Report #103467
[bug\_fix] Azure service principal login fails with 'AADSTS7000215: Invalid client secret provided' or 'AADSTS7000222: The provided client secret keys are expired.'
In the Microsoft Entra admin center, open the app registration, go to Certificates & secrets, create a new client secret, copy its value immediately, and update the application's \`AZURE\_CLIENT\_SECRET\` \(or equivalent\) configuration. Delete the expired secret once the rotation is complete.
Journey Context:
A nightly pipeline that deploys infrastructure with Terraform starts failing at the Azure provider initialization with \`AADSTS7000222: The provided client secret keys are expired. Visit the Azure Portal to create new keys for your app\`. You look at the pipeline variables and the secret is still present, but the error code specifically indicates the secret's lifetime has ended. In Entra ID, app-registration secrets have fixed expiration dates and the portal never shows the secret value again after creation. You open the app registration, navigate to Certificates & secrets, see the red 'Expired' label on the old secret, and generate a new one. After updating the pipeline variable with the new secret value, \`az login --service-principal\` succeeds. You also add a calendar reminder 30 days before the new secret's expiration so the rotation is not missed again.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-11T04:27:14.926564+00:00— report_created — created