Introduction
In this article, I am going to talk about validating the SharePoint token that gets created using Azure ACS. Please note that Azure ACS (Access Control Service) is a legacy way of authenticating to SharePoint Online and is still supported.
If you have site collection admin rights, you can directly create a client ID and client secret using AppRegNew.aspx and AppInv.aspx. You may refer to my previous article in the References section, which has detailed steps on how to perform these.
If you are getting the error ‘Token Request Failed’, most probably either the client ID or the secret was entered incorrectly, or the app principal has expired.
Whenever you create a client ID and client secret, these credentials are valid for up to one year. You can check the validity of the client ID and client secret using the following PowerShell commands.
Pre-requisites
- To run these steps successfully, you need either SharePoint Admin or Global Admin rights for your tenant.
- You also need to have the Azure AD module installed. If you haven’t installed it, please follow the References section.
Steps
Step 1
Get the client ID whose validity you need to check. In my case it is
5b10e80f-4320-4a80-a2a4-451e919af3e8
Run the following command to connect to Azure AD:
Connect-AzureAD
If your account is MFA-enabled, you will see a screen prompting you to enter the code.
Step 2
On successful connection, you should see something like the screen below, which shows Account, Environment, TenantId, TenantDomain, and AccountType.
Step 3
The command below lists all the service principals in your tenant.
Get-AzureADServicePrincipal -All $true
Step 4
In this case, we are interested in the details of one client ID, which is
5b10e80f-4320-4a80-a2a4-451e919af3e8
If you do not have the client ID, you can search by the name of the app principal that was created. In this case, we are checking for the TokenBasedAuthentication_POC app principal. Enter the command below to search by name.
Get-AzureADServicePrincipal -All $true | Where-Object -Property DisplayName -Match 'Token'
Here I am searching for any app principal whose name contains 'Token'. In this case, I got the output below.
If you are sure about the principal name, you can narrow the query like below:
Get-AzureADServicePrincipal -All $true -Filter "DisplayName eq 'TokenBasedAuthentication_POC'"
To get the end date of the app principal, update the script like below:
(Get-AzureADServicePrincipal -All $true -Filter "DisplayName eq 'TokenBasedAuthentication_POC'").KeyCredentials.EndDate.ToShortDateString() | Select-Object -First 1
In this scenario, the app principal is valid up to 1/15/2023.
Similarly, you can get the start date of the app principal by changing the above script, which is your assignment 😊
Conclusion: Thus, in this article, we have seen how to check whether an app principal is valid using the Azure AD PowerShell module.
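The checks from Steps 3 and 4, combined into one reusable function as an added example (this is not code from the original article). It goes a bit beyond the one-liner above: it looks up the app principal by client ID or by display name, and reports the start and end dates of both the KeyCredentials and the PasswordCredentials (the client secret), together with the days remaining. The function name and the 30-day warning threshold are my own choices; it assumes Connect-AzureAD has already been run.

```powershell
# Added example: report the validity window of a SharePoint ACS app principal.
# Assumes the AzureAD module is loaded and Connect-AzureAD has succeeded.
function Get-AppPrincipalValidity {
    [CmdletBinding(DefaultParameterSetName = 'ByAppId')]
    param(
        # Client ID (AppId) of the app principal
        [Parameter(Mandatory, ParameterSetName = 'ByAppId')]
        [string]$ClientId,

        # Exact display name of the app principal
        [Parameter(Mandatory, ParameterSetName = 'ByName')]
        [string]$DisplayName,

        # Flag credentials with fewer than this many days left (arbitrary default)
        [int]$WarnDays = 30
    )

    # Build the OData filter; double any single quote so a name cannot break the filter string
    $filter = if ($PSCmdlet.ParameterSetName -eq 'ByAppId') {
        "appId eq '$($ClientId.Replace("'", "''"))'"
    } else {
        "displayName eq '$($DisplayName.Replace("'", "''"))'"
    }

    $principals = @(Get-AzureADServicePrincipal -Filter $filter)
    if ($principals.Count -eq 0) {
        throw "No service principal found for filter: $filter"
    }

    $now = Get-Date
    foreach ($sp in $principals) {
        # KeyCredentials hold the signing certificate, PasswordCredentials the client secret;
        # both are reported so a mismatch between their dates is visible.
        foreach ($kind in 'KeyCredentials', 'PasswordCredentials') {
            foreach ($c in $sp.$kind) {
                $daysLeft = [int]($c.EndDate - $now).TotalDays
                $status = 'OK'
                if ($daysLeft -lt 0) { $status = 'EXPIRED' }
                elseif ($daysLeft -lt $WarnDays) { $status = 'EXPIRING' }
                [pscustomobject]@{
                    DisplayName = $sp.DisplayName; AppId = $sp.AppId; Credential = $kind
                    KeyId = $c.KeyId; StartDate = $c.StartDate; EndDate = $c.EndDate
                    DaysLeft = $daysLeft; Status = $status
                }
            }
        }
    }
}

# Usage with the client ID from this article:
Get-AppPrincipalValidity -ClientId '5b10e80f-4320-4a80-a2a4-451e919af3e8' | Format-Table -AutoSize
```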
References