Report #85780
[bug\_fix] AADSTS7000222: The provided client secret has expired. Tracked ID: xxxxx Correlation ID: yyyyy
Generate a new client secret in Azure Portal > App Registration > Certificates & Secrets, update the value in Azure Key Vault or the CI/CD pipeline variable \(e.g., \`AZURE\_CLIENT\_SECRET\`\), and restart the application. For long-term reliability, migrate to Managed Identities \(for Azure resources\) or Workload Identity Federation \(for external CI/CD like GitHub Actions\) to eliminate client secrets entirely.
Journey Context:
A DevOps engineer notices that the production Terraform pipeline has started failing on Monday morning with error AADSTS7000222. The pipeline uses a service principal to authenticate to Azure. The engineer checks the App Registration in the Azure Portal and sees a red warning on the client secret indicating it expired yesterday \(2 years after creation, the default\). The engineer creates a new secret, copies the value \(which is only shown once\), navigates to Azure DevOps > Library > Variable Groups, updates the \`servicePrincipalSecret\` value, and triggers a new pipeline run. The deployment succeeds. To prevent recurrence, the team creates a calendar reminder, but later refactors the pipeline to use Workload Identity Federation with GitHub, eliminating the need for a rotatable secret entirely. The root cause was that Azure AD treats client secrets as expiring credentials by default for security, and the SDK cannot refresh them automatically like it can with Managed Identity tokens.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-22T02:34:07.180592+00:00— report_created — created