Azure Web App Service - Client Secret Error (AADSTS7000222) Despite Multiple New Secrets

AdamLaFever-5575 25 Reputation points
2025-03-14T18:14:32.6766667+00:00

We have an Azure ADO pipeline that is failing to deploy in one of our environments. QA and Dev are successful, but Prod fails with the error below.

ERROR:

Failed to get resource ID for resource type 'Microsoft.Web/Sites' and resource name 'actabl-dw-data-loader-prod-worker'. Error: Could not fetch access token for Azure. Status code: invalid_client, status message: Error(s): 7000222 - Timestamp: 2025-02-25 15:41:36Z - Description: AADSTS7000222: The provided client secret keys for app '***' are expired. Visit the Azure portal to create new keys for your app: https://aka.ms/NewClientSecret, or consider using certificate credentials for added security: https://aka.ms/certCreds. Trace ID: 9215ac31-5c4d-468e-9dc8-1fa64ee60c00 Correlation ID: 367afda0-ca2d-48eb-8f49-a13c765618f7 Timestamp: 2025-02-25 15:41:36Z - Correlation ID: 367afda0-ca2d-48eb-8f49-a13c765618f7 - Trace ID: 9215ac31-5c4d-468e-9dc8-1fa64ee60c00

We have generated new client secrets on the Azure App Registration that the ADO pipeline calls. This seemingly should have been as easy as generating a new cert and applying the value to the ADO Pipeline.

Any ideas on what we can try to resolve this challenge?

Azure App Service

Accepted answer
  1. brtrach-MSFT 17,751 Reputation points Microsoft Employee Moderator
    2025-03-14T22:36:02.2633333+00:00

    @AdamLaFever-5575 Is it possible that the client cert is being used or referenced within multiple places?
    The next item we would like to have you check is to go into the Azure portal and navigate to your App Registration. Can you verify that the App Registration is indeed active and not expired? Ensure it matches the one being used in your pipeline.

    Third item to check is any environment variables that you might call on the web app. Please ensure that any variables in place related to your client secrets have been updated. This one is more hidden on the configuration blade of your Web App and is often missed by many.

    The final items that I can think of would be around permissions. Can you verify that the App Registration has the necessary API permissions, that your service principal associated with the App Registration has the correct role assignments, and lastly ensure there are no conditional access policies in Entra ID that could be affecting the authentication flow.

    1 person found this answer helpful.
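
An added example, not part of the original thread: one way to check whether the App Registration holds a secret that was valid when the pipeline failed. It assumes JSON in the shape returned by `az ad app credential list --id <app-id>`; the sample data, secret names and the result labels are constructed for illustration.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample, shaped like `az ad app credential list --id <app-id>` output.
SAMPLE = """[
 {"displayName": "ado-prod-old", "hint": "aB1", "keyId": "00000000-0000-0000-0000-000000000001",
  "startDateTime": "2023-02-20T00:00:00Z", "endDateTime": "2025-02-20T00:00:00Z"},
 {"displayName": "ado-prod-new", "hint": "xY9", "keyId": "00000000-0000-0000-0000-000000000002",
  "startDateTime": "2025-03-01T09:30:00.1234567Z", "endDateTime": "2027-03-01T09:30:00Z"}
]"""

def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp; drop fractional seconds, accept a trailing Z."""
    value = re.sub(r"\.\d+", "", value).replace("Z", "+00:00")
    parsed = datetime.fromisoformat(value)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)

def classify(creds, at):
    """Label each secret as expired, not-yet-valid or valid at the instant `at`."""
    report = []
    for cred in creds:
        start, end = parse_ts(cred["startDateTime"]), parse_ts(cred["endDateTime"])
        state = "expired" if at >= end else "not-yet-valid" if at < start else "valid"
        report.append({"name": cred.get("displayName"), "hint": cred.get("hint"),
                       "keyId": cred["keyId"], "state": state})
    return report

def diagnose(report):
    """A valid secret on the registration means the caller is presenting a different one."""
    if any(item["state"] == "valid" for item in report):
        return "caller-presents-stale-secret-or-other-app"
    return "no-valid-secret-on-registration"

if __name__ == "__main__":
    creds = json.loads(SAMPLE)
    # Timestamps taken from the thread: the AADSTS7000222 error and the question itself.
    for label, when in [("failure time from the error", "2025-02-25T15:41:36Z"),
                        ("time the question was posted", "2025-03-14T18:14:32Z")]:
        report = classify(creds, parse_ts(when))
        print(label, "->", diagnose(report))
        for item in report:
            # hint is the first three characters of the secret, enough to tell secrets apart
            print("  ", item["name"], item["hint"], item["state"])
```

Run it against the app ID that the failing service connection actually uses, since the error message masks that ID as `***`.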
