Renew Secret Keys using SCCM Console Configuration Manager

This guide shows how to renew one or more Azure AD app secrets used by cloud services from the SCCM console. It starts with the meaning of the Configuration Manager notification message "One or more Azure AD app secrets used by Cloud Services will expire soon. Renew to avoid service disruption."

We will also see how to fix it. When the security key on the app expires, you have to renew all the security keys if you have more than one.

Azure AD applications are used for many cloud-connected functions within Configuration Manager. ConfigMgr is connected to the cloud and uses different Azure services that require distinct configurations. Azure AD apps are created for each of these services.

Can’t Delete or Remove Azure AD Apps (used for Cloud Services) from SCCM Console? Here is the guide to removing those from MEMCM using WMI | WBEMTEST https://www.anoopcnair.com/remove-azure-ad-apps-from-sccm-using-wmi-delete/

The Azure AD apps are required for services such as Azure AD User Discovery, Cloud Management Gateway, Tenant Attach, and Co-Management. You can use a single Azure AD application for more than one service, or a distinct application for each.

Renew Secret Key Using SCCM Console

First, don’t be confused by the terms Azure AD app security key and secret key: both refer to the same thing.

Recently, I received the notification to “Renew Azure AD app secrets”. Let’s go through the process to renew the secret keys for Azure AD applications.

Renew Secret Keys using SCCM Console Configuration Manager

The following two secrets are of immediate concern (they expire in a month). These secret keys (highlighted in yellow) need to be renewed to avoid any service disruption.

  • Click the hyperlink (Renew secret key close to expiry) in the console notification alert, or
  • Navigate to \Administration\Overview\Cloud Services\Azure Active Directory Tenants – Applications.
    • Find the apps whose secret keys are going to expire soon.
    • For the expiry date, check the column Secret Key Expiry (UTC).
ConfigMgr Renew One or more Azure AD App Secrets used by Cloud Services | SCCM

Click on the application that you want to renew (the one whose secret key is close to expiry). From the ribbon's Applications tab, click the Renew Secret Key button.

ConfigMgr Renew One or more Azure AD App Secrets used by Cloud Services | SCCM

Sign in to Azure AD with an account that has the appropriate permissions on the Azure AD tenant (Azure AD Apps) – https://docs.microsoft.com/en-us/mem/configmgr/core/servers/deploy/configure/azure-services-wizard#about-azure-ad-apps.

NOTE! – For more information about the required app permissions and configurations for each service, see the relevant SCCM article in Available services (Microsoft Docs). https://docs.microsoft.com/en-us/mem/configmgr/core/servers/deploy/configure/azure-services-wizard#available-services

ConfigMgr Renew One or more Azure AD App Secrets used by Cloud Services | SCCM

The secret key was successfully renewed for the Azure AD User Discovery option.

ConfigMgr Renew One or more Azure AD App Secrets used by Cloud Services | SCCM

Results

Once the Azure AD App secret keys/Security keys are renewed successfully, you can confirm the extended secret key expiry date. Also, confirm the ConfigMgr services are working fine after renewing the secret key.

ConfigMgr Renew One or more Azure AD App Secrets used by Cloud Services | SCCM
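
An added example, not part of the original post or of Configuration Manager: a PowerShell function that runs the same expiry check from the Azure AD side, over objects shaped like Microsoft Graph application records. The function name, the 30-day window and the sample data are assumptions; it also counts the secrets on each app, so an app that still lists an older secret after a renewal stands out for review.

```powershell
# Added example: classify Azure AD app secrets by expiry (all times UTC).
function Get-AppSecretExpiryReport {
    param(
        [Parameter(Mandatory)] [object[]] $Application,
        [int] $WarnDays = 30,                                # assumed warning window
        [datetimeoffset] $AsOf = [datetimeoffset]::UtcNow    # reference time
    )
    foreach ($app in $Application) {
        # Drop null entries so apps without secrets produce no rows
        $creds = @($app.passwordCredentials | Where-Object { $_ })
        foreach ($cred in $creds) {
            # endDateTime may be a string or a DateTime depending on the source
            $expiry   = [datetimeoffset] $cred.endDateTime
            $daysLeft = [math]::Floor(($expiry - $AsOf).TotalDays)
            $status   = 'OK'
            if ($daysLeft -lt 0) { $status = 'Expired' }
            elseif ($daysLeft -le $WarnDays) { $status = 'ExpiringSoon' }
            [pscustomobject]@{
                App         = $app.displayName
                KeyId       = $cred.keyId
                ExpiryUtc   = $expiry.UtcDateTime
                DaysLeft    = [int] $daysLeft
                Status      = $status
                SecretCount = $creds.Count   # more than 1: an older secret is still listed
            }
        }
    }
}

# Constructed sample in the shape of Graph application records (not real IDs).
# Live input could come from Get-MgApplication -All (Microsoft.Graph.Applications).
$apps = @'
[
  { "displayName": "ConfigMgr Server App (sample)",
    "passwordCredentials": [
      { "keyId": "11111111-0000-0000-0000-000000000001", "endDateTime": "2024-06-20T00:00:00Z" },
      { "keyId": "11111111-0000-0000-0000-000000000002", "endDateTime": "2026-06-01T00:00:00Z" } ] },
  { "displayName": "ConfigMgr Client App (sample)",
    "passwordCredentials": [
      { "keyId": "22222222-0000-0000-0000-000000000001", "endDateTime": "2024-05-01T00:00:00Z" } ] }
]
'@ | ConvertFrom-Json

Get-AppSecretExpiryReport -Application $apps -AsOf '2024-06-01T00:00:00Z' |
    Sort-Object DaysLeft |
    Format-Table App, KeyId, ExpiryUtc, DaysLeft, Status, SecretCount
```

With the constructed data and the fixed reference date, the client app's secret is reported as Expired, the server app's first secret as ExpiringSoon, and its second as OK with a SecretCount of 2.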

Author

Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with over 17 years of experience (calculation done in 2018). He is a blogger, speaker, and local user group HTMD Community leader. His main focus is on device management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

8 thoughts on “Renew Secret Keys using SCCM Console Configuration Manager”

  1. When I try to renew the secret key for two apps I get this error:
    “Failed to renew the secret key for AAD server application. Failed to get server app”
    This is because I have deleted these apps from Azure.
    Now, how can I also delete them from SCCM to hide the expired secret key notification at the top of the console?

    Thank you.

  2. After renewing the secret key in SCCM, I see the updated key in SCCM. In Azure, I see the new key (identified by the new expiry date). But I also see the old key. Is this normal? Can I safely remove the old key?

  3. What do you do if the key already expired? I can’t seem to renew it now.
    Failed to renew the secret key for AAD Server application. Failed to get server app

  4. Hi

    I have a similar issue to Carl Lee: “after renewing the secret key in SCCM, I see the updated key in SCCM. In Azure, I see the new key (identified by the new expiry date). But I also see the old key. Is this normal? Can I safely remove the old key?”

    The entry within SCCM, the *Client ID* of the SCCM entry, is now renewed, but in Azure a new key has been added automatically with a different Client ID, and the old key with the same Client ID as in SCCM is still showing with the old expiry date.

    Has anyone else had this? And is this renewed, even with the Client ID of the new Azure key being different?

  5. When I click on Renew Secret Key, the login window pops up. I log in successfully. Then nothing happens. No message and the key is not renewed. Any thoughts?

