Renewing the Azure DevOps Service Connection key
You know that when something goes wrong, everything seems to go wrong?
I had one of those days last week.
I was in a consultation and knew a rollout for a new customer was scheduled. Then I got a call that the rollout was not working and that a secret had expired.
Original exception: AADSTS7000222: The provided client secret keys for app ‘***’ are expired.
I immediately assumed this was a secret from an Azure AD application registration. But we don't use secrets, we use certificates, so 'what are you talking about?' And yet the error message clearly states that a secret has expired.
And then I see this message below:
Initializing Az module failed: There was an error with the service principal used for the deployment.
Wait a minute, we don't do anything with the Az module for the modern workplace, do we? That's what I thought, anyway.
Let’s fix ‘The provided client secret keys for app ‘***’ are expired’
The problem is not in the customer's environment, but in your own Azure DevOps / Azure AD environment. At least it was for me…
We use a CI/CD pipeline in Azure DevOps for onboarding a new customer. To run PowerShell scripts in the pipeline you have several tasks.
When you select the Azure PowerShell task you must choose an Azure subscription.
That 'Azure subscription' is really an Azure DevOps service connection, and a service connection of the service principal type is, in the backend, an Azure AD application registration that authenticates with a client secret (or a certificate).
I had assumed it was a managed identity, which has no secret to expire, but it is not…
You can see this when editing a pipeline:
And after you implement it in the Yaml pipeline it looks like this:
    - task: AzurePowerShell@5   # major version as used in your pipeline (v4 and v5 both take these inputs)
      inputs:
        azureSubscription: 'XXXXXXXXX'
        ScriptType: 'FilePath'
        ScriptPath: 'C:\temp\test.ps1'
        azurePowerShellVersion: 'LatestVersion'
        pwsh: true
As you can see, this is the Azure PowerShell task (the extracted page mangled its name into an e-mail placeholder), and the service connection is passed in the azureSubscription input; in my code this is XXXXX.
You may not be using the Azure PowerShell task at all, but another task that takes the same azureSubscription input (the Azure CLI task, for example). Not every task calls the input azureSubscription, so search your pipeline YAML for azureSubscription and for the name of the service connection itself.
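Searching the YAML tells you which service connection a pipeline uses, but not when its secret runs out. The script below is an added example, not code from the original post: it lists the Azure RM service connections of one Azure DevOps project through the REST API, resolves the app registration behind each one (the serviceprincipalid of the connection is the application ID), and reports every credential on that app with its expiry. It assumes Az.Resources is installed, Connect-AzAccount has been run with an identity that can read app registrations, and a PAT with "Service Connections (Read)" on the project. The parameter names and the REST field names (type=azurerm, authorization.scheme, authorization.parameters.serviceprincipalid) are those of the Azure RM service connection type in api-version 7.0; the $WarnDays threshold is the author's choice.

```powershell
# Added example, not from the original post: inventory the Azure RM service connections of an
# Azure DevOps project and report when the credential behind each one expires.
# Assumptions: Az.Resources is installed and Connect-AzAccount has been run with an identity that
# can read app registrations; $Pat is an Azure DevOps PAT with "Service Connections (Read)".
param(
    [Parameter(Mandatory)] [string] $Organization,   # 'contoso' for https://dev.azure.com/contoso
    [Parameter(Mandatory)] [string] $Project,
    [Parameter(Mandatory)] [string] $Pat,
    [int] $WarnDays = 30                              # flag credentials expiring within this many days
)

$headers = @{
    Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(":$Pat"))
}
$uri = "https://dev.azure.com/$Organization/$([uri]::EscapeDataString($Project))" +
       '/_apis/serviceendpoint/endpoints?type=azurerm&api-version=7.0'
$endpoints = (Invoke-RestMethod -Uri $uri -Headers $headers -Method Get).value

$now = Get-Date
$report = foreach ($ep in $endpoints) {
    $auth = $ep.authorization
    # The 'Azure subscription' chosen in the pipeline task is this service connection. Only the
    # service-principal scheme carries a secret or certificate that can expire; workload identity
    # federation and managed identity connections have nothing to rotate.
    if ($auth.scheme -ne 'ServicePrincipal') {
        [pscustomobject]@{
            ServiceConnection = $ep.name
            AppId             = $null
            Credential        = $null
            Expires           = $null
            DaysLeft          = $null
            Status            = "no secret (scheme $($auth.scheme))"
        }
        continue
    }
    $appId = $auth.parameters.serviceprincipalid
    # Get-AzADAppCredential lists both the client secrets and the certificates of the app registration.
    $creds = @(Get-AzADAppCredential -ApplicationId $appId -ErrorAction SilentlyContinue)
    if ($creds.Count -eq 0) {
        [pscustomobject]@{
            ServiceConnection = $ep.name
            AppId             = $appId
            Credential        = $null
            Expires           = $null
            DaysLeft          = $null
            Status            = 'app registration not readable or has no credentials'
        }
        continue
    }
    foreach ($c in $creds) {
        $daysLeft = [math]::Floor(($c.EndDateTime - $now).TotalDays)
        if ($daysLeft -lt 0)              { $status = 'EXPIRED' }
        elseif ($daysLeft -le $WarnDays)  { $status = 'expiring soon' }
        else                              { $status = 'ok' }
        [pscustomobject]@{
            ServiceConnection = $ep.name
            AppId             = $appId
            Credential        = if ($c.DisplayName) { $c.DisplayName } else { $c.KeyId }
            Expires           = $c.EndDateTime
            DaysLeft          = $daysLeft
            Status            = $status
        }
    }
}

$report | Sort-Object DaysLeft | Format-Table -AutoSize

# Exit non-zero so a scheduled pipeline run of this script fails when something needs attention.
$needsAction = @($report | Where-Object { $_.Status -in 'EXPIRED', 'expiring soon' })
if ($needsAction.Count -gt 0) { exit 1 }
```

Run it on a schedule (a weekly pipeline is enough) rather than once: Azure DevOps itself gives no warning before a service connection secret expires, which is exactly how the error at the top of this post arrives.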
Now that we know this is the culprit, we can look up the service connection, and the service principal behind it, in Azure DevOps.
Go to Project Settings > Service connections and select the service connection used in the pipeline.
Click Manage Service Principal. This opens the app registration in the Azure portal; under Certificates & secrets create a new client secret and copy its value immediately, because it cannot be retrieved afterwards. Creating a new secret does not remove the expired one, so delete that as well once the new one works.
Renewing the secret is not enough. Azure DevOps keeps its own copy of the secret inside the service connection, and that copy is what the pipeline uses, so it has to be stored there too.
Go back to the service connection, click Edit in the upper-right corner, paste the new value into the Service principal key field, click Verify and then Save.
Two things to keep in mind: Azure DevOps does not warn you before a service connection secret expires, so note the expiry date (the portal defaults to six months and allows at most two years) and set a reminder; and the error message itself points at the better fix, a certificate or, for a service connection, workload identity federation, so that there is no secret to rotate at all.
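The two manual steps above (new secret on the app registration, then paste it into the service connection) can be done in one go without the secret ever passing through a clipboard. The script below is an added example, not code from the original post: it resolves the service connection by name, creates a new client secret with Az PowerShell, writes it into the service connection through the Azure DevOps REST API, and optionally deletes credentials on the app that have already expired. It assumes Az.Resources is installed, Connect-AzAccount has been run as an owner of the app registration, and a PAT with "Service Connections (Read, query, & manage)". The field names serviceprincipalid, serviceprincipalkey and authenticationType 'spnKey' are those of the Azure RM service connection type in api-version 7.0; sending the fetched endpoint back with only serviceprincipalkey added is assumed to be sufficient for the update, as it is for the portal's Edit dialog.

```powershell
# Added example, not from the original post: rotate the client secret behind one Azure DevOps
# service connection end to end, so the secret value is never copied by hand.
# Assumptions: Az.Resources is installed and Connect-AzAccount has been run as an owner of the app
# registration; $Pat is an Azure DevOps PAT with "Service Connections (Read, query, & manage)".
param(
    [Parameter(Mandatory)] [string] $Organization,
    [Parameter(Mandatory)] [string] $Project,
    [Parameter(Mandatory)] [string] $ServiceConnectionName,
    [Parameter(Mandatory)] [string] $Pat,
    [int] $ValidMonths = 6,                 # Azure portal default; keep it short and rotate on a schedule
    [switch] $RemoveExpiredCredentials      # also delete credentials on the app that already expired
)

$headers = @{
    Authorization  = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(":$Pat"))
    'Content-Type' = 'application/json'
}
$org        = "https://dev.azure.com/$Organization"
$projectEsc = [uri]::EscapeDataString($Project)
$nameEsc    = [uri]::EscapeDataString($ServiceConnectionName)

# 1. Resolve the service connection (the pipeline's 'Azure subscription') by name.
$listUri = "$org/$projectEsc/_apis/serviceendpoint/endpoints?endpointNames=$nameEsc&api-version=7.0"
$ep = (Invoke-RestMethod -Uri $listUri -Headers $headers -Method Get).value | Select-Object -First 1
if (-not $ep) { throw "service connection '$ServiceConnectionName' not found in project '$Project'" }
$auth = $ep.authorization
if ($auth.scheme -ne 'ServicePrincipal' -or $auth.parameters.authenticationType -ne 'spnKey') {
    throw "'$ServiceConnectionName' does not authenticate with a client secret (scheme $($auth.scheme)); nothing to rotate"
}
$appId = $auth.parameters.serviceprincipalid

# 2. Add a new client secret to the app registration. The secret value is returned exactly once
#    (SecretText); it is only held in memory here and never written to the console.
$newCred = New-AzADAppCredential -ApplicationId $appId -StartDate (Get-Date) -EndDate (Get-Date).AddMonths($ValidMonths)
Write-Host "new secret $($newCred.KeyId) for app $appId expires $($newCred.EndDateTime)"

# 3. Store it in the service connection. A GET never returns the stored key, so the PUT carries the
#    endpoint we fetched with serviceprincipalkey filled in: the API equivalent of
#    Edit > Service principal key > Save.
$auth.parameters | Add-Member -NotePropertyName serviceprincipalkey -NotePropertyValue $newCred.SecretText -Force
$body      = $ep | ConvertTo-Json -Depth 20
$updateUri = "$org/_apis/serviceendpoint/endpoints/$($ep.id)?api-version=7.0"
$updated   = Invoke-RestMethod -Uri $updateUri -Headers $headers -Method Put -Body $body
Write-Host "service connection '$($updated.name)' updated; click Verify or run the pipeline to confirm"

# 4. Clean up: the expired secret stays on the app registration until someone deletes it.
if ($RemoveExpiredCredentials) {
    Get-AzADAppCredential -ApplicationId $appId |
        Where-Object { $_.EndDateTime -lt (Get-Date) -and $_.KeyId -ne $newCred.KeyId } |
        ForEach-Object {
            Write-Host "removing expired credential $($_.KeyId) (expired $($_.EndDateTime))"
            Remove-AzADAppCredential -ApplicationId $appId -KeyId $_.KeyId
        }
}
```

Run the pipeline (or Verify on the service connection) right after step 3 and only then pass -RemoveExpiredCredentials, so an old but still valid secret used elsewhere is not removed by mistake; the filter only deletes credentials whose EndDateTime is already in the past.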
The full error message
I post the full error messages so that people who search for them end up on my blog.
##[error]ClientSecretCredential authentication failed: A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS7000222: The provided client secret keys for app '***' are expired. Visit the Azure portal to create new keys for your app: https://aka.ms/NewClientSecret, or consider using certificate credentials for added security: https://aka.ms/certCreds.
##[error]Initializing Az module failed: For troubleshooting, refer: https://aka.ms/azurepowershelltroubleshooting
##[error]There was an error with the service principal used for the deployment.