Commit d8f087c

Update replace-an-expiring-client-secret-in-a-sharepoint-add-in.md
We had a very nasty Sev 1 support case where the customer tried to simply replace the expiring client secret with the new one and it didn't work. We told them to follow this article exactly but apparently it had been working in the past and there was absolutely no tolerance for downtime. Finally we got the PG to state categorically that only one client secret can be active per App Principal. This is different from a regular AAD Application. We feel it is very important we include this information, although feel free to change the format. We can save a lot of trouble, time and money for the customer and support by clearly documenting the expected behavior. Thank you very much and don't hesitate to contact me with any questions.
1 parent 28462a3 commit d8f087c

1 file changed

+2
-2
lines changed

docs/sp-add-ins/replace-an-expiring-client-secret-in-a-sharepoint-add-in.md

Lines changed: 2 additions & 2 deletions
@@ -116,8 +116,6 @@ $newClientSecret
116116

117117
**Tip** By default, the add-in secret lasts one year. You can set this to a shorter or longer (up to 3 years maximum) by using the **-EndDate** parameter on the three calls of the **New-MsolServicePrincipalCredential** cmdlet. The value of the parameter must be a [DateTime](http://msdn2.microsoft.com/EN-US/library/03ybds8y) object set to no longer than 3 years from **DateTime.Now**.
118118

119-
120-
121119
## Update the remote web application in Visual Studio to use the new secret
122120

123121

@@ -155,6 +153,8 @@ $newClientSecret
155153
</appSettings>
156154
```
157155

156+
***Important Note*** You will not be able to use the newly generated client secret until the current client secret expires. Therefore, changing the ClientId key to the new client secret without the SecondaryClientSecret key present will NOT work. You MUST follow the above procedure provided here and wait for the previous client secret to expire. Then, you can remove the SecondaryClientSecret if you desire.
157+
158158
4. If you changed to a new TokenHelper file, rebuild the project.
159159

160160
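Review bot: The added note says "changing the ClientId key to the new client secret", but a secret value does not belong in the ClientId key; given the SecondaryClientSecret key named in the same sentence, this presumably means the ClientSecret key and should say so. The note should also state which key holds the old secret and which holds the new one while both are present, and it would help to carry over the point from the commit message that only one client secret can be active per app principal, since that is the reason a straight swap fails. Two formatting points: the paragraph starts at column 0 between the closing code fence and step 4, which is likely to break the numbered list unless it is indented to the list item's level, and the file's existing callout style is `**Tip**`, so `**Important**` would match better than `***Important Note***`.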
