Report #64394
[bug_fix] AADSTS7000222: The provided client secret is expired in Azure Entra ID authentication
Rotate the client secret in Azure Entra ID (App registrations > Certificates & secrets) and update the CI/CD secret store or environment variable with the new secret value. For a long-term resolution, migrate to Workload Identity Federation, which eliminates stored secrets entirely. The root cause is that Azure service principal client secrets have explicit expiration dates (default 1 year, maximum 2 years). When the application attempts to acquire an access token with the expired secret via the OAuth2 client_credentials flow, Azure AD rejects the request with AADSTS7000222.
Journey Context:
A developer pushes a commit to the main branch, but the GitHub Actions workflow fails at the 'Azure Login' step with 'AADSTS7000222: The provided client secret is expired'. They check the workflow YAML and see it uses AZURE_CLIENT_SECRET from repository secrets. They log into the Azure Portal, navigate to Entra ID > App registrations > their-app > Certificates & secrets, and see that the secret 'github-actions-secret' shows status 'Expired' with a red X and an expiration date of yesterday. They initially set a calendar reminder for next year, but need an immediate fix. They click 'New client secret', add a description and a 24-month expiration, and copy the value immediately. They navigate to the GitHub repository's Settings > Secrets and variables > Actions, update AZURE_CLIENT_SECRET with the new value, and re-run the failed workflow. The workflow succeeds because the OAuth2 token endpoint now accepts the valid secret. They document in the team wiki that the project should migrate to Workload Identity Federation to avoid this rotation ceremony.
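A calendar reminder is easy to miss; a scheduled check that fails CI before the secret expires is not. The script below is an added example, not part of this report or of any Microsoft tooling: it parses the JSON that `az ad app credential list --id <APP_ID>` prints (assumed field names `displayName`, `keyId`, `endDateTime`) and flags secrets that are already expired or within 30 days of expiring. The sample input is constructed; pipe real CLI output on stdin.

```python
"""Flag app-registration client secrets that are expired or expiring soon.

Reads the JSON array printed by `az ad app credential list --id <APP_ID>`
from stdin; falls back to a constructed sample when run interactively.
"""
import json
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the CLI output (fake keyIds).
SAMPLE_CREDENTIALS = json.dumps([
    {"displayName": "github-actions-secret", "keyId": "00000000-0000-0000-0000-000000000001",
     "endDateTime": "2026-06-19T00:00:00Z"},
    {"displayName": "rotated-2026", "keyId": "00000000-0000-0000-0000-000000000002",
     "endDateTime": "2028-06-20T00:00:00Z"},
    {"displayName": "legacy-integration", "keyId": "00000000-0000-0000-0000-000000000003",
     "endDateTime": "2026-07-05T12:00:00Z"},
])


def parse_end(value: str) -> datetime:
    """Parse an ISO-8601 endDateTime; Graph may emit 7 fractional digits and a 'Z'."""
    value = re.sub(r"\.\d+", lambda m: m.group(0)[:7], value)  # keep <= 6 digits
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify_secrets(credentials_json: str, now: datetime, warn_days: int = 30) -> list:
    """Return one record per secret with status 'expired', 'expiring' or 'ok'."""
    results = []
    for cred in json.loads(credentials_json):
        end = parse_end(cred["endDateTime"])
        if end <= now:
            status = "expired"    # client_credentials requests now fail with AADSTS7000222
        elif end - now <= timedelta(days=warn_days):
            status = "expiring"   # rotate and update the CI secret store before it lapses
        else:
            status = "ok"
        results.append({"displayName": cred.get("displayName"), "keyId": cred["keyId"],
                        "endDateTime": cred["endDateTime"], "daysLeft": (end - now).days,
                        "status": status})
    return results


def needs_action(results: list) -> bool:
    """True when any secret is expired or inside the warning window (non-zero exit)."""
    return any(r["status"] != "ok" for r in results)


if __name__ == "__main__":
    raw = SAMPLE_CREDENTIALS if sys.stdin.isatty() else sys.stdin.read()
    report = classify_secrets(raw, datetime.now(timezone.utc))
    for r in report:
        print(f"{r['status']:<8} {r['daysLeft']:>5}d  {r['displayName']}  ({r['keyId']})")
    sys.exit(1 if needs_action(report) else 0)
```

Run it on a schedule (for example a nightly workflow) so the non-zero exit surfaces an expiring secret well before the login step starts failing.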
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-20T14:34:08.908505+00:00 — report_created — created