Azure Web App Service - Client Secret Error (AADSTS7000222) Despite Multiple New Secrets

AdamLaFever-5575 25 Reputation points
2025-03-14T18:14:32.6766667+00:00

We have an Azure ADO pipeline that is failing to deploy in one of our environments. QA and Dev are successful, but Prod fails with the error below.

ERROR:

Failed to get resource ID for resource type 'Microsoft.Web/Sites' and resource name 'actabl-dw-data-loader-prod-worker'. Error: Could not fetch access token for Azure. Status code: invalid_client, status message: Error(s): 7000222 - Timestamp: 2025-02-25 15:41:36Z - Description: AADSTS7000222: The provided client secret keys for app '***' are expired. Visit the Azure portal to create new keys for your app: https://aka.ms/NewClientSecret, or consider using certificate credentials for added security: https://aka.ms/certCreds. Trace ID: 9215ac31-5c4d-468e-9dc8-1fa64ee60c00 Correlation ID: 367afda0-ca2d-48eb-8f49-a13c765618f7 Timestamp: 2025-02-25 15:41:36Z - Correlation ID: 367afda0-ca2d-48eb-8f49-a13c765618f7 - Trace ID: 9215ac31-5c4d-468e-9dc8-1fa64ee60c00

We have generated new client secrets on the Azure App Registration that the ADO pipeline calls. This seemingly should have been as easy as generating a new cert and applying the value to the ADO Pipeline.

Any ideas on what we can try to resolve this challenge?


Accepted answer
brtrach-MSFT 17,656 Reputation points Microsoft Employee
2025-03-14T22:36:02.2633333+00:00

@AdamLaFever-5575 Is it possible that the client cert is being used or referenced within multiple places?

The next item we would like to have you check is to go into the Azure portal and navigate to your App Registration. Can you verify that the App Registration is indeed active and not expired? Ensure it matches the one being used in your pipeline.

The third item to check is any environment variables that you might call on the web app. Please ensure that any variables in place related to your client secrets have been updated. This one is more hidden on the configuration blade of your Web App and is often missed by many.

The final items that I can think of would be around permissions. Can you verify that the App Registration has the necessary API permissions, that your service principal associated with the App Registration has the correct role assignments, and lastly ensure there are no conditional access policies in Entra ID that could be affecting the authentication flow.
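As an added example (not from the question or the answer above), the following Python script pulls the AADSTS code and failure timestamp out of the pipeline error text and then checks which secrets on the App Registration were actually valid at that moment, so that a stale keyId referenced by the service connection stands out. The JSON is a constructed sample shaped like `az ad app credential list --id <appId>` output (Microsoft Graph passwordCredential field names; the keyIds are fake placeholders).

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the relevant part of the pipeline error text from the question.
SAMPLE_ERROR = ("Could not fetch access token for Azure. Status code: invalid_client, status message: "
                "Error(s): 7000222 - Timestamp: 2025-02-25 15:41:36Z - Description: AADSTS7000222: "
                "The provided client secret keys for app '***' are expired.")
# Constructed sample shaped like `az ad app credential list --id <appId>` output
# (Microsoft Graph passwordCredential fields; keyIds are fake placeholders).
SAMPLE_CREDENTIALS = json.dumps([
    {"displayName": "ado-pipeline-2024", "keyId": "11111111-1111-1111-1111-111111111111",
     "hint": "abc", "startDateTime": "2024-02-20T00:00:00Z", "endDateTime": "2025-02-20T00:00:00Z"},
    {"displayName": "ado-pipeline-2025", "keyId": "22222222-2222-2222-2222-222222222222",
     "hint": "xyz", "startDateTime": "2025-03-14T00:00:00Z", "endDateTime": "2026-03-14T00:00:00Z"},
])

def parse_iso(ts):  # ISO-8601 UTC timestamp such as 2025-02-20T00:00:00Z
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def extract_aadsts_code(error_text):
    """Return the AADSTS error code (e.g. '7000222') from the token-request failure, or None."""
    m = re.search(r"AADSTS(\d+)", error_text)
    return m.group(1) if m else None

def failure_time(error_text):
    """Return the UTC timestamp Entra ID stamped on the failure, or None if absent."""
    m = re.search(r"Timestamp: (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})Z", error_text)
    return parse_iso(m.group(1).replace(" ", "T") + "Z") if m else None

def classify_credentials(credential_json, now, warn_days=30):
    """Label each secret on the app registration as of `now`; days_left < 0 means expired."""
    results = []
    for cred in json.loads(credential_json):
        start, end = parse_iso(cred["startDateTime"]), parse_iso(cred["endDateTime"])
        if end <= now:
            status = "expired"
        elif start > now:
            status = "not_yet_valid"  # created after the failing run, so it cannot have been used
        elif end - now <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "valid"
        results.append({"keyId": cred["keyId"], "displayName": cred.get("displayName"),
                        "hint": cred.get("hint"), "status": status, "days_left": (end - now).days})
    return results

def usable_key_ids(results):  # keyIds a service connection can still authenticate with
    return [r["keyId"] for r in results if r["status"] in ("valid", "expiring")]
```

To run it against a real registration, replace `SAMPLE_CREDENTIALS` with the JSON printed by `az ad app credential list --id <appId>` and pass `datetime.now(timezone.utc)` as `now`; the `hint` field (first characters of each secret) lets you confirm which secret the pipeline variable holds without exposing its value.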
