After using Proofpoint on O365 for a while, you'll most likely have the Azure sync feature configured to keep your organization's mailboxes updated in Proofpoint automatically. However, the shared secret that Proofpoint uses for this functionality has a maximum life of two years on the O365 side. This means that once that two-year mark is reached, the Azure sync will no longer automatically add / remove mailboxes to reflect any changes in O365.

If your Azure sync happens to expire, you may see the following error when attempting to save your sync settings:

Thankfully, this can be fixed by regenerating that secret value in O365 and updating that information in Proofpoint. It should only take a few minutes to complete, and these are the required steps:


Locate your sync application in Microsoft Entra / Azure AD


  • Log into your O365 Admin Center, then click the option for Microsoft Entra. (You may need to click Show All first.)

  • On the left side of this page, go to Applications > App Registrations.

  • Click on All Applications, then click on the app you created when setting up the Azure sync. It may be called something along the lines of "Proofpoint Essentials Azure AD Sync." (The application ID listed next to it on the right should match the application ID listed in Proofpoint under User Management > Import and Sync > Azure Directory Sync.)

  • Copy the listed Application (client) ID to somewhere safe like a Notepad window, as this will be needed later.

  • On the left side of the screen, click on Certificates and Secrets. The secret shown on the next page should display the expiration date next to it. (This one is not currently expired, but yours might be.)


Generate a new secret value


  • Click on + New Client Secret.
  • Fill a name in the “Description” box, then set the expiration date to the longest possible value of 24 months.
  • Click the Add button when finished.

  • The new secret value will now appear, but this is the only time it will be visible. Copy the new string under “Value” over to your Notepad window.

  • You should now have both your application ID and your new client secret copied down in Notepad.


Update the secret value in Proofpoint


  • In your Proofpoint tenant, navigate to User Management > Import and Sync > Azure Directory Sync.

  • Make sure the Application (client) ID field matches what you just saw in Azure.
  • Paste the new secret value into the Client Secret Key field.
  • Click Save at the bottom of the page.

If everything worked correctly, you should see this message after saving: