Key rotation

Two secrets in your stack benefit from periodic rotation: the admin key (gates the dashboard) and the AAD app client secret (used by Teams SSO).

Admin key

Rotate from the dashboard:

  1. Open the dashboard.
  2. Click Rotate admin key in the Settings panel.
  3. The new key is shown once. Copy it to your password manager.
  4. All existing sessions are invalidated immediately.
  5. Log in again with the new key.

The rotation writes the new value to your Key Vault as admin-key. The customer-runtime reads from KV first (5-second cache), so the new key takes effect within seconds across all instances.

AAD app client secret

The auto-created AAD app secret has a 90-day expiry. Before expiry:

# Generate a new secret.
# Without --append, reset replaces the app's existing credentials,
# so the old secret stops working as soon as this command runs.
NEW_SECRET=$(az ad app credential reset \
  --id <your-aad-app-object-id> \
  --display-name "PointOfContactAI Teams SSO secret (rotated $(date +%Y-%m-%d))" \
  --years 0 \
  --query password -o tsv)

# Upsert to KV
az keyvault secret set \
  --vault-name pocaikv{stack-hash} \
  --name AadAppClientSecret \
  --value "$NEW_SECRET"

# Restart the Function App to flush the secret cache
az functionapp restart -n pocai-fa-{stack-hash} -g mrg-pointofcontactai-{guid}

The customer-runtime reads AadAppClientSecret from KV with a 5-minute cache; the restart forces an immediate refresh.

(Auto-rotation lands in v1.1 — we’ll PATCH the customer FA + KV at day 75 of each cycle, sending an email confirmation.)
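
To catch the 90-day expiry before it hits, the check below flags any app secret with 15 or fewer days left, which corresponds to day 75 of the cycle. It is an added example, not part of PointOfContactAI's own tooling. The function names, the 15-day threshold variable and the sample credentials are assumptions made for illustration, and it relies on GNU date and on the endDateTime and displayName fields that az returns for app credentials.

```shell
# Assumption: act once 15 or fewer days remain (day 75 of a 90-day secret).
ROTATE_WHEN_DAYS_LEFT=15
TAB=$(printf '\t')

# classify_secret <end> <now>: prints EXPIRED, ROTATE or OK.
# Both arguments are ISO 8601 UTC timestamps; needs GNU date for -d.
classify_secret() {
  local end_s now_s left
  end_s=$(date -u -d "$1" +%s) || return 2
  now_s=$(date -u -d "$2" +%s) || return 2
  left=$(( end_s - now_s ))
  if [ "$left" -le 0 ]; then
    echo EXPIRED
  elif [ "$left" -le $(( ROTATE_WHEN_DAYS_LEFT * 86400 )) ]; then
    echo ROTATE
  else
    echo OK
  fi
}

# check_secrets <now>: reads "endDateTime<TAB>displayName" lines on stdin,
# prints one status line per credential, returns 1 if any needs action.
check_secrets() {
  local now="$1" rc=0 end name status
  while IFS="$TAB" read -r end name; do
    [ -n "$end" ] || continue
    if status=$(classify_secret "$end" "$now"); then
      echo "$status $end $name"
      [ "$status" = OK ] || rc=1
    else
      echo "UNPARSEABLE $end $name"   # a bad timestamp also needs attention
      rc=1
    fi
  done
  return "$rc"
}

# Live use (replace the placeholder with your app's object id):
#   az ad app credential list --id <your-aad-app-object-id> \
#     --query "[].[endDateTime, displayName]" -o tsv \
#     | check_secrets "$(date -u +%Y-%m-%dT%H:%M:%SZ)"

# Constructed sample input, evaluated as of a fixed date so it runs offline.
printf '2025-06-01T00:00:00Z\tfresh secret\n2025-04-01T00:00:00Z\told secret\n' \
  | check_secrets "2025-03-20T00:00:00Z" || echo "action needed: rotate the AAD app secret"
```

The non-zero return code makes it usable from a scheduled job that alerts when the check fails.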