When you create a client secret in the Microsoft Entra admin center, the longest expiration you can pick is 24 months, so every app registration that relies on a secret has to be revisited at least every two years. Microsoft Graph does not impose that limit: the end date of a password credential can be set decades into the future, which in practice means a secret that never expires during the application's lifetime. This article walks through creating such a long-lived client secret in Entra ID with the Microsoft Graph PowerShell module, and notes the checks worth making before you rely on one.
Client Secret in Entra ID
Credentials let an application authenticate as itself, without a user signing in at runtime. Because it is the simplest credential type to set up, we will add a client secret to the app registration. (A certificate is the stronger choice for production workloads, since its private key never has to be copied around the way a secret value does.)
There are two ways to add a client secret to an app registration:
- In the Microsoft Entra admin center, with a maximum validity of 24 months
- With PowerShell (Microsoft Graph), with any end date you choose, which can be set decades ahead
If an application already has a client secret that is about to expire, you cannot extend it: a credential's end date is fixed when it is created. What you can do is add a new secret with PowerShell, with whatever lifetime you need, switch the application over to the new value, and then delete the old credential.
Register an application in Entra ID
How to register an application in the Microsoft Entra admin center.
1. Go to the Microsoft Entra admin center and sign in with your admin credentials.
2. Expand the Applications menu > Click App registrations > New registration.
3. Register an application
- Choose a name for your application that fits your requirements.
- Select Accounts in this organizational directory only – (Single tenant)
- Click Register
After creating the app, go to the Overview page and copy the Object ID. Be careful to take the Object ID and not the Application (client) ID: they are different GUIDs, and the Graph cmdlet used later expects the object ID even though its parameter is called ApplicationId. Paste the value into Notepad; you will need it when creating the long-lived client secret with PowerShell.
Create a Client Secret for application in Entra ID (Optional)
To create a client secret for your application in the admin center, follow these steps:
- Click Certificates & secrets
- Click Client secrets > New client secret
- Type a description
- Select an expiration (24 months at most)
- Click Add
- Copy the client secret Value and save it; it is shown only once
Create a never-expiring client secret with PowerShell
After registering the app, you can generate a client secret with PowerShell whose end date lies far enough in the future that it will not expire while the application is in use.
1. Launch PowerShell and run the following command to install the Microsoft Graph module that contains the application cmdlets. Administrative privileges are not required for a CurrentUser install.
Install-Module Microsoft.Graph.Applications -Scope CurrentUser
2. Copy the script below into your preferred text editor and replace the $AppObjectId placeholder with the Object ID you copied during app registration.
# Connect to Microsoft Graph with the delegated permission needed to add credentials to an app
Connect-MgGraph -Scopes 'Application.ReadWrite.All'
# Parameters
$AppObjectId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"   # Object ID of the app registration (not the Application (client) ID)
$AppSecretDescription = "Never expired client secret"
$AppYears = 50                                          # lifetime in years; AddYears expects an integer
# Password credential: Graph takes only a display name and an end date, the secret value is generated server-side
$PasswordCred = @{
    displayName = $AppSecretDescription
    endDateTime = (Get-Date).AddYears($AppYears)
}
# Add the client secret. -ApplicationId takes the object ID.
# Raise $AppYears for a more distant end date; there is no "no expiry" setting, only a date further out.
$Secret = Add-MgApplicationPassword -ApplicationId $AppObjectId -PasswordCredential $PasswordCred
# Show the new credential. SecretText is returned only by this call and can never be retrieved again.
$Secret | Format-List
3. Paste the script into the PowerShell window. A browser sign-in prompt appears; use an account that can grant admin consent for Application.ReadWrite.All (for example a Global Administrator) and that is allowed to manage this app registration (an owner of it, or an Application Administrator, Cloud Application Administrator or Global Administrator).
4. If the consent prompt appears, tick Consent on behalf of your organization and click Accept. This is only needed the first time the scope is requested for the Microsoft Graph PowerShell application.
5. The output shows SecretText, the client secret value. Copy it into a secret store now: Graph returns it only in this response, and afterwards the admin center displays nothing more than the three-character Hint.
PS C:\> $Secret | Format-List
CustomKeyIdentifier :
DisplayName : Never expired client secret
EndDateTime : 1/19/2074 3:00:18 AM
Hint : tFs
KeyId : 9fffb36d-788d-437f-b10b-f986e5fd0a47
SecretText : tFs8Q~VJBO8Yrgq6gFxexUfyLRWuIfAXin7jYbKl
StartDateTime : 1/19/2024 3:00:20 AM
AdditionalProperties : {[@odata.context, https://graph.microsoft.com/v1.0/$metadata#microsoft.graph....]}
6. Go to the Microsoft Entra admin center, open the app registration's Certificates & secrets page, and verify that the secret has been created. Its Value column shows only the hint (the first three characters) and its Expires column shows the end date you set.
Your new client secret has been added with an expiry 50 years out, so it will not need to be renewed on the usual 24-month cycle. You have successfully set up a long-lived client secret for an application in Entra ID.
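To tie the steps together, and to cover the renewal case from the start of the article, here is an added example (not code from the original post) that rotates the secret on one app registration rather than only adding one: it lists the credentials the app already has with their remaining lifetime, adds a replacement with an explicit lifetime, prints the new value once, and removes the superseded credentials by KeyId. The object ID, the 50-year lifetime and the description are placeholders; Get-MgApplication, Add-MgApplicationPassword and Remove-MgApplicationPassword are the Microsoft.Graph.Applications cmdlets used throughout this article.

```powershell
# Added example (not from the original post): rotate an app registration's client secret
# instead of trying to extend it. Assumes Microsoft.Graph.Applications is installed and the
# signed-in account can grant Application.ReadWrite.All and is allowed to manage this app.
Connect-MgGraph -Scopes 'Application.ReadWrite.All'

# Object ID of the app registration (not the Application (client) ID). Placeholder value.
$AppObjectId   = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
$LifetimeYears = 50                                         # hypothetical; pick what your policy allows
$Description   = "Rotated $(Get-Date -Format 'yyyy-MM-dd')"

# 1. Show what is already on the app, with the remaining lifetime of each credential.
$App = Get-MgApplication -ApplicationId $AppObjectId -Property Id,DisplayName,PasswordCredentials
"Existing password credentials on '$($App.DisplayName)':"
$App.PasswordCredentials |
    Select-Object DisplayName, Hint, KeyId, StartDateTime, EndDateTime,
        @{ n = 'DaysLeft'; e = { [int]($_.EndDateTime - (Get-Date)).TotalDays } } |
    Format-Table -AutoSize

# Remember the KeyIds that exist now; these are the ones the new secret will supersede.
$OldKeyIds = @($App.PasswordCredentials | Where-Object { $_.KeyId } | ForEach-Object { $_.KeyId })

# 2. Add the replacement credential. endDateTime is the only lifetime control Graph offers;
#    nothing in the API lets you change the end date of an existing credential in place.
$New = Add-MgApplicationPassword -ApplicationId $AppObjectId -PasswordCredential @{
    displayName = $Description
    endDateTime = (Get-Date).AddYears($LifetimeYears)
}

# 3. Capture the value now. Graph never returns SecretText again after this call, so it must
#    go straight into a secret store; printing it here is only for the walkthrough.
$New | Select-Object DisplayName, Hint, KeyId, EndDateTime, SecretText | Format-List

# 4. Once the consuming application has been switched to the new value, remove the superseded
#    credentials so the old secret values stop working.
foreach ($KeyId in $OldKeyIds) {
    Remove-MgApplicationPassword -ApplicationId $AppObjectId -KeyId $KeyId
    "Removed credential $KeyId"
}
```

Run the removal loop only after the application that uses the secret has been updated; commenting it out gives you an overlap window in which both secrets are valid. Because the Graph API cannot extend a credential, renewal is always add-then-remove, and the rotation is complete only when the old KeyId is gone.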
Conclusion
This post walked through creating a long-lived client secret in Entra ID with PowerShell, so that the secret does not have to be renewed every 24 months as it would if it had been created in the admin center. Two things to keep in mind before adopting it: a secret that never expires is a secret that is never rotated, so store the value in a secret store and keep the list of app owners short; and a tenant app management policy can cap the lifetime of password credentials, in which case Add-MgApplicationPassword will reject an end date beyond the cap.
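The check a security team will want alongside this procedure, as an added example that is not part of the original post: a read-only sweep of every app registration in the tenant that reports password credentials whose lifetime exceeds a threshold. The 730-day threshold (the admin center's own maximum) and the CSV path are assumptions; the cmdlet is Get-MgApplication from Microsoft.Graph.Applications, and the sweep needs only the Application.Read.All permission.

```powershell
# Added example (not from the original post): find client secrets in the tenant whose
# lifetime exceeds a policy threshold. Read-only; requires Application.Read.All.
Connect-MgGraph -Scopes 'Application.Read.All'

$MaxLifetimeDays = 730            # hypothetical policy: two years, the admin center's maximum
$ReportPath      = '.\long-lived-client-secrets.csv'   # assumed output location

# Walk every app registration and every password credential on it.
$Findings = foreach ($App in Get-MgApplication -All -Property Id,AppId,DisplayName,PasswordCredentials) {
    foreach ($Cred in $App.PasswordCredentials) {
        # Skip malformed entries rather than failing the whole sweep.
        if (-not $Cred.StartDateTime -or -not $Cred.EndDateTime) { continue }

        $LifetimeDays = ($Cred.EndDateTime - $Cred.StartDateTime).TotalDays
        if ($LifetimeDays -gt $MaxLifetimeDays) {
            [pscustomobject]@{
                Application   = $App.DisplayName
                AppObjectId   = $App.Id
                ClientId      = $App.AppId
                SecretHint    = $Cred.Hint          # first three characters; enough to match in the portal
                KeyId         = $Cred.KeyId
                StartDateTime = $Cred.StartDateTime
                EndDateTime   = $Cred.EndDateTime
                LifetimeYears = [math]::Round($LifetimeDays / 365.25, 1)
            }
        }
    }
}

# Longest-lived first, on screen and in a CSV for tracking.
$Findings | Sort-Object LifetimeYears -Descending | Format-Table -AutoSize
$Findings | Export-Csv -Path $ReportPath -NoTypeInformation
"$(@($Findings).Count) credential(s) exceed $MaxLifetimeDays days; report written to $ReportPath"
```

The secret created earlier in this article will show up in this report with a LifetimeYears of 50, which is the point: a long-lived secret is acceptable only if someone knows it exists and can find it again when the application is retired or the value leaks.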