Azure App registration Client secrets expiration

Has Microsoft changed the expiration date for Client secrets to be max 2 years? It is not possible to select "Never" anymore?

Loc Dai Le asked Apr 13 '21 12:04



6 Answers

I just ran into this myself. You can add a credential using PowerShell with an expiry of more than 2 years. So I'm guessing it's a UI limitation.

# Start now and end 98 years out; the portal UI caps this at 2 years, the cmdlet does not.
$startDate = Get-Date
$endDate = $startDate.AddYears(98)
# -ObjectId is the app registration's Object ID (not its Application/Client ID).
$aadAppsecret01 = New-AzureADApplicationPasswordCredential -ObjectId b09d3e1b-417d-425c-be05-9e46943d7207 -StartDate $startDate -EndDate $endDate
Daniel James Bryars answered Oct 18 '22 15:10


Could someone please indicate a link to why and when this has been enforced by Microsoft? This is not really a security best practice and could have a serious impact on working applications.

This is not a password exposed on the front end that could be leaked. These are secrets that are used only from server back ends and are complex and at least 20 characters long. No way a brute force can break these nowadays. So in fact, because there is no monitoring and alerting in place on Azure like there is for certificates, it's going to be a nightmare for Azure users in 2 years.

dainfo99 answered Oct 18 '22 16:10


Has Microsoft changed the expiration date for Client secrets to be max 2 years? It is not possible to select "Never" anymore?

That's correct. The new expiration age for the client secret can be 2 years maximum.

Gaurav Mantri answered Oct 18 '22 16:10


Looks like we got an official answer from Microsoft's team on Jun 08, 2021, according to this discussion: https://docs.microsoft.com/en-us/answers/questions/422538/future-plans-of-microsoft-with-the-maximum-expirat.html

This was the final answer from their engineering team:

There are plans to limit lifetimes of the secret administratively. However, there are no current timelines or ETAs of when this will happen. Removing the UX option to have never expiring secrets is a first step of that process (you can still create secrets that never expire with PowerShell, AZ CLI and Graph API).

So, I understood that, for a while, I can use the PowerShell method suggested by Daniel in the accepted answer above. However, we cannot rely on this forever, because sooner or later the 'never' option may disappear completely if Microsoft's plans materialize. I hope it doesn't in this case. As some have said, I also foresee expiration problems in the coming years because of this limitation.

vieira42 answered Oct 18 '22 16:10


As of February 2022 it isn't possible anymore: https://devblogs.microsoft.com/microsoft365dev/client-secret-expiration-now-limited-to-a-maximum-of-two-years/

Dmitry Kompot answered Oct 18 '22 14:10


You can set the date through the built-in Azure CLI. Open the Azure CLI in the browser, then run the command below. Note: if you don't pass a password, this will reset your existing password! The end date is whatever you want it to be:

az ad sp credential reset --name {name of your AD app} --end-date 2035-03-04 --credential-description DescriptionHere

If you want to preserve the app secret, which is what I needed (I had already created the secret and started using it), make sure to pass the existing password.

az ad sp credential reset --name {name of your AD app} --password {whatever password you want to keep} --end-date 2035-03-04 --credential-description AppAccess

--credential-description is optional, but if you don't pass one it will be blank in the UI, which is not nice.

Further info: https://docs.microsoft.com/en-us/cli/azure/ad/app/credential?view=azure-cli-latest

stef answered Oct 18 '22 16:10
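A check for the monitoring gap dainfo99 raises above, as an added example that is not part of any answer here: it walks the passwordCredentials that a Graph API listing of applications returns and flags secrets that are expired, close to expiry, longer-lived than the two-year cap the other answers describe (as the PowerShell and CLI routes above can create), or lacking a description. The app data is a constructed sample in Graph's field layout; fetching it from Graph and the SAMPLE_NOW "today" are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like Microsoft Graph's
# GET /applications?$select=displayName,passwordCredentials response;
# names, keyIds and dates are made up for this example.
SAMPLE_APPS = [
    {"displayName": "billing-api", "passwordCredentials": [
        {"displayName": "prod-2021", "keyId": "key-0001",
         "startDateTime": "2021-04-13T12:00:00Z", "endDateTime": "2023-04-13T12:00:00Z"}]},
    {"displayName": "legacy-sync", "passwordCredentials": [
        # created with AddYears(98) from PowerShell, and without a description
        {"displayName": "", "keyId": "key-0002",
         "startDateTime": "2021-04-13T12:00:00Z", "endDateTime": "2119-04-13T12:00:00Z"}]},
    {"displayName": "healthy-app", "passwordCredentials": [
        {"displayName": "rotated-2023", "keyId": "key-0003",
         "startDateTime": "2023-01-01T00:00:00Z", "endDateTime": "2024-01-01T00:00:00Z"}]},
]

SAMPLE_NOW = datetime(2023, 4, 1, tzinfo=timezone.utc)  # fixed "today" for the sample
MAX_LIFETIME = timedelta(days=2 * 366)  # the two-year cap, with leap-day slack


def parse_graph_time(value):
    # Graph emits ISO 8601 UTC, sometimes with fractional seconds; keep whole seconds.
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def audit_secrets(apps, now, warn_days=30):
    """Return (app name, keyId, [issues]) for every client secret needing attention."""
    findings = []
    for app in apps:
        for cred in app.get("passwordCredentials", []):
            start = parse_graph_time(cred["startDateTime"])
            end = parse_graph_time(cred["endDateTime"])
            issues = []
            days_left = (end - now).days
            if end <= now:
                issues.append("expired")
            elif days_left <= warn_days:
                issues.append(f"expires in {days_left} days")
            if end - start > MAX_LIFETIME:
                issues.append("lifetime exceeds two years")
            if not cred.get("displayName"):
                issues.append("no description")
            if issues:
                findings.append((app["displayName"], cred["keyId"], issues))
    return findings


def audit_sample():
    return audit_secrets(SAMPLE_APPS, SAMPLE_NOW)
```

Feed the output to whatever alerting you already have for certificate expiry; a secret created via PowerShell or the CLI never shows up in any portal warning on its own.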