Skip to content

Refreshing Expired Secrets

Jump to bottom
Alex Clark edited this page Aug 18, 2021 · 2 revisions

From time to time you may need to update/refresh the client secret used in the Azure AD application of Request-a-team.

When you deploy Request-a-team, the secret generated for the Azure AD app has a default expiry of 1 year from the date the deployment script was executed.

It is advisable to note down the date when the secret will expire as once this has expired, the Logic Apps for creating teams will fail until a new secret is created and the key vault updated.

Refreshing the Secret

When the secret expires or shortly before this period, follow this process to create a new secret and update Request-a-team to use the new value:

  1. Open the Azure Portal.
  2. Navigate to Azure Active Directory.
  3. Click 'App registrations' on the left menu.
  4. Click 'All applications'.
  5. Locate your Request-a-team application and click on it.
  6. Click 'Certificates and secrets' on the left menu.
  7. Click 'New cient secret' under Client secrets.
  8. Enter a description for the secret and choose an expiry date.
  9. Copy the value of the secret. **Once you leave this blade, the value will be permanently hidden. **
  10. Execute the 'refreshclientsecret.ps1' PowerShell script.

The script requires the following parameters:

  • ClientId - Id of the request-a-team Azure AD Application. You can obtain this in the App registrations blade (copy the Application ID).

  • ClientSecret - Secret value that you copied earlier.

  • SubscriptionId - Azure subscription where request-a-team is deployed.

  • Location - Azure region you chose when deploying request-a-team. The internal name should be used e.g. uksouth. See Valid Azure Locations.

  • TenantId - Id of the tenant where request-a-team is deployed. (If you are not sure how to get Tenant ID, please check Azure Active Directory in Azure Portal. Under Manage, click Properties. The tenant ID is shown in the Directory ID box).

  • ResourceGroupName - Name for the resource group where request-a-team is deployed.

  • KeyVaultName - Name of your key vault that is used for request-a-team.

.\refreshclientsecret.ps1 -ClientId "xxxxxxxx-xxxx-xxx-xxxxxxxxxxx" -ClientSecret "xxxxxxxx-xxxx-xxx-xxxxxxxxxxx" -SubscriptionId 7ed1653b-228c-4d26-a0c0-2cd164xxxxxx -Location "westus" -TenantId "xxxxxxxx-xxxx-xxx-xxxxxxxxxxx" -ResourceGroupName "teamsgovernanceapp-rg" -KeyVaultName "requestateam-kv"

The script will prompt for authentication during execution. Please login using a Global Administrator account.

Once the script is complete, Request-a-team is now using the updated secret and will continue to operate as normal.

Clone this wiki locally