Problem with Client Secrets in App Registrations

Question

Problem with Client Secrets in App Registrations

Mateusz Domański 60

Hello!

In our Entra ID we have App Registration set up for SSO to one of our services

For 2 days now we are not able to log in using SSO to this service, we have verified configuration and both Azure and this service configuration is OK and nothing has changed

Error we are receiving in Microsoft Entra ID audit logs is: "The key container with id 'client_secret' in tenant 'tenantname.onmicrosoft.com' does not has a valid key. Reason: The key in the key container expired."

The key is valid and was created 2 months ago as the previous one was about to expire and was also changed in the service to which SSO now does not work (as mentioned it is not working for 2 days not 2 months)

As company I work for also provides services for other buisnesses we had a chance to see error that sounds similar in different company. We do not have access to Azure logs there to confirm but the client described it like below:

"When running a pipeline in Azure DevOps, I get an authentication error with a message indicating that the secret key (Client Secret) for the application used to authenticate to Azure (Service Principal) has expired"

I have checked and Azure Health Status does not show any errors

Does anyone recognzie this issue and have an idea what to check or how to solve it?

Best regards,
Mateusz

Accepted answer

0 additional answers

Your answer

Answer 1

Raja Pothuraju 23,465 Microsoft External Staff Moderator

Hello @Mateusz Domański,

Thank you for posting your query on Microsoft Q&A.

Based on the described scenario and error message, the issue appears to be caused by an expired client secret ID. Please follow the steps below to resolve the issue:

Sign in to the Azure portal and navigate to the Microsoft Entra service.
Select the application name under the App Registrations.
Select Certificates & Secrets Check the client secret value currently being used in your pipeline. If the existing client secret has expired, create a new client secret by clicking on "New client secret". The newly generated secret key value will be displayed under the Key column.
Copy the new client secret value and update this value in your configuration or pipeline to resolve the authentication issue.

I hope this information is helpful. Please feel free to reach out if you have any further questions.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Thanks,
Raja Pothuraju.

Mateusz Domański 60 Reputation points

2024-11-27T10:37:52.6933333+00:00

Hi Raja!

Thanks for the info but as mentioned the current key is valid and was created 2 months ago. For that time configuration on Azure or srevice site did not change so it is not the issue with our key being expired

We also received exactly the same error for few different app registrations in our tenant and all of them have valid keys
Raja Pothuraju 23,465 Reputation points Microsoft External Staff Moderator

2024-11-27T11:05:55.33+00:00

Hello @Mateusz Domański,

Thank you for your quick response.

As you confirmed that the current key is valid and was created two months ago. Since the issue persists, I would like to better understand your environment to provide a more accurate solution. Could you please confirm whether your application is registered under an Azure AD B2C tenant or a Microsoft Entra ID tenant?

The error message you received points to a B2C error document, which makes me wonder if this configuration was done within an Azure AD B2C tenant.

Here is the link to the error code documentation for your reference:

https://learn.microsoft.com/en-us/azure/active-directory-b2c/error-codes

Thanks,
Raja Pothuraju.
Mateusz Domański 60 Reputation points

2024-11-27T11:16:06.4466667+00:00
Hi Raja!

Yes, you are right

This is configured under Azure B2C tenant

What is weird SSO for this service does not work only for our internal users (who's account are created in normal Microsoft Entra ID tenant)

As far as I know this environment as we overtook it from former IT team with almost 0 documentation :) when you register as external user on our website your account gets created in our B2C tenant but this same website has button to sign in if you are our employee and after tests I see it also creates you account in our B2C tenant using information from your employee acount which is in Entra ID tenant.

My guess is that some "connection" between those two tenants no longer works

I have also found another App reg in B2C tenant called Company AAD which has a key that expired 2 days ago which is when issue started

As you know this app reg is under B2C tenant do you have any idea what this error means?

If you would agree with my guess, do you have an idea where should we start looking to update client secret? I checked already all Logic apps in our Entra ID tenant which has names related to B2C tenant
Raja Pothuraju 23,465 Reputation points Microsoft External Staff Moderator

2024-11-27T15:00:21.1166667+00:00
Hello @Mateusz Domański,

Thank you for sharing the additional information on the issue.

As you confirmed, the tenant in question is an Azure AD B2C tenant, which was previously managed by your former IT team. I’d like to clarify that the behavior you’re experiencing with the B2C tenant is expected. Internal users from your Microsoft Entra ID tenant will have separate user profiles created in the Azure AD B2C tenant, as these are two distinct directories. Additionally, external users who register through your application will also have their profiles created in the Azure AD B2C tenant, as intended.

Regarding the Company AAD application, I assume this is your custom-registered application within the B2C tenant. Under a B2C tenant, only a few applications are managed by Microsoft, as indicated in the screenshot below for your reference.

The issue appears to be related to an expired policy key in your Azure AD B2C tenant, as suggested by the public documentation on policy keys in Azure Active Directory B2C. This might be causing the error you're encountering.

Please refer the below steps to Verify Policy Keys in Azure AD B2C

Sign in to the Azure portaland switch to your Azure AD B2C tenant from the Directories + subscriptions menu.

In the Azure portal, search for and select Azure AD B2C.

On the overview page, under Policies, select Identity Experience Framework.

Select Policy Keys

Verify the listed policy keys on this page to check if any have expired.

If an existing key has expired, create a new policy key with a valid secret. Ensure the key has a valid "Not Before" and "Expiration" time, following the guidance in the documentation: Policy Keys Overview.

I hope this information is helpful. Please feel free to reach out if you have any further questions.

Thanks,
Raja Pothuraju.
Raja Pothuraju 23,465 Reputation points Microsoft External Staff Moderator

2024-11-28T10:47:52.32+00:00

Hello @Mateusz Domański,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Mateusz Domański 60 Reputation points

2024-11-28T10:52:38.33+00:00

Hi Raja!

Thanks for the information

We do see multiple keys in IEF and names of them matches keys in key vaults in our first tenant so we are verifying this information

I will let you know if we find something
Raja Pothuraju 23,465 Reputation points Microsoft External Staff Moderator

2024-11-28T19:18:15.43+00:00

Hello @Mateusz Domański,

Thank you for sharing the update.

Please verify those keys and let me know if you need any additional information on this.
Mateusz Domański 60 Reputation points

2024-11-29T10:04:56.8233333+00:00

Hi Raja

I have checked that some Logic Apps that are related to the no longer working service are using keys stored in Key Vault in Entra ID tenant and those keys have the same names as Policy Keys in B2C tenant

In policy keys I can see kid but in Key vault I can only display secret itself

Any idea how to verify if those are the same keys?
Raja Pothuraju 23,465 Reputation points Microsoft External Staff Moderator

2024-12-04T06:19:40.46+00:00

Hello @Mateusz Domański,

Thank you for your response.

Can you please check and confirm me of the keys stored in the Key Vault being expired in Entra ID?

You can use the document linked below to retrieve key details from the Key Vault. Compare these details with the KID and x5c values. The x5c value is a Base64-encoded certificate value, which you can decode and match accordingly.

Retrieve Key Details from Key Vault

Policy Keys Overview for Azure AD B2C

Thanks,
Raja Pothuraju.
Mateusz Domański 60 Reputation points

2024-12-04T07:07:23.51+00:00

Hi Raja!

Thank you for all the support! Your idea was correct. Expect from applying the key in proper Policy Keys in B2C tenant we also had to apply it in main Entra tenant in proper Key Vault item and then also in the app itself. Of course none of those were marked to be the same and it was not marked in neither Key Vault or Policy Key that this key Expires

Thanks again!
Mateusz

Share via

Problem with Client Secrets in App Registrations

0 additional answers

Your answer