Tip #1404: App secrets that last longer than 2 years

Using service principals is the great way to ensure that Dataverse connections in your Power Automate flows are not user-dependent and nothing is going to break when the original creator’s account gets disabled. These are good step-by-step instructions: How to setup a Common Data Service Application User (and why) (I’ll give Nick Doelman a separate Spießrutenlaufen later on for granting permissions nobody needs).

One of the steps is to create a secret and as of lately, the maximum expiration date can only be up to 2 years in the future. (And no, using custom is not going to help). But what if we want to last longer?

Azure dialog to add a client secret. Expiration date dropdown is expanded showing that the maximum expiration date can only be up to 2 years in the future

Yes, it’s a good idea to rotate your secrets. No, it’s not a good idea to do so until there are tools to automatically update all connections / connection references in your environment to use the new secret (managed identities / Azure Vaults, anyone?). I was indirectly told that Isaac Stephens figured it all out and it is indeed possible. Turns out, it’s not that complicated.

  1. Navigate to your app registration in Azure portal. (I trust you know how to do that as you presumably created that registration before, right?)
  2. Get your object id. (I knew it’ll come handy one day!)
    Screenshot of app registration properties in Azure portal. Object ID property is highlighted.
  3. Open Azure CLI prompt and sign in. I like using in-place prompt.
    Screenshot of Azure portal page with an arrow pointing to the icon that launches Azure CLI prompt directly in browser.
  4. Enter this command to regenerate a secret that expires in 42 years.
    az ad app credential reset --id 42937242-dead-beef-dead-42d833e1cb42 --years 42
  5. Don’t forget to copy the generated secret from the output – that will be displayed only once!

For additional syntax see az ad app credential | Microsoft Docs.

Cover photo by Osama Elsayed on Unsplash

2 thoughts on “Tip #1404: App secrets that last longer than 2 years

  1. […] the Azure CLI prompt in the Azure portal. As described on Tip #1404 of CRM Tip of the […]

  2. John says:

    This is a good tip, and of course I agree with the disclaimer that rotation of client secrets and passwords is a good idea. I just wanted to point out that this is not specifically a feature of the CLI. The 2-year limitation is a limitation of the Azure Portal itself. You can also use Microsoft Graph to create a client secret that expires whenever you want (addPassword, it’s called)

Leave a Reply

Your email address will not be published. Required fields are marked *