Report #88468
[bug_fix] AADSTS7000222: The provided client secret keys are expired
Generate a new client secret in the Azure AD App Registration (under Certificates & secrets), update the application configuration or secret store (Key Vault, environment variable) with the new secret value, and restart the application. For a permanent fix, migrate the application to use Managed Identity (System-assigned or User-assigned) to eliminate the need for manually managed secrets and rotation.
Journey Context:
A production ASP.NET Core API running on Azure App Services suddenly starts returning 500 errors, with the startup logs showing `Microsoft.Identity.Client.MsalServiceException: AADSTS7000222`. The application uses `DefaultAzureCredential` to connect to Azure Key Vault through a Service Principal configured via `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, and `AZURE_CLIENT_SECRET` in Application Settings. The error code 7000222 indicates the client secret has reached its expiration date. The developer checks the Azure Portal > Azure Active Directory > App registrations > [Their App] > Certificates & secrets and confirms that the secret they created 6 months ago (with a 6-month expiration) shows 'Expired' in red. They create a new secret, copy the 'Value' (not the ID), navigate to the App Service Configuration blade, update the `AZURE_CLIENT_SECRET` setting with the new value, save, and restart the App Service. The application starts successfully. To prevent recurrence, the team implements Azure Key Vault with automatic rotation policies and migrates the App Service to System-assigned Managed Identity, removing the need for client secrets entirely.
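As an added example (not part of this report or of the team's own code), the following Python script shows the two checks that turn this outage into an early warning: spotting the AADSTS error code in application log lines, and flagging app registration secrets that are already expired or inside a warning window, using the field names (`keyId`, `displayName`, `endDateTime`) found in `az ad app credential list` output. The log lines and credential list are constructed for the demo; the second error code in the lookup table and the 30-day warning window are assumptions, not values from the report.

```python
"""Added example (not from the original report): detect AADSTS7000222 in
application logs and flag Azure AD app secrets that are expired or close to
expiry, using the JSON shape returned by `az ad app credential list`.
All input data below is constructed for the demo."""
import json
import re
from datetime import datetime, timedelta, timezone

# AADSTS codes this demo understands. 7000222 is the code from the report;
# 7000215 (invalid secret) is an assumption added so the parser shows that
# an unexpired-but-wrong secret is a different failure from an expired one.
AADSTS_MEANINGS = {
    "7000222": "client secret expired",
    "7000215": "client secret invalid",
}

AADSTS_RE = re.compile(r"AADSTS(\d+)")


def classify_log_lines(lines):
    """Return [(line_no, code, meaning)] for every log line carrying an AADSTS code."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = AADSTS_RE.search(line)
        if m:
            code = m.group(1)
            hits.append((n, code, AADSTS_MEANINGS.get(code, "unknown AADSTS code")))
    return hits


def check_credentials(credential_json, now, warn_days=30):
    """Classify each password credential as 'expired', 'expiring', or 'ok'.

    credential_json: text in the shape of `az ad app credential list --id <appId>`
    (a JSON array with keyId, displayName and endDateTime per secret).
    warn_days: assumed warning window; anything ending inside it is 'expiring'.
    """
    results = []
    threshold = now + timedelta(days=warn_days)
    for cred in json.loads(credential_json):
        # endDateTime is ISO 8601 with a trailing Z; fromisoformat needs +00:00
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        if end <= now:
            status = "expired"
        elif end <= threshold:
            status = "expiring"
        else:
            status = "ok"
        results.append((cred["keyId"], cred.get("displayName"), status))
    return results


# Constructed sample log lines (not real output from the report's system).
SAMPLE_LOG = [
    "info: Microsoft.Hosting.Lifetime[0] Starting host",
    "fail: Microsoft.Identity.Client.MsalServiceException: AADSTS7000222: "
    "The provided client secret keys are expired.",
    "info: Microsoft.Hosting.Lifetime[0] Application shutting down",
]

# Constructed credential list in the shape of `az ad app credential list` output.
SAMPLE_CREDENTIALS = json.dumps([
    {"keyId": "11111111-1111-1111-1111-111111111111", "displayName": "old-secret",
     "endDateTime": "2026-06-01T00:00:00Z"},
    {"keyId": "22222222-2222-2222-2222-222222222222", "displayName": "rotated-secret",
     "endDateTime": "2026-12-15T00:00:00Z"},
    {"keyId": "33333333-3333-3333-3333-333333333333", "displayName": "soon-to-expire",
     "endDateTime": "2026-07-10T00:00:00Z"},
])

# Fixed "now" so the output is reproducible; chosen to match the report's date.
DEMO_NOW = datetime(2026, 6, 22, tzinfo=timezone.utc)

if __name__ == "__main__":
    for n, code, meaning in classify_log_lines(SAMPLE_LOG):
        print(f"log line {n}: AADSTS{code} -> {meaning}")
    for key_id, name, status in check_credentials(SAMPLE_CREDENTIALS, DEMO_NOW):
        print(f"{status:8} {name} ({key_id})")
```

In practice the credential check would be fed from a scheduled job (for example `az ad app credential list --id <appId> -o json` piped into `check_credentials` with `datetime.now(timezone.utc)`), and any `expiring` result raised as a ticket well before the secret lapses; once the App Service runs under Managed Identity, the list should contain no password credentials at all, which the same check makes visible.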
Lifecycle
2026-06-22T07:04:37.662592+00:00 — report_created — created