"User Intent": "User intends to deploy external or internal ingress gateways for the Istio service mesh add-on in an Azure Kubernetes Service (AKS) cluster."
"Errors Encountered": "time=2025-05-19T03:34:12-07:00 level=error msg=Error testing scenario: failed to execute code block 0 on step 0.\nError: command exited with 'exit status 3' and the message 'WARNING: The behavior of this command has been altered by the following extension: aks-preview\nERROR: (ResourceGroupNotFound) Resource group 'myResourceGroupcefc72' could not be found.\nCode: ResourceGroupNotFound\nMessage: Resource group 'myResourceGroupcefc72' could not be found.\n'\nStdErr: WARNING: The behavior of this command has been altered by the following extension: aks-preview\nERROR: (ResourceGroupNotFound) Resource group 'myResourceGroupcefc72' could not be found.\nCode: ResourceGroupNotFound\nMessage: Resource group 'myResourceGroupcefc72' could not be found.",
"User Intent": "User intends to set up an Azure Kubernetes Service (AKS) cluster with either a managed or user-assigned NAT gateway for outbound traffic management."
"User Intent": "User intends to set up an Azure Kubernetes Service (AKS) cluster with either a managed or user-assigned NAT gateway for outbound traffic management."
"Errors Encountered": "time=2025-05-19T05:14:36-07:00 level=error msg=Error testing scenario: failed to execute code block 0 on step 0.\nError: command exited with 'exit status 2' and the message 'ERROR: argument --resource-group/-g: expected one argument\n\nExamples from AI knowledge base:\naz aks get-credentials --name MyManagedCluster --overwrite-existing --resource-group MyResourceGroup\nGet access credentials for a managed Kubernetes cluster. (autogenerated)\n\naz aks get-credentials --admin --name MyManagedCluster --resource-group MyResourceGroup\nGet access credentials for a managed Kubernetes cluster. (autogenerated)\n\naz account set --subscription mysubscription\nSet a subscription to be the current active subscription. (autogenerated)\n\nhttps://docs.microsoft.com/en-US/cli/azure/aks#az_aks_get_credentials\nRead more about the command in reference docs\n'\nStdErr: ERROR: argument --resource-group/-g: expected one argument\n\nExamples from AI knowledge base:\naz aks get-credentials --name MyManagedCluster --overwrite-existing --resource-group MyResourceGroup\nGet access credentials for a managed Kubernetes cluster. (autogenerated)\n\naz aks get-credentials --admin --name MyManagedCluster --resource-group MyResourceGroup\nGet access credentials for a managed Kubernetes cluster. (autogenerated)\n\naz account set --subscription mysubscription\nSet a subscription to be the current active subscription. (autogenerated)\n\nhttps://docs.microsoft.com/en-US/cli/azure/aks#az_aks_get_credentials\nRead more about the command in reference docs",
"User Intent": "User intends to compare and understand the features, deployment scenarios, and recommendations for the Free, Standard, and Premium pricing tiers of Azure Kubernetes Service (AKS) cluster management."
"User Intent": "User intends to deploy and configure a managed NGINX ingress controller on Azure Kubernetes Service (AKS) using the application routing add-on."
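Review bot: Both "Errors Encountered" values store the full CLI stderr twice, once inside the quoted message and again after "StdErr:", and the second one also carries the autogenerated "Examples from AI knowledge base" help text. Keep a single copy of the actual error line (for example `ERROR: argument --resource-group/-g: expected one argument`) and drop the help text so the record stays readable and diffs cleanly. Both failures also read as setup problems in the test run rather than defects in the scenario itself: a resource group `myResourceGroupcefc72` that could not be found, and a `--resource-group` flag that received no value. Record whether the variable was unset before these are treated as scenario results. The NAT gateway "User Intent" string appears twice in a row; confirm that is not a duplicated entry.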
title: AADSTS7000222 - BadRequest or InvalidClientSecret error
3
+
description: Learn how to troubleshoot the BadRequest or InvalidClientSecret error when you try to create or upgrade an Azure Kubernetes Service (AKS) cluster.
4
+
ms.topic: article
5
+
ms.date: 06/13/2024
6
+
author: axelgMS
7
+
ms.author: axelg
8
+
ms.custom: sap:Create, Upgrade, Scale and Delete operations (cluster or nodepool), innovation-engine
9
+
---
10
+
11
+
# AADSTS7000222 - BadRequest or InvalidClientSecret error
12
+
13
+
This article discusses how to identify and resolve the `AADSTS7000222` error (`BadRequest` or `InvalidClientSecret`) that occurs when you try to create or upgrade a Microsoft Azure Kubernetes Service (AKS) cluster.
14
+
15
+
## Prerequisites
16
+
17
+
-[Azure CLI](/cli/azure/install-azure-cli)
18
+
19
+
## Symptoms
20
+
21
+
When you try to create or upgrade an AKS cluster, you receive one of the following error messages.
22
+
23
+
| Error code | Message |
24
+
|--|--|
25
+
|`BadRequest`|**The credentials in ServicePrincipalProfile were invalid.** Please see <https://aka.ms/aks-sp-help> for more details. (Details: adal: Refresh request failed. Status Code = '401'. Response body: {"error": "invalid_client", "error_description": "**AADSTS7000222: The provided client secret keys for app '\<application-id>' are expired.** Visit the Azure portal to create new keys for your app: <https://aka.ms/NewClientSecret>, or consider using certificate credentials for added security: <https://aka.ms/certCreds>." |
26
+
|`InvalidClientSecret`|**Customer auth is not valid for tenant: \<tenant-id>**: adal: Refresh request failed. Status Code = '401'. Response body: {"error": "invalid_client", "error_description": "**AADSTS7000222: The provided client secret keys for app '\<application-id>' are expired.** Visit the Azure portal to create new keys for your app: <https://aka.ms/NewClientSecret>, or consider using certificate credentials for added security: <https://aka.ms/certCreds>." |
27
+
28
+
## Cause
29
+
30
+
The issue that generates this service principal alert usually occurs for one of the following reasons:
31
+
32
+
- The client secret expired.
33
+
34
+
- Incorrect credentials were provided.
35
+
36
+
- The service principal doesn't exist within the Microsoft Entra ID tenant of the subscription.
37
+
38
+
#### Verify the cause
39
+
40
+
Use the following commands to retrieve the service principal profile for your AKS cluster and check the expiration date of the service principal. Make sure to set the appropriate variables for your AKS resource group and cluster name.
41
+
42
+
```azurecli
43
+
SP_ID=$(az aks show --resource-group RESOURCE_GROUP_NAME \
44
+
--name AKS_CLUSTER_NAME \
45
+
--query servicePrincipalProfile.clientId \
46
+
--output tsv)
47
+
az ad app credential list --id "$SP_ID"
48
+
```
49
+
50
+
Alternatively, you can verify that the service principal name and secret are correct and aren't expired. To do this, follow these steps:
51
+
52
+
1. In the [Azure portal](https://portal.azure.com), search for and select **Microsoft Entra ID**.
53
+
54
+
1. In the navigation pane of Microsoft Entra ID, select **App registrations**.
55
+
56
+
1. On the **Owned applications** tab, select the affected application.
57
+
58
+
1. Find the service principal name and secret information, and verify that the information is correct and current.
59
+
60
+
## Solution
61
+
62
+
1. In the [Update or rotate the credentials for an AKS cluster](/azure/aks/update-credentials) article, follow the instructions in one of the following article sections, as appropriate:
63
+
64
+
-[Reset the existing service principal credentials](/azure/aks/update-credentials#reset-the-existing-service-principal-credentials)
65
+
-[Create a new service principal](/azure/aks/update-credentials#create-a-new-service-principal)
66
+
67
+
1. Using your new service principal credentials, follow the instructions in the [Update AKS cluster with service principal credentials](/azure/aks/update-credentials#update-aks-cluster-with-service-principal-credentials) section of that article.
68
+
69
+
## More information
70
+
71
+
-[Use a service principal with Azure Kubernetes Service (AKS)](/azure/aks/kubernetes-service-principal) (especially the [Troubleshoot](/azure/aks/kubernetes-service-principal#troubleshoot) section)
72
+
73
+
[!INCLUDE [Azure Help Support](../../../includes/azure-help-support.md)]
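Review bot: In the "Verify the cause" block, the prose says to set variables for the resource group and cluster name, but the commands pass the literal strings `RESOURCE_GROUP_NAME` and `AKS_CLUSTER_NAME`, so a copy-paste or an automated run (the front matter tags this article `innovation-engine`) fails. Either define them as shell variables and reference `"$RESOURCE_GROUP_NAME"` and `"$AKS_CLUSTER_NAME"`, or mark them as placeholders the way the error table does with `<application-id>`. The second command also runs when `SP_ID` comes back empty; add a check before `az ad app credential list --id "$SP_ID"` so the reader gets a clear message instead of a CLI argument error. The text asks the reader to check the expiration date but does not say which field of the command output carries it; name the field or add a `--query` that selects it. Style: `#### Verify the cause` skips a heading level under `## Cause`.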