DEV Community

Cover image for Manage Azure Service principal's credentials expiry

Manage Azure Service principal's credentials expiry

Tidjani Belmansour, Ph.D.
Hi, my name is Tidjani Belmansour. I'm a Microsoft Azure MVP, a Cloud Solutions Architect and a coffee addict. I've been in love with computers since 1988.
・3 min read

What? How? When? Why?... What?!

Service principals are great to give an identity to an application and set its permissions. Using a service principal, we can, as an example, restrict access for an application to other resources (such as a database) and control what it can do on that database in a more granular way.

Service principals are also great when setting a service endpoint connection in Azure DevOps for example, so you can deploy/configure your Azure resources from within your pipelines using ARM.

However, when you create a service principal, its credentials are by default valid for one year. This is for security reasons, so you don't forget about existing service principals that are hanging there forever and possibly creating a security breach in your infrastructure.

Why should I care?

You should! Because if you don't, your services that rely on service principals for authentication and authorization may just stop working.

In the above scenario of the service endpoint connection in Azure DevOps, your pipelines executions will fail due to the lack of the required permissions.

How do I check for the credentials expiration date of my service principal?

You can do that by using those two simple commands:

$sp = Get-AzADServicePrincipal -DisplayName $myServiceprincipalName
Get-AzADSpCredential -ObjectId $sp.Id


How to deal with that?

Depending on whether your service principal already exists or not, the procedure is slightly different.

Setting the expiration date at the creation of the service principal

If you haven't yet created your service principal, here's how to set a custom expiration date for it during its creation.

Here, we create a service principal named totoSP with the role Reader and we ensure the password will be valid for 150 years. Seems weird (and it is actually) but it's just for the sake of the demo ;) :

$start = get-date
$end = $start.AddYears(150)

New-AzADServicePrincipal -DisplayName 'totoSP' -Role Reader -StartDate $start -EndDate $end

Extend the expiration date for an existing service principal

If your service principal already exists (whether its credentials have expired or not yet), you can set a custom expiration date using the following commands.

Once again, we ensure the password will be valid for 150 years which seems weird (and it is actually) but it's just for the sake of the demo ;) :

# Get the Id of the service principal
$sp = Get-AzADServicePrincipal -DisplayName $myServiceprincipalName

# Set new password with extended expiration date
$start = get-date
$end = $start.AddYears(150)
$credentials = New-AzADSpCredential -ObjectId $sp.Id -StartDate $start -EndDate $end

In case you need that new password (e.g. in order to update your service endpoint connection in Azure DevOps), you can use these commands. Be careful however, you can only use them in the same PowerShell session in which you created that password:

$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($credentials.Secret)
$UnsecureSecret = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)

Write-Host $UnsecureSecret

The previous script will generate a random password and use it for the new, updated credentials.
If you want to specify your own password, you can do that instead:

$SecureStringPassword = ConvertTo-SecureString -String "@zuR3_R0ck$!!!!" -AsPlainText -Force
New-AzADSpCredential -ObjectId $sp.Id -StartDate $start -EndDate $end -Password $SecureStringPassword

As a conclusion...

Today, we've learned that Azure service principal's credentials have an expiration date. We also learned how to deal with that.

I hope that you found it valuable.

Keep the discussion

You can reach me on Twitter or LinkedIn.

See you soon!

Discussion (4)

bbarman4u profile image

@tidjani So is it accurate to assume that the Service Principal's Expiration is agnostic of the person's Azure Account i.e. if the person whose id was used to create the Service Principal, leaves the company or leaves the Azure Tenant, the service principal will still live on until the defined expiry date?

tidjani profile image
Tidjani Belmansour, Ph.D. Author

Sorry for the late reply @bbarman4u . Thank you for your question.

It is right to assume that the two entities (the Service Principal and the user account who created it) have their own (and independent lifeycle).

However, it's worth mentioning that you can remove permissions of a Service Principal at any time and even delete that Service Principal.

mahdihedhli profile image
Mahdi Hedhli

Just a heads up... I believe Microsoft removed the ability to set your own passwords on service principals.

New-AzADSpCredential :** A parameter cannot be found that matches parameter name 'Password'.**
At line:1 char:68

  • ... ntial -ObjectId $sp -StartDate $start -EndDate $end -Password $Secure ...
  • ~~~~~~~~~
    • CategoryInfo : InvalidArgument: (:) [New-AzADSpCredential], ParameterBindingException
    • FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.Azure.Commands.ActiveDirectory.NewAzureADSpCredentialCommand
tidjani profile image
Tidjani Belmansour, Ph.D. Author

hmm...looks so, indeed!