How to reset the Microsoft Service Principal if it has expired (Basic Authentication)

When using MailStore to archive Microsoft Office 365 with basic authentication, one important step is to create a Service Principal account using the Microsoft Azure PowerShell interface.

By default, the credential of this Service Principal account is only valid for 365 days from the point of creation.

Once it expires, any further MailStore Directory Service user synchronisations will fail with an error relating to expired API tokens, like this:

“MailStore Server was unable to retrieve a list of users from Directory Services. Requesting Microsoft Graph API token failed: AADSTS7000215: Invalid client secret is provided.”

To resolve this, the existing Service Principal (typically named MailStoreSP) will need to be removed and a new one created.

Steps:

  1. Open a PowerShell Session.
  2. Connect to the Office 365 Azure AD tenant using the command:

    Connect-MsolService -AzureEnvironment AzureCloud

    A login dialog opens. Enter the admin credentials of your Microsoft Office 365 plan.
  3. To get a list of all service principals that were created with the name MailStoreSP, use the command:

    Get-MsolServicePrincipal -SearchString MailStoreSP

    Note: you may have given this account a different name if you did not follow the existing setup guide. Check the MailStore Directory Services configuration for the exact account name.

    This should return every Service Principal created with that name, as in this example:

    ExtensionData : System.Runtime.Serialization.ExtensionDataObject
    AccountEnabled : True
    Addresses : {}
    AppPrincipalId : 72c95713-a7e2-4170-9f91-ad9fe457ac1a
    DisplayName : MailStoreSP
    ObjectId : 39857919-9c7e-4e7e-9870-7ed650036d4b
    ServicePrincipalNames : {72c95713-a7e2-4170-9f91-ad9fe457ac1a, MailStoreSP}
    TrustedForDelegation : False

  4. The ObjectId value is needed to remove the existing account. This is done by running the following command:

    Remove-MsolServicePrincipal -ObjectId 39857919-9c7e-4e7e-9870-7ed650036d4b

    Replace the value shown with the correct ObjectId for your account.
  5. Finally, to create a new account with a 10 year expiry, use these two commands:

    $principal = New-MsolServicePrincipal -DisplayName 'MailStoreSP' -ServicePrincipalNames @("MailStoreSP") -Type Password -Value 'use_a_password_of_your_choice_here' -StartDate (Get-Date) -EndDate (Get-Date).AddYears(10)

    Replace use_a_password_of_your_choice_here with the correct password.

    Add-MsolRoleMember -RoleName "Directory Readers" -RoleMemberType ServicePrincipal -RoleMemberObjectId $principal.ObjectId
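
To confirm that an expired credential is the cause before removing the account in step 4, and to check the end date of the new credential after step 5, the validity window can be read back and evaluated. The following is an added example, not part of the original MailStore guide: the function name Get-CredentialExpiryStatus and the 30-day warning threshold are assumptions, and the sample objects are constructed, not real tenant output. Get-MsolServicePrincipalCredential is a cmdlet from the same MSOnline module used in the steps above.

```powershell
# Added example: report how long each service principal credential remains valid.
function Get-CredentialExpiryStatus {
    [CmdletBinding()]
    param(
        # Credential record exposing KeyId, StartDate and EndDate properties
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Credential,
        # Flag credentials with fewer than this many days left (assumed default)
        [int]$WarnDays = 30,
        # Reference time, parameterised so the check is repeatable
        [datetime]$Now = (Get-Date)
    )
    process {
        # Whole days remaining; negative once the end date has passed
        $daysLeft = [math]::Floor(($Credential.EndDate - $Now).TotalDays)

        if ($Credential.StartDate -gt $Now) { $status = 'NotYetValid' }
        elseif ($daysLeft -lt 0)            { $status = 'Expired' }
        elseif ($daysLeft -lt $WarnDays)    { $status = 'ExpiringSoon' }
        else                                { $status = 'Valid' }

        [pscustomobject]@{
            KeyId    = $Credential.KeyId
            EndDate  = $Credential.EndDate
            DaysLeft = $daysLeft
            Status   = $status
        }
    }
}

# Constructed sample records shaped like credential objects (not real tenant data)
$now = [datetime]'2024-06-01'
$sample = @(
    [pscustomobject]@{ KeyId = 'sample-key-1'; StartDate = [datetime]'2023-05-01'; EndDate = [datetime]'2024-05-01' }
    [pscustomobject]@{ KeyId = 'sample-key-2'; StartDate = [datetime]'2023-06-15'; EndDate = [datetime]'2024-06-15' }
    [pscustomobject]@{ KeyId = 'sample-key-3'; StartDate = [datetime]'2024-05-20'; EndDate = [datetime]'2034-05-20' }
)
$sample | Get-CredentialExpiryStatus -Now $now | Format-Table -AutoSize

# Against the tenant, after Connect-MsolService; the ObjectId is the value
# returned in step 3. -ReturnKeyValues $false keeps key material out of the output.
# Get-MsolServicePrincipalCredential -ObjectId <ObjectId> -ReturnKeyValues $false |
#     Get-CredentialExpiryStatus
```

With the sample data the three records report Expired, ExpiringSoon and Valid respectively. Running the commented command on a schedule gives advance notice before synchronisation starts failing.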