Resolving AADSTS7000222 of invalid application password after expiration

Danny Ackroyd-Isales 20 Reputation points
2025-03-14T18:43:13.53+00:00

Hello,

We recently had an application secret expire - we were using it for RBAC for an app we were deploying. We updated the secret value with a new secret in the Azure DevOps variable group, but continued to get an expired secret error. Upon deleting the expired secret, the error message changed to this:

Description: AADSTS7000222: The provided client secret keys for app '***' are expired. Visit the Azure portal to create new keys for your app: https://aka.ms/NewClientSecret, or consider using certificate credentials for added security: https://aka.ms/certCreds.

Our deployment is divided into Terraform, the database, and the app (with an API and a service worker as separate app services on the same app service plan). The failure is occurring during attempting to deploy the app to production.

What makes this especially confusing is that the dev and QA environments continue to deploy successfully, regardless of the values of the variables ARM_CLIENT_ID and ARM_CLIENT_SECRET from the variable groups (one per instance). Dev and QA are on a different subscription than production.

Is there some place where the old secret value would be stored that could be overriding the values of ARM_CLIENT_ID and ARM_CLIENT_SECRET?

We've looked into the service connections as well, but nothing came of it.

We weren't sure if the error could have something to do with special characters in the password, but we kept generating tildes in the password.

Azure DevOps

Accepted answer
  Sirra Sneha 550 Reputation points Microsoft External Staff Moderator
    2025-03-18T06:29:10.6466667+00:00

    Hi @Danny Ackroyd-Isales ,

    The issue you're facing might be due to the production environment still using the old, expired secret somewhere.

    To resolve the issue,

    • Ensure the new secret is correctly set in the Azure DevOps variable group, linked to the pipeline, and verify its usage by printing ARM_CLIENT_ID and ARM_CLIENT_SECRET (masked) in the pipeline logs.
    • Check Azure DevOps Service Connections – Go to Project Settings > Service Connections in Azure DevOps and ensure the Azure Resource Manager (ARM) service connection for production is using the new secret.
    • Check Terraform State – Run terraform state list and terraform show to see if the old secret is stored. If found, update the variables and run terraform init followed by terraform apply.

    Hope it helps.

    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment

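A pipeline-side check for the first bullet, added here as an example and not code from the thread or from Microsoft: it fingerprints the secret the stage actually received (so dev, QA and production stages can be compared in the logs without exposing the value) and classifies the reply from the Entra ID token endpoint, turning an AADSTS7000222 into a plain "this stage still holds the old secret" verdict. It assumes ARM_CLIENT_ID, ARM_CLIENT_SECRET and ARM_TENANT_ID are exported the way the Terraform AzureRM provider reads them.

```python
"""Diagnose which client secret a pipeline stage really uses (added example)."""
import hashlib
import json
import os
import re
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
AADSTS_RE = re.compile(r"AADSTS(\d+)")
# Error codes as documented by Microsoft; 7000222 is the one from the question.
VERDICTS = {
    "7000222": "secret expired: this stage still holds the OLD secret",
    "7000215": "secret rejected: value matches no secret on the app registration",
    "700016": "application ID not found in this tenant (wrong ARM_CLIENT_ID?)",
}


def fingerprint_secret(secret: str) -> str:
    """Non-reversible 12-hex-char fingerprint: safe to print in pipeline logs
    so two stages can confirm they hold the SAME value without revealing it."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]


def classify_token_response(status: int, body: str) -> dict:
    """Map a token-endpoint reply (HTTP status + JSON body) to an actionable verdict."""
    if status == 200:
        return {"ok": True, "code": None, "verdict": "secret accepted"}
    try:
        desc = json.loads(body).get("error_description", "")
    except json.JSONDecodeError:
        desc = body  # non-JSON body (proxy page etc.): still try to find a code
    match = AADSTS_RE.search(desc)
    code = match.group(1) if match else None
    return {"ok": False, "code": code, "verdict": VERDICTS.get(code, "unclassified failure")}


def probe_credentials(env=os.environ) -> dict:
    """Client-credentials request with the same variables Terraform reads.
    urlencode form-encodes the secret, so '~' and other special characters survive."""
    data = urllib.parse.urlencode({
        "client_id": env["ARM_CLIENT_ID"],
        "client_secret": env["ARM_CLIENT_SECRET"],
        "scope": "https://management.azure.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    req = urllib.request.Request(TOKEN_URL.format(tenant=env["ARM_TENANT_ID"]), data=data)
    try:
        with urllib.request.urlopen(req) as resp:
            status, body = resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:
        status, body = exc.code, exc.read().decode()
    result = classify_token_response(status, body)
    result["secret_fingerprint"] = fingerprint_secret(env["ARM_CLIENT_SECRET"])
    return result
```

Run probe_credentials() as a step in each stage and compare the secret_fingerprint values: a production stage that reports 7000222 with a fingerprint different from the one dev and QA print is reading its secret from somewhere other than the variable group you updated.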
