Invalid client secret provided

Yashovardhan Mopur 0 Reputation points

We had been accessing the tables created in the hive metastore until some time back. Recently, the app registration secret expired, due to which we got an error message that the token (app registration) has expired. We created a new client secret for this purpose and registered the newly created secret in the key vault. After that, we tried accessing the tables, and this time we got a new error message that is either misleading, or we do not know where the secret is being referenced. We ensured that we entered the secret value and not the secret ID, as the error message suggests. We even tried unmounting and mounting the data lake. We appreciate any kind of help and support in this regard. The latest error message is as below:

summary: Error in SQL statement: ExecutionException: HTTP Error 401; url='<>/oauth2/token' AADToken: HTTP connection to<>/oauth2/token failed for getting token from AzureAD; contentType='application/json; charset=utf-8'; response '{"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '<>'


Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. Marilee Turscak-MSFT 29,686 Reputation points Microsoft Employee

    Hi @Yashovardhan Mopur ,

    Thanks for your post! As you correctly noted, the error message "AADSTS7000215: Invalid client secret provided." means that the client secret is incorrect or expired either in the app registration or in a different reference.

    To resolve this issue, you should validate that your app registration has the correct value recorded for the client secret and ensure that all of the following values are correctly configured:

    [Image: screenshot not preserved]

    Then, since you are using Key Vault, you need to create a secret with a name of your choice in the Key Vault and copy the client secret from the app registration into the “value” field of the Key Vault secret.

    See example:

      "value": "mysecretvalue"

    If you have already done these steps and verified that the client secret in the app registrations matches the value field in the Key Vault secret, you can troubleshoot the following:

    1. Verify that the unexpired secret's expiration date is reflecting properly. You can check the expiration date of the client secret in the Azure portal and generate a new secret if it has expired.
    2. Ensure that the client secret is not being modified or corrupted during copy-pasting. Sometimes extra spaces or characters can be added while copying the client secret. Validate that the client secret is copied correctly and without any extra characters.
    3. Check if the client secret is being referenced correctly in all of your config settings. Ensure that the client secret is being referenced by its value and not its ID.

    If none of the above steps work, please provide more information about and screenshots of your app registration so that I can assist you better.

    If you would prefer, you can reach out to me at ("Attn: Marilee Turscak") and include your subscription ID and a link to this thread.

    Additionally, there are some good external resources on the Databricks forums:

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar information.
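
Troubleshooting steps 2 and 3 in the answer above (copy-paste corruption, and secret ID used in place of the secret value) can be checked mechanically before retrying the token request. The following is an added example, not part of the original answer or of any Microsoft or Databricks tooling; the function names, finding labels, and sample strings are constructed for illustration.

```python
import re
import unicodedata

# In an app registration the secret ID is a GUID.
GUID_RE = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)


def diagnose_client_secret(candidate):
    """Return findings about a configured client secret string.

    Findings never contain the secret itself, so they are safe to print
    in a notebook or write to a log.
    """
    if not candidate:
        return ["empty: the configured reference resolved to no value"]

    findings = []
    stripped = candidate.strip()
    if stripped != candidate:
        findings.append("whitespace: leading or trailing whitespace or newline")
    if GUID_RE.match(stripped):
        findings.append("guid: GUID-shaped, which matches a secret ID, not a value")
    if len(stripped) >= 2 and stripped[0] == stripped[-1] and stripped[0] in "\"'":
        findings.append("quoted: wrapped in quote characters from a pasted snippet")
    # Cc = control, Cf = invisible format (zero-width space, BOM), Zs = space.
    if any(unicodedata.category(ch) in ("Cc", "Cf", "Zs") for ch in stripped):
        findings.append("hidden: interior whitespace or invisible character")
    return findings


def finding_codes(candidate):
    """Short machine-readable codes for the findings, e.g. ['guid']."""
    return [f.split(":", 1)[0] for f in diagnose_client_secret(candidate)]


if __name__ == "__main__":
    # Constructed samples; none is a real credential. In a Databricks notebook
    # the string would come from dbutils.secrets.get(scope=..., key=...),
    # with scope and key names specific to your workspace (assumption).
    samples = {
        "secret ID pasted": "3f2b8c1e-9d4a-4b7c-8e21-5a6f0c9d1e77",
        "trailing newline": "Abc8Q~constructed.Value_123\n",
        "zero-width space": "Abc\u200b8Q~constructed.Value_123",
        "clean value": "Abc8Q~constructed.Value_123",
    }
    for label, value in samples.items():
        print(f"{label}: length={len(value)} findings={diagnose_client_secret(value)}")
```

An empty findings list only rules out these formatting problems; an expired secret or a stale reference elsewhere in the configuration still has to be checked against the app registration.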