Skip to main content

How to Resolve a Login Error Caused by an Expired Microsoft Entra ID Client Secret

About 2 min

Symptom

Microsoft Entra ID (Azure AD) client secrets are created with an expiration date (up to 24 months). Once a secret expires, Datawiza Access Proxy (DAP) can no longer exchange the authorization code for a token, and users attempting to log in will see a DAP Error 500 page instead of the application. The What happened section of the error page contains the underlying error returned by Entra ID:

entra id secret expired error

The most common error codes are:

  • AADSTS7000222: The provided client secret keys for app '...' are expired. — the secret has passed its expiration date. This is the exact error shown above.
  • AADSTS7000215: Invalid client secret is provided. — a more generic "the secret Entra ID received doesn't match" error, which can also occur if a secret was copied incorrectly rather than expired.

Either way, the fix is the same: generate a new client secret and update it in DCMC.

Cause

The Client Secret value configured for the Entra ID application registration used by DAP has expired. This is expected behavior — Entra ID does not support secrets without an expiration date — and requires generating a new secret and updating it wherever it's configured.

Resolution

Step 1: Generate a new client secret in Microsoft Entra ID

  1. Sign in to the Azure Portalopen in new window.
  2. Navigate to Microsoft Entra ID > App registrations, and select the application registration used by DAP.
  3. Choose Certificates & secrets from the left-hand menu.
  4. Click + New client secret.
  5. Add a description and choose an expiration period, then click Add.
  6. Copy the Value of the new secret immediately — it will not be shown again after you leave the page.

Microsoft Entra ID SSO | Create New Client Secret

Note

Do not delete the old (expired) secret until you've confirmed the new one is working — that gives you a way to roll back if something is misconfigured.

Step 2: Update the client secret in Datawiza Cloud Management Console (DCMC)

  1. Log in to the DCMCopen in new window.
  2. In the left-hand navigation, go to Identity Providers.
  3. Find the Microsoft Entra ID entry used by the affected application (for example, Microsoft Entra Id) and open it to edit.
  4. In the Edit IdP dialog, paste the new secret value from Step 1 into the Client Secret field.
  5. Click Save.

update client secret in DCMC

  1. Go to the Deployments tab and confirm the configuration update was applied successfully. See Datawiza Access Proxy configuration applied failed if the deployment shows a failure status.

Step 3: Verify

Once the deployment shows a successful status, test the login flow for the affected application to confirm users can authenticate again.

Best Practices to Avoid This in the Future

  • Set a calendar reminder ahead of the secret's expiration date — Entra ID does not send an automatic warning to DAP or DCMC when a secret is nearing expiry.
  • When creating a new secret, choose the longest available expiration period (24 months) to reduce how often this needs to happen.
  • Keep the old secret active for a short overlap period after adding the new one, in case a rollback is needed.