Skip to content
Schoolyear AVD

Rotate Secrets

Rotate App Registration Secret

Section titled “Rotate App Registration Secret”

The secret for the App Registration used by the Schoolyear AVD add-on expires periodically. The expiration period is determined by the duration you configure when creating the secret.

To ensure uninterrupted service, you must rotate the secret before it expires.

Follow these steps to rotate the secret:

  1. Open the AVD Add-on in your Schoolyear Secure Apps Console.

  2. Navigate to the Infrastructure tab, find the App Registration (client ID), and copy its value.

  3. Open your Microsoft Entra admin center, go to App Registrations > All applications, and search for the client ID you copied.

  4. In the App Registration, go to Certificates & secrets > Client secrets and click + New client secret.

  5. Enter a description for the secret and select an expiration date.

  6. Important: Without leaving or refreshing the page, copy the Value of the newly created secret (not the Secret ID).

  7. Return to the AVD Add-on in the Schoolyear Secure Apps Console and open the Deployment config tab.

  8. Paste the new secret value into the App Registration > Secret field and click Save Changes.

Rotate SSL Certificate

Section titled “Rotate SSL Certificate”

The SSL certificate you imported during the initial setup also expires. The validity period depends on your certificate provider.

Before the certificate expires, you must obtain a new one and import it into Azure Key Vault. The process for renewing a certificate varies by organization, but the new certificate must meet the following requirements:

  • It must be a wildcard certificate for the domain where your AVD implementation is hosted.
  • It must include the entire certificate chain, up to the root certificate.

You can find the domain name, Key Vault name, and the current certificate name in the Infrastructure tab of the AVD add-on.

Once you have the new certificate file (usually in .pfx or .pem format), upload it to the Azure Key Vault as a new version of the existing certificate object. After the new version is imported, all subsequent exam deployments will automatically use the new certificate.