AZURE
AADInvalidClientSecret - AAD Invalid Client Secret: Secret Expired or Revoked
AADInvalidClientSecret means Azure AD (Entra ID) rejected your client secret: it has expired past its endDate, was manually revoked, was rotated without updating your configuration, or contains typos or encoding errors (extra spaces, line breaks, wrong character encoding). Azure AD validates the secret before issuing an OAuth token, so the request fails with a 401 and no token is returned. The error is most common in service principal authentication for VM deployments, but it also appears in AKS cluster authentication, Azure SQL database connections, and App Service deployment operations. The secret must match exactly what is stored in Azure AD.
Common Causes
- Secret Expiration: The client secret has passed its endDate. Client secrets have expiration dates set when created (default varies, but typically 1-2 years). Azure AD rejects expired secrets before token issuance. This is persistent—you must generate a new secret and update your application configuration.
- Secret Revocation: The secret was manually revoked or deleted in Azure AD. Revoked secrets can't be used for authentication even if they haven't expired. This is persistent—you must generate a new secret and update your application configuration.
- Secret Rotation Mismatch: The secret was rotated in Azure AD, but your application still uses the old secret. After rotation, the old secret becomes invalid immediately. This is persistent—you must update your application configuration (environment variables, Key Vault references, config files) with the new secret.
- Secret Format Error: The secret value is incorrect due to typos, copy errors, or encoding issues (e.g., extra spaces, line breaks, or character encoding problems). The secret must match exactly what's stored in Azure AD. This is persistent—you must verify and correct the secret value.
Solutions
- Step 1: Diagnose - List all client secrets for the application to check expiration dates: az ad app credential list --id <app-id> --query "[].{KeyId:keyId,StartDate:startDate,EndDate:endDate}" --output table
- Step 2: Diagnose - Check for expired secrets (the date substitution assumes a bash shell with GNU date): az ad app credential list --id <app-id> --query "[?endDate<'$(date -u +%Y-%m-%dT%H:%M:%SZ)']" --output table
- Step 3: Fix - Generate a new client secret: az ad app credential reset --id <app-id> --append --query "password" --output tsv
  Save the output immediately—it's only shown once.
- Step 4: Fix - Update your application configuration with the new secret. Check environment variables, Azure Key Vault references, config files, or wherever the secret is stored. Restart your application after updating.
- Step 5: Fix - Delete expired secrets to clean up: az ad app credential delete --id <app-id> --key-id <key-id>
- Step 6: Verify - Test authentication with the new secret: az login --service-principal --username <app-id> --password <new-secret> --tenant <tenant-id>
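To go with the causes and diagnosis steps above, here is an added Python example (not part of the original page) that applies the same expiry check offline to the JSON that `az ad app credential list` returns, and flags the copy/paste defects behind a Secret Format Error before a secret is deployed. The credential IDs, dates and secret values are constructed samples.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `az ad app credential list --id <app-id>` JSON output
# (keyId/startDate/endDate); the IDs and dates are made up for this example.
SAMPLE_CREDENTIALS = json.loads("""[
  {"keyId": "11111111-aaaa-4aaa-8aaa-111111111111", "startDate": "2023-01-01T00:00:00Z", "endDate": "2024-01-01T00:00:00Z"},
  {"keyId": "22222222-bbbb-4bbb-8bbb-222222222222", "startDate": "2025-01-01T00:00:00Z", "endDate": "2025-06-15T00:00:00Z"},
  {"keyId": "33333333-cccc-4ccc-8ccc-333333333333", "startDate": "2025-01-01T00:00:00Z", "endDate": "2027-01-01T00:00:00Z"}
]""")

def parse_az_date(value):
    """Parse the ISO-8601 UTC timestamps az emits (e.g. 2024-01-01T00:00:00Z)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def classify_credentials(credentials, now, warn_days=30):
    """Map each keyId to 'expired', 'expiring_soon' or 'valid' relative to `now`."""
    status = {}
    for cred in credentials:
        end = parse_az_date(cred["endDate"])
        if end < now:
            status[cred["keyId"]] = "expired"        # Azure AD rejects this secret
        elif end < now + timedelta(days=warn_days):
            status[cred["keyId"]] = "expiring_soon"  # rotate before it starts failing
        else:
            status[cred["keyId"]] = "valid"
    return status

def secret_format_problems(secret):
    """Flag copy/paste and encoding defects that make a secret differ from what Azure AD stores."""
    problems = []
    if not secret.strip():
        problems.append("empty value")
    if secret != secret.strip():
        problems.append("leading/trailing whitespace")
    if "\n" in secret or "\r" in secret:
        problems.append("embedded line break")
    # smart quotes, NBSP or control characters pasted in from a document or chat
    if any(not 32 <= ord(ch) <= 126 for ch in secret.strip() if ch not in "\r\n"):
        problems.append("non-printable or non-ASCII character")
    return problems

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for key_id, state in classify_credentials(SAMPLE_CREDENTIALS, now).items():
        print(f"{key_id}: {state}")
    for problem in secret_format_problems("abc123~secret \n"):
        print("secret format problem:", problem)
```

Run the format check against the value your deployment actually reads (the environment variable or Key Vault secret), since that is where a trailing newline from a `cat` or `echo` usually sneaks in.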
Code Examples
Azure AD Client Secret Diagnosis and Management
```bash
#!/usr/bin/env bash
# This script helps diagnose AADInvalidClientSecret by checking secret status.
# Note: it prints the newly generated secret to stdout, so run it interactively
# rather than under a CI logger that captures and retains output.

# Step 1: Set application details (replace with your values)
APP_ID="your-app-id"
TENANT_ID="your-tenant-id"
echo "Checking client secrets for application: ${APP_ID}"

# Step 2: List all client secrets for the application
echo "Listing all client secrets..."
az ad app credential list \
  --id "${APP_ID}" \
  --query "[].{KeyId:keyId,StartDate:startDate,EndDate:endDate}" \
  --output table

# Step 3: Capture the current UTC time for expiration comparison
# (az returns ISO-8601 UTC timestamps, so a string comparison in JMESPath is sufficient)
CURRENT_DATE=$(date -u +%Y-%m-%dT%H:%M:%SZ)
echo "Current date (UTC): ${CURRENT_DATE}"

# Step 4: Check for expired secrets
echo "Checking for expired secrets..."
EXPIRED_SECRETS=$(az ad app credential list \
  --id "${APP_ID}" \
  --query "[?endDate<'${CURRENT_DATE}'].{KeyId:keyId,EndDate:endDate}" \
  --output table)

if [ -n "${EXPIRED_SECRETS}" ]; then
  echo "WARNING: Found expired secrets:"
  echo "${EXPIRED_SECRETS}"
else
  echo "No expired secrets found"
fi

# Step 5: Check for secrets expiring soon (within 30 days)
# 'date -d' is GNU date syntax; on macOS/BSD use: date -u -v+30d +%Y-%m-%dT%H:%M:%SZ
echo "Checking for secrets expiring soon (within 30 days)..."
FUTURE_DATE=$(date -u -d '+30 days' +%Y-%m-%dT%H:%M:%SZ)
EXPIRING_SOON=$(az ad app credential list \
  --id "${APP_ID}" \
  --query "[?endDate>'${CURRENT_DATE}' && endDate<'${FUTURE_DATE}'].{KeyId:keyId,EndDate:endDate}" \
  --output table)

if [ -n "${EXPIRING_SOON}" ]; then
  echo "WARNING: Secrets expiring soon:"
  echo "${EXPIRING_SOON}"
fi

# Step 6: Generate a new client secret
# --append keeps the existing secrets so running applications keep working until
# they are switched over; without it, reset would invalidate the current secret.
echo "Generating new client secret..."
NEW_SECRET=$(az ad app credential reset \
  --id "${APP_ID}" \
  --append \
  --query "password" \
  --output tsv)

if [ -n "${NEW_SECRET}" ]; then
  echo "New client secret generated successfully"
  echo "IMPORTANT: Save this secret immediately - it's only shown once!"
  echo "New secret: ${NEW_SECRET}"
  echo ""
  echo "Update your application configuration:"
  echo "  - Environment variable: CLIENT_SECRET=${NEW_SECRET}"
  echo "  - Azure Key Vault: Update the secret value"
  echo "  - Config files: Update CLIENT_SECRET value"
  echo "  - Restart your application after updating"
else
  echo "ERROR: Failed to generate new secret"
fi

# Step 7: Test authentication with new secret (if generated)
# The secret is passed as a command-line argument here, so it is visible in the
# process list for the duration of the login.
if [ -n "${NEW_SECRET}" ]; then
  echo "Testing authentication with new secret..."
  if az login --service-principal \
      --username "${APP_ID}" \
      --password "${NEW_SECRET}" \
      --tenant "${TENANT_ID}" 2>&1; then
    echo "Authentication successful with new secret"
  else
    echo "Authentication failed - check the error message above"
  fi
fi

# Step 8: Delete expired secrets (optional cleanup)
echo "Listing expired secret key IDs for deletion..."
EXPIRED_KEY_IDS=$(az ad app credential list \
  --id "${APP_ID}" \
  --query "[?endDate<'${CURRENT_DATE}'].keyId" \
  --output tsv)

if [ -n "${EXPIRED_KEY_IDS}" ]; then
  echo "Expired secret key IDs:"
  echo "${EXPIRED_KEY_IDS}"
  echo ""
  echo "To delete expired secrets, run:"
  for key_id in ${EXPIRED_KEY_IDS}; do
    echo "  az ad app credential delete --id ${APP_ID} --key-id ${key_id}"
  done
fi
```
Related Errors
Provider Information
This error code is specific to AZURE services. For more information, refer to the official AZURE documentation.