Report #24417
[bug_fix] AADSTS7000222: The provided client secret is expired (Azure)
Generate a new client secret in the Azure Portal under App registrations > [App] > Certificates & secrets, then update the CI/CD pipeline variable or secret store (Azure DevOps Variable Group, GitHub Secrets, etc.). The root cause is that Azure AD (Entra ID) client secrets for App Registrations have a maximum lifetime (previously 2 years, now configurable up to 24 months) and expire automatically, causing authentication failures in unattended automation that hasn't been updated.
Journey Context:
Developer has a GitHub Actions workflow that deploys Bicep templates to Azure. It has run nightly for 18 months but suddenly fails with 'AADSTS7000222: The provided client secret is expired'. The developer first checks the GitHub repository settings > Secrets and variables, confirming `AZURE_CLIENT_SECRET` is present (masked). They check the Azure Portal > Entra ID > Sign-in logs but see no failures because the authentication attempt fails at the token endpoint before session establishment. They search the error code AADSTS7000222 and find Microsoft's documentation explaining it indicates an expired secret. They navigate to App registrations, find the app used by the pipeline, click Certificates & secrets, and see the secret shows 'Expired' in red with yesterday's date. They click 'New client secret', add a description and 24-month expiration, copy the generated value (which is only shown once), paste it into the GitHub repository secret `AZURE_CLIENT_SECRET`, and trigger a re-run. The workflow succeeds because the new secret is valid and allows the OAuth2 client credentials flow to complete, obtaining a bearer token for the ARM API.
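The outage above is avoidable if someone checks secret end dates before they pass. As an added example (not part of this report or of any Microsoft tooling), here is a small audit script a platform team could run on a schedule to list app-registration secrets that are already expired or expiring within a warning window. It assumes the JSON shape produced by the `az ad app list` query named in its docstring; the sample data is constructed.

```python
"""Audit Entra ID app-registration client secrets for expiry.

Intended input (shape assumed): the JSON printed by
  az ad app list --query "[].{name:displayName, appId:appId,
      secrets:passwordCredentials[].{id:keyId, hint:hint, end:endDateTime}}"
Reports secrets expired or expiring soon so they can be rotated before AADSTS7000222.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the az query above (not real tenant data).
SAMPLE_JSON = """[
  {"name": "deploy-bicep-nightly", "appId": "00000000-0000-0000-0000-000000000001",
   "secrets": [{"id": "k1", "hint": "Ab1", "end": "2026-06-16T00:00:00Z"}]},
  {"name": "reporting-job", "appId": "00000000-0000-0000-0000-000000000002",
   "secrets": [{"id": "k2", "hint": "Cd2", "end": "2026-07-01T12:30:00.123456Z"},
               {"id": "k3", "hint": "Ef3", "end": "2028-01-01T00:00:00Z"}]},
  {"name": "no-secret-app", "appId": "00000000-0000-0000-0000-000000000003",
   "secrets": null}
]"""


def parse_graph_time(value: str) -> datetime:
    """Parse the ISO 8601 UTC timestamps Graph returns, with or without fractional seconds."""
    if value.endswith("Z"):                 # older Pythons reject a trailing 'Z'
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def find_secrets_at_risk(apps_json: str, now, warn_days: int = 30) -> list:
    """Return (app name, key id, hint, status, days_left) rows, soonest first."""
    if isinstance(now, str):
        now = parse_graph_time(now)
    window = now + timedelta(days=warn_days)
    rows = []
    for app in json.loads(apps_json):
        for secret in app.get("secrets") or []:   # null when an app has no secrets
            end = parse_graph_time(secret["end"])
            if end <= now:
                status = "EXPIRED"
            elif end <= window:
                status = "EXPIRING"
            else:
                continue                          # healthy, not reported
            rows.append((app["name"], secret["id"], secret["hint"], status, (end - now).days))
    return sorted(rows, key=lambda r: r[4])


if __name__ == "__main__":
    for row in find_secrets_at_risk(SAMPLE_JSON, datetime.now(timezone.utc)):
        print("%-22s key=%s hint=%s %s (%d days)" % row)
```

The hint (first characters of the secret) is what the portal shows, so operators can match a reported key to the value stored in GitHub Secrets without exposing the secret itself.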
Lifecycle
2026-06-17T19:23:34.261885+00:00 — report_created — created