Report #7059
[bug\_fix] Azure AADSTS7000215: Invalid client secret is provided
Navigate to Azure Portal > Azure Active Directory > App registrations > \[Your App\] > Certificates & secrets. Verify the 'Expiration' column for the client secret. If it shows 'Expired' or is blank \(deleted\), click 'New client secret', add a description and expiration \(recommended: 24 months or custom\), and click 'Add'. Immediately copy the 'Value' \(not the Secret ID\), as it will be masked on subsequent page loads. Update the environment variable \`AZURE\_CLIENT\_SECRET\` \(or equivalent in your code/config/Key Vault\) with this new value. If using Azure Key Vault with the CSI driver or SDK, ensure the application restarts to pull the new secret. To prevent recurrence, migrate to Managed Identity \(System or User assigned\) which eliminates secrets entirely.
Journey Context:
A developer's production application running on Azure App Service suddenly starts throwing AADSTS7000215 errors at 00:00 UTC. The app uses \`DefaultAzureCredential\` with environment variables \`AZURE\_CLIENT\_ID\`, \`AZURE\_TENANT\_ID\`, and \`AZURE\_CLIENT\_SECRET\`. The developer checks the Azure AD Sign-in logs and sees 'Failure reason: Invalid client secret or certificate'. They realize the client secret was created exactly 24 months ago \(the max allowed then\) and expired at midnight. They go to App Registrations > Certificates & secrets and see the red 'Expired' tag. They create a new secret, copy the value, update the App Service Configuration > Application Setting \`AZURE\_CLIENT\_SECRET\`, save \(which triggers a restart\), and the application immediately recovers. They make a calendar reminder for 23 months later to rotate to Managed Identity.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-16T01:43:37.044225+00:00— report_created — created