With its latest version, WPO365 can help monitor the expiration date(s) of AAD application / client secrets. This is important, because as soon as a secret is expired, it cannot be used anymore. And as a result – for example – your users may not be able to sign in with Microsoft anymore. If a secret is about to expire within the next 30 days, WPO365 will send a daily email notification to the configured administration email address and generate corresponding WPO365 health messages.
Introduction
When you configured WPO365 – for example to send emails using Microsoft Graph or to enable OpenID Connect based Single Sign-on – you have created one or more App registrations in Azure Active Directory / Entra ID. And you probably remember that for each App registration you created at least one Application (client) secret (on the App registration‘s Certificates & secrets page). You can think of the App registration’s ID as the username and the secret its password. Similar to passwords, secrets must be changed every now and then, to improve security. Therefore, secrets have an expiration date, after which they become invalid. Once a secret is expired, it cannot be used anymore and WPO365 may start failing e.g. users can no longer sign in with Microsoft or emails cannot be sent using Microsoft Graph anymore. Therefore it is important to renew the secret, before it expires and update the configuration of WPO365 with the new secret’s value. This may concern the following secrets:
- Application (client) secret for single sign-on (on WPO365’s Single Sign-on configuration page)
- Application (client) secret for sending email using Microsoft Graph (on the WPO365’s Mail configuration page)
- (App-only) Application (client) secret for Application access
Enable secret expiration notification
Starting with WPO365 version 24.3, monitoring of application / client secret(s) expiration is enabled by default. However, since it needs a new Microsoft Graph API permission, you must update the registered application (= App registration) in Azure AD as follows.
—– WPO365 | LOGIN
- Navigate to the plugin’s Integration configuration page and click the link View in Azure Portal for (App-only) Application (Client) ID under the heading Application Access.
If you don’t see this option, it means that you have not yet enabled app-only / application-level access. Simply check the option Use app-only token and check the next option Use existing App registration From the Single Sign-on tab. Now the options for (App-only) Application (Client) ID and (App-only) Application (Client) secret should be visible. Don’t forget to scroll to the end of the page and save the updated configuration.
—– WPO365 | MICROSOFT GRAPH MAILER
- Navigate to the plugin’s Mail configuration page and click the link View in Azure Portal for (App-only) Application (Client) ID under the heading Application Access.
—– BOTH
- Clicking the link View in Azure Portal will open https://portal.azure.com and automatically opens the Overview page of the registered application (= App registration) that must be updated.
- Continue to the registered application’s API Permissions page.
- Click + Add a permission.
- Select Microsoft Graph.
- Select Application permissions.
- Scroll down to > Application and add Application.Read.All.
- Click Add permission.
- Finally click the Grant admin consent for … link next to the + Add a permission link just above the list of already added permissions.
Disable secret expiration notification
If you do not wish WPO365 to monitoring application / client secret(s) expiration then proceed as follows.
- Go to WP Admin > WPO365 > … > Integration.
- Check the option to Skip check for AAD App registration expiration.
- Scroll to the bottom of the page and click to Save configuration.
Renew an application / client secret
To renew a secret, simply create a new secret by following the steps explained in the Getting started guide for (OpenID Connect based) Single Sign-on or the Getting started guide for sending emails using Microsoft Graph. Then copy the value of the new secret and update the corresponding option on either the Single Sign-on and / or the Mail configuration page.
Ensure WP Cron is triggered regularly
WPO365 will check once per day whether any of the application / client secrets is about to expire within the next 30 days. To do so, WPO365 creates a new so-called WP Cron job. WP Cron jobs do not run continuously and that makes them unreliable. The good news is, that you can improve this in several ways. We have documented one solution to hook WP Cron into a task scheduling service. However, you can first install – for example – WP Crontrol and observe whether your WP Cron jobs are being regularly executed.