SharePoint App error AADSTS7000222: The provided client secret keys are expired


External applications can connect to SharePoint (Online and On-premise) via OAuth using a bearer token. A client ID and secret is required to establish this connection (say via a SharePoint Add-in / provider-hosted App).

Refer here for steps to generate SharePoint client id and secret.

The client secret has a default validity of one year and expires after a year. You will receive an error message like below "The provided client secret keys are expired".

SharePoint App error AADSTS7000222 - client key expired
SharePoint App error AADSTS7000222 - client key expired
The remote server returned an error: (401) Unauthorized.

{
    "error": "invalid_client",
    "error_description": "AADSTS7000222: The provided client secret keys are expired. Visit the Azure Portal to create new keys for your app, or consider using certificate credentials for added security: https://docs.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials\r\nTrace ID: [Trace ID]\r\nCorrelation ID: [Correlation ID]\r\nTimestamp: 2021-09-22 04:37:03Z",
    "error_codes": [
        7000222
    ],
    "timestamp": "2021-09-22 04:37:03Z",
    "trace_id": "[Trace ID]",
    "correlation_id": "[Correlation ID]",
    "error_uri": "https://accounts.accesscontrol.windows.net/error?code=7000222"
}

When you encounter this, its time to renew the client secret. Note that the same client id can be used as it does not expire.
It is recommended to renew the secret before the expiry, to avoid interruptions.

⭐ How to renew expired SharePoint client secret ?

We can either renew the existing client secret (if its not expired yet), or create a new one.
We will use SharePoint Online Management Shell (PowerShell) for this and you must be a Microsoft 365 Tenant Administrator.

Open SPO Management Shell (Run as Administrator) and run the below commands to check the the expiry date for given client ID.

Install-Module MSOnline

Import-Module MSOnline

Connect-MSOLService

(Get-MsolServicePrincipalCredential -AppPrincipalId [Enter Client ID] 
-ReturnKeyValues $true).EndDate.ToShortDateString() | select


Note the last date.

Execute the below script to create a new client secret, you can even define the new expiry date.
❗️ Important - This will work only if you are a Tenant Admin.

Connect-MSOLService

$clientId = "Enter the client ID here"

$bytes = New-Object Byte[] 32
$rand = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rand.GetBytes($bytes)
$rand.Dispose()

$newClientSecret = [System.Convert]::ToBase64String($bytes)

//Setting up the expiry date to 3 years from now
$startDate = [System.DateTime]::Now
$endDate = $startDate.AddYears(3)

New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Symmetric -Usage Sign -Value $newClientSecret -StartDate $startDate -EndDate $endDate

New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Symmetric -Usage Verify -Value $newClientSecret -StartDate $startDate -EndDate $endDate

New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Password -Usage Verify -Value $newClientSecret -StartDate $startDate -EndDate $endDate
$newClientSecret


Copy the new secret value and use it for connecting now. Refer steps here to validate using Postman if the new client secret works well.




Recent Posts:




Code2care is an initiative to publish and share varied knowledge in programming and technical areas gathered during day-to-day learnings and development activities.

Students and Software Developers can leverage this portal to find solutions to their various queries without re-inventing the wheel by referring to our easy to understand posts. Technical posts might include Learnings, Video Tutorials, Code Snippets, How Tos, Blogs, Articles, etc.