Report #8887
[bug_fix] AADSTS7000215: Invalid client secret is provided.
Generate a new client secret in the Azure Portal under App registrations > Certificates & secrets, copy the new secret value immediately, and update the application's environment variable or Key Vault, because Azure AD client secrets expire after a maximum of 24 months and validation fails at the token endpoint.
Journey Context:
A DevOps engineer maintains an Azure Function that connects to Azure Key Vault using a service principal. The function suddenly starts throwing Azure.Identity.AuthenticationFailedException: AADSTS7000215: Invalid client secret is provided. The engineer checks the app settings in the Function App configuration and confirms the ClientSecret setting is present. They open the Azure Portal, navigate to App registrations, find the service principal, and click 'Certificates & secrets'. They discover that the client secret used by the function shows a 'Status' of 'Expired' with a red warning, and the 'Expires' date was yesterday. The engineer recalls that Azure AD client secrets have a maximum lifetime of 24 months (730 days) and this one was created exactly two years ago during initial deployment. They click 'New client secret', add a description and 24-month expiration, copy the new value, and update the Azure Function App's configuration with the new secret. The function restarts and successfully authenticates to Key Vault. The fix works because the JWT client assertion sent to Azure AD's token endpoint (login.microsoftonline.com) is signed with the client secret; if the secret is expired, the signature validation fails at the directory level, rejecting the token request regardless of IAM role assignments.
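The check the engineer did by hand in the portal can be scripted so the expiry is caught before the token endpoint starts returning AADSTS7000215. The following Python script is an added example, not code from the report or from any Azure tooling: it reads the JSON array that `az ad app credential list --id <appId>` prints and flags every secret on the app registration that is expired or inside a warning window (it covers all secrets of the registration, not only the one that broke this function). The field names `displayName`, `keyId`, `hint`, `startDateTime` and `endDateTime` are assumed to match the Microsoft Graph passwordCredential resource; the credential list embedded below is constructed, and the reference "now" is the report's own lifecycle timestamp so the sample output is deterministic.

```python
"""Flag expired or soon-to-expire Azure AD app registration client secrets.

Added example, not from the report. Input is the JSON array printed by
`az ad app credential list --id <appId>`; the field names used below
(displayName, keyId, hint, startDateTime, endDateTime) are assumed to match
the Microsoft Graph passwordCredential resource. That command never returns
the secret value itself, only a short hint, so nothing sensitive is logged.
"""
import json
import re
import sys
from datetime import datetime, timezone

# Constructed sample standing in for real `az ad app credential list` output.
SAMPLE_CREDENTIALS_JSON = """[
  {"displayName": "initial-deploy", "keyId": "11111111-1111-1111-1111-111111111111",
   "hint": "Qx7", "startDateTime": "2024-06-15T00:00:00Z",
   "endDateTime": "2026-06-15T00:00:00Z"},
  {"displayName": "rotated-2026", "keyId": "22222222-2222-2222-2222-222222222222",
   "hint": "Lm2", "startDateTime": "2026-06-16T00:00:00.1234567Z",
   "endDateTime": "2028-06-16T00:00:00.1234567Z"},
  {"displayName": "ci-pipeline", "keyId": "33333333-3333-3333-3333-333333333333",
   "hint": "Zp9", "startDateTime": "2025-07-01T00:00:00Z",
   "endDateTime": "2026-07-01T00:00:00Z"}
]"""

# Reference "now" for the worked example: the report's lifecycle timestamp.
REPORT_TIME = datetime(2026, 6, 16, 6, 44, 14, tzinfo=timezone.utc)


def parse_graph_datetime(value: str) -> datetime:
    """Parse a Graph ISO-8601 timestamp into an aware UTC datetime.

    Graph emits a trailing 'Z' and may emit seven fractional digits; neither is
    accepted by datetime.fromisoformat() on every Python version, so both are
    normalised first.
    """
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    value = re.sub(r"\.(\d{6})\d+", r".\1", value)  # trim fraction to microseconds
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def load_credentials(raw_json: str) -> list:
    """Decode the JSON array printed by the CLI."""
    return json.loads(raw_json)


def classify_credentials(credentials: list, now: datetime, warn_days: int = 30) -> list:
    """Return one row per secret, earliest expiry first, with an expiry status.

    status is 'expired' when endDateTime is already past (the AADSTS7000215
    case), 'expiring' when it falls inside the warning window, otherwise 'ok'.
    """
    rows = []
    for cred in credentials:
        expires = parse_graph_datetime(cred["endDateTime"])
        remaining = expires - now
        if remaining.total_seconds() <= 0:
            status = "expired"
        elif remaining.days < warn_days:
            status = "expiring"
        else:
            status = "ok"
        rows.append({
            "displayName": cred.get("displayName") or "(no description)",
            "keyId": cred.get("keyId"),
            "hint": cred.get("hint"),  # first characters of the secret only
            "expires": expires.isoformat(),
            "days_remaining": remaining.days,
            "status": status,
        })
    rows.sort(key=lambda r: r["expires"])
    return rows


def exit_code_for(rows: list) -> int:
    """2 if any secret is already expired, 1 if any is expiring, else 0."""
    statuses = {r["status"] for r in rows}
    if "expired" in statuses:
        return 2
    if "expiring" in statuses:
        return 1
    return 0


def main() -> int:
    # Real use: az ad app credential list --id <appId> | python check_secret_expiry.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CREDENTIALS_JSON
    rows = classify_credentials(load_credentials(raw), datetime.now(timezone.utc))
    for r in rows:
        print(f"{r['status']:8} {r['days_remaining']:5d}d  {r['displayName']}  keyId={r['keyId']}")
    return exit_code_for(rows)


if __name__ == "__main__":
    sys.exit(main())
```

Run it in a scheduled pipeline against each service principal's app registration and treat a non-zero exit as an alert; the `keyId` in the output is what you match against the entry under 'Certificates & secrets' when deciding which secret to rotate, and the warning window gives time to create the replacement and update the Function App setting or Key Vault entry before the old one lapses.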
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-16T06:44:14.907467+00:00 — report_created — created