Update replace-an-expiring-client-secret-in-a-sharepoint-add-in.md

akkomats · web-flow · commit 9e99b7cf8f96 · 2024-09-09T22:32:06.000+09:00
Since Azure AD PowerShell was deprecated on March 30, 2024 (https://techcommunity.microsoft.com/t5/microsoft-entra-blog/important-azure-ad-graph-retirement-and-powershell-module/ba-p/3848270), we need to change the sample scripts to Microsoft Graph PowerShell SDK. The commit 020d3e0 (SharePoint@020d3e0) changed the scripts from Microsoft Graph PowerShell SDK to Auzre AD PowerShell on Sep 13, 2023. I've reverted this again.
diff --git a/docs/sp-add-ins/replace-an-expiring-client-secret-in-a-sharepoint-add-in.md b/docs/sp-add-ins/replace-an-expiring-client-secret-in-a-sharepoint-add-in.md
@@ -1,7 +1,7 @@
 ---
 title: Replace an expiring client secret in a SharePoint Add-in
 description: Add a new client secret for a SharePoint Add-in that is registered with AppRegNew.aspx.
-ms.date: 09/26/2023
+ms.date: 09/09/2024
 ms.localizationpriority: high
 ms.service: sharepoint
 ---
@@ -27,8 +27,8 @@ Removing an expired secret from ACS before you remove it from the application co
 
 Ensure the following before you begin:
 
-- You have installed Azure Active Directory PowerShell 2.0: [Install Azure Active Directory PowerShell for Graph](/powershell/azure/active-directory/install-adv2)
-- You're a tenant administrator for the Microsoft 365 tenant where the add-in was registered with the **AppRegNew.aspx** page.
+- You have installed Microsoft Graph Powershell SDK: [Install the Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/installation)
+- You're a tenant administrator (or having `Application.ReadWrite.All` permission) for the Microsoft 365 tenant where the add-in was registered with the **AppRegNew.aspx** page.
 
 ## Generate a new secret
 
@@ -38,35 +38,60 @@ Ensure the following before you begin:
     $clientId = 'client id of the add-in'
     ```
 
-1. Connect to AzureAD PowerShell.
+2. Connect to graph with `Application.ReadWrite.All, Directory.ReadWrite.All` scope.
 
     ```powershell
-    $AzureAdCred = Get-Credential
-    Connect-AzureAD -Credential $AzureAdCred # Login to AzureAD
+    Connect-MgGraph -Scopes "Application.ReadWrite.All,Directory.ReadWrite.All" # Login with corresponding scope. Should be tenant admin or anyone have the permission.
     ```
     
-1. Generate a new client secret with the following lines:
+3. Generate a new client secret with the following lines:
 
     ```powershell
-    $endDate = (Get-Date).AddYears(1)
-    $app = Get-AzureADServicePrincipal -Filter "AppId eq '$clientId'"
-    $objectId = $app.ObjectId
-
-    $base64secret = New-AzureADServicePrincipalPasswordCredential -ObjectId $objectId -EndDate $endDate
-    New-AzureADServicePrincipalKeyCredential -ObjectId $objectId -EndDate $endDate -Type Symmetric -Usage Verify -Value $base64secret.Value
-    New-AzureADServicePrincipalKeyCredential -ObjectId $objectId -EndDate $endDate -Type Symmetric -Usage Sign -Value $base64secret.Value
-
-    [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($base64secret.Value))
-    $base64secret.EndDate # Print the end date.
+    $appPrincipal = Get-MgServicePrincipal -Filter "AppId eq '$clientId'" # Get principal id by AppId
+    $params = @{
+        PasswordCredential = @{
+            DisplayName = "NewSecret" # Replace with a friendly name.
+        }
+    }
+    $result = Add-MgServicePrincipalPassword -ServicePrincipalId $appPrincipal.Id -BodyParameter $params    # Update the secret
+    $base64Secret = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($result.SecretText)) # Convert to base64 string.
+    $app = Get-MgServicePrincipal -ServicePrincipalId $appPrincipal.Id # get existing app information
+    $existingKeyCredentials = $app.KeyCredentials # read existing credentials
+    $dtStart = [System.DateTime]::Now # Start date
+    $dtEnd = $dtStart.AddYears(2) # End date (equals to secret end date)
+    $keyCredentials = @( # construct keys
+        @{
+            Type = "Symmetric"
+            Usage = "Verify"
+            Key = [System.Text.Encoding]::ASCII.GetBytes($result.SecretText)
+            StartDateTime = $dtStart
+            EndDateTIme = $dtEnd
+        },
+        @{
+            type = "Symmetric"
+            usage = "Sign"
+            key = [System.Text.Encoding]::ASCII.GetBytes($result.SecretText)
+            StartDateTime = $dtStart
+            EndDateTIme = $dtEnd
+        }
+    ) + $existingKeyCredentials # combine with existing
+    Update-MgServicePrincipal -ServicePrincipalId $appPrincipal.Id -KeyCredentials $keyCredentials # Update keys
+    $base64Secret # Print base64 secret
+    $result.EndDateTime # Print the end date.
     ```
 
-1. The new client secret appears on the Windows PowerShell console. Copy it to a text file. You use it in the next procedure.
+4. The new client secret appears on the Windows PowerShell console. Copy it to a text file. You use it in the next procedure.
 
     > [!TIP]
-    > By default, the secret lasts one year. You can customize by leveraging the example below to specify the EndDateTime.
+    > By default, the secret lasts two years if you didn't specify the EndDateTime. You can customize by leveraging the example below to specify the EndDateTime.
     > 
     > ``` powershell
-    > $endDate = (Get-Date).AddYears(2) # 2 year.
+    > $params = @{
+    >     PasswordCredential = @{
+    >         DisplayName = "NewSecret" # Replace with a firendly name.
+    >         EndDateTime = "2025-01-01T00:00:00Z" # Optional. Specify the end date you want. Using ISO 8601 format.
+    >     }
+    > }
     > ```
 
 ## Update the remote web application in Visual Studio to use the new secret
