Rotating Azure AD (AAD) Connection Credentials

Problem statement

This can occur with either an Azure Active Directory (AAD) Connection in an Auth0 tenant or a Dashboard SSO setup using AAD. The login will begin failing, and the following error message will be returned:

*{"error":"invalid_client","error_description":"AADSTS7000222: The provided client secret keys for app 'AZURE-AD-CLIENT-ID' are expired. Visit the Azure portal to create new keys for your app: https://aka.ms/NewClientSecret, or consider using certificate credentials for added security: https://aka.ms/certCreds."}*

Symptoms

  • Recording a .har file or viewing the network traffic during login will show this error being returned.
  • In instances of Dashboard SSO, Admins will not be able to access the Auth0 dashboard.
  • If this is a regular AAD connection, users will be unable to log in.

Steps to reproduce

  • Configure an AAD Connection for Dashboard SSO and use an expired client secret when configuring it in Auth0.

Cause

The AAD client secret had expired, which broke the login flow. AAD client secrets typically have a configured expiry, and it is generally up to the customer to keep track of when each secret expires so it can be rotated before it causes downtime.

Solution

For regular AAD connections, generate a new client secret and update the appropriate AAD Connection with the new value.

For Dashboard SSO, open a Support Ticket with Auth0 to coordinate sending the new client secret and updating the connection configuration.
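As an added example (not part of the Auth0 article), the following Python helper recognises the AADSTS7000222 token error shown above, as it would appear in a captured .har response body, and flags client secrets that are already expired or close to expiry so the rotation in the Solution section can happen ahead of an outage. The credential records are a constructed sample shaped like the Microsoft Graph passwordCredential objects (endDateTime, keyId, displayName); the key ids and client id are placeholders.

```python
"""Detect the expired-secret token error and flag AAD client secrets nearing expiry."""
import json
from datetime import datetime

# Error code Azure AD returns when every client secret on the app registration has expired.
EXPIRED_SECRET_CODE = "AADSTS7000222"


def is_expired_secret_error(response_body: str) -> bool:
    """True if an OAuth token response body (e.g. copied from a .har file) is the expired-secret error."""
    try:
        body = json.loads(response_body)
    except json.JSONDecodeError:
        return False
    return body.get("error") == "invalid_client" and EXPIRED_SECRET_CODE in body.get("error_description", "")


def parse_iso8601(value: str) -> datetime:
    """Parse the ISO 8601 timestamps Azure AD emits; a trailing 'Z' means UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_expiring_secrets(credentials, now: datetime, warn_days: int = 30):
    """Return (keyId, displayName, days_left) for secrets expired or expiring within warn_days, soonest first."""
    findings = []
    for cred in credentials:
        days_left = (parse_iso8601(cred["endDateTime"]) - now).days
        if days_left <= warn_days:
            findings.append((cred["keyId"], cred.get("displayName"), days_left))
    return sorted(findings, key=lambda f: f[2])


# Constructed sample credential records; the shape mirrors Graph passwordCredential objects, the values are invented.
SAMPLE_CREDENTIALS = [
    {"keyId": "00000000-0000-0000-0000-000000000001", "displayName": "auth0-connection", "endDateTime": "2024-01-15T00:00:00Z"},
    {"keyId": "00000000-0000-0000-0000-000000000002", "displayName": "dashboard-sso", "endDateTime": "2024-06-20T00:00:00Z"},
    {"keyId": "00000000-0000-0000-0000-000000000003", "displayName": "rotated-2024", "endDateTime": "2026-06-01T00:00:00Z"},
]

# Constructed token response in the shape quoted in the article, with a placeholder client id.
SAMPLE_ERROR_BODY = json.dumps({
    "error": "invalid_client",
    "error_description": "AADSTS7000222: The provided client secret keys for app 'AZURE-AD-CLIENT-ID' are expired.",
})

if __name__ == "__main__":
    now = parse_iso8601("2024-06-01T00:00:00Z")  # fixed "today" so the run is reproducible
    print("expired-secret error in response:", is_expired_secret_error(SAMPLE_ERROR_BODY))
    for key_id, name, days in find_expiring_secrets(SAMPLE_CREDENTIALS, now):
        print(f"{name} ({key_id}): {'EXPIRED' if days < 0 else f'expires in {days} days'}")
```

In practice, feed `find_expiring_secrets` the credential list for the app registration backing the Auth0 connection and schedule it to run well inside the warning window.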