update replace client secret

Author: WHOIS: ldap_open failed

docs/sp-add-ins/replace-an-expiring-client-secret-in-a-sharepoint-add-in.md

@@ -1,14 +1,14 @@
 ---
 title: Replace an expiring client secret in a SharePoint Add-in
 description: Add a new client secret for a SharePoint Add-in that is registered with AppRegNew.aspx.
-ms.date: 06/13/2022
+ms.date: 06/21/2023
 ms.prod: sharepoint
 ms.localizationpriority: high
 ---
 
 # Replace an expiring client secret in a SharePoint Add-in
 
-Client secrets for SharePoint Add-ins that are registered by using the AppRegNew.aspx page expire after one year. This article explains how to add a new secret for the add-in, and how to create a new client secret that is valid for three years.
+Client secrets for SharePoint Add-ins that are registered by using the AppRegNew.aspx page expire after one year. This article explains how to add a new secret for the add-in, and how to create a new client secret that is valid for a customized date.
 
 > [!NOTE]
 > This article is about SharePoint Add-ins that are distributed through an organization catalog and registered with the AppRegNew.aspx page. If the add-in is registered on the Seller Dashboard, see [Create or update client IDs and secrets in the Seller Dashboard](/office/dev/store/create-or-update-client-ids-and-secrets).
@@ -25,72 +25,50 @@ Removing an expired secret from ACS before you remove it from the application co
 
 Ensure the following before you begin:
 
-- Microsoft Online Services Sign-In Assistant is installed on the development computer.
-- You can connect to Office 365 with PowerShell: [Connect to Office 365 PowerShell](/office365/enterprise/powershell/connect-to-office-365-powershell)
-- You're a tenant administrator for the Office 365 tenant (or a farm administrator on the farm) where the add-in was registered with the AppRegNew.aspx page.
+- You have installed Microsoft Graph Powershell SDK: [Install the Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/installation)
+- You're a tenant administrator (or having `Application.ReadWrite.All` permission) for the Office 365 tenant where the add-in was registered with the AppRegNew.aspx page.
 
-## Find out the expiration dates of the SharePoint Add-ins installed to the Office 365 tenancy
+## Generate a new secret
 
-1. Open Windows PowerShell and run the following cmdlet:
+1. Create a client ID variable with the following line, using the client ID of the SharePoint Add-in as the parameter.
 
     ```powershell
-    Connect-MsolService
+    $clientId = 'client id of the add-in'
     ```
-
-1. At the sign-in prompt, enter tenant-administrator (or farm administrator) credentials for the Office 365 tenancy or farm where the add-in was registered with AppRegNew.aspx.
-1. Generate a report that lists each add-in and the date that its secret expires with the following lines. Note the following about this code:
-
-    - It first filters out Microsoft's own applications, add-ins still under development (and a now-deprecated type of add-in that was called autohosted).
-    - From the remainder, it filters out non-SharePoint add-ins and add-ins that use asymmetric keys, such as workflows.
+2. Connect to graph with `Application.ReadWrite.All` scope.
 
     ```powershell
-    $applist = Get-MsolServicePrincipal -all  |Where-Object -FilterScript { ($_.DisplayName -notlike "*Microsoft*") -and ($_.DisplayName -notlike "autohost*") -and  ($_.ServicePrincipalNames -notlike "*localhost*") }
-
-    foreach ($appentry in $applist) {
-        $principalId = $appentry.AppPrincipalId
-
-        Get-MsolServicePrincipalCredential -AppPrincipalId $principalId -ReturnKeyValues $false | Where-Object { $_.Type -eq "Password" } | ForEach-Object {
-            [PSCustomObject][Ordered]@{
-                PrincipalName = $appentry.DisplayName
-                PrincipalId = $principalId
-                KeyID = $_.KeyId
-                StartDate = $_.StartDate
-                EndDate = $_.EndDate
-            } | Export-Csv -Path C:\temp\appsec.csv -NoTypeInformation -Delimiter ';' -Append
-        }
-    }
+    Connect-MgGraph -Scopes "Application.ReadWrite.All" # Login with corresponding scope. Should be tenant admin or anyone have the permission.
     ```
-
-1. Open the file C:\temp\appsec.csv to see the report. Leave the Windows PowerShell window open for the next procedure, if any of the secrets are near expiration.
-
-## Generate a new secret
-
-1. Create a client ID variable with the following line, using the client ID of the SharePoint Add-in as the parameter.
+3. Generate a new client secret with the following lines:
 
     ```powershell
-    $clientId = 'client id of the add-in'
-    ```
+    $appPrincipal = Get-MgServicePrincipal -Filter "AppId eq '$clientId'" # Get principal id by AppId
+
+    $params = @{
+        PasswordCredential = @{
+            DisplayName = "NewSecret" # Replace with a firendly name.
+        }
+    }
 
-1. Generate a new client secret with the following lines:
+    $result = Add-MgServicePrincipalPassword -ServicePrincipalId $appPrincipal.Id -BodyParameter $params    # Update the secret
 
-    ```powershell
-    $bytes = New-Object Byte[] 32
-    $rand = [System.Security.Cryptography.RandomNumberGenerator]::Create()
-    $rand.GetBytes($bytes)
-    $rand.Dispose()
-    $newClientSecret = [System.Convert]::ToBase64String($bytes)
-    $dtStart = [System.DateTime]::Now
-    $dtEnd = $dtStart.AddYears(1)
-    New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Symmetric -Usage Sign -Value $newClientSecret -StartDate $dtStart -EndDate $dtEnd
-    New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Symmetric -Usage Verify -Value $newClientSecret -StartDate $dtStart -EndDate $dtEnd
-    New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Password -Usage Verify -Value $newClientSecret -StartDate $dtStart -EndDate $dtEnd
-    $newClientSecret
+    $result.SecretText # Print the new secret
+    $result.EndDateTime # Print the end date.
     ```
 
-1. The new client secret appears on the Windows PowerShell console. Copy it to a text file. You use it in the next procedure.
+4. The new client secret appears on the Windows PowerShell console. Copy it to a text file. You use it in the next procedure.
 
     > [!TIP]
-    > By default, the add-in secret lasts one year. You can set this to a shorter or longer by using the **-EndDate** parameter on the three calls of the **New-MsolServicePrincipalCredential** cmdlet.
+    > By default, the secret lasts two years if you didn't specifiy the EndDateTime. You can customize by leveraging the example below to specify the EndDateTime.
+    > ``` powershell
+    > $params = @{
+    >     PasswordCredential = @{
+    >         DisplayName = "NewSecret" # Replace with a firendly name.
+    >         EndDateTime = "2025-01-01T00:00:00Z" # Optional. Specify the end date you want. Using ISO 8601 format and is always in UTC time.
+    >     }
+    > }
+    > ```
 
 ## Update the remote web application in Visual Studio to use the new secret
 
@@ -133,55 +111,6 @@ Ensure the following before you begin:
 1. If you changed to a new TokenHelper file, rebuild the project.
 1. Republish the web application.
 
-## Create a client secret that is valid for three years
-
-For expired client secrets, first you must delete all of the expired secrets for a given **clientId**. You then create a new one with MSO PowerShell, wait at least 24 hours, and test the app with the new **clientId** and **ClientSecret** key.
-
-1. Connect to MSOnline using the tenant admin user with the following markup using SharePoint Windows PowerShell.
-
-    ```powershell
-    import-module MSOnline
-    $msolcred = get-credential
-    connect-msolservice -credential $msolcred
-    ```
-
-1. Get **ServicePrincipals** and keys. Printing **$keys** returns three records. You also see the **EndDate** of each key. Confirm whether your expired key appears there.
-
-    > [!NOTE]
-    > The **clientId** needs to match your expired **clientId**. It's recommended to delete all keys, both expired and unexpired, for this **clientId**.
-
-    ```powershell
-    $clientId = "27c5b286-62a6-45c7-beda-abbaea6eecf2"
-    $keys = Get-MsolServicePrincipalCredential -AppPrincipalId $clientId
-    $keys
-    ```
-
-1. Remove all keys once you have confirmed that they are indeed expired.
-
-    ```powershell
-    Remove-MsolServicePrincipalCredential -KeyIds $keys.KeyId -AppPrincipalId $clientId
-    ```
-
-1. Generate a new **ClientSecret** for this **clientID**. It uses the same **clientId** as set in the preceding step. The new **ClientSecret** is valid for three years.
-
-    ```powershell
-    $bytes = New-Object Byte[] 32
-    $rand = [System.Security.Cryptography.RandomNumberGenerator]::Create()
-    $rand.GetBytes($bytes)
-    $rand.Dispose()
-    $newClientSecret = [System.Convert]::ToBase64String($bytes)
-    $dtStart = [System.DateTime]::Now
-    $dtEnd = $dtStart.AddYears(3)
-    New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Symmetric -Usage Sign -Value $newClientSecret -StartDate $dtStart  -EndDate $dtEnd
-    New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Symmetric -Usage Verify -Value $newClientSecret   -StartDate $dtStart  -EndDate $dtEnd
-    New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Password -Usage Verify -Value $newClientSecret   -StartDate $dtStart  -EndDate $dtEnd
-    $newClientSecret
-    ```
-
-1. Copy the output of **$newClientSecret**.
-1. Replace the **Web.config** with this **ClientId** and **ClientSecret**. You don't need **SecondaryClientSecret** app settings.
-1. Wait at least 24 hours to propagate **ClientSecret** to SharePoint Office (SPO).
-
 ## See also
 
 - [Provider Hosted App fails on SPO](/archive/blogs/sharepointdevelopersupport/provider-hosted-app-fails-on-spo)