Has Microsoft changed the maximum expiration date for client secrets to 2 years? Is it no longer possible to select "Never"?
Renew key for created app In the Configuration Manager console, go to the Administration workspace, expand Cloud Services, and select the Azure Active Directory Tenants node. On the Details pane, select the Azure AD tenant for the app. In the ribbon, select Renew Secret Key.
Credentials allow your application to authenticate as itself, requiring no interaction from a user at runtime. You can add both certificates and client secrets (a string) as credentials to your confidential client app registration.
Click Certificates & secrets. If you do not have a client secret, create one: Under Client secrets, click New client secret. Enter a name and an expiration date and click Add.
I just ran into this myself. You can add a credential using PowerShell with a lifetime of more than 2 years, so I'm guessing it's a UI limitation.
Connect-AzureAD  # sign in first (AzureAD PowerShell module)
$startDate = Get-Date
$endDate = $startDate.AddYears(98)
# -ObjectId is the app registration's Object ID (not the Application/Client ID); the generated secret is returned in the .Value property
$aadAppsecret01 = New-AzureADApplicationPasswordCredential -ObjectId b09d3e1b-417d-425c-be05-9e46943d7207 -StartDate $startDate -EndDate $endDate
Could someone please point to a link explaining why and when this was enforced by Microsoft? This is not really a security best practice and could have a serious impact on working applications.
This is not a front-end-exposed password that could be leaked. These are secrets used only from server back-ends, and they are complex and at least 20 characters long. There is no way brute force can break these nowadays. So in fact, because there is no monitoring and alerting in place on Azure like there is for certificates, it's going to be a nightmare for Azure users in 2 years.
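The comment above points at the real operational risk: secrets expire silently. The following script is an added example (not from the question or any answer) that inventories every client secret in the tenant with the same AzureAD module the accepted answer uses, and flags secrets that are expired, about to expire, or outlive the portal's 2-year maximum. The $WarnDays parameter and the status thresholds are this example's own choices.

```powershell
# Added example: report client secrets that are expired, expiring within $WarnDays,
# or longer-lived than the 2-year portal maximum. Requires the AzureAD module.
param([int]$WarnDays = 30)   # assumed parameter, not from the thread

Connect-AzureAD | Out-Null

$now = Get-Date
$report = foreach ($app in Get-AzureADApplication -All $true) {
    $creds = Get-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId
    foreach ($c in $creds) {
        if (-not $c.EndDate) { continue }   # skip credentials with no end date set
        $daysLeft = [math]::Floor(($c.EndDate - $now).TotalDays)
        $status = if ($daysLeft -lt 0) { 'EXPIRED' }
                  elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
                  elseif ($daysLeft -gt 2 * 365) { 'LONG-LIVED' }   # created via PowerShell/CLI/Graph, not the portal
                  else { 'OK' }
        [pscustomobject]@{
            App      = $app.DisplayName
            AppId    = $app.AppId
            KeyId    = $c.KeyId
            EndDate  = $c.EndDate
            DaysLeft = $daysLeft
            Status   = $status
        }
    }
}

# Anything other than OK deserves a ticket; run this on a schedule to get the
# alerting the platform does not provide for secrets.
$report | Where-Object Status -ne 'OK' | Sort-Object DaysLeft | Format-Table -AutoSize
```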
That's correct. The new maximum expiration for a client secret is 2 years.
Looks like we got an official answer from Microsoft's team on Jun 08, 2021, according to this discussion: https://docs.microsoft.com/en-us/answers/questions/422538/future-plans-of-microsoft-with-the-maximum-expirat.html
This was the final answer from their engineering team:
There are plans to limit lifetimes of the secret administratively. However, there are no current timelines or ETAs of when this will happen. Removing the UX option to have never expiring secrets is a first step of that process (you can still create secrets that never expire with PowerShell, AZ CLI and Graph API).
So, I understood that, for a while, I can use the PowerShell method suggested by Daniel in the accepted answer above. However, we cannot rely on this forever, because sooner or later the 'never' option may disappear completely if Microsoft's plans materialize. I hope it doesn't in this case. As some have said, I also foresee expiration problems in the coming years because of this limitation.
As of February 2022 it isn't possible anymore: https://devblogs.microsoft.com/microsoft365dev/client-secret-expiration-now-limited-to-a-maximum-of-two-years/
You can set the date through the built-in Azure CLI. Open the Azure CLI in the browser, then run the command below. Note: if you don't pass a password, this will reset your existing password! The end date is whatever you want it to be:
az ad sp credential reset --name {name of your AD app} --end-date 2035-03-04 --credential-description DescriptionHere
If you want to preserve the app secret (which is what I needed, since I had already created the secret and started using it), make sure to pass the existing password:
az ad sp credential reset --name {name of your AD app} --password {whatever password you want to keep} --end-date 2035-03-04 --credential-description AppAccess
--credential-description is optional, but if you don't pass one it will be blank in the UI, which is not nice.
Further info: https://docs.microsoft.com/en-us/cli/azure/ad/app/credential?view=azure-cli-latest