How to Renew Secret keys in SCCM console
While working in my SCCM lab recently, I realised the secret key for one of my Entra App registrations had expired. I received a console notification with the following message: “One or more Entra app secrets used by Cloud Services have expired. Renew to avoid service disruptions.”
Configuration Manager allows you to renew the secret key for an Entra app with a few easy steps. You can also renew client secrets for apps in the Microsoft Entra admin center, which I will cover in a separate guide.
You must renew the Microsoft Entra app’s secret key before the end of its validity period. If you let the key expire, Configuration Manager can’t authenticate with Microsoft Entra ID, which will cause your connected Azure/Entra services to stop working.
In this tutorial, I will walk you through the procedure of renewing secret keys using the SCCM console. You need to have at least the “Cloud Application Administrator” Microsoft Entra role assigned to be able to renew the key.
Creating Entra ID apps in Configuration Manager
You can use Configuration Manager to directly create the apps in Microsoft Entra ID. For instance, the Entra ID apps are created when you set up CMG in SCCM, Azure AD user discovery, Tenant attach, etc.
One or more Entra app secrets used by Cloud Services have expired
Starting in version 2006, the Configuration Manager console displays notifications for the following circumstances:
- One or more Microsoft Entra app secret keys will expire soon
- One or more Microsoft Entra app secret keys have expired
To resolve the above issues, you must renew the secret key; otherwise, the cloud services configured with SCCM will cease to function properly.
If you’re new to console notifications, learn how to configure SCCM console notifications.
Whenever an Entra app’s secret key has expired, the following notification appears when you launch the SCCM console:
One or more Entra app secrets used by Cloud Services have expired. Renew to avoid service disruptions
You can dismiss the alert and carry on with your work, but it reappears the next time you open the console. Remember that Microsoft Entra ID is the new name for Azure AD. The names Azure Active Directory, Azure AD, and AAD are replaced with Microsoft Entra ID.
Renew Secret keys in SCCM console
Follow the steps below to renew the secret key of an Entra app in the SCCM console:
Step 1: Launch the Configuration Manager console. Navigate to the Administration workspace, expand Cloud Services, and select the Microsoft Entra tenants node. Now select the tenant name, and you’ll find the applications that are configured in SCCM.
Step 2: Right-click the Entra app whose secret key has expired and select the option “Renew Secret Key”.
Step 3: Enter the credentials of either the app owner or a Microsoft Entra administrator.
Step 4: Once the authentication is successful, you get the message “Secret key successfully renewed!”. This confirms that the Entra app’s secret key has been renewed successfully.
Verify the Entra app secret key expiry in SCCM
After renewing the secret keys in SCCM for Entra apps, you can check the expiration using these steps:
- Launch the SCCM console.
- Go to Administration > Cloud Services > Microsoft Entra tenants.
- Select the Entra app from the list. The column Secret Key Expiry (UTC) shows the expiration date of the Entra app’s secret key.
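The same expiry dates are stored on the app registration in Microsoft Entra ID, so they can also be checked from PowerShell. The script below is an added example, not part of the original article or of Configuration Manager; it sorts client secrets into expired, expiring soon and OK, mirroring the two console notifications. The function name, the 30-day warning window and the sample objects are assumptions made for illustration.

```powershell
# Added example. Input objects follow the shape of Microsoft Graph application
# objects: DisplayName plus PasswordCredentials[] with KeyId and EndDateTime.
function Get-AppSecretExpiryStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Application,
        # Assumption: "expiring soon" = fewer than 30 days left (the page gives no threshold).
        [int]$WarningDays = 30,
        [datetime]$Now = [datetime]::UtcNow
    )
    process {
        # An app may hold several secrets, or none; report each one separately.
        foreach ($cred in @($Application.PasswordCredentials)) {
            if ($null -eq $cred -or $null -eq $cred.EndDateTime) { continue }
            $end      = ([datetime]$cred.EndDateTime).ToUniversalTime()
            $daysLeft = [math]::Floor(($end - $Now).TotalDays)
            $status = if ($end -le $Now) {
                'Expired'
            } elseif ($daysLeft -lt $WarningDays) {
                'ExpiringSoon'
            } else { 'OK' }
            [pscustomobject]@{
                App       = $Application.DisplayName
                KeyId     = $cred.KeyId
                ExpiryUtc = $end
                DaysLeft  = $daysLeft
                Status    = $status
            }
        }
    }
}

# Constructed sample input (not real tenant data), evaluated at a fixed date.
$sample = @(
    [pscustomobject]@{ DisplayName = 'Sample server app'; PasswordCredentials = @(
        [pscustomobject]@{ KeyId = '00000000-0000-0000-0000-000000000001'; EndDateTime = '2025-05-01T00:00:00Z' }
        [pscustomobject]@{ KeyId = '00000000-0000-0000-0000-000000000002'; EndDateTime = '2025-06-20T00:00:00Z' }
        [pscustomobject]@{ KeyId = '00000000-0000-0000-0000-000000000003'; EndDateTime = '2027-06-01T00:00:00Z' }) }
    [pscustomobject]@{ DisplayName = 'Sample app without secrets'; PasswordCredentials = @() }
)
$fixedNow = ([datetime]'2025-06-01T00:00:00Z').ToUniversalTime()
$sample | Get-AppSecretExpiryStatus -Now $fixedNow | Format-Table -AutoSize

# Against a live tenant (Microsoft.Graph module, after
# Connect-MgGraph -Scopes 'Application.Read.All'):
# Get-MgApplication -All | Get-AppSecretExpiryStatus | Where-Object Status -ne 'OK'
```

Running a check like this on a schedule surfaces keys that are about to expire before the console notification appears.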