Skip to content
DevOps AI ToolKit
Newsletter
All guides
Azure with AI By James Joyner IV · · 7 min read

Azure Error: 'AADSTS7000222: The provided client secret keys are expired' — Cause, Fix, and Troubleshooting Guide

Quick answer

Fix Entra ID AADSTS7000222: the client secret keys are expired. Rotate the app registration secret, update Key Vault, or switch to federation.

Part of the Microsoft Entra ID (Azure AD) Sign-in Errors hub
  • #azure
  • #cloud
  • #troubleshooting
  • #errors
  • #entra
Free toolkit

Fixing errors like this? Get 500 free DevOps AI prompts

500 copy-paste AI prompts for the stack you actually run — one PDF, free.

Overview

Entra ID returns AADSTS7000222 during a client-credentials token request when the client secret presented by the application has passed its expiry date. The secret was valid and correctly formed — it has simply aged out. The literal error:

AADSTS7000222: The provided client secret keys for app '11112222-3333-4444-5555-666677778888'
are expired. Visit the Azure portal to create new keys for your app:
https://aka.ms/NewClientSecret, or consider using certificate credentials for added security.
Trace ID: ... Correlation ID: ... Timestamp: 2026-07-12 14:11:07Z

This is the explicit expired-secret variant of the broader invalid_client family — distinct from AADSTS7000215 (a wrong/invalid secret value).

Symptoms

  • A service principal / daemon app suddenly fails all token requests with AADSTS7000222.
  • The failure starts abruptly on the secret’s expiry date, not after a code change.
  • CI/CD service connections, Terraform runs, or backend services using client-credentials break simultaneously.
  • The app registration shows a client secret with a past expiry in the portal.

Common Root Causes

  • Secret reached its expiry — the client secret’s endDateTime is in the past (secrets are capped at 24 months and often set shorter).
  • No rotation process — the secret was created once and never rotated, so expiry was inevitable.
  • Rotated app but stale consumers — a new secret was created but the config/Key Vault entry the app reads still holds the expired one.
  • Multiple secrets, wrong one in use — the app has several secrets and the code is sending an old, expired one.

How to diagnose

List the app’s secrets and their expiry dates to confirm which are expired:

az ad app credential list \
  --id 11112222-3333-4444-5555-666677778888 \
  --query "[].{keyId:keyId, hint:displayName, start:startDateTime, end:endDateTime}" -o table

Any row whose end is before now is expired. Confirm the app id you are diagnosing matches the one in the error:

az ad app show --id 11112222-3333-4444-5555-666677778888 \
  --query "{name:displayName, appId:appId}" -o json

If the secret is stored in Key Vault, check what version consumers actually read:

az keyvault secret show \
  --vault-name app-kv --name sp-client-secret \
  --query "{updated:attributes.updated, expires:attributes.expires}" -o json

Fixes

Rotate the client secret and capture the new value (it is shown only once):

az ad app credential reset \
  --id 11112222-3333-4444-5555-666677778888 \
  --display-name "rotated-2026-07" \
  --years 1 \
  --query "{appId:appId, password:password, tenant:tenant}" -o json

Update every consumer — push the new secret to Key Vault (and let apps read the new version) or update pipeline/service-connection settings:

az keyvault secret set \
  --vault-name app-kv --name sp-client-secret \
  --value "<new-secret>"

Prefer certificate or federated credentials to eliminate secret expiry as a class of outage. Federated identity credentials (workload identity federation) remove long-lived secrets entirely:

az ad app federated-credential create \
  --id 11112222-3333-4444-5555-666677778888 \
  --parameters '{"name":"gh-oidc","issuer":"https://token.actions.githubusercontent.com","subject":"repo:org/repo:ref:refs/heads/main","audiences":["api://AzureADTokenExchange"]}'

Remove the expired secret once nothing uses it, so it cannot be sent by mistake:

az ad app credential delete \
  --id 11112222-3333-4444-5555-666677778888 --key-id <expired-keyId>

What to watch out for

  • Overlap during rotation. Create the new secret and roll consumers before deleting the old one to avoid a gap — but here the old one is already expired, so rotate immediately.
  • Secrets are shown once. The password from credential reset cannot be retrieved later; store it in Key Vault right away.
  • Alert before expiry. Track endDateTime and alert weeks ahead; this outage is entirely predictable.
  • Certificates and federation don’t expire silently the same way — for high-value automation, migrate off client secrets to workload identity federation.
Free download · 368-page PDF

Get 500 Battle-Tested DevOps AI Prompts — Free

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.