How to Renew Secret keys in SCCM console

Renew Secret keys in SCCM console

While working in my SCCM lab recently, I realised the secret key for one of my Entra App registrations was expired. I received a console notification with the following message: “One or more Entra app secrets used by Cloud Services have expired. Renew to avoid service disruptions.”

Configuration Manager allows you to renew the secret key for an Entra app with a few easy steps. You can also renew client secrets for apps in the Microsoft Entra admin center, which I will cover in a separate guide.

You must renew the Microsoft Entra app’s secret key before the end of its validity period. If you let the key expire, Configuration Manager can’t authenticate with Microsoft Entra ID, which will cause your connected Azure/Entra services to stop working.

Install and Update Third Party Applications with Patch My PC
Install and Update Third Party Applications with Patch My PC

In this tutorial, I will walk you through the procedure of renewing secret keys using SCCM console. You need to have at least the “Cloud Application Administrator” Microsoft Entra role assigned to be able to renew the key.

Creating Entra ID apps in Configuration Manager

You can use Configuration Manager to directly create the apps in Microsoft Entra ID. For instance, the Entra ID apps are created when you set up CMG in SCCM, Azure AD user discovery, Tenant attach, etc.

One or more Entra app secrets used by Cloud Services have expired

Starting in version 2006 and later, the Configuration Manager console displays notifications for the following circumstances:

  • One or more Microsoft Entra app secret keys will expire soon
  • One or more Microsoft Entra app secret keys have expired

To resolve the above issues, you must renew the secret key; otherwise, the cloud services configured with SCCM will cease to function properly.

If you’re new to console notifications, learn how to configure SCCM console notifications.

Whenever the Entra app’s secret key is expired, the following notification appears when you launch the SCCM console:

One or more Entra app secrets used by Cloud Services have expired. Renew to avoid service disruptions

You can dismiss the alert and carry on with your work, but when you open the console, it reappears. Remember that Microsoft Entra ID is the new name for Azure AD. The names Azure Active Directory, Azure AD, and AAD are replaced with Microsoft Entra ID.

One or more Entra app secrets used by Cloud Services have expired
One or more Entra app secrets used by Cloud Services have expired

Renew Secret keys in SCCM console

Follow the below steps to renew the secret key of an Entra app in the SCCM console:

Step 1: Launch the Configuration Manager console. Navigate to Administration workspace, expand Cloud Services, and select the Microsoft Entra tenants node. Now select the tenant name, and you’ll find the applications that are configured in SCCM.

Renew Secret keys in SCCM console
Renew Secret key of Entra App in SCCM console

Step 2: Right-click the Entra app whose secret key is expired and select the option “Renew Secret Key“.

Renew Secret keys in SCCM console
Renew Secret key of Entra App in SCCM console

Step 3: Enter the credentials of either the app owner or a Microsoft Entra administrator.

Renew Secret keys in SCCM console
Sign in to Entra ID

Step 4: Once the authentication is successful, you get the message “Secret key successfully renewed!“. This confirms that the Entra app’s secret key has been renewed successfully.

Renew Secret keys in SCCM console
Renew Secret keys using SCCM console

    Verify the Entra app secret key expiry in SCCM

    After renewing the secret keys in SCCM for Entra apps, you can check the expiration using these steps:

    • Launch the SCCM console.
    • Go to Administration > Cloud Services > Microsoft Entra tenants.
    • Select the Entra app from the list. The column Secret Key Expiry (UTC) shows the expiration date of the Entra app.
    Verify the Entra app secret key expiry in SCCM
    Verify the Entra app secret key expiry in SCCM
    Need more help?

    If you need further assistance on the above article or want to discuss other technical issues, check out some of these options.