Skip to content
Latchkey

Azure Pipelines Service Connection Credential Expired (AzureCLI@2)

An Azure service connection authenticates with a service principal’s client secret or certificate. When that credential expires, tasks using the connection (like AzureCLI@2) fail to acquire a token even though the YAML and permissions are unchanged.

What this error means

A previously-working AzureCLI@2 (or AzureResourceManagerTemplateDeployment, AzureWebApp) step fails to log in with an AADSTS token error. The connection that worked last week now rejects auth - the secret behind it lapsed.

Azure DevOps
##[error]AADSTS7000215: Invalid client secret provided. Ensure the secret
being sent in the request is the client secret value, not the client secret ID.

Common causes

Expired client secret or certificate

Service principal secrets have an expiry. Once past it, token acquisition for the service connection fails until the secret/cert is rotated.

Secret rotated in Entra but not in the connection

If the app’s secret was regenerated in Entra ID without updating the Azure DevOps service connection, the connection still holds the old, now-invalid value.

How to fix it

Rotate and update the service connection

  1. In Entra ID, create a new client secret (or certificate) for the app registration.
  2. In Project Settings → Service connections → the connection → Edit, paste the new secret and save/verify.
  3. Re-run the pipeline; AzureCLI@2 should authenticate again.

Prefer workload identity federation

A workload-identity-federation service connection uses short-lived tokens with no long-lived secret to expire.

azure-pipelines.yml
steps:
  - task: AzureCLI@2
    inputs:
      azureSubscription: 'azure-prod-wif'   # workload identity federation connection
      scriptType: bash
      scriptLocation: inlineScript
      inlineScript: az account show

How to prevent it

  • Track service-principal secret expiry and rotate before it lapses.
  • Migrate Azure connections to workload identity federation where possible.
  • Alert on upcoming app-registration secret expirations.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →