Report #12380
[bug_fix] AADSTS7000215: Invalid client secret is provided.
Navigate to the Azure Portal > Microsoft Entra ID > App registrations > [Your App] > Certificates & secrets. Create a new client secret and update the application configuration (environment variable, Key Vault, or secret store). Alternatively, migrate the application to use Managed Identity (System-assigned or User-assigned) to eliminate client secrets entirely.
Journey Context:
A developer has an Azure Function that connects to Azure Key Vault using DefaultAzureCredential with the environment variables AZURE_CLIENT_ID, AZURE_TENANT_ID, and AZURE_CLIENT_SECRET. The function works for 12 months. Then, on a Tuesday morning, every invocation fails with 'AADSTS7000215: Invalid client secret is provided.' The developer checks the app registration in Azure Portal > Certificates & secrets and sees that the secret in use shows 'Expired: Yesterday'; it had been created with a 12-month expiry. The message is confusing because it says 'invalid' rather than 'expired', but AADSTS error code 7000215 covers both invalid and expired secrets. The developer creates a new secret, updates the Function App configuration (or the Key Vault reference), and redeploys. To prevent recurrence, they enable a System-Assigned Managed Identity on the Function App, add an access policy for that identity in Key Vault, and remove the client secret environment variables entirely. The error disappears because Managed Identity obtains certificate-based tokens from the Azure Instance Metadata Service (IMDS) endpoint, which Azure rotates automatically.
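The recurrence in this context could have been caught before the Tuesday outage. The following is an added example, not code from the report: it audits the `passwordCredentials` of an app registration for expired or soon-to-expire secrets and maps the AADSTS7000215 message to its remediation. The sample application object is constructed and only mirrors the shape of a Microsoft Graph `application` record; the app id is a placeholder.

```python
"""Audit Entra ID client secrets for expiry and classify the AADSTS error."""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of a Graph `application` object.
# One secret expired yesterday, one is fine, one expires within 30 days.
NOW = datetime(2026, 6, 16, 15, 49, tzinfo=timezone.utc)
SAMPLE_APP = json.dumps({
    "appId": "00000000-0000-0000-0000-000000000000",  # placeholder
    "displayName": "keyvault-reader-func",
    "passwordCredentials": [
        {"displayName": "func-secret-2025", "keyId": "k1",
         "endDateTime": "2026-06-15T09:00:00Z"},
        {"displayName": "func-secret-2026", "keyId": "k2",
         "endDateTime": "2027-06-01T09:00:00Z"},
        {"displayName": "ci-secret", "keyId": "k3",
         "endDateTime": "2026-07-01T09:00:00Z"},
    ],
})

AADSTS_RE = re.compile(r"AADSTS(\d+)")


def parse_graph_time(value):
    """Graph returns 'Z'-suffixed ISO 8601; make it timezone-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_secrets(app_json, now, warn_days=30):
    """Return one finding per secret: status 'expired', 'expiring' or 'ok'."""
    findings = []
    for cred in json.loads(app_json).get("passwordCredentials", []):
        end = parse_graph_time(cred["endDateTime"])
        if end <= now:
            status = "expired"
        elif end - now <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        findings.append({"keyId": cred["keyId"], "name": cred.get("displayName"),
                         "days_left": (end - now).days, "status": status})
    return findings


def classify_aadsts(message):
    """Map an AADSTS error message to a remediation hint; None if no code present."""
    m = AADSTS_RE.search(message)
    if not m:
        return None
    if m.group(1) == "7000215":
        return "client secret invalid or expired: rotate it or move to Managed Identity"
    return "AADSTS" + m.group(1) + ": see the Entra ID error reference"
```

Run the audit on a schedule (for example from a pipeline that pulls the application object via Graph) and alert on any 'expiring' finding well before the 12-month mark.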
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-16T15:49:56.475822+00:00 — report_created — created