell output will show the SecretText (Client Secret Value). Make sure to copy and securely store the SecretText (Client Secret Value).
```
PS C:\> $Secret | Format-List
CustomKeyIdentifier :
DisplayName : Never expired client secret
EndDateTime : 1/19/2074 3:00:18 AM
Hint : tFs
KeyId : 9fffb36d-788d-437f-b10b-f986e5fd0a47
SecretText : tFs8Q~VJBO8Yrgq6gFxexUfyLRWuIfAXin7jYbKl
StartDateTime : 1/19/2024 3:00:20 AM
AdditionalProperties : {[@odata.context,
https://graph.microsoft.com/v1.0/$metadata#microsoft.graph....]}
```

6. Go to the Microsoft Entra admin center to verify that the secret has been created successfully.
The new Client Secret has been created with a 50-year expiration period. You’ve successfully configured a Client Secret for your Microsoft Azure application without an expiration date.
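Secrets created this way outlive the portal's 24-month ceiling, so a tenant inventory should be able to find them and track who owns them. The following PowerShell is an added example, not part of the original article: `Find-LongLivedSecret`, `-MaxMonths` and the sample objects are hypothetical names and constructed data, and the function only reads `PasswordCredentials` in the shape `Get-MgApplication` returns.

```powershell
# Added example (not from the article): report secrets that outlive a policy limit.
# Find-LongLivedSecret and -MaxMonths are hypothetical names, not Microsoft Graph cmdlets.
function Find-LongLivedSecret {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Application,
        [int] $MaxMonths = 24   # portal maximum stated in the article
    )
    process {
        foreach ($cred in $Application.PasswordCredentials) {
            if (-not $cred.EndDateTime) { continue }   # no end date recorded, nothing to measure
            # Measure from the secret's own start date; fall back to now if it is missing
            $start = if ($cred.StartDateTime) { [datetime]$cred.StartDateTime } else { Get-Date }
            $end   = [datetime]$cred.EndDateTime
            # One day of tolerance so a secret issued for exactly $MaxMonths is not flagged
            if ($end -gt $start.AddMonths($MaxMonths).AddDays(1)) {
                [pscustomobject]@{
                    AppName       = $Application.DisplayName
                    AppObjectId   = $Application.Id
                    KeyId         = $cred.KeyId
                    SecretName    = $cred.DisplayName
                    EndDateTime   = $end
                    LifetimeYears = [math]::Round(($end - $start).TotalDays / 365.25, 1)
                }
            }
        }
    }
}

# Constructed sample shaped like Get-MgApplication output (not real tenant data)
$sample = @(
    [pscustomobject]@{
        DisplayName = 'demo-app-a'; Id = '00000000-0000-0000-0000-00000000000a'
        PasswordCredentials = @(
            [pscustomobject]@{ KeyId = 'aaaaaaaa-0000-0000-0000-000000000001'; DisplayName = 'portal secret'
                StartDateTime = [datetime]'2024-01-19'; EndDateTime = [datetime]'2026-01-19' }
            [pscustomobject]@{ KeyId = 'aaaaaaaa-0000-0000-0000-000000000002'; DisplayName = 'Never expired client secret'
                StartDateTime = [datetime]'2024-01-19'; EndDateTime = [datetime]'2074-01-19' }
        )
    }
    [pscustomobject]@{ DisplayName = 'demo-app-b'; Id = '00000000-0000-0000-0000-00000000000b'; PasswordCredentials = @() }
)

# Run the check over the constructed sample
$sample | Find-LongLivedSecret | Format-Table -AutoSize

# Against a live tenant, a read-only scope is enough:
# Connect-MgGraph -Scopes 'Application.Read.All'
# Get-MgApplication -All -Property Id,DisplayName,PasswordCredentials | Find-LongLivedSecret
```

Each reported `KeyId`, together with its `AppObjectId`, can be passed to `Remove-MgApplicationPassword` once the application has been moved to a shorter-lived credential.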