Azure Pipelines Service Connection Credential Expired (AzureCLI@2)
An Azure service connection authenticates with a service principal’s client secret or certificate. When that credential expires, tasks using the connection (like AzureCLI@2) fail to acquire a token even though the YAML and permissions are unchanged.
What this error means
A previously-working AzureCLI@2 (or AzureResourceManagerTemplateDeployment, AzureWebApp) step fails to log in with an AADSTS token error. The connection that worked last week now rejects auth - the secret behind it lapsed.
##[error]AADSTS7000215: Invalid client secret provided. Ensure the secret
being sent in the request is the client secret value, not the client secret ID.Common causes
Expired client secret or certificate
Service principal secrets have an expiry. Once past it, token acquisition for the service connection fails until the secret/cert is rotated.
Secret rotated in Entra but not in the connection
If the app’s secret was regenerated in Entra ID without updating the Azure DevOps service connection, the connection still holds the old, now-invalid value.
How to fix it
Rotate and update the service connection
- In Entra ID, create a new client secret (or certificate) for the app registration.
- In Project Settings → Service connections → the connection → Edit, paste the new secret and save/verify.
- Re-run the pipeline;
AzureCLI@2should authenticate again.
Prefer workload identity federation
A workload-identity-federation service connection uses short-lived tokens with no long-lived secret to expire.
steps:
- task: AzureCLI@2
inputs:
azureSubscription: 'azure-prod-wif' # workload identity federation connection
scriptType: bash
scriptLocation: inlineScript
inlineScript: az account showHow to prevent it
- Track service-principal secret expiry and rotate before it lapses.
- Migrate Azure connections to workload identity federation where possible.
- Alert on upcoming app-registration secret expirations.