Rotating Azure AD (AAD) Connection Credentials

Overview

After an AAD Connection has been configured for Dashboard SSO, login can begin failing, with the following error message returned:

{"error":"invalid_client","error_description":"AADSTS7000222: The provided client secret keys for app 'AZURE-AD-CLIENT-ID' are expired. Visit the Azure portal to create new keys for your app: https://aka.ms/NewClientSecret, or consider using certificate credentials for added security: https://aka.ms/certCreds. "}

This can occur with either an Azure Active Directory (AAD) Connection in an Auth0 tenant or a Dashboard SSO setup using AAD. With Dashboard SSO, Admins will not be able to access the Auth0 dashboard; with a normal AAD connection, users will be unable to log in.

Applies To

  • Azure AD
  • Client Secret

Cause

The AAD client secret has expired, breaking the login flow. AAD client secrets have a configured expiry, and it is up to the customer to keep track of when the relevant secret expires so that it is rotated before it causes downtime.

Solution

For regular AAD connections, generate a new client secret and update the appropriate AAD Connection with the new value.

For Dashboard SSO, open a Support Ticket with Auth0 to coordinate sending the new client secret and updating the connection configuration.
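The following helpers, added here as an example and not code from Auth0 or Microsoft, cover the two sides of the Cause and Solution above: spotting the AADSTS7000222 error in token-endpoint responses and flagging secrets that are close to expiry before it happens, and preparing the body for updating the connection. Everything it consumes is constructed sample data: the error bodies, the passwordCredentials list (the shape Microsoft Graph returns on an application object), and the connection record. It assumes the Auth0 Management API update is a PATCH to /api/v2/connections/{id} whose options object replaces the existing one wholesale, so every existing option must be carried across, not just client_secret. No network calls are made.

```python
"""Helpers for detecting an expired AAD client secret and preparing its rotation.

Added example; all sample data below is constructed for illustration.
"""
import json
import re
from datetime import datetime, timezone

# Constructed token-endpoint error bodies: the expired-secret case from the
# article, an unrelated AADSTS error, and a non-JSON body.
SAMPLE_ERRORS = [
    json.dumps({
        "error": "invalid_client",
        "error_description": (
            "AADSTS7000222: The provided client secret keys for app "
            "'AZURE-AD-CLIENT-ID' are expired. Visit the Azure portal to create "
            "new keys for your app: https://aka.ms/NewClientSecret, or consider "
            "using certificate credentials for added security: "
            "https://aka.ms/certCreds. "
        ),
    }),
    json.dumps({
        "error": "invalid_grant",
        "error_description": "AADSTS50126: Error validating credentials.",
    }),
    "<html>not a json body</html>",
]

AADSTS_RE = re.compile(r"\b(AADSTS\d+)\b")
APP_ID_RE = re.compile(r"app '([^']+)'")
EXPIRED_SECRET_CODE = "AADSTS7000222"


def classify_token_error(body: str) -> dict:
    """Parse an AAD token error body and say whether it is the expired-secret case.

    Returns {"code": AADSTS code or None, "expired_secret": bool, "app_id": str or None}.
    """
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return {"code": None, "expired_secret": False, "app_id": None}
    desc = payload.get("error_description", "")
    code_match = AADSTS_RE.search(desc)
    app_match = APP_ID_RE.search(desc)
    code = code_match.group(1) if code_match else None
    return {
        "code": code,
        "expired_secret": code == EXPIRED_SECRET_CODE,
        "app_id": app_match.group(1) if app_match else None,
    }


def secrets_expiring(password_credentials: list, now: datetime, warn_days: int = 30) -> list:
    """Return secrets that expire within warn_days (or already have), with days left.

    password_credentials is the passwordCredentials list of a Graph application
    object: each entry carries keyId, displayName and an ISO-8601 endDateTime.
    """
    flagged = []
    for cred in password_credentials:
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        days_left = (end - now).days
        if days_left <= warn_days:
            flagged.append({
                "keyId": cred["keyId"],
                "displayName": cred.get("displayName"),
                "days_left": days_left,
            })
    return flagged


def build_connection_patch(existing_connection: dict, new_client_secret: str) -> dict:
    """Build the PATCH /api/v2/connections/{id} body for a rotated secret.

    Assumption: the options object in the PATCH replaces the stored one entirely,
    so every existing option is copied and only client_secret is changed.
    """
    options = dict(existing_connection.get("options", {}))
    if "client_secret" not in options:
        raise ValueError("connection has no client_secret option; not an AAD connection?")
    options["client_secret"] = new_client_secret
    return {"options": options}


if __name__ == "__main__":
    for body in SAMPLE_ERRORS:
        print(classify_token_error(body))
    # Constructed Graph passwordCredentials and a fixed "now" for a repeatable run.
    creds = [
        {"keyId": "key-a", "displayName": "auth0-sso", "endDateTime": "2024-06-20T00:00:00Z"},
        {"keyId": "key-b", "displayName": "spare", "endDateTime": "2025-01-01T00:00:00Z"},
    ]
    print(secrets_expiring(creds, datetime(2024, 6, 1, tzinfo=timezone.utc)))
    # Constructed connection record (hypothetical option names for illustration).
    conn = {"id": "con_EXAMPLE", "strategy": "waad",
            "options": {"client_id": "AZURE-AD-CLIENT-ID", "client_secret": "old",
                        "tenant_domain": "example.onmicrosoft.com"}}
    print(json.dumps(build_connection_patch(conn, "new-secret-value")))
```

Run the expiry check on a schedule against the application's passwordCredentials so the AADSTS7000222 case is caught before it appears in logs; when the patch body is sent, it should be done over the Management API with a token that has update:connections scope, and the new secret should never be written to logs or tickets in clear text.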
