SharePoint App error AADSTS7000222: The provided client secret keys are expired

External applications can connect to SharePoint (Online and On-premise) via OAuth using a bearer token. A client ID and secret are required to establish this connection (for example, via a SharePoint Add-in / provider-hosted app).

Refer here for steps to generate SharePoint client id and secret.

The client secret is valid for one year by default. Once it expires, you will receive an error message like the one below: "The provided client secret keys are expired".

SharePoint App error AADSTS7000222 - client key expired
The remote server returned an error: (401) Unauthorized.

    {
        "error": "invalid_client",
        "error_description": "AADSTS7000222: The provided client secret keys are expired. Visit the Azure Portal to create new keys for your app, or consider using certificate credentials for added security:\r\nTrace ID: [Trace ID]\r\nCorrelation ID: [Correlation ID]\r\nTimestamp: 2021-09-22 04:37:03Z",
        "error_codes": [
            7000222
        ],
        "timestamp": "2021-09-22 04:37:03Z",
        "trace_id": "[Trace ID]",
        "correlation_id": "[Correlation ID]",
        "error_uri": ""
    }

When you encounter this, it's time to renew the client secret. The same client ID can still be used, as it does not expire.
It is recommended to renew the secret before it expires, to avoid interruptions.

⭐ How to renew an expired SharePoint client secret?

We can either renew the existing client secret (if it's not expired yet), or create a new one.
We will use SharePoint Online Management Shell (PowerShell) for this, and you must be a Microsoft 365 Tenant Administrator.

Open SPO Management Shell (Run as Administrator) and run the commands below to check the expiry date for the given client ID.

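Install-Module MSOnline
Import-Module MSOnline

# Sign in as a tenant administrator; the MSOnline cmdlets below need this session
Connect-MsolService

# List the expiry dates of the credentials registered for the client ID.
# -ReturnKeyValues $false: the key values are not needed to read expiry dates.
(Get-MsolServicePrincipalCredential -AppPrincipalId "[Enter Client ID]" -ReturnKeyValues $false).EndDate.ToShortDateString()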

Note the last date.

Execute the script below to create a new client secret. You can also define the new expiry date.
❗️ Important - This will work only if you are a Tenant Admin.


$clientId = "Enter the client ID here"

# Generate 32 cryptographically random bytes for the new secret
$bytes = New-Object Byte[] 32
$rand = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rand.GetBytes($bytes)
$rand.Dispose()
$newClientSecret = [System.Convert]::ToBase64String($bytes)

# Set the expiry date to 3 years from now
$startDate = [System.DateTime]::Now
$endDate = $startDate.AddYears(3)

New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Symmetric -Usage Sign -Value $newClientSecret -StartDate $startDate -EndDate $endDate

New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Symmetric -Usage Verify -Value $newClientSecret -StartDate $startDate -EndDate $endDate

New-MsolServicePrincipalCredential -AppPrincipalId $clientId -Type Password -Usage Verify -Value $newClientSecret -StartDate $startDate -EndDate $endDate

# Display the new secret so it can be copied
$newClientSecret

Copy the new secret value and use it to connect. Refer to the steps here to validate with Postman that the new client secret works.
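
The recommendation above to renew before expiry can be turned into a repeatable check. The following is an added example, not code from the original post: the function name Get-CredentialExpiryReport, its parameters and the sample credential objects are assumptions made for illustration, and a live lookup expects Connect-MsolService to have been run first.

```powershell
# Added example: Get-CredentialExpiryReport and its parameters are hypothetical names.
function Get-CredentialExpiryReport {
    param(
        [Parameter(Mandatory = $true)] [string] $ClientId,
        [int] $WarnDays = 30,
        [object[]] $Credentials,            # optional: pre-fetched or sample objects
        [datetime] $Now = (Get-Date)
    )
    if (-not $PSBoundParameters.ContainsKey('Credentials')) {
        # Live lookup; requires a prior Connect-MsolService.
        # Key values are not requested: only metadata is needed for an expiry check.
        $Credentials = Get-MsolServicePrincipalCredential -AppPrincipalId $ClientId -ReturnKeyValues $false
    }
    foreach ($cred in $Credentials) {
        # Whole days remaining (time-zone offsets ignored); negative once expired.
        $daysLeft = [int][math]::Floor(($cred.EndDate - $Now).TotalDays)
        if ($daysLeft -lt 0) {
            $status = 'Expired'
        } elseif ($daysLeft -le $WarnDays) {
            $status = 'ExpiringSoon'
        } else {
            $status = 'OK'
        }
        [pscustomobject]@{
            ClientId = $ClientId
            KeyId    = $cred.KeyId
            Type     = $cred.Type
            Usage    = $cred.Usage
            EndDate  = $cred.EndDate
            DaysLeft = $daysLeft
            Status   = $status
        }
    }
}

# Constructed sample data (not from a real tenant) so the function runs offline.
$now = Get-Date '2021-09-22'
$sample = @(
    [pscustomobject]@{ KeyId = [guid]::NewGuid(); Type = 'Symmetric'; Usage = 'Sign';   EndDate = $now.AddDays(-1) }
    [pscustomobject]@{ KeyId = [guid]::NewGuid(); Type = 'Symmetric'; Usage = 'Verify'; EndDate = $now.AddDays(20) }
    [pscustomobject]@{ KeyId = [guid]::NewGuid(); Type = 'Password';  Usage = 'Verify'; EndDate = $now.AddYears(1) }
)
Get-CredentialExpiryReport -ClientId '00000000-0000-0000-0000-000000000000' -Credentials $sample -Now $now |
    Format-Table KeyId, Type, Usage, EndDate, DaysLeft, Status
```

Against a live tenant, omit -Credentials and -Now and pass the real client ID; rows marked Expired or ExpiringSoon are the ones to renew with the script above.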
