Overview
An existing SharePoint app can be renewed using PowerShell. This process keeps the existing Client ID and renews only the Secret. In addition, this process allows you to:
- Renew the Secret for multiple years
- Renew the app before it expires by keeping both the old Secret and the new Secret, so that the new Secret is used automatically once the old one expires, with no downtime
- Renew without needing to replace the existing app in the site contents
Requirements
In order to use this process the user renewing the app must:
- Be a tenant administrator
- Have MSOnline installed
- This can be done with the steps listed here: Install MSOnline
Renewing the Client Secret
Confirm the current Client ID
There are 2 ways to do this:
- From 'web.config' on the AppManager server
- From the SharePoint app in the App Catalog:
  - Navigate to Admin > Admin Centers (more features) > SharePoint > Apps > App Catalog
  - Navigate to "Apps for SharePoint", locate the existing "Akumina InterChange" app and download it (3 ellipses > 3 ellipses > Download)
  - Once downloaded, navigate to the file in Windows File Explorer.
  - Rename the downloaded file by adding the ".zip" file extension.
  - Extract all files to a new folder.
  - Open the "AppManifest" file with a program like Notepad.
Install MSOnline
Install MSOnline by running the following commands in PowerShell (running as Administrator) in order, one by one.
Install-Module MSOnline
Install-Module AzureAD
Import-Module AzureAD
If you already have MSOnline installed, you can skip to the next step.
Connect to MSOnline
Connect to MSOnline as the tenant admin user with the following command in Windows PowerShell.
Connect-MsolService
Create a Client ID Variable
Create a client ID variable with the following line, using the Client ID of the SharePoint app as the value. Enter the statement below (with Client_ID replaced) into your PowerShell console.
$clientId = 'Client_ID'
Generate a new Client Secret
Generate a new Client Secret with the following command lines (copy this entire block and run as is):
# Generate 32 random bytes with a cryptographic RNG and Base64-encode them as the new secret
$bytes = New-Object Byte[] 32
$rand = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rand.GetBytes($bytes)
$rand.Dispose()
$newClientSecret = [System.Convert]::ToBase64String($bytes)
# Validity window: starts now and runs for 3 years
$dtStart = [System.DateTime]::Now
$dtEnd = $dtStart.AddYears(3)
# Register the secret on the app principal as Sign, Verify and Password credentials
New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Symmetric -Usage Sign -Value $newClientSecret -StartDate $dtStart -EndDate $dtEnd
New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Symmetric -Usage Verify -Value $newClientSecret -StartDate $dtStart -EndDate $dtEnd
New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Password -Usage Verify -Value $newClientSecret -StartDate $dtStart -EndDate $dtEnd
# Print the new secret so it can be copied
$newClientSecret
- After running the above commands, the new Client Secret appears in the PowerShell console. Copy it to a text file; you will need it in the next step.
Update AppManager with new Client Secret
For SharePoint Classic and Self-Hosted clients
- Open the web.config file for the web application project. In the appSettings section, there are keys for the Client ID and Client Secret.
- The following is an example before changes are made:

  <appSettings>
    <add key="ClientId" value="your client id here" />
    <add key="ClientSecret" value="your old secret here" />
    <!-- ... other settings may be here ... -->
  </appSettings>

- Add the "SecondaryClientSecret" key and set it to your old Client Secret that is about to expire. Then set the "ClientSecret" value to the new Client Secret from the previous step (from PowerShell).
- The following is an example after the changes are made:

  <appSettings>
    <add key="ClientId" value="your client id here" />
    <add key="ClientSecret" value="your NEW secret here" />
    <add key="SecondaryClientSecret" value="your OLD secret here" />
    <!-- ... other settings may be here ... -->
  </appSettings>

For Akumina-Hosted and Cloud-Hosted clients:
You'll need to provide your new Client Secret to Akumina Support to update for you.
Additional Recommendations
- Once you renew your Client Secret, it is up to you to document and track the new expiration date.
- If you allow your Client Secret to expire, all users will lose access to the AppManager.
- Renewing an already expired Client Secret using this process requires a 24-hour waiting period before the new Client Secret starts working. This is a limitation from Microsoft.
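The following is an added example, not part of the original article, that checks the result of the "Generate a new Client Secret" step and supports the recommendation above to track the expiration date. It assumes Connect-MsolService has already been run and that $clientId is set as described earlier; $warnDays and $removeExpired are assumed names chosen for this example.

```powershell
# List every credential registered on the app principal (key values are not returned).
$creds = Get-MsolServicePrincipalCredential -AppPrincipalId $clientId -ReturnKeyValues $false

$now = [System.DateTime]::UtcNow
$report = $creds | ForEach-Object {
    [PSCustomObject]@{
        KeyId     = $_.KeyId
        Type      = $_.Type
        Usage     = $_.Usage
        StartDate = $_.StartDate
        EndDate   = $_.EndDate
        DaysLeft  = [int][math]::Floor(($_.EndDate - $now).TotalDays)
    }
}

# Expect both the old secret and the three new entries (Symmetric/Sign, Symmetric/Verify,
# Password/Verify) with the new EndDate roughly three years out.
$report | Sort-Object EndDate | Format-Table -AutoSize

# Warn early enough to set up the old/new overlap before anything expires.
$warnDays = 60   # assumed threshold for this example
$expiring = $report | Where-Object { $_.DaysLeft -le $warnDays -and $_.DaysLeft -ge 0 }
if ($expiring) {
    Write-Warning ("{0} credential(s) expire within {1} days; renew now to avoid downtime." -f $expiring.Count, $warnDays)
}

# Optional clean-up: once the new secret is confirmed working, remove credentials
# whose EndDate has already passed. Left off by default because removal is destructive.
$removeExpired = $false
$expired = $report | Where-Object { $_.EndDate -lt $now }
if ($removeExpired -and $expired) {
    Remove-MsolServicePrincipalCredential -AppPrincipalId $clientId -KeyIds @($expired.KeyId)
}
```

Record the EndDate printed for the new entries in whatever system you use to track certificate and secret expiry.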