AADSTS7000222 - BadRequest or InvalidClientSecret error
This article discusses how to identify and resolve the AADSTS7000222 error (BadRequest or InvalidClientSecret) that occurs when you try to create or upgrade a Microsoft Azure Kubernetes Service (AKS) cluster.
Prerequisites
Symptoms
When you try to create or upgrade an AKS cluster, you receive one of the following error messages.
| Error code | Message |
|---|---|
BadRequest |
The credentials in ServicePrincipalProfile were invalid. Please see https://aka.ms/aks-sp-help for more details. (Details: adal: Refresh request failed. Status Code = '401'. Response body: {"error": "invalid_client", "error_description": "AADSTS7000222: The provided client secret keys for app '<application-id>' are expired. Visit the Azure portal to create new keys for your app: https://aka.ms/NewClientSecret, or consider using certificate credentials for added security: https://aka.ms/certCreds." |
InvalidClientSecret |
Customer auth is not valid for tenant: <tenant-id>: adal: Refresh request failed. Status Code = '401'. Response body: {"error": "invalid_client", "error_description": "AADSTS7000222: The provided client secret keys for app '<application-id>' are expired. Visit the Azure portal to create new keys for your app: https://aka.ms/NewClientSecret, or consider using certificate credentials for added security: https://aka.ms/certCreds." |
Cause
The issue that generates this service principal alert usually occurs for one of the following reasons:
The client secret expired.
Incorrect credentials were provided.
The service principal doesn't exist within the Microsoft Entra ID tenant of the subscription.
Verify the cause
Run the following Azure CLI code to retrieve the service principal profile for your AKS cluster and check the expiration date of the service principal:
SP_ID=$(az aks show --resource-group <rg-name> \
--name <aks-cluster-name> \
--query servicePrincipalProfile.clientId \
--output tsv)
az ad app credential list --id "$SP_ID"
Alternatively, you can verify that the service principal name and secret are correct and aren't expired. To do this, follow these steps:
In the Azure portal, search for and select Microsoft Entra ID.
In the navigation pane of Microsoft Entra ID, select App registrations.
On the Owned applications tab, select the affected application.
Find the service principal name and secret information, and verify that the information is correct and current.
Solution
In the Update or rotate the credentials for an AKS cluster article, follow the instructions in one of the following article sections, as appropriate:
Using your new service principal credentials, follow the instructions in the Update AKS cluster with service principal credentials section of that article.
More information
- Use a service principal with Azure Kubernetes Service (AKS) (especially the Troubleshoot section)
Contact us for help
If you have questions or need help, create a support request, or ask Azure community support. You can also submit product feedback to Azure feedback community.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for