docs/sp-add-ins/replace-an-expiring-client-secret-in-a-sharepoint-add-in.md
Lines changed: 70 additions & 75 deletions
@@ -20,101 +20,98 @@ Ensure the following before you begin:
20
20
-[Microsoft Online Services Sign-In Assistant](https://www.microsoft.com/en-us/download/details.aspx?id=39267) is installed on the development computer.
21
21
22
22
- Microsoft Online Services PowerShell Module ([32-bit](http://go.microsoft.com/fwlink/p/?linkid=236298); [64-bit](http://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=59185)) is installed on the development computer.
23
-
23
+
24
24
- You are a tenant administrator for the Office 365 tenant (or a farm administrator on the farm) where the add-in was registered with the AppRegNew.aspx page.
25
-
26
25
27
26
## Find out the expiration dates of the SharePoint Add-ins installed to the Office 365 tenancy
28
27
29
28
1. Open Windows PowerShell and run the following cmdlet:
30
-
29
+
31
30
```powershell
32
-
Connect-MsolService
31
+
Connect-MsolService
33
32
```
34
33
35
34
2. At the sign-in prompt, enter tenant-administrator (or farm administrator) credentials for the Office 365 tenancy or farm where the add-in was registered with AppRegNew.aspx.
36
-
35
+
37
36
3. Generate a report that lists each add-in and the date that its secret expires with the following lines. Note the following about this code:
38
-
37
+
39
38
- It first filters out Microsoft's own applications, add-ins still under development (and a now-deprecated type of add-in that was called autohosted).
40
-
39
+
41
40
- From the remainder, it filters out non-SharePoint add-ins and add-ins that use asymmetric keys, such as workflows.
4. Open the file C:\temp\appsec.txt to see the report. Leave the Windows PowerShell window open for the next procedure, if any of the secrets are near expiration.
55
-
56
54
57
55
## Generate a new secret
58
56
59
57
1. Create a client ID variable with the following line, using the client ID of the SharePoint Add-in as the parameter.
60
-
58
+
61
59
```powershell
62
-
$clientId = 'client id of the add-in'
60
+
$clientId = 'client id of the add-in'
63
61
```
64
62
65
63
2. Generate a new client secret with the following lines:
3. The new client secret appears on the Windows PowerShell console. Copy it to a text file. You use it in the next procedure.
80
78
81
79
> [!TIP]
82
80
> By default, the add-in secret lasts one year. You can set this to a shorter or longer (up to 3 years maximum) by using the **-EndDate** parameter on the three calls of the **New-MsolServicePrincipalCredential** cmdlet. The value of the parameter must be a [DateTime](https://msdn.microsoft.com/EN-US/library/03ybds8y) object set to no longer than 3 years from **DateTime.Now**.
83
-
81
+
84
82
## Update the remote web application in Visual Studio to use the new secret
85
83
86
84
> [!IMPORTANT]
87
-
> If your add-in was originally created with a pre-release version of the Microsoft Office Developer Tools for Visual Studio, it may contain an out-of-date version of the TokenHelper.cs (or .vb) file. If the file does not contain the string "secondaryClientSecret", it is out of date and must be replaced before you can update the web application with a new secret. To obtain a copy of a release version of the file, you need Visual Studio 2012 or later. Create a new SharePoint Add-in project in Visual Studio. Copy the TokenHelper file from it to the web application project of your SharePoint Add-in.
88
-
85
+
> If your add-in was originally created with a pre-release version of the Microsoft Office Developer Tools for Visual Studio, it may contain an out-of-date version of the TokenHelper.cs (or .vb) file. If the file does not contain the string "secondaryClientSecret", it is out of date and must be replaced before you can update the web application with a new secret. To obtain a copy of a release version of the file, you need Visual Studio 2012 or later. Create a new SharePoint Add-in project in Visual Studio. Copy the TokenHelper file from it to the web application project of your SharePoint Add-in.
86
+
89
87
1. Open the SharePoint Add-in project in Visual Studio, and open the web.config file for the web application project. In the **appSettings** section, there are keys for the client ID and client secret. The following is an example:
90
-
91
-
```XML
92
-
<appSettings>
93
-
<addkey="ClientId"value="your client id here" />
94
-
<addkey="ClientSecret"value="your old secret here" />
95
-
... other settings may be here ...
96
-
</appSettings>
97
88
89
+
```XML
90
+
<appSettings>
91
+
<addkey="ClientId"value="your client id here" />
92
+
<addkey="ClientSecret"value="your old secret here" />
93
+
... other settings may be here ...
94
+
</appSettings>
98
95
```
99
96
100
97
2. Change the name of the **ClientSecret** key to `SecondaryClientSecret` as shown in the following example:
101
-
98
+
102
99
```XML
103
-
<addkey="SecondaryClientSecret"value="your old secret here" />
100
+
<addkey="SecondaryClientSecret"value="your old secret here" />
104
101
```
105
102
106
103
> [!NOTE]
107
104
> If you are performing this procedure for the first time, there is no **SecondaryClientSecret** property entry at this point in the configuration file. However, if you are performing the procedure for a subsequent client secret expiration (second or third), the property **SecondaryClientSecret** is already present and contains the initial or already expired old secret. In this case, delete the **SecondaryClientSecret** property first before renaming **ClientSecret**.
108
105
109
106
3. Add a new **ClientSecret** key and give it your new client secret. Your markup should now look like the following:
110
-
107
+
111
108
```XML
112
-
<appSettings>
113
-
<addkey="ClientId"value="your client id here" />
114
-
<addkey="ClientSecret"value="your new secret here" />
115
-
<addkey="SecondaryClientSecret"value="your old secret here" />
116
-
... other settings may be here ...
117
-
</appSettings>
109
+
<appSettings>
110
+
<addkey="ClientId"value="your client id here" />
111
+
<addkey="ClientSecret"value="your new secret here" />
112
+
<addkey="SecondaryClientSecret"value="your old secret here" />
113
+
... other settings may be here ...
114
+
</appSettings>
118
115
```
119
116
120
117
> [!IMPORTANT]
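Review bot: The appSettings examples in this hunk (old lines 92-96 / new lines 89-94, and again old 112-117 / new 109-114) render as `<addkey="ClientId"value="your client id here" />`, with no whitespace between the element name and its attributes or between the attributes themselves; if the source reads that way the markup is not well-formed XML and a reader who pastes it gets a broken web.config. Confirm the lines are `<add key="ClientId" value="your client id here" />`, and likewise for the ClientSecret and SecondaryClientSecret entries. Two smaller points: the TIP at old line 82 / new line 80 says "set this to a shorter or longer (up to 3 years maximum)" and is missing a noun ("a shorter or longer lifetime"); and apart from the paired removed/added blank lines, the content lines on both sides of the hunk read identically, so it would help reviewers if the change is flagged as whitespace-only.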
@@ -129,47 +126,45 @@ foreach ($appentry in $applist) {
129
126
For expired client secrets, first you must delete all of the expired secrets for a given **clientId**. You then create a new one with MSO PowerShell, wait at least 24 hours, and test the app with the new **clientId** and **ClientSecret** key.
130
127
131
128
1. Connect to MSOnline using the tenant admin user with the following markup using SharePoint Windows PowerShell.
132
-
129
+
133
130
```powershell
134
-
import-module MSOnline
135
-
$msolcred = get-credential
136
-
connect-msolservice -credential $msolcred
131
+
import-module MSOnline
132
+
$msolcred = get-credential
133
+
connect-msolservice -credential $msolcred
137
134
```
138
135
139
136
2. Get **ServicePrincipals** and keys. Printing **$keys** returns three records. Replace each **KeyId** in *KeyId1* , *KeyId2*, and *KeyId3*. You also see the **EndDate** of each key. Confirm whether your expired key appers there.
140
-
141
-
> [!NOTE]
137
+
138
+
> [!NOTE]
142
139
> The **clientId** needs to match your expired **clientId**. It's recommended to delete all keys, both expired and unexpired, for this **clientId**.
3. Generate a new **ClientSecret** for this **clientID**. It uses the same **clientId** as set in the preceding step. The new **ClientSecret** is valid for 3 years.
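Review bot: "appers" at old line 139 / new line 136 should be "appears". More substantively, the last step states that the new ClientSecret is valid for 3 years, while the TIP earlier in this file says the default lifetime is one year and that 3 years is the maximum reachable with -EndDate; the two statements should agree (for example by naming the -EndDate value the generating command passes), otherwise operators will schedule the next rotation on the wrong date. The NOTE at old line 142 / new line 139 recommends deleting all keys, expired and unexpired, for the clientId; it should say that this also removes the secret the running add-in currently authenticates with, so the new secret has to be placed in web.config and the 24-hour wait from old line 129 / new line 126 observed before production traffic depends on it.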